From: Lance Spitzner (lance_at_honeynet.org)
Date: Tue Dec 17 2002 - 20:34:33 CST

    Recently one of the Honeynet Project's Solaris Honeynets was compromised.
    What made this attack unique was after breaking into the system, the
    attackers enabled IPv6 tunneling on the system, with communications being
    forwarded to another country. The attack and communications were captured
    using Snort, however the data could not be decoded due to the IPv6
    tunneling. Also, once tunneled, this could potentially disable/bypass the
    capabilities of some IDS systems.

    Marty is addressing this issue and has added IPv6 decode support to
    Snort. It's not part of Snort current (2.0) yet, it's still in the
    process of testing. If you would like to test this new capability,
    you can find it online at

        http://www.snort.org/~roesch/

    Marty's looking for feedback. As IPv6 usage spreads, especially in
    Asia, you will want to be prepared for it. Keep in mind, even in
    IPv4 environments (as was our Solaris Honeynet) attackers can
    encode their data in IPv6 and then tunnel it through IPv4. We will
    most likely be seeing more of this type of behavior.

    Just a friendly heads-up :)

    -- 
    Lance Spitzner
    http://www.tracking-hackers.com
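
The decode step the message says an IDS needs, shown as an added example that is not part of the original post and is not Snort's code. It assumes the tunnel is plain IPv6-in-IPv4 encapsulation (IPv4 protocol 41), which the post does not specify; the function names and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # IANA protocol number for IPv6 encapsulated in IPv4


def decode_6in4(packet: bytes):
    """Return outer/inner header fields if packet is IPv6-in-IPv4, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # not an IPv4 packet
    ihl = (packet[0] & 0x0F) * 4         # outer header length, options included
    if ihl < 20 or len(packet) < ihl:
        return None
    if packet[9] != PROTO_IPV6_IN_IPV4:
        return None                      # ordinary IPv4 payload, nothing to unwrap
    frag = struct.unpack("!H", packet[6:8])[0]
    if frag & 0x1FFF:
        return None                      # non-first fragment carries no inner header
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None                      # truncated, or protocol 41 without IPv6 inside
    payload_len, next_header = struct.unpack("!HB", inner[4:7])
    return {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "inner_next_header": next_header,   # e.g. 6 = TCP, 17 = UDP
        "inner_payload": inner[40:40 + payload_len],
    }


def build_sample() -> bytes:
    """Constructed sample packet using documentation-only addresses."""
    payload = b"\x00" * 20  # placeholder bytes standing in for a TCP header
    inner = struct.pack("!IHBB", 6 << 28, len(payload), 6, 64)
    inner += ipaddress.IPv6Address("2001:db8::1").packed
    inner += ipaddress.IPv6Address("2001:db8::2").packed
    inner += payload
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64,
                        PROTO_IPV6_IN_IPV4, 0)  # checksum left as 0 in the sample
    outer += ipaddress.IPv4Address("192.0.2.10").packed
    outer += ipaddress.IPv4Address("198.51.100.20").packed
    return outer + inner


if __name__ == "__main__":
    print(decode_6in4(build_sample()))
```

A sensor that only inspects the outer header sees a single IPv4 flow between two hosts; rules keyed on TCP or UDP ports match only after the inner header has been unwrapped as above.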