Are your tools ready for IPv6? (part 2)
In my previous diary, I started sharing some of my experiences with trying to update my automated malware analysis and honeynet environments to handle IPv6 (the conversation I started with my talk by the same name at SANSFIRE last month). In this diary, I'd like to wrap that up and provide a couple of updates.
So, here are the rest of the tools/categories that I've been looking at/thinking about in my upgrade process.
- Network Management
- SNMP - Back when I was doing a lot more network troubleshooting, one of the primary tools we used to monitor just about everything was HP OpenView which relied on SNMP. While I am not using SNMP in my automated malware analysis environment or (currently) my honeynets, I did start thinking about it. It appears that net-snmp has run fine in IPv6 since 2002 or 2003 and OpenView for at least a couple of years (at least 2009, maybe since 2005). WIN
- FTP/TFTP/SFTP - Again, not something I actually use in these environments, but tools that were used in some previous environments for installing or backing up configurations. There are FTP, TFTP, and SFTP clients and servers for all the OSes that I've looked at that can do IPv6. Whether or not your devices have the appropriate versions installed or not though, who knows. WIN?
- NTP - For log correlation, you want synchronized clocks. If the system can do NTP and IPv6, it can probably do NTP over IPv6. BTW, ff0x::101 are the multicast addresses set aside for the local NTP servers. I'm going to assume WIN
- Logging
- syslog (classic) - okay syslog dates to the 1980s, long before IPv6. You wouldn't really expect the stock syslogd on older OSes to handle IPv6. FAIL
- rsyslog - The current standard on Ubuntu, handles IPv6 just fine. WIN
- syslog-ng - My favorite syslog daemon, also handles IPv6 just fine. WIN
- Kiwi/SNARE - I'm not using any tools to send Windows event logs to a syslog server, so I haven't checked to see how they do with IPv6, but I imagine some of our readers have. ????
- web server/applications - these are pretty much left as an exercise to the reader. ????
- Databases
- Postgresql - One of the things I really like about postgresql is the built-in cidr and inet datatypes for storing IP addresses in databases. As of, at least, v8.2 either type can handle an IPv6 address as well as IPv4. WIN
- MySQL -While it lacks the built-in types that Postgreql has, for IPv4 they provide built-in functions inet_aton() and inet_ntoa() to convert addresses to integers for storage in the database. As of version 5.6.3, MySQL will (does?) have inet6_aton() and inet6_ntoa(). WIN?
- Oracle - It has been over a decade since I was an Oracle DBA, but from what I can tell...not so much. FAIL
- IDS/IPS
- snort/snort-inline - As with the firewalls discussion in the previous diary, I haven't looked at the commercial products lately. if any of our readers can fill me in on how they do, it would be greatly appreciated. The previous setup was based on the Honeynet Project's roo honeywall (the issues with updating roo are worthy of a diary all their own) which was running snort 2.8.something. I am using 2.9.0.5 in the updated setup and it seems to work just fine. I've heard reports of some issues with snort and IPv6, but have not encountered any problems myself. WIN
- Scanning
- nmap - Okay, with the tremendous increase in the size of the target space, linear scanning isn't particularly practical anymore. We will need to figure out more efficient ways to scan. That said, there is still no ability to specify an IPv6 CIDR block as of 5.52.IPv6.beta (from June 2011). FAIL
- fping/fping6 - while fping6 exists and can do many of the things that fping can do on IPv6 addresses. Unfortunately, you cannot specify an IPv6 CIDR block or a range of IPv6 addresses with the -g option. FAIL
- nessus - I honestly haven't looked at vulnerability scanners lately. Can any of our readers help me out here? ????
- Pentest tools
- metasploit - I don't do much pen testing these days either, but when I've needed to use metasploit it has mostly worked for me. WIN?
- Miscellaneous other tools
- netcat - there are a number of netcat versions out there that work with IPv6 just fine. WIN
- p0f - this one wasn't on my list for the SANSFIRE talk because, frankly, it just occurred to me about 1.5 weeks ago. Unfortunately, it doesn't support IPv6 now and seems to no longer be supported. I haven't sent off a request to the author though. FAIL
- prads - As a result of p0f not handling IPv6, I started looking around for tools that could do passive (or active) OS fingerprinting of IPv6 traffic and happened across prads. It look promisiing. Is there anything else out there? WIN
There you have the tools that I've looked at and some that I've just thought about. I'm sure I've missed some tools/categories that are important to some of the rest of you. Please feel free to use the comment section or contact form to let me know what I missed.
Update: Since the previous diary, one of our readers pointed out that a new version of httpry (v0.1.6) has just been released that does handle IPv6. Also, due to some personal issues, I haven't been able to get back to any of my scripts until this week. I've updated the tools in http://handlers.sans.edu/jclausing/ipv6/ to handle type 0, 43, and 60 extension headers (hop-by-hop, routing header, and destination options).
---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
SANS FOR558-Network Forensics coming to central OH in Sep, see http://www.sans.org/mentor/details.php?nid=25749
Reverse-Engineering Malware: Malware Analysis Tools and Techniques | Coral Gables | Nov 18th - Nov 23rd 2024 |
Comments
http://www.oracle.com/technetwork/database/enterprise-edition/oracledatabase-ipv6-sod-132278.pdf
koyeung
Aug 23rd 2011
1 decade ago
koppensb
Aug 23rd 2011
1 decade ago
Ken
Aug 23rd 2011
1 decade ago
I imagine an ip6hdr table is needed along with a field in the event table to indicate v4 or v6. Unless there's a way to overlay both v4 and v6 in the iphdr table. Barnyard/barndard2 would need to be modified to support the new schema.
Another question is whether the unified/unified2 output plugins support v6 currently. Or whatever other output plugin(s) you use.
Ken
Aug 23rd 2011
1 decade ago
Ken: I'll have to look at my unified2 logs (and barnyard2), but I thought I had seen some IPv6 alerts, but now I can't find them. Hmm... For most of my honeynet stuff, I still use the old alert_full and alert_fast.
Jim
Aug 23rd 2011
1 decade ago
spo_alert_arubaaction.c
spo_alert_prelude.c
spo_csv.c
spo_unified2.c
spo_unified.c
These output plugin source files do not contain the (case-insensitive) "ipv6" string:
spo_alert_fast.c
spo_alert_full.c
spo_alert_sf_socket.c
spo_alert_syslog.c
spo_alert_test.c
spo_alert_unixsock.c
spo_database.c
spo_log_ascii.c
spo_log_null.c
spo_log_tcpdump.c
That's a crude test, perhaps, but you'd defintely want to look closer if you use one of those.
Ken
Aug 23rd 2011
1 decade ago