IPv6 support for Sguil #51
Open

buzzdeee wants to merge 14 commits into bammv:master from buzzdeee:master
the first one gets renamed before looping over it, so we have to test if the file exists, before checking for its size in sensor/pcap_agent.tcl
in order to let the Transcript not break sguild when trying to open a transcript of an IPv6 connection. Since the tcpflow I have is not IPv6 capable, it's untested, and the window doesn't show much.
Tested with prads which supports IPv6 and an IPv6 ready squert
IPv6 addresses.
the IP that came as input. Also add ValidateIPAddress, similar to what it was for the clients. Fixup comparison in SguildAutoCat when comparing against network ranges, and make it work for IPv6 as well.
The reverse DNS for IPv6 problem will be gone with next tcllib version, seems my patch was integrated:
Work was done on OpenBSD, so I've some unrelated patches in use as well to make it integrate there as best as possible.

sguild server, sguil client, sensor scripts patched to handle IPv6 in addition to IPv4

- database schema updated to store IP addresses as varbinary(16)
- access IP addresses with INET6_NTOA/INET6_ATON everywhere
- no database upgrade script
- sensors tested to be working:
  - suricata_agent: works well
  - snort_agent: retrieving logs from barnyard2 files, only IPv4, as I see it, it's a barnyard2 limitation
  - sancp_agent:
    - sancp itself doesn't support IPv6, but I used it with cxtracker for my testing
  - pads_agent:
    - pads itself doesn't support IPv6, but I used it with prads for my testing
  - pcap_agent: seems to do the trick
- autocat seems to work as well
  - however, my IPv6 patch made it require TCL 8.6
- what is not working IPv6 wise:
  - reverse DNS lookups of IPv6 in sguil client
    - it's not a problem in Sguil per se, it's a limitation of tcllib, but should be easy to make it work: https://core.tcl-lang.org/tcllib/tktview?name=8168daf796
  - transcript generation relies on tcpflow, however, the version on OpenBSD is quite from the stone-age and doesn't support IPv6. A quick attempt to update it failed and I haven't yet bothered to look deeper into it.

Note: haven't looked at the ES integration part at all yet.
However, have patches for the security-onion fork of Squert to add IPv6 support there as well.
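Two of the points above, storing addresses family-agnostically in a varbinary(16) column via INET6_ATON/INET6_NTOA and making the autocat network-range comparison work for IPv6 as well as IPv4, can be illustrated outside Tcl. The following is an added Python example, not Sguil's own code; it mimics MySQL's INET6_ATON/INET6_NTOA byte semantics and uses a simplified, hypothetical autocat rule shape (src range, dst range, category).

```python
import ipaddress


def inet6_aton(text: str) -> bytes:
    """Pack an address the way MySQL's INET6_ATON does: 4 bytes for IPv4,
    16 bytes for IPv6. Both lengths fit a VARBINARY(16) column, so one
    column can hold either family without a separate version field."""
    return ipaddress.ip_address(text).packed


def inet6_ntoa(blob: bytes) -> str:
    """Inverse of inet6_aton: the stored byte length selects the family.
    Anything other than 4 or 16 bytes is a corrupt or legacy row."""
    if len(blob) not in (4, 16):
        raise ValueError(f"unexpected address length {len(blob)}")
    return str(ipaddress.ip_address(blob))


def in_range(addr: str, spec: str) -> bool:
    """Autocat-style range test. spec is 'any', a single address, or a
    CIDR network. Comparing parsed objects (not strings or integers)
    keeps a v4 address from ever matching a v6 range, and vice versa."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return ip.version == net.version and ip in net
    return ip == ipaddress.ip_address(spec)


def autocat_match(rules, src: str, dst: str):
    """Return the category of the first rule matching (src, dst), or None."""
    for src_spec, dst_spec, category in rules:
        if in_range(src, src_spec) and in_range(dst, dst_spec):
            return category
    return None


# Constructed sample rules (hypothetical simplified autocat shape).
RULES = [
    ("10.0.0.0/8", "any", "internal-v4"),
    ("2001:db8::/32", "any", "doc-prefix-v6"),
    ("fe80::/10", "any", "link-local-v6"),
]
```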