In my previous diary, I started sharing some of my experiences with trying to update my automated malware analysis and honeynet environments to handle IPv6 (the conversation I started with my talk by the same name at SANSFIRE last month). In this diary, I'd like to wrap that up and provide a couple of updates.
So, here are the rest of the tools/categories that I've been looking at/thinking about in my upgrade process.
SNMP - Back when I was doing a lot more network troubleshooting, one of the primary tools we used to monitor just about everything was HP OpenView, which relied on SNMP. While I am not using SNMP in my automated malware analysis environment or (currently) my honeynets, I did start thinking about it. It appears that net-snmp has run fine in IPv6 since 2002 or 2003 and OpenView for at least a couple of years (at least 2009, maybe since 2005). WIN
FTP/TFTP/SFTP - Again, not something I actually use in these environments, but tools that were used in some previous environments for installing or backing up configurations. There are FTP, TFTP, and SFTP clients and servers for all the OSes that I've looked at that can do IPv6. Whether or not your devices have the appropriate versions installed, though, who knows. WIN?
NTP - For log correlation, you want synchronized clocks. If the system can do NTP and IPv6, it can probably do NTP over IPv6. BTW, ff0x::101 are the multicast addresses set aside for the local NTP servers. I'm going to assume WIN
syslog (classic) - Okay, syslog dates to the 1980s, long before IPv6. You wouldn't really expect the stock syslogd on older OSes to handle IPv6. FAIL
rsyslog - The current standard on Ubuntu, handles IPv6 just fine. WIN
syslog-ng - My favorite syslog daemon, also handles IPv6 just fine. WIN
Kiwi/SNARE - I'm not using any tools to send Windows event logs to a syslog server, so I haven't checked to see how they do with IPv6, but I imagine some of our readers have. ????
web server/applications - these are pretty much left as an exercise to the reader. ????
Postgresql - One of the things I really like about postgresql is the built-in cidr and inet datatypes for storing IP addresses in databases. As of, at least, v8.2 either type can handle an IPv6 address as well as IPv4. WIN
MySQL - While it lacks the built-in types that Postgresql has, for IPv4 they provide built-in functions inet_aton() and inet_ntoa() to convert addresses to integers for storage in the database. As of version 5.6.3, MySQL will (does?) have inet6_aton() and inet6_ntoa(). WIN?
Oracle - It has been over a decade since I was an Oracle DBA, but from what I can tell...not so much. FAIL
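The point of the Postgresql and MySQL entries above is that an address should be stored in a canonical binary form rather than as the string that happened to appear in a log, because the same IPv6 host can be written many ways. The following is an added example (mine, not from the diary or from either database project) that does in Python what inet6_aton()/inet6_ntoa() and the Postgresql inet types do for you: it collapses the spellings of one address to a fixed-width key, reverses the mapping, and does the CIDR containment test that Postgresql exposes as its "<<" operator. The event records are constructed sample data.

```python
import ipaddress
from typing import Dict, List

def address_key(text: str) -> bytes:
    """Canonical fixed-width key for an address: 4 bytes for IPv4, 16 for IPv6.
    This is the inet_aton()/inet6_aton() direction, so that '2001:db8::1' and
    '2001:0DB8:0000:0000:0000:0000:0000:0001' collapse to one key."""
    return ipaddress.ip_address(text).packed

def address_text(key: bytes) -> str:
    """Inverse of address_key (the inet_ntoa()/inet6_ntoa() direction),
    rendered in the compressed canonical form."""
    return str(ipaddress.ip_address(key))

def in_block(address: str, block: str) -> bool:
    """Containment test for either family, the job Postgresql's inet '<<' cidr does.
    An IPv4 address is never inside an IPv6 block and vice versa."""
    net = ipaddress.ip_network(block, strict=False)
    addr = ipaddress.ip_address(address)
    return addr.version == net.version and addr in net

def index_events(events: List[dict]) -> Dict[bytes, List[str]]:
    """Group events by canonical source address, so differently written
    spellings of one host land in one bucket instead of several."""
    index: Dict[bytes, List[str]] = {}
    for event in events:
        index.setdefault(address_key(event["src"]), []).append(event["msg"])
    return index

# Constructed sample records: one IPv6 host written three ways plus one IPv4 host.
SAMPLE_EVENTS = [
    {"src": "2001:db8::1", "msg": "tcp/22 connect"},
    {"src": "2001:0DB8:0000:0000:0000:0000:0000:0001", "msg": "tcp/80 connect"},
    {"src": "2001:db8:0:0::1", "msg": "icmpv6 echo"},
    {"src": "192.0.2.7", "msg": "tcp/445 connect"},
]

if __name__ == "__main__":
    for key, msgs in index_events(SAMPLE_EVENTS).items():
        print(address_text(key), len(msgs), msgs)
```

Storing the 16-byte key rather than the text also keeps lookups exact: a text index would treat the three spellings above as three different hosts, which is exactly the correlation failure you do not want in a honeynet database.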
snort/snort-inline - As with the firewalls discussion in the previous diary, I haven't looked at the commercial products lately. If any of our readers can fill me in on how they do, it would be greatly appreciated. The previous setup was based on the Honeynet Project's roo honeywall (the issues with updating roo are worthy of a diary all their own) which was running snort 2.8.something. I am using 188.8.131.52 in the updated setup and it seems to work just fine. I've heard reports of some issues with snort and IPv6, but have not encountered any problems myself. WIN
nmap - Okay, with the tremendous increase in the size of the target space, linear scanning isn't particularly practical anymore. We will need to figure out more efficient ways to scan. That said, there is still no ability to specify an IPv6 CIDR block as of 5.52.IPv6.beta (from June 2011). FAIL
fping/fping6 - fping6 exists and can do many of the things that fping can do, on IPv6 addresses. Unfortunately, you cannot specify an IPv6 CIDR block or a range of IPv6 addresses with the -g option. FAIL
nessus - I honestly haven't looked at vulnerability scanners lately. Can any of our readers help me out here? ????
metasploit - I don't do much pen testing these days either, but when I've needed to use metasploit it has mostly worked for me. WIN?
Miscellaneous other tools
netcat - there are a number of netcat versions out there that work with IPv6 just fine. WIN
p0f - this one wasn't on my list for the SANSFIRE talk because, frankly, it just occurred to me about 1.5 weeks ago. Unfortunately, it doesn't support IPv6 now and seems to no longer be supported. I haven't sent off a request to the author though. FAIL
prads - As a result of p0f not handling IPv6, I started looking around for tools that could do passive (or active) OS fingerprinting of IPv6 traffic and happened across prads. It looks promising. Is there anything else out there? WIN
There you have the tools that I've looked at and some that I've just thought about. I'm sure I've missed some tools/categories that are important to some of the rest of you. Please feel free to use the comment section or contact form to let me know what I missed.
Update: Since the previous diary, one of our readers pointed out that a new version of httpry (v0.1.6) has just been released that does handle IPv6. Also, due to some personal issues, I haven't been able to get back to any of my scripts until this week. I've updated the tools in http://handlers.sans.edu/jclausing/ipv6/ to handle type 0, 43, and 60 extension headers (hop-by-hop, routing header, and destination options).
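Handling those extension headers is what trips up a lot of IPv4-era analysis scripts: in IPv4 the transport protocol sits at a fixed offset, but in IPv6 the "next header" field of the base header may name a chain of extension headers that has to be walked before you reach TCP, UDP or ICMPv6. The code below is an added example of mine, not one of the scripts at the URL above, showing the walk for the three header types named in the update (plus the fixed-length fragment header), with the length rule each one uses and a check that a hop-by-hop header only appears first, as the spec requires. The packet it parses is a constructed sample built by the helper, not captured traffic.

```python
import ipaddress
import struct
from typing import List, Optional, Tuple

# Next-header values for the extension headers this walker understands.
HOP_BY_HOP = 0        # must immediately follow the base IPv6 header
ROUTING = 43
FRAGMENT = 44         # fixed 8-byte header; its second byte is reserved
DEST_OPTIONS = 60
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTIONS}
IPV6_HEADER_LEN = 40
MAX_CHAIN = 16        # sanity cap so a crafted packet cannot keep us looping

def walk_extension_headers(packet: bytes) -> Optional[Tuple[int, int, List[int]]]:
    """Walk the extension-header chain of a raw IPv6 packet.

    Returns (upper_layer_protocol, payload_offset, chain) where chain lists the
    extension header types seen in order, or None if the packet is truncated,
    is not IPv6, or has a hop-by-hop header anywhere but first."""
    if len(packet) < IPV6_HEADER_LEN or packet[0] >> 4 != 6:
        return None
    payload_len = struct.unpack_from("!H", packet, 4)[0]
    end = IPV6_HEADER_LEN + payload_len
    if end > len(packet):
        return None                      # truncated capture
    next_header = packet[6]
    offset = IPV6_HEADER_LEN
    chain: List[int] = []
    while next_header in EXTENSION_HEADERS:
        if next_header == HOP_BY_HOP and chain:
            return None                  # hop-by-hop not first: malformed
        if offset + 8 > end or len(chain) >= MAX_CHAIN:
            return None
        chain.append(next_header)
        if next_header == FRAGMENT:
            ext_len = 8                  # fragment header is always 8 bytes
        else:
            # hdr ext len is in 8-octet units, not counting the first 8
            ext_len = (packet[offset + 1] + 1) * 8
        if offset + ext_len > end:
            return None
        next_header = packet[offset]     # first byte names what follows
        offset += ext_len
    return next_header, offset, chain

def build_sample_packet(chain=(HOP_BY_HOP, ROUTING, DEST_OPTIONS), upper: int = 6) -> bytes:
    """Constructed sample: base header, minimal 8-byte extension headers in the
    given order, then 20 zero bytes standing in for the upper-layer header."""
    exts = b""
    for i, hdr in enumerate(chain):
        following = chain[i + 1] if i + 1 < len(chain) else upper
        exts += bytes([following, 0]) + bytes(6)   # next header, len 0, padding
    payload = exts + bytes(20)
    first = chain[0] if chain else upper
    base = struct.pack("!IHBB", 0x60000000, len(payload), first, 64)
    base += ipaddress.IPv6Address("2001:db8::1").packed   # documentation prefix
    base += ipaddress.IPv6Address("2001:db8::2").packed
    return base + payload

if __name__ == "__main__":
    print(walk_extension_headers(build_sample_packet()))
```

A script that only reads byte 6 of the base header would report "hop-by-hop" as the protocol of the sample packet and never see the TCP header 24 bytes further on; the walker returns protocol 6 at offset 64 along with the chain it crossed, and returns None for truncated or misordered input rather than guessing.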
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
SANS FOR558-Network Forensics coming to central OH in Sep, see http://www.sans.org/mentor/details.php?nid=25749
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.