readme.ipv6

This is the snapshot of Snot Latest Rules

Overview
========

Some versions of BSD are vulnerable to an attack that involves sending two 
fragmented ICMPV6 packets with specific fragmentation flags (see Bugtraq ID
22901 or CVE-2007-1365).  Snort will, by default alert if it sees the both
packets in sequence, or the second packet by itself.  

Snort will keep track of multiple simultaneous IPv6 fragmented ICMPv6 sessions,
up to a user-configurable timeout or until a session can be confirmed to be 
safe.

Configuration
=============

This module is enabled by default.  To configure its behavior, add a line to
snort.conf with:
    
    ipv6_frag <option1 arg1>[, <option2 arg2>, ...]

Options:
   
    bsd_icmp_frag_alert [on/off]    -       Whether or not to alert on the 
                                            BSD fragmented ICMPv6 vulnerability

    bad_ipv6_frag_alert [on/off]    -       Whether or not to alert if the 
                                            second packet is seen by itself

    frag_timeout [integer]          -       Length of time to track the attack
                                            in seconds.  Min 0, max 3600, 
                                            default 60 (consistent with BSD's
                                            internal default).

    max_frag_sessions [integer]     -       Total number of possible attacks 
                                            to track.  Min 0, default 10000.

To enable drops in inline mode, use "config enable_decode_drops".