Skip to content

Instantly share code, notes, and snippets.

Created January 26, 2018 17:06
What would you like to do?
MITM6 IDS Signatures
# Snort & Suricata signatures for:
alert udp fe80::/12 [546,547] -> fe80::/12 [546,547] (msg:"FOX-SRT - Policy - DHCPv6 advertise"; content:"|02|"; offset:48; depth:1; reference:url,; threshold:type limit, track by_src, count 1, seconds 3600; classtype:policy-violation; sid:21002327; rev:2;)
alert udp ::/0 53 -> any any (msg:"FOX-SRT - Suspicious - WPAD DNS reponse over IPv6"; byte_test:1,&,0x7F,2; byte_test:2,>,0,6; content:"|00 04|wpad"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 1800; reference:url,; classtype:attempted-admin; priority:1; sid:21002330; rev:1;)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment