Latest version: 2.1.0

NDPMon in the press

Downloads

Documentation

Plugins

Training

Community

edit SideBar

Custom Rules Plugin

The rules plugin lets the user define custom rules for raising alerts. Those rules include one or more matches that can be used to check the value of predefined packet fields. Some of the fields defined do not expect a value, they just check for occurences of Neighbor Discovery options. Some of them are also a shortcut to check the ICMPv6 type of a message.

Build

To build it, simply enable it in the configure script

  1. ./configure --enable-rules

Configuration

  1. <config_ndpmon>
  2.   [...]
  3.   <rule description="<describe the purpose of this rule>">
  4.       <match field="<field name>" value="<field value, if any>" />
  5.       <!-- you may define multiple matches... -->
  6.       <!-- there is also a negative match type
  7.            to express that a condition shall not apply to the packet
  8.         -->
  9.       <no-match field="<field name>" value="<field value, if any>" />
  10.   </rule>
  11.   [...]
  12. </config_ndpmon>

Fields

Fields may have one of the following types:

Type Description
ethernet address IEEE 802.3 MAC address, e.g. FF:FF:FF:FF:FF:FF
ipv6 address IPv6 address, may also be expressed in prefix notation. For instance fe80::/10
uint8 / uint16 / uint32 Unsigned 8-bit/16-bit/32-bit integer value.

The following fields can be matched in rules:

Field name Type
ethernet.source ethernet address
ethernet.destination ethernet address
inet6.source ipv6 address
inet6.destination ipv6 address
inet6.payload uint16
inet6.nextheader uint8
inet6.hoplimit uint8
icmp6.type uint8
icmp6.code uint8
nd.rs no value expected
nd.ra no value expected
nd.ns no value expected
nd.na no value expected
nd.rd no value expected
nd.ra.curhoplimit uint8
nd.ra.flag.managed no value expected
nd.ra.flag.other no value expected
nd.ra.flag.homeagent no value expected
nd.ra.lifetime uint16
nd.ra.reachabletimer uint32
nd.ra.retranstimer uint32
nd.ns.targetaddress ipv6 address
nd.na.flag.router no value expected
nd.na.flag.solicited no value expected
nd.na.flag.override no value expected
nd.na.targetaddress ipv6 address
nd.rd.targetaddress ipv6 address
nd.rd.destinationaddress ipv6 address
nd.opt.sourcelinklayer no value expected
opt.targetlinklayer no value expected
nd.opt.prefixinfo no value expected
nd.opt.mtu no value expected
nd.opt.sourcelinklayer.address ethernet address
nd.opt.targetlinklayer.address ethernet address
nd.opt.prefixinfo.flag.onlink no value expected
nd.opt.prefixinfo.flag.autoconf no value expected
nd.opt.prefixinfo.validlifetime uint32
nd.opt.prefixinfo.preferredlifetime uint32
nd.opt.prefixinfo.prefix ipv6 address
nd.opt.mtu.mtu uint32