RSA Admin

IPv6 formatting issue in certain tables?

Discussion created by RSA Admin Employee on May 20, 2011
Latest reply on Jul 7, 2011 by RSA Admin

I've noticed that IPv6 addresses don't show up properly within certain tables and reports for the RSA enVision.  This is on RSA enVision 4.0 SP4.


Here's how to reproduce the results even if you don't have IPv6 deployed across your network, as long as you didn't explicitly disable IPv6 on your Linux server.


1. SSH to a Linux server (RHEL5 used) and enter the command /sbin/ifconfig


2. For your network interfaces (likely eth0) look for a line with "inet6 addr". This will be the link local IPv6 address for that interface.


3. SSH to this link-local address from the server (i.e. from your existing SSH session)


ssh <username>@<IPV6address>%<interface>

ex: ssh jsmith@fe80::123:4567:890a:bcde%eth0


4. Enter the wrong password, followed by the right password (i.e. 2 logins in order to generate both types of events)


5. In the RSA enVision, go to Analysis | Query | Create new query


6. Select Table "Unix"


7. To filter out logs from other systems, for "DeviceAddress" enter the IPv4 IP address of the Linux system that you connected to above


8. In the results, look at SourceAddress.  It'll be truncated to 16 characters (likely to fit the IPv4 format


When generating the query if you enter the truncated IPv6 address in the SourceAddress field, your search will produce results.


If you enter the full IPv6 address in the SourceAddress field, your search will not produce results.


The canned report (Linux - Failed Authentication by Device) will also have the IPv6 address truncated.


There is another topic on this board on IPv6 in which it shows a firewall table with a properly formatted IPv6 address, so I'm guess that what's needed is a review of all tables to confirm that they can accommodate 39-character long (32 hex + 7 colon) IPv6 addresses?