Snort mailing list archives
Re: Snort and GTP encapsulation info
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 13 Feb 2017 13:13:00 +0000
Complete example.

cliffjumper$ ./bin/snort -c etc/ANA-GTP.conf -r etc/ANA-GTP.pcap -Acmg -k none -q
09/08-20:20:15.504682  [**] [1:10000004:0] gtp_type 16 [**] [Priority: 0] {UDP} 10.1.2.3:48620 -> 10.9.8.7:3386
09/08-20:20:15.504682 02:01:02:03:04:05 -> 02:09:08:07:06:05 type:0x800 len:0x6C
10.1.2.3:48620 -> 10.9.8.7:3386 UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:94
Len: 66
10 10 00 2E 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 06 00 00 01 0F 02 10 00 01 11 00 00  ................
80 00 02 01 21 83 00 07 65 78 70 6C 6F 69 74 85  ....!...exploit.
00 04 C0 A8 01 01 85 00 04 C0 A8 01 01 86 00 02  ................
00 00                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/08-20:20:15.504829  [**] [1:10000004:0] gtp_type 16 [**] [Priority: 0] {UDP} 10.1.2.3:48620 -> 10.9.8.7:2123
09/08-20:20:15.504829 02:01:02:03:04:05 -> 02:09:08:07:06:05 type:0x800 len:0x64
10.1.2.3:48620 -> 10.9.8.7:2123 UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:86
Len: 58
32 10 00 32 00 00 00 01 00 01 00 00 06 00 00 01  2..2............
0F 02 10 00 01 11 00 00 80 00 02 01 21 83 00 07  ............!...
65 78 70 6C 6F 69 74 85 00 04 C0 A8 01 01 85 00  exploit.........
04 C0 A8 01 01 86 00 02 00 00                    ..........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/08-20:20:15.504829  [**] [1:10000003:0] gtp_version 1 [**] [Priority: 0] {UDP} 10.1.2.3:48620 -> 10.9.8.7:2123
09/08-20:20:15.504829 02:01:02:03:04:05 -> 02:09:08:07:06:05 type:0x800 len:0x64
10.1.2.3:48620 -> 10.9.8.7:2123 UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:86
Len: 58
32 10 00 32 00 00 00 01 00 01 00 00 06 00 00 01  2..2............
0F 02 10 00 01 11 00 00 80 00 02 01 21 83 00 07  ............!...
65 78 70 6C 6F 69 74 85 00 04 C0 A8 01 01 85 00  exploit.........
04 C0 A8 01 01 86 00 02 00 00                    ..........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/08-20:20:15.504901  [**] [1:10000005:0] gtp_type 32 [**] [Priority: 0] {UDP} 10.1.2.3:48620 -> 10.9.8.7:2123
09/08-20:20:15.504901 02:01:02:03:04:05 -> 02:09:08:07:06:05 type:0x800 len:0x45
10.1.2.3:48620 -> 10.9.8.7:2123 UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:55
Len: 27
58 20 00 17 00 00 00 01 00 01 00 00 5D 00 00 00  X ..........]...
47 00 07 00 65 78 70 6C 6F 69 74                 G...exploit

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: allewi <allewi () cisco com>
Date: Monday, February 13, 2017 at 7:45 AM
To: Ana Serrano Mamolar <B00315494 () studentmail uws ac uk>
Cc: 'snort-users' <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort and GTP encapsulation info

Try these with the pcap I sent you. These are for the version and type.

alert udp any any -> any any ( msg:"gtp_version 1"; sid:10000003; gtp_version:1;)
alert udp any any -> any any ( msg:"gtp_type 16"; sid:10000004; gtp_type:16; )
alert udp any any -> any any ( msg:"gtp_type 32"; sid:10000005; gtp_type:32; )

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Ana Serrano Mamolar <B00315494 () studentmail uws ac uk>
Date: Monday, February 13, 2017 at 7:32 AM
To: allewi <allewi () cisco com>
Cc: 'snort-users' <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort and GTP encapsulation info

Thanks Albert,

My rules are similar to yours, but with gtp_version and gtp_type:

alert udp any any -> any any ( msg:"gtp_version"; sid:10000003; gtp_version:1;)
alert udp any any -> any any ( msg:"gtp_type"; sid:10000004; gtp_type:255; )

So, when I add any of these gtp params, the alert is not triggering. It seems like it is not processing gtp information correctly.

My snort.conf is like the manual says:

config enable_gtp
portvar GTP_PORTS [2152,3386]
preprocessor gtp: ports { 2123 3386 2152 }

Thanks

________________________________
From: Al Lewis (allewi) <allewi () cisco com>
Sent: 13 February 2017 12:04:55
To: Ana Serrano Mamolar
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and GTP encapsulation info

Example attached.

cliffjumper$ ./bin/snort -c etc/ANNA-gtp.conf -r etc/ANNA-gtp.pcap -Acmg -k none -q
09/08-20:20:15.504682  [**] [1:1:0] gtp_info numeric [**] [Priority: 0] {UDP} 10.1.2.3:48620 -> 10.9.8.7:3386
09/08-20:20:15.504682 02:01:02:03:04:05 -> 02:09:08:07:06:05 type:0x800 len:0x6C
10.1.2.3:48620 -> 10.9.8.7:3386 UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:94
Len: 66
10 10 00 2E 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 06 00 00 01 0F 02 10 00 01 11 00 00  ................
80 00 02 01 21 83 00 07 65 78 70 6C 6F 69 74 85  ....!...exploit.
00 04 C0 A8 01 01 85 00 04 C0 A8 01 01 86 00 02  ................
00 00                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/08-20:20:15.504901  [**] [1:2:0] gtp_info numeric [**] [Priority: 0] {UDP} 10.1.2.3:48620 -> 10.9.8.7:2123
09/08-20:20:15.504901 02:01:02:03:04:05 -> 02:09:08:07:06:05 type:0x800 len:0x45
10.1.2.3:48620 -> 10.9.8.7:2123 UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:55
Len: 27
58 20 00 17 00 00 00 01 00 01 00 00 5D 00 00 00  X ..........]...
47 00 07 00 65 78 70 6C 6F 69 74                 G...exploit

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

alert udp any any -> any any ( msg:"gtp_info numeric"; sid:1; gtp_info:131; )
alert udp any any -> any any ( msg:"gtp_info numeric"; sid:2; gtp_info:71; )

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: allewi <allewi () cisco com>
Date: Monday, February 13, 2017 at 6:42 AM
To: Ana Serrano Mamolar <B00315494 () studentmail uws ac uk>, "Joel Esler (jesler)" <jesler () cisco com>
Cc: 'snort-users' <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort and GTP encapsulation info

Can you send us the pcap please?

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Ana Serrano Mamolar <B00315494 () studentmail uws ac uk>
Date: Monday, February 13, 2017 at 6:29 AM
To: "Joel Esler (jesler)" <jesler () cisco com>
Cc: 'snort-users' <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort and GTP encapsulation info

Hi again,

I can not make the Snort gtp preprocessor and decoder work. I have reviewed the snort manual many times and followed its instructions to configure it to be able to manage gtp rules. These are the lines in my snort.conf related to gtp:

config enable_gtp
portvar GTP_PORTS [2152,3386]
preprocessor gtp: ports { 2123 3386 2152 }

I have also checked that stream5 and frag3 are active, and I saw that they were by default in my configuration. Is there any other way to check it better?

Then, I have tried with a pcap I have that includes GTP encapsulation. I can see that with Wireshark, and also its gtp version and message type. Unfortunately, when I add some gtp_version (I tried with the three, just in case) or gtp_type in my rule it doesn't trigger the alert. My alert is a very simple one for UDP, that used to be triggered with this pcap before adding any gtp rule.

Has anybody had the same problem, or does anybody know how it could be solved?

Thanks

________________________________
From: Ana Serrano Mamolar <B00315494 () studentmail uws ac uk>
Sent: 09 February 2017 11:10:37
To: Joel Esler (jesler)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and GTP encapsulation info

Thanks Joel,

I didn't know this tool until now, very useful. Now, I have run it with my last snort.u2 log, but I can not get any gtp information. As I said, I have already enabled gtp in my config file. Should I use any special option when running Snort to obtain this gtp information?

Thanks

________________________________
From: Joel Esler (jesler) <jesler () cisco com>
Sent: 08 February 2017 20:06:32
To: Ana Serrano Mamolar
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and GTP encapsulation info

It may not be a field that is inserted into the db. It may be in the unified2 output file that you can access with u2spewfoo in the contrib/ directory.

--
Joel Esler | Talos: Manager | jesler () cisco com

On Feb 8, 2017, at 2:54 PM, Ana Serrano Mamolar <B00315494 () studentmail uws ac uk> wrote:

Hi all,

Again with an encapsulation question. I am trying to understand how Snort manages GTP encapsulation, which I know is supported. I have already enabled gtp in my config file with "config enable_gtp". I run Snort with different pcaps that I have that include GTP and try to see which info I obtain from Snort, with a very silly rule to be sure that it is triggered.

My question is the following: does somebody know where in the database the TEID (tunnel identifier) of the packet that triggered the alert is stored? I have seen in the Snort source code that it's parsed. But then I can not find it in the database.

Thanks
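The alerts above are easier to read once the three UDP payloads are decoded by hand. The following is an added example, not code from this thread and not Snort's decoder: a small GTP v0/v1/v2 header and information-element walker that takes the payload bytes from the hexdumps above and reports what the gtp_version, gtp_type and gtp_info rule options key on (the version bits, the message type, and the IE types present). The fixed-length IE table is filled from GSM 09.60 (v0) and 3GPP TS 29.060 (v1) for common types only, so an IE type it has no length for stops the walk rather than guessing an offset; the rule list mirrors the five rules posted by Al Lewis. Note that the port-2123 GTPv1 message in the test pcap carries the same IE bytes as the GTPv0 message, starting with type 6 (the v0 QoS profile), which TS 29.060 does not define, so the walker returns no IEs for it; that agrees with the alert output above, where sid 1 (gtp_info:131) fired on the port-3386 packet only.

```python
"""Minimal GTP v0/v1/v2 header and information-element (IE) walker. Added
example: not code from this thread and not Snort's decoder. It parses the UDP
payloads from the Snort hexdumps above and reports the fields that the
gtp_version, gtp_type and gtp_info rule options key on."""
import struct

# Fixed-length (TV) IEs by version: GSM 09.60 for v0, 3GPP TS 29.060 for v1
# (common types only). Types >= 128 are TLV with a 2-byte length in both.
TV_IE_LEN = {0: {1: 1, 2: 8, 3: 6, 4: 4, 5: 4, 6: 3, 14: 1, 15: 1, 16: 2, 17: 2, 18: 3},
             1: {1: 1, 2: 8, 3: 6, 4: 4, 5: 4, 8: 1, 14: 1, 15: 1, 16: 4, 17: 4, 19: 1, 20: 1}}

# UDP payloads copied byte-for-byte from the hexdumps in the Snort output above.
SAMPLES = {
    "v0_port3386": bytes.fromhex("10 10 00 2E 00 00 00 00 00 00 00 00 00 00 00 00"
        "00 00 00 00 06 00 00 01 0F 02 10 00 01 11 00 00 80 00 02 01 21 83 00 07"
        "65 78 70 6C 6F 69 74 85 00 04 C0 A8 01 01 85 00 04 C0 A8 01 01 86 00 02 00 00"),
    "v1_port2123": bytes.fromhex("32 10 00 32 00 00 00 01 00 01 00 00 06 00 00 01"
        "0F 02 10 00 01 11 00 00 80 00 02 01 21 83 00 07 65 78 70 6C 6F 69 74 85"
        "00 04 C0 A8 01 01 85 00 04 C0 A8 01 01 86 00 02 00 00"),
    "v2_port2123": bytes.fromhex("58 20 00 17 00 00 00 01 00 01 00 00 5D 00 00 00"
        "47 00 07 00 65 78 70 6C 6F 69 74"),
}

# The thread's five rules, reduced to the options this decoder evaluates.
RULES = [{"sid": 10000003, "gtp_version": 1}, {"sid": 10000004, "gtp_type": 16},
         {"sid": 10000005, "gtp_type": 32}, {"sid": 1, "gtp_info": 131}, {"sid": 2, "gtp_info": 71}]

def _slice(buf, start, length):
    chunk = buf[start:start + length]           # refuse to silently return fewer bytes
    if len(chunk) != length:
        raise ValueError("field runs past the end of the message")
    return chunk

def walk_v0_v1(body, version):
    """Return (ies, unsized): [(type, value)] and the first TV type with no known length."""
    table, ies, off = TV_IE_LEN[version], [], 0
    while off < len(body):
        ie_type = body[off]
        if ie_type & 0x80:                      # TLV: type, len(2), value
            ie_len = struct.unpack("!H", _slice(body, off + 1, 2))[0]
            start = off + 3
        else:                                   # TV: type, fixed-size value
            ie_len, start = table.get(ie_type), off + 1
            if ie_len is None:                  # nothing after it can be located
                return ies, ie_type
        ies.append((ie_type, _slice(body, start, ie_len)))
        off = start + ie_len
    return ies, None

def walk_v2(body):
    """v2 IEs are type(1) len(2) spare|instance(1) value; instance is dropped."""
    ies, off = [], 0
    while off < len(body):
        ie_type, ie_len = struct.unpack("!BHx", _slice(body, off, 4))
        ies.append((ie_type, _slice(body, off + 4, ie_len)))
        off += 4 + ie_len
    return ies

def parse_gtp(payload):
    """Decode one GTP message (a UDP payload) into header fields plus IEs."""
    version = payload[0] >> 5
    if len(payload) < {0: 20, 1: 8, 2: 4}.get(version, 1 << 16):
        raise ValueError("unsupported GTP version or truncated header")
    pkt = {"version": version, "teid": None, "seq": None, "unsized_ie": None}
    if version == 0:    # flags, type, len, seq(2), flow(2), N-PDU, spare(3), TID(8)
        pkt["type"], length, pkt["seq"] = struct.unpack_from("!xBHH", payload)
        pkt["tid"] = payload[12:20].hex()
        pkt["ies"], pkt["unsized_ie"] = walk_v0_v1(_slice(payload, 20, length), 0)
    elif version == 1:  # flags, type, len, TEID; len counts bytes after the TEID
        flags, pkt["type"], length, pkt["teid"] = struct.unpack_from("!BBHI", payload)
        body, next_ext = _slice(payload, 8, length), 0
        if flags & 0x07:  # E, S or PN set: seq(2), N-PDU, next-ext-type word present
            pkt["seq"], _npdu, next_ext = struct.unpack("!HBB", _slice(body, 0, 4))
            body = body[4:]
        while next_ext:   # ext header: len in 4-octet units, content, next type
            ext_len = body[0] * 4 if body else 0
            if ext_len == 0 or ext_len > len(body):
                raise ValueError("bad GTPv1 extension header")
            next_ext, body = body[ext_len - 1], body[ext_len:]
        pkt["ies"], pkt["unsized_ie"] = walk_v0_v1(body, 1)
    else:               # flags, type, len; TEID if T bit; seq(3) + spare; IEs
        flags, pkt["type"], length = struct.unpack_from("!BBH", payload)
        body = _slice(payload, 4, length)
        if flags & 0x08:
            pkt["teid"], body = struct.unpack("!I", _slice(body, 0, 4))[0], body[4:]
        pkt["seq"], body = int.from_bytes(_slice(body, 0, 3), "big"), body[4:]
        pkt["ies"] = walk_v2(body)
    return pkt

def rule_matches(pkt, rule):
    ie_types = {t for t, _ in pkt["ies"]}      # AND of the rule's gtp_* options
    return (rule.get("gtp_version", pkt["version"]) == pkt["version"]
            and rule.get("gtp_type", pkt["type"]) == pkt["type"]
            and ("gtp_info" not in rule or rule["gtp_info"] in ie_types))

def run_rules(rules=RULES, samples=SAMPLES):
    """Map sid -> names of the sample packets it fires on (the alert list above)."""
    pkts = {name: parse_gtp(p) for name, p in samples.items()}
    return {r["sid"]: [n for n, pkt in pkts.items() if rule_matches(pkt, r)] for r in rules}
```

run_rules() reproduces the alert list from the thread: sid 10000003 fires on the GTPv1 packet only, sid 10000004 on both type-16 packets, sid 10000005 and sid 2 on the GTPv2 packet, and sid 1 on the GTPv0 packet only. Length fields that overrun the payload raise instead of being clamped, and the v0 TID and v1/v2 TEID come out as plain fields, which is the value the original question asked about.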
Attachment:
ANA-GTP.conf
Description: ANA-GTP.conf
Attachment:
ANA-GTP.pcap
Description: ANA-GTP.pcap
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort and GTP encapsulation info Ana Serrano Mamolar (Feb 08)
- Re: Snort and GTP encapsulation info Joel Esler (jesler) (Feb 08)
- Re: Snort and GTP encapsulation info Ana Serrano Mamolar (Feb 09)
- Re: Snort and GTP encapsulation info Ana Serrano Mamolar (Feb 13)
- Re: Snort and GTP encapsulation info Al Lewis (allewi) (Feb 13)
- Re: Snort and GTP encapsulation info Al Lewis (allewi) (Feb 13)
- Re: Snort and GTP encapsulation info Ana Serrano Mamolar (Feb 13)
- Re: Snort and GTP encapsulation info Al Lewis (allewi) (Feb 13)
- Re: Snort and GTP encapsulation info Al Lewis (allewi) (Feb 13)
- Re: Snort and GTP encapsulation info Ana Serrano Mamolar (Feb 09)
- Re: Snort and GTP encapsulation info Joel Esler (jesler) (Feb 08)
- Re: Snort and GTP encapsulation info Ana Serrano Mamolar (Feb 13)
- Re: Snort and GTP encapsulation info Ana Serrano Mamolar (Feb 13)
- Re: Snort and GTP encapsulation info Al Lewis (allewi) (Feb 13)
- Re: Snort and GTP encapsulation info Ana Serrano Mamolar (Feb 14)
- Re: Snort and GTP encapsulation info Al Lewis (allewi) (Feb 14)
- Re: Snort and GTP encapsulation info Ana Serrano Mamolar (Feb 14)
- Re: Snort and GTP encapsulation info Ana Serrano Mamolar (Feb 14)
- Re: Snort and GTP encapsulation info Ana Serrano Mamolar (Feb 14)
- Re: Snort and GTP encapsulation info Ana Serrano Mamolar (Feb 14)
- Re: Snort and GTP encapsulation info Al Lewis (allewi) (Feb 14)