Snort mailing list archives
Re: GRE preprocessor and rules
From: Ana Serrano Mamolar <B00315494 () studentmail uws ac uk>
Date: Fri, 17 Feb 2017 13:02:41 +0000
Ok, many thanks Albert.

________________________________
From: Al Lewis (allewi) <allewi () cisco com>
Sent: 17 February 2017 12:49:34
To: Ana Serrano Mamolar
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] GRE preprocessor and rules

If it's not listed/documented there then I don't think it is supported.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Ana Serrano Mamolar <B00315494 () studentmail uws ac uk>
Date: Friday, February 17, 2017 at 4:31 AM
To: allewi <allewi () cisco com>
Cc: 'snort-users' <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] GRE preprocessor and rules

Hi Albert,

In README.gre they say "Snort does not support more than 1 layer of GRE encapsulation", so that is

| Eth | IP | GRE | IP | GRE | IP | TCP | Payload |

But it doesn't say anything about any other double encapsulation such as

| Eth | IP | GRE | IP | GTP | IP | UDP | Payload |

Is this not supported either?

Thanks

________________________________
From: Al Lewis (allewi) <allewi () cisco com>
Sent: 17 February 2017 04:11:13
To: Ana Serrano Mamolar
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] GRE preprocessor and rules

See the README.gre file for more info... only one layer of encapsulation is supported.

ALLEWI-M-8257:snort-2.9.9.0-released allewi$ cat etc/ANA3.conf | grep alert
alert icmp 1.1.1.1 any -> any any (msg:"INNER IP"; sid:10000004;)
ALLEWI-M-8257:snort-2.9.9.0-released allewi$ tcpdump -n -r etc/ANA-GRE.pcap
reading from file etc/ANA-GRE.pcap, link-type EN10MB (Ethernet)
07:06:06.434897 IP 10.0.0.1 > 10.0.0.2: GREv0, length 104: IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 2, seq 0, length 80
ALLEWI-M-8257:snort-2.9.9.0-released allewi$ ./bin/snort -c etc/ANA3.conf -r etc/ANA-GRE.pcap -Acmg -q
06/21-07:06:06.434897 [**] [1:10000004:0] INNER IP [**] [Priority: 0] {ICMP} 1.1.1.1 -> 2.2.2.2
06/21-07:06:06.434897 C2:00:57:75:00:00 -> C2:01:57:75:00:00 type:0x800 len:0x8A
10.0.0.1 -> 10.0.0.2 GRE TTL:255 TOS:0x0 ID:10 IpLen:20 DgmLen:124
GRE version:0 flags:0x00 ether-type:0x0800
1.1.1.1 -> 2.2.2.2 ICMP TTL:255 TOS:0x0 ID:10 IpLen:20 DgmLen:100
Type:8 Code:0 ID:2 Seq:0 ECHO
00 00 00 00 00 03 BE 70 AB CD AB CD AB CD AB CD .......p........
AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD ................
AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD ................
AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD ................
AB CD AB CD AB CD AB CD ........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Ana Serrano Mamolar <B00315494 () studentmail uws ac uk>
Date: Thursday, February 16, 2017 at 2:09 PM
To: 'snort-users' <snort-users () lists sourceforge net>
Subject: [Snort-users] GRE preprocessor and rules

Hi,

Does somebody know how to use rules to filter by the inner IP in case of GRE encapsulation? That is, in the following case,

| Eth | IP1 | GRE | IP2 | TCP | Payload |

is it possible by default to trigger an alert matching a rule with IP2?

Thanks
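As an added example (not code from the thread or from Snort itself), the following Python walks a constructed Eth/IP/GRE/IP/ICMP frame shaped like Albert's pcap the way a GRE-aware decoder must in order to expose the inner header to a rule such as `alert icmp 1.1.1.1 any -> any any`, and follows only one GRE layer by default, mirroring the README.gre limit. The frame bytes, the simplified `rule_matches` helper and the `max_gre_layers` knob are assumptions for illustration.

```python
import socket
import struct

ETH_IPV4, IP_PROTO_GRE, IP_PROTO_ICMP = 0x0800, 47, 1
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def decode_ip_layers(frame, max_gre_layers=1):
    """Return the IPv4 headers in an Ethernet frame, outermost first. Like the
    decoder described in README.gre, it follows at most one GRE layer by default."""
    layers, gre_seen, off = [], 0, 14
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return layers
    while True:
        ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
        layers.append({"src": socket.inet_ntoa(frame[off + 12:off + 16]),
                       "dst": socket.inet_ntoa(frame[off + 16:off + 20]), "proto": proto})
        if proto != IP_PROTO_GRE or gre_seen >= max_gre_layers:
            return layers
        off += ihl
        flags, ptype = struct.unpack("!HH", frame[off:off + 4])
        if flags & 0x0007 or ptype != ETH_IPV4:   # not GREv0 carrying IPv4: stop here
            return layers
        # checksum (0x8000), key (0x2000) and sequence (0x1000) add 4 bytes each
        off += 4 + 4 * bin(flags & 0xB000).count("1")
        gre_seen += 1

def rule_matches(rule, layers):
    """Simplified Snort header check (proto, src, dst with 'any' wildcards)
    against the innermost decoded IP header, which is what Snort matches after GRE."""
    inner = layers[-1]
    return (PROTO_NAMES.get(inner["proto"]) == rule["proto"]
            and rule["src"] in ("any", inner["src"])
            and rule["dst"] in ("any", inner["dst"]))

def ipv4(src, dst, proto, payload):
    """Constructed IPv4 header without options; checksum left zero (not verified here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 10, 0, 255,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def build_frame(gre_layers=1):
    """Constructed frame shaped like the thread's pcap: Eth/IP/GRE/IP/ICMP echo (138 bytes)."""
    pkt = ipv4("1.1.1.1", "2.2.2.2", IP_PROTO_ICMP,
               struct.pack("!BBHHH", 8, 0, 0, 2, 0) + b"\xab\xcd" * 36)
    for _ in range(gre_layers):   # GREv0, no option fields, ether-type 0x0800
        pkt = ipv4("10.0.0.1", "10.0.0.2", IP_PROTO_GRE, struct.pack("!HH", 0, ETH_IPV4) + pkt)
    return bytes.fromhex("c20157750000c20057750000") + struct.pack("!H", ETH_IPV4) + pkt

RULE = {"proto": "icmp", "src": "1.1.1.1", "dst": "any"}  # alert icmp 1.1.1.1 any -> any any
```

With a second GRE layer the innermost decoded header is still the GRE carrier, so `rule_matches(RULE, decode_ip_layers(build_frame(2)))` is False until `max_gre_layers` is raised, which is what the README.gre limit means in practice.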