Snort mailing list archives
GRE PPTP/EAP inspection
From: Teodor Lupan via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 26 Mar 2020 13:48:39 +0200
Hi everybody!

I am trying to match on a GRE/PPTP packet with the specific content "|c2 27 01|", which translates to an EAP code Request, with a signature like:

alert ip any any -> any any (msg:"EAP Request"; ip_proto:47; dsize: > 260; content: "|c2 27 01|"; offset: 0; rawbytes;)

According to https://www.snort.org/faq/readme-gre this should have worked; the GRE decoder is enabled, but still the payload seems to be encapsulated, as I am unable to match on rawbytes content... or maybe I am missing something.

Do you have any suggestions to make this work? (I have attached a pcap.)

Thanks!
Attachment: pptp_eap.pcap
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
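Where the three bytes c2 27 01 actually sit depends on which headers have been stripped before the content match runs. As an added example (editor's code, not part of the thread and not the attached pcap), the Python below decapsulates IPv4 -> GRE version 1 (the enhanced GRE that PPTP uses, RFC 2637) -> PPP -> EAP by hand and reports the offset of c2 27 01 relative to the raw IP payload and relative to the PPP frame, for a constructed EAP-Request built once without and once with the HDLC ff 03 address/control bytes. The addresses, call ID, sequence numbers and EAP identity in the packet are made up for the example.

```python
"""Walk IPv4 -> GRE v1 (PPTP, RFC 2637) -> PPP -> EAP by hand and report
where the bytes c2 27 01 (PPP protocol 0xC227 = EAP, then EAP code 1 =
Request) sit in the raw IP payload versus in the decapsulated PPP frame.

Constructed example: the packets built here are for illustration only and
are not the pcap attached to the post."""
import struct

IPPROTO_GRE = 47
GRE_PROTO_PPP = 0x880B            # protocol type carried by PPTP's enhanced GRE
PPP_PROTO_EAP = 0xC227
EAP_CODE_REQUEST = 1
PATTERN = bytes.fromhex("c22701")  # the content the rule in the post looks for


def parse_ipv4(pkt):
    """Return (protocol, payload) for an IPv4 packet, honouring IHL."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], pkt[ihl:]


def parse_gre_v1(data):
    """Enhanced GRE header (RFC 2637): flags/version, protocol type, key
    (payload length + call ID), optional sequence and acknowledgement numbers.
    Returns (protocol type, call ID, inner PPP frame)."""
    flags, proto = struct.unpack("!HH", data[:4])
    if flags & 0x0007 != 1:
        raise ValueError("not GRE version 1")
    if not flags & 0x2000:
        raise ValueError("PPTP GRE must carry the key field")
    hdr_len = 8
    if flags & 0x1000:            # S: sequence number present
        hdr_len += 4
    if flags & 0x0080:            # A: acknowledgement number present
        hdr_len += 4
    payload_len, call_id = struct.unpack("!HH", data[4:8])
    return proto, call_id, data[hdr_len:hdr_len + payload_len]


def parse_ppp(frame):
    """PPP frame as carried by PPTP: optional HDLC address/control (ff 03),
    then a one-byte (PFC) or two-byte protocol field. Returns (protocol, info)."""
    off = 2 if frame[:2] == b"\xff\x03" else 0
    if frame[off] & 1:            # PFC: an odd first byte means a one-byte protocol
        return frame[off], frame[off + 1:]
    proto = struct.unpack("!H", frame[off:off + 2])[0]
    return proto, frame[off + 2:]


def parse_eap(data):
    """EAP header: code, identifier, length, then a type byte for Request/Response.
    Returns (code, identifier, length, type or None)."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    eap_type = data[4] if code in (1, 2) and length > 4 else None
    return code, ident, length, eap_type


def inspect(pkt):
    """Decapsulate and report where PATTERN lands at each layer."""
    ip_proto, ip_payload = parse_ipv4(pkt)
    if ip_proto != IPPROTO_GRE:
        raise ValueError("not GRE")
    gre_proto, call_id, ppp_frame = parse_gre_v1(ip_payload)
    if gre_proto != GRE_PROTO_PPP:
        raise ValueError("GRE payload is not PPP")
    ppp_proto, info = parse_ppp(ppp_frame)
    eap = parse_eap(info) if ppp_proto == PPP_PROTO_EAP else None
    return {
        "call_id": call_id,
        "ip_payload_offset": ip_payload.find(PATTERN),  # only the IP header removed
        "ppp_frame_offset": ppp_frame.find(PATTERN),    # GRE header removed as well
        "eap": eap,
        "is_eap_request": eap is not None and eap[0] == EAP_CODE_REQUEST,
    }


def build_packet(acfc=True):
    """Construct IPv4 / GRE v1 / PPP / EAP-Request (Identity). acfc=True omits
    the ff 03 address/control bytes; acfc=False keeps them. All values made up."""
    identity = b"hello"
    eap = struct.pack("!BBH", EAP_CODE_REQUEST, 0x2A, 5 + len(identity)) + b"\x01" + identity
    ppp = (b"" if acfc else b"\xff\x03") + struct.pack("!H", PPP_PROTO_EAP) + eap
    # flags 0x3081: K (key), S (sequence), A (ack) set, version 1
    gre = struct.pack("!HHHHII", 0x3081, GRE_PROTO_PPP, len(ppp), 1, 5, 4)
    total = 20 + len(gre) + len(ppp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, IPPROTO_GRE,
                     0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # checksum left 0
    return ip + gre + ppp


if __name__ == "__main__":
    for acfc in (True, False):
        print("ACFC" if acfc else "ff 03 present", inspect(build_packet(acfc)))
```

With the GRE sequence and acknowledgement fields present, the PPP frame starts 16 bytes into the IP payload (18 bytes to the EAP protocol field if ff 03 is carried), so a signature that expects c2 27 01 at the start of its buffer only holds on the decapsulated frame. Note also that in Snort `offset` sets where the content search begins rather than pinning the match to that position; constraining the match to the first bytes needs `depth` as well.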
Current thread:
- GRE PPTP/EAP inspection Teodor Lupan via Snort-sigs (Mar 26)
- Re: GRE PPTP/EAP inspection Alex McDonnell (Mar 26)
- Re: GRE PPTP/EAP inspection James Lay via Snort-sigs (Mar 26)
- Re: GRE PPTP/EAP inspection Teodor Lupan via Snort-sigs (Mar 26)
- Re: GRE PPTP/EAP inspection rmkml (Mar 26)
- Re: GRE PPTP/EAP inspection Al Lewis (allewi) via Snort-sigs (Mar 26)
- Re: GRE PPTP/EAP inspection Al Lewis (allewi) via Snort-sigs (Mar 26)
- Re: GRE PPTP/EAP inspection Teodor Lupan via Snort-sigs (Mar 27)
- Re: GRE PPTP/EAP inspection Al Lewis (allewi) via Snort-sigs (Mar 27)
- Re: GRE PPTP/EAP inspection James Lay via Snort-sigs (Mar 26)
- Re: GRE PPTP/EAP inspection Alex McDonnell (Mar 26)