Snort mailing list archives

GRE PPTP/EAP inspection


From: Teodor Lupan via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 26 Mar 2020 13:48:39 +0200

Hi everybody!

I am trying to match on a GRE/PPTP packet with the specific content "|c2 27 01|", which translates to an EAP Request code, with a signature like:

alert ip any any -> any any (msg:"EAP Request"; ip_proto:47; dsize:>260; content:"|c2 27 01|"; offset:0; rawbytes;)

According to https://www.snort.org/faq/readme-gre this should have worked; the GRE decoder is enabled, but the payload still seems to be encapsulated, as I am unable to match on the rawbytes content... or maybe I am missing
something.
Do you have any suggestions to make this work? (I have attached a pcap)

Thanks!

Attachment: pptp_eap.pcap

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
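Added example, not part of the original post and not Snort code: a small Python walker over the layout the post describes, outer IPv4 / PPTP enhanced GRE (RFC 2637) / PPP / EAP, that reports where the bytes c2 27 01 actually sit. The packet is constructed in build_sample() and is not the attached pcap; the GRE flag bits (K, S, A set, giving a 16-byte GRE header) and the presence of the PPP address/control bytes FF 03 are assumptions about what a PPTP capture carries. With that layout the PPP protocol field c2 27 starts 18 bytes into the raw IP payload and 2 bytes into the GRE payload, so a content match anchored at offset 0 only lines up if the buffer being inspected starts exactly at the PPP protocol field, i.e. the GRE header has been removed and ACFC has stripped FF 03.

```python
"""Locate the EAP header inside an outer-IPv4 / PPTP enhanced-GRE / PPP / EAP
packet and report where the bytes c2 27 01 actually sit.  Layout per
RFC 2637 (enhanced GRE), RFC 1661 (PPP framing) and RFC 3748 (EAP header)."""
import struct

IPPROTO_GRE = 47
GRE_PROTO_PPP = 0x880B      # protocol type PPTP carries in the GRE header
PPP_PROTO_EAP = 0xC227      # PPP protocol number for EAP
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def ipv4_payload_offset(pkt):
    """Return (protocol, offset of the IPv4 payload); IHL is in 32-bit words."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return pkt[9], (pkt[0] & 0x0F) * 4

def parse_gre_v1(data):
    """Parse an enhanced GRE header (RFC 2637 section 4.1).
    Byte 0 holds C R K S s Recur, byte 1 holds A, Flags, Ver.  The fixed part
    is 8 bytes (flags, protocol type, payload length, call ID); a 4-byte
    sequence number follows if S is set and a 4-byte ack number if A is set.
    Returns (header length, payload length, call ID)."""
    if len(data) < 8:
        raise ValueError("truncated GRE header")
    version = data[1] & 0x07
    proto = struct.unpack_from("!H", data, 2)[0]
    if version != 1 or proto != GRE_PROTO_PPP:
        raise ValueError("not PPTP enhanced GRE: ver=%d proto=0x%04x" % (version, proto))
    payload_len, call_id = struct.unpack_from("!HH", data, 4)
    hdr_len = 8
    if data[0] & 0x10:      # S bit: sequence number present
        hdr_len += 4
    if data[1] & 0x80:      # A bit: acknowledgment number present
        hdr_len += 4
    if len(data) < hdr_len:
        raise ValueError("truncated GRE header")
    return hdr_len, payload_len, call_id

def parse_ppp_header(data):
    """Parse PPP framing.  The HDLC address/control pair FF 03 is present
    unless ACFC was negotiated; the protocol field is 2 bytes, or 1 byte when
    PFC compresses it (only for protocols <= 0xFF, so never for EAP).
    Returns (protocol number, offset of the PPP payload)."""
    off = 2 if data[:2] == b"\xff\x03" else 0
    if len(data) <= off:
        raise ValueError("truncated PPP header")
    if data[off] & 0x01:    # odd first byte means a compressed 1-byte protocol
        return data[off], off + 1
    return struct.unpack_from("!H", data, off)[0], off + 2

def locate_eap(pkt):
    """Walk IPv4 -> GRE -> PPP -> EAP and return absolute offsets plus the EAP code."""
    ip_proto, gre_off = ipv4_payload_offset(pkt)
    if ip_proto != IPPROTO_GRE:
        raise ValueError("outer IP protocol is %d, not GRE" % ip_proto)
    gre_hdr_len, _, call_id = parse_gre_v1(pkt[gre_off:])
    ppp_off = gre_off + gre_hdr_len
    ppp_proto, ppp_hdr_len = parse_ppp_header(pkt[ppp_off:])
    if ppp_proto != PPP_PROTO_EAP:
        raise ValueError("PPP protocol is 0x%04x, not EAP" % ppp_proto)
    eap_off = ppp_off + ppp_hdr_len
    code, ident, length = struct.unpack_from("!BBH", pkt, eap_off)
    return {"gre_offset": gre_off, "ppp_offset": ppp_off,
            "ppp_proto_offset": eap_off - 2,      # where c2 27 starts
            "eap_offset": eap_off, "call_id": call_id,
            "eap_code": code, "eap_code_name": EAP_CODES.get(code, "unknown"),
            "eap_id": ident, "eap_length": length}

def pattern_offsets(pkt, pattern=b"\xc2\x27\x01"):
    """Offset of the pattern relative to the start of the GRE header (the raw
    IP payload) and relative to the GRE payload (the PPP frame); -1 if absent."""
    _, gre_off = ipv4_payload_offset(pkt)
    gre_hdr_len, _, _ = parse_gre_v1(pkt[gre_off:])
    idx = pkt.find(pattern, gre_off)
    if idx < 0:
        return -1, -1
    return idx - gre_off, idx - (gre_off + gre_hdr_len)

def build_sample():
    """Constructed sample (not from any capture): IPv4 proto 47 / GRE v1 with
    K, S and A set / PPP with FF 03 / EAP Request, id 1, type Identity."""
    eap = struct.pack("!BBHB", 1, 1, 5, 1)                  # code, id, length, type
    ppp = b"\xff\x03" + struct.pack("!H", PPP_PROTO_EAP) + eap
    gre = (b"\x30\x81" + struct.pack("!H", GRE_PROTO_PPP)   # K|S, A, version 1
           + struct.pack("!HH", len(ppp), 0x1234)            # payload length, call ID
           + struct.pack("!II", 1, 0))                       # sequence, ack
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(ppp), 0, 0,
                     64, IPPROTO_GRE, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + gre + ppp

if __name__ == "__main__":
    info = locate_eap(build_sample())
    print("EAP %s at byte %d; c2 27 01 is %d bytes into the GRE payload"
          % (info["eap_code_name"], info["eap_offset"], pattern_offsets(build_sample())[1]))
```

Run it against bytes pulled from a real capture (for example the raw IP packet from the attached pcap) to see whether the FF 03 pair is present on that link; parse_ppp_header() accepts both framings, and the difference decides whether c2 27 01 lands at offset 0 or offset 2 of the GRE payload.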
