Snort mailing list archives

Re: GRE PPTP/EAP inspection


From: James Lay via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 26 Mar 2020 11:10:35 -0600

Compiling with:

--enable-non-ether-decoders

should get you what you need.
James
On Thu, 2020-03-26 at 12:38 -0400, Alex McDonnell wrote:
I went down this rabbit hole and I think I figured out this is
probably a case of similarly named protocols. PPTP is point to point
tunneling protocol from https://www.ietf.org/rfc/rfc2637.txt and is a
TCP protocol. Your PCAP has a PPP point to point protocol which is a
layer 2 protocol thus why I think Snort cannot dump the raw data from
it.

Alex McDonnell
Talos


On Thu, Mar 26, 2020 at 10:16 AM Teodor Lupan via Snort-sigs <
snort-sigs () lists snort org> wrote:
Hi everybody!
I am trying to match on a GRE/PPTP packet with a specific
content "|c2 27 01|" which translates to an EAP code Request, with
a signature like:

alert ip any any -> any any (msg:"EAP Request"; ip_proto:47; dsize:>260; content:"|c2 27 01|"; offset:0; rawbytes;)

According to https://www.snort.org/faq/readme-gre this should have
worked, the GRE decoder is enabled, but still the payload seems to
be encapsulated as I am unable to match on rawbytes content... or
maybe I am missing something.
Do you have any suggestions to make this work? (I have attached a
pcap)

Thanks!
_______________________________________________

Snort-sigs mailing list

Snort-sigs () lists snort org

https://lists.snort.org/mailman/listinfo/snort-sigs



Please visit http://blog.snort.org for the latest news about Snort!



Please follow these rules: 
https://snort.org/faq/what-is-the-mailing-list-etiquette



Visit Snort.org to subscribe to the official Snort ruleset,
make sure to stay up to date to catch the most emerging threats:
https://snort.org/downloads/#rule-downloads




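The thread turns on where the bytes c2 27 01 actually sit inside a GRE/PPTP datagram: they are the PPP protocol field for EAP (0xC227) followed by the EAP code byte (1 = Request), and they only appear at "offset 0" once the IP and GRE headers have been stripped. The following Python walker is an added example, not code from the thread or from Snort; it decodes a constructed IPv4 -> enhanced GRE (RFC 2637) -> PPP -> EAP datagram and reports the offset of the PPP frame relative to the datagram and to the IP payload. Protocol numbers come from the RFCs (GRE 47, PPP-in-GRE type 0x880B, PPP EAP 0xC227, EAP codes per RFC 3748); the sample packet, addresses and identifiers are constructed for the example.

```python
"""Added example: locate the PPP/EAP header inside an IPv4/GRE/PPTP datagram.
Not from the Snort mailing-list thread; the sample datagram below is constructed."""
import struct

IPPROTO_GRE = 47          # ip_proto:47 in the rule from the thread
GRE_PROTO_PPP = 0x880B    # GRE protocol type carrying PPP (PPTP data channel, RFC 2637)
PPP_PROTO_EAP = 0xC227    # PPP protocol number for EAP
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748


def gre_header_len(gre):
    """Length of the GRE header, honouring the optional fields signalled by the flag bits."""
    flags0, flags1 = gre[0], gre[1]
    version = flags1 & 0x07
    hlen = 4
    if version == 1:                      # enhanced GRE used by PPTP (RFC 2637)
        if flags0 & 0x20: hlen += 4       # K: payload length + call ID
        if flags0 & 0x10: hlen += 4       # S: sequence number
        if flags1 & 0x80: hlen += 4       # A: acknowledgment number
    else:                                 # version 0 (RFC 2784 / RFC 2890)
        if flags0 & 0xC0: hlen += 4       # C or R: checksum + reserved/offset
        if flags0 & 0x20: hlen += 4       # K: key
        if flags0 & 0x10: hlen += 4       # S: sequence number
    return hlen


def decode(pkt):
    """Walk IPv4 -> GRE -> PPP -> EAP. Returns a dict describing the EAP
    message and where the PPP frame starts, or None if the datagram is
    not IPv4/GRE(PPP)/EAP."""
    if pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_GRE:
        return None
    gre = pkt[ihl:]
    gre_proto = struct.unpack("!H", gre[2:4])[0]
    if gre_proto != GRE_PROTO_PPP:
        return None
    ppp_off = ihl + gre_header_len(gre)
    ppp = pkt[ppp_off:]
    if ppp[:2] == b"\xff\x03":            # optional HDLC address/control bytes
        ppp = ppp[2:]
    if ppp[0] & 0x01:                     # protocol-field compression: 1-byte protocol
        ppp_proto, eap = ppp[0], ppp[1:]
    else:
        ppp_proto, eap = struct.unpack("!H", ppp[:2])[0], ppp[2:]
    if ppp_proto != PPP_PROTO_EAP:
        return None
    code, ident, length = struct.unpack("!BBH", eap[:4])
    return {
        "gre_offset": ihl,                          # GRE header start within the datagram
        "ppp_offset": ppp_off,                      # where c2 27 ... starts within the datagram
        "ppp_offset_in_ip_payload": ppp_off - ihl,  # what a raw-payload offset:0 match would need
        "eap_code": code,
        "eap_name": EAP_CODES.get(code, "unknown"),
        "eap_id": ident,
        "eap_length": length,
    }


def build_sample():
    """Constructed datagram: IPv4 -> enhanced GRE (K, S, A set) -> PPP -> EAP Request/Identity."""
    eap = struct.pack("!BBHB", 1, 1, 5, 1)   # code=Request, id=1, length=5, type=Identity
    ppp = struct.pack("!H", PPP_PROTO_EAP) + eap
    # flags0=0x30 (K,S), flags1=0x81 (A, version 1), proto, payload len, call ID, seq, ack
    gre = struct.pack("!BBHHHII", 0x30, 0x81, GRE_PROTO_PPP, len(ppp), 1, 1, 0)
    payload = gre + ppp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                     IPPROTO_GRE, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + payload


if __name__ == "__main__":
    info = decode(build_sample())
    print(info)
```

On the constructed sample the PPP frame starts 36 bytes into the datagram (20 bytes of IPv4 plus a 16-byte enhanced GRE header), i.e. 16 bytes into the IP payload. That is the gap the original rule's `offset:0` runs into unless the sensor's decoders actually strip the GRE and PPP layers first, which is the point of building with the non-Ethernet decoders enabled.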
