Snort mailing list archives

Facing issue in logging GTP response packets


From: Vinayak Malshetty <vinay.c7 () gmail com>
Date: Tue, 3 Jul 2012 11:17:08 +0530

Hi,


Please, can anyone help me resolve the problem below?

I am running snort in IDS mode to capture GTPv1 echo request and response
packets, but I am seeing that only echo request packets are captured. Below
is the topology:

(Linux-1) eth4 ------------------------------ eth4 (Linux-2)
70.5.1.1                                          70.6.1.1

Linux-2 is sending a GTP echo request and Linux-1 is responding, but in the
log only the GTP request is logged.


I am running snort as "snort -i eth4 -c GTP_Config/sample.conf" on the Linux-1
machine.
I have created a rule to log GTP packets as:

log udp 70.5.1.1 2123 <> 70.6.1.1 2123 \
(gid:143;sid:10000010)

But when I run snort in sniffer mode I am able to see both the request
and the response on the console, as below:
Commencing packet processing (pid=15788)
07/01-04:32:42.714873 70.6.1.1:2123 -> 70.5.1.1:2123
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
Len: 12
32 01 00 04 00 00 00 00 6C 00 00 00              2.......l...   <-- Request
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-04:32:42.714878 70.6.1.1:2123 -> 70.5.1.1:2123
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:139 DF
Len: 111
32 10 00 67 00 00 00 00 6C 01 00 00 02 42 00 01  2..g....l....B..
21 43 65 87 F9 0E 1B 0F 01 10 00 00 00 01 11 00  !Ce.............
00 00 01 14 00 1A 08 00 80 00 02 F1 21 83 00 08  ............!...
69 6E 74 65 72 6E 65 74 84 00 15 80 C0 23 11 01  internet.....#..
01 00 11 03 6D 69 67 08 68 65 6D 6D 65 6C 69 67  ....mig.hemmelig
85 00 04 46 06 01 01 85 00 04 46 06 01 01 86 00  ...F......F.....
07 91 64 07 12 32 54 F6 87 00 04 00 0B 92 1F     ..d..2T........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-04:32:42.714915 70.5.1.1:2123 -> 70.6.1.1:2123
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:42 DF
Len: 14
32 02 00 06 00 00 00 00 6C 00 00 00 0E 01        2.......l.....   <-- Response
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-04:32:42.714995 70.5.1.1:2123 -> 70.6.1.1:2123
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:114 DF
Len: 86
32 11 00 4E 00 00 00 01 6C 01 00 00 01 80 08 00  2..N....l.......
0E 01 10 00 00 00 01 11 00 00 00 01 7F 00 00 00  ................
01 80 00 06 F1 21 50 00 00 02 84 00 14 80 80 21  .....!P........!
10 02 00 00 10 81 06 00 00 00 00 83 06 00 00 00  ................
00 85 00 04 46 05 01 01 85 00 04 46 05 01 01 87  ....F......F....
00 04 00 0B 92 1F                                ......

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=


Many Thanks,
-vinayak
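As an added example (not code from the post or from Snort), the following decoder walks the GTPv1 header of the echo request and echo response payloads shown in the sniffer output above, so a reader can confirm what the two directions look like at the GTP layer before tuning a rule. Message-type names follow 3GPP TS 29.060; the two payload byte strings are transcribed from the hex dumps in the post.

```python
import struct

# GTPv1-C message types seen in the post's sniffer output (3GPP TS 29.060).
GTP_MSG_TYPES = {
    0x01: "Echo Request",
    0x02: "Echo Response",
    0x10: "Create PDP Context Request",
    0x11: "Create PDP Context Response",
}

def parse_gtpv1_header(payload: bytes) -> dict:
    """Decode the GTPv1 header at the start of a UDP/2123 payload."""
    if len(payload) < 8:
        raise ValueError("payload shorter than the 8-byte mandatory GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    version = flags >> 5
    if version != 1:
        raise ValueError(f"not GTPv1 (version field = {version})")
    hdr = {
        "msg_type": msg_type,
        "msg_name": GTP_MSG_TYPES.get(msg_type, f"unknown (0x{msg_type:02x})"),
        "length": length,   # bytes that follow the mandatory 8-byte header
        "teid": teid,
        "seq": None,
    }
    # Any of the E, S or PN flag bits means a 4-byte optional block follows:
    # sequence number (2), N-PDU number (1), next extension header type (1).
    if flags & 0x07:
        if len(payload) < 12:
            raise ValueError("optional header fields announced but missing")
        hdr["seq"] = struct.unpack("!H", payload[8:10])[0]
    # The length field must account for everything after the 8-byte header.
    hdr["length_ok"] = (len(payload) - 8 == length)
    return hdr

# Constructed from the hex in the post's sniffer output: the UDP payloads of
# the echo request (70.6.1.1 -> 70.5.1.1) and echo response (reverse direction).
ECHO_REQUEST = bytes.fromhex("32010004000000006C000000")
ECHO_RESPONSE = bytes.fromhex("32020006000000006C0000000E01")

def classify(payloads) -> list:
    """Return (message name, sequence number) for each payload, in order."""
    return [(h["msg_name"], h["seq"]) for h in map(parse_gtpv1_header, payloads)]

if __name__ == "__main__":
    for name, seq in classify([ECHO_REQUEST, ECHO_RESPONSE]):
        print(f"{name}: seq={seq}")
```

Both messages carry the same sequence number (0x6C00), which is how the response is paired with its request; the response additionally carries a Recovery IE (0x0E) after the header.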