Snort mailing list archives
Facing issue in logging GTP response packets
From: Vinayak Malshetty <vinay.c7 () gmail com>
Date: Tue, 3 Jul 2012 11:17:08 +0530
Hi,

Could anyone please help me resolve the problem below?

I am running snort in IDS mode to capture GTPv1 echo request and response packets, but I am seeing that only echo request packets are captured. Below is the topology:

(Linux-1) eth4 ---------------------------- eth4 (Linux-2)
          70.5.1.1                          70.6.1.1

Linux-2 is sending the GTP echo request and Linux-1 is responding, but in the log only the GTP request is logged.

Running snort as “snort -i eth4 -c GTP_Config/sample.conf” on the Linux-1 machine.

I have created a rule to log GTP packets as:

log udp 70.5.1.1 2123 <> 70.6.1.1 2123 \
(gid:143;sid:10000010)

But when I am running snort in sniffer mode I am able to see both request and response on the console, as below:

Commencing packet processing (pid=15788)

07/01-04:32:42.714873 70.6.1.1:2123 -> 70.5.1.1:2123
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
Len: 12
32 01 00 04 00 00 00 00 6C 00 00 00              2.......l...
<--- Request
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-04:32:42.714878 70.6.1.1:2123 -> 70.5.1.1:2123
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:139 DF
Len: 111
32 10 00 67 00 00 00 00 6C 01 00 00 02 42 00 01  2..g....l....B..
21 43 65 87 F9 0E 1B 0F 01 10 00 00 00 01 11 00  !Ce.............
00 00 01 14 00 1A 08 00 80 00 02 F1 21 83 00 08  ............!...
69 6E 74 65 72 6E 65 74 84 00 15 80 C0 23 11 01  internet.....#..
01 00 11 03 6D 69 67 08 68 65 6D 6D 65 6C 69 67  ....mig.hemmelig
85 00 04 46 06 01 01 85 00 04 46 06 01 01 86 00  ...F......F.....
07 91 64 07 12 32 54 F6 87 00 04 00 0B 92 1F     ..d..2T........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-04:32:42.714915 70.5.1.1:2123 -> 70.6.1.1:2123
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:42 DF
Len: 14
32 02 00 06 00 00 00 00 6C 00 00 00 0E 01        2.......l.....
---> Response
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/01-04:32:42.714995 70.5.1.1:2123 -> 70.6.1.1:2123
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:114 DF
Len: 86
32 11 00 4E 00 00 00 01 6C 01 00 00 01 80 08 00  2..N....l.......
0E 01 10 00 00 00 01 11 00 00 00 01 7F 00 00 00  ................
01 80 00 06 F1 21 50 00 00 02 84 00 14 80 80 21  .....!P........!
10 02 00 00 10 81 06 00 00 00 00 83 06 00 00 00  ................
00 85 00 04 46 05 01 01 85 00 04 46 05 01 01 87  ....F......F....
00 04 00 0B 92 1F                                ......
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

Many Thanks,
-vinayak
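As an added example (not part of the post above, nor Snort's own code), the following parses the GTPv1 header of the two echo packets whose bytes are taken from the hex dumps in the post, so the request and response can be told apart and matched by sequence number when checking what a logger actually wrote out. The message-type names are the GTPv1 values from 3GPP TS 29.060 (1 = Echo Request, 2 = Echo Response, 16/17 = Create PDP Context Request/Response); the length check assumes a GTPv1 length field that counts everything after the first 8 header bytes.

```python
import struct

# GTPv1 message types that appear in the capture above (3GPP TS 29.060).
GTPV1_MSG_NAMES = {1: "Echo Request", 2: "Echo Response",
                   16: "Create PDP Context Request", 17: "Create PDP Context Response"}

def parse_gtpv1(payload: bytes) -> dict:
    """Parse the GTPv1 (GTP-C) header at the start of a UDP payload."""
    if len(payload) < 8:
        raise ValueError("payload shorter than the mandatory 8-byte GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    version = flags >> 5                      # top 3 bits of the flags byte
    if version != 1:
        raise ValueError(f"not GTPv1 (version field = {version})")
    hdr = {
        "version": version,
        "pt": (flags >> 4) & 1,               # 1 = GTP, 0 = GTP'
        "msg_type": msg_type,
        "msg_name": GTPV1_MSG_NAMES.get(msg_type, "Unknown"),
        "length": length,                     # bytes following the first 8
        "teid": teid,
        "seq": None,
    }
    offset = 8
    # If any of E, S or PN is set, 4 optional bytes follow:
    # sequence number (2), N-PDU number (1), next extension header type (1).
    if flags & 0x07:
        if len(payload) < 12:
            raise ValueError("optional header fields flagged but missing")
        hdr["seq"] = struct.unpack("!H", payload[8:10])[0]
        offset = 12
    if 8 + length != len(payload):
        raise ValueError(f"length field {length} disagrees with payload of {len(payload)} bytes")
    hdr["ies"] = payload[offset:]             # information elements (e.g. 0E 01 = Recovery)
    return hdr

def is_echo_pair(req: dict, resp: dict) -> bool:
    """True when resp is the Echo Response answering req (same sequence number)."""
    return req["msg_type"] == 1 and resp["msg_type"] == 2 and req["seq"] == resp["seq"]

# Constructed from the hex dumps in the post above (UDP payload bytes only).
ECHO_REQUEST = bytes.fromhex("32 01 00 04 00 00 00 00 6C 00 00 00")
ECHO_RESPONSE = bytes.fromhex("32 02 00 06 00 00 00 00 6C 00 00 00 0E 01")

if __name__ == "__main__":
    for pkt in (ECHO_REQUEST, ECHO_RESPONSE):
        h = parse_gtpv1(pkt)
        print(f"{h['msg_name']} (type {h['msg_type']}) seq=0x{h['seq']:04x} IEs={h['ies'].hex()}")
    print("echo pair:", is_echo_pair(parse_gtpv1(ECHO_REQUEST), parse_gtpv1(ECHO_RESPONSE)))
```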