Snort mailing list archives

Detection of malware using GTP tunneling protocol


From: Roland <roland () mirolima de>
Date: Mon, 09 Jun 2014 13:36:02 +0200

Hi,

I'm trying to detect malware in mobile networks on the Gn interface. 
Therefore I have enabled GTP and the GTP preprocessor.
When I send some pre-captured malware samples, I get the following effect:

* Start snort ==> snort -c /etc/snort/snort.conf -i eth1 -A console
* Send captured samples ==> tcpreplay -i eth1 -t <sample>
* Snort does not show any alarm
* kill -USR1 <snort pid> ==> shows that packets have been received and that 
the GTP preprocessor did some work on them

===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
     POST methods:                         0
     GET methods:                          0
     HTTP Request Headers extracted:       0
     HTTP Request Cookies extracted:       0
     Post parameters extracted:            0
     HTTP response Headers extracted:      0
     HTTP Response Cookies extracted:      0
     Unicode:                              0
     Double unicode:                       0
     Non-ASCII representable:              0
     Directory traversals:                 0
     Extra slashes ("//"):                 0
     Self-referencing paths ("./"):        0
     HTTP Response Gzip packets extracted: 0
     Gzip Compressed Data Processed:       n/a
     Gzip Decompressed Data Processed:     n/a
     Total packets processed:              128
===============================================================================
GTP Preprocessor Statistics
   Total sessions: 1
   Total reserved messages: 0
   Packets with reserved information elements: 0
   Total messages of version 1: 840
===============================================================================

Retrying the same, but waiting 10 minutes before sending the packets:

* Start snort ==> snort -c /etc/snort/snort.conf -i eth1 -A console
* Wait 10 minutes
* Send captured samples ==> tcpreplay -i eth1 -t <sample>
* Snort alerts on all malware packets

===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
     POST methods:                         11
     GET methods:                          117
     HTTP Request Headers extracted:       128
     HTTP Request Cookies extracted:       0
     Post parameters extracted:            0
     HTTP response Headers extracted:      0
     HTTP Response Cookies extracted:      0
     Unicode:                              0
     Double unicode:                       0
     Non-ASCII representable:              0
     Directory traversals:                 0
     Extra slashes ("//"):                 1
     Self-referencing paths ("./"):        0
     HTTP Response Gzip packets extracted: 0
     Gzip Compressed Data Processed:       n/a
     Gzip Decompressed Data Processed:     n/a
     Total packets processed:              132
===============================================================================
GTP Preprocessor Statistics
   Total sessions: 1
   Total reserved messages: 0
   Packets with reserved information elements: 0
   Total messages of version 1: 840
===============================================================================

Does anyone have a clue what the reason for this behaviour is? As the 
malware packets are recognized in the second case, I assume that the 
pcap file used is okay.

Snort version 2.9.6.0, DAQ 2.0.2, CentOS 6.5

Thanks
Roland
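Anyone replaying a capture like this will want to confirm, independently of Snort, what the file actually contains: how many GTPv1 messages there are and how many inner HTTP requests, which are exactly the two counters that differ between the two runs above. The script below is an added example written for this page, not code from the post or from the Snort project. It assumes GTP-U on UDP port 2152, IPv4 for both the outer and the tunnelled packet, an Ethernet link layer without VLAN tags, and a classic (non-pcapng) file; the capture it builds at the end is synthetic traffic constructed for the demonstration, not one of the malware samples.

```python
"""Cross-check a GTP-U capture independently of Snort. Added example, not code
from the post or the Snort project: it strips the GTPv1-U header from a classic
pcap and tallies what Snort's statistics report (GTPv1 messages, inner HTTP
GET/POST requests) plus inner TCP flows whose first captured packet is not a
SYN. Assumes Ethernet without VLAN tags, IPv4 inside and outside, GTP-U on
UDP/2152 and HTTP requests that start at a TCP segment boundary."""
import struct

GTPU_PORT = 2152   # assumed GTP-U port (3GPP TS 29.281)
GTP_G_PDU = 0xFF   # message type carrying the tunnelled user packet

def pcap_frames(data):
    """Yield link-layer frames from a classic pcap blob (not pcapng)."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    pos = 24                                     # fixed global header
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len

def ipv4_payload(buf):
    """Return (protocol, src, dst, payload) for the IPv4 header at buf[0]."""
    ihl, total = (buf[0] & 0x0F) * 4, struct.unpack("!H", buf[2:4])[0]
    return buf[9], buf[12:16], buf[16:20], buf[ihl:total]

def strip_gtpu(gtp):
    """Return (teid, inner packet) for a GTPv1 G-PDU, else None. Flags byte:
    version(3) PT(1) spare(1) E S PN; any of E/S/PN set adds a 4-byte optional
    block, and E adds extension headers (len in 4-byte units, next type 0 ends)."""
    if len(gtp) < 8 or gtp[0] >> 5 != 1 or gtp[1] != GTP_G_PDU:
        return None
    length, teid = struct.unpack("!HI", gtp[2:8])
    off = 8
    if gtp[0] & 0x07:
        next_ext, off = gtp[11], 12
        while gtp[0] & 0x04 and next_ext != 0:
            ext_len = gtp[off] * 4
            next_ext = gtp[off + ext_len - 1]
            off += ext_len
    return teid, gtp[off:8 + length]

def tally(pcap):
    """Count GTPv1 messages, inner HTTP methods and inner TCP flows w/o SYN."""
    gtpv1 = get = post = 0
    flows, no_syn = set(), set()
    for frame in pcap_frames(pcap):
        if frame[12:14] != b"\x08\x00":          # not IPv4 over Ethernet
            continue
        proto, _, _, l4 = ipv4_payload(frame[14:])
        if proto != 17 or GTPU_PORT not in struct.unpack("!HH", l4[:4]):
            continue                             # not UDP, or not the GTP-U port
        gtp = l4[8:]
        if len(gtp) >= 8 and gtp[0] >> 5 == 1:
            gtpv1 += 1                           # Snort's "messages of version 1"
        decap = strip_gtpu(gtp)
        if decap is None:
            continue
        teid, inner = decap
        proto, src, dst, tcp = ipv4_payload(inner)
        if proto != 6:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        key = (teid,) + tuple(sorted([(src, sport), (dst, dport)]))
        if key not in flows:
            flows.add(key)
            if tcp[13] & 0x12 != 0x02:           # first packet seen is not a bare SYN
                no_syn.add(key)
        payload = tcp[(tcp[12] >> 4) * 4:]
        get += payload.startswith(b"GET ")
        post += payload.startswith(b"POST ")
    return {"gtpv1_messages": gtpv1, "GET": get, "POST": post,
            "inner_tcp_flows": len(flows), "flows_without_syn": len(no_syn)}

# Constructed sample capture (synthetic traffic, not a malware sample).
def _ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, src, dst) + payload

def build_gtpu_frame(tcp_flags, http=b"", teid=1, seq=None, sport=40000, dport=80):
    """Ethernet/IPv4/UDP/GTPv1-U/IPv4/TCP frame; seq != None sets the S flag."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, tcp_flags, 8192, 0, 0) + http
    inner = _ipv4(6, tcp)
    if seq is None:
        gtp = struct.pack("!BBHI", 0x30, GTP_G_PDU, len(inner), teid) + inner
    else:                      # optional block: seq(2) N-PDU(1) next-ext-type(1)
        gtp = struct.pack("!BBHIHBB", 0x32, GTP_G_PDU, len(inner) + 4, teid, seq, 0, 0) + inner
    udp = struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, 8 + len(gtp), 0) + gtp
    return b"\x00" * 12 + b"\x08\x00" + _ipv4(17, udp)

def pcap_bytes(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = pcap_bytes([
    build_gtpu_frame(0x02),                                               # SYN, flow A
    build_gtpu_frame(0x18, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n", seq=7), # PSH/ACK, flow A
    build_gtpu_frame(0x18, b"POST /x HTTP/1.1\r\n\r\n", teid=2, sport=40001),  # flow B, no SYN
])
```

To use it on a real file, call `tally(open(path, "rb").read())` and compare the `gtpv1_messages`, `GET` and `POST` values with the figures in Snort's statistics block. The `flows_without_syn` value is information Snort's summary does not print: the number of tunnelled TCP conversations that are already in progress when the capture begins, which is worth knowing about any replayed sample before looking at how the stream and HTTP preprocessors treat it.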

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net