Snort mailing list archives
Detection of malware using GTP tunneling protocol
From: Roland <roland () mirolima de>
Date: Mon, 09 Jun 2014 13:36:02 +0200
Hi,

I'm trying to detect malware in mobile networks on the Gn Interface. Therefore I have enabled gtp and the gtp preprocessor. When I'm sending some precaptured malware samples I get the following effect:

* Start snort ==> snort -c /etc/snort/snort.conf -i eth1 -A console
* Send captured samples ==> tcpreplay -i eth1 -t <sample>
* Snort does not show any alarm
* kill -USR1 <snort pid> ==> shows that packets have been received, that GTP preprocessor did some work on it

===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0
    GET methods:                          0
    HTTP Request Headers extracted:       0
    HTTP Request Cookies extracted:       0
    Post parameters extracted:            0
    HTTP response Headers extracted:      0
    HTTP Response Cookies extracted:      0
    Unicode:                              0
    Double unicode:                       0
    Non-ASCII representable:              0
    Directory traversals:                 0
    Extra slashes ("//"):                 0
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 0
    Gzip Compressed Data Processed:       n/a
    Gzip Decompressed Data Processed:     n/a
    Total packets processed:              128
===============================================================================
GTP Preprocessor Statistics
    Total sessions:                                1
    Total reserved messages:                       0
    Packets with reserved information elements:    0
    Total messages of version 1:                   840
===============================================================================

Retry the same but wait 10 minutes before sending the packets:

* Start snort ==> snort -c /etc/snort/snort.conf -i eth1 -A console
* Wait 10 minutes
* Send captured samples ==> tcpreplay -i eth1 -t <sample>
* Snort alarms all malware packets

===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         11
    GET methods:                          117
    HTTP Request Headers extracted:       128
    HTTP Request Cookies extracted:       0
    Post parameters extracted:            0
    HTTP response Headers extracted:      0
    HTTP Response Cookies extracted:      0
    Unicode:                              0
    Double unicode:                       0
    Non-ASCII representable:              0
    Directory traversals:                 0
    Extra slashes ("//"):                 1
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 0
    Gzip Compressed Data Processed:       n/a
    Gzip Decompressed Data Processed:     n/a
    Total packets processed:              132
===============================================================================
GTP Preprocessor Statistics
    Total sessions:                                1
    Total reserved messages:                       0
    Packets with reserved information elements:    0
    Total messages of version 1:                   840
===============================================================================

Does anyone have a clue what the reason for this behaviour is? As the malware packets are recognized in the second case, I assume that the used pcap file is okay.

Snort version 2.9.6.0, DAQ 2.0.2, Centos 6.5

Thanks
Roland
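When comparing two `kill -USR1` dumps like the ones above, it helps to parse the counters rather than eyeball them. The script below is an added example, not part of Roland's mail or of Snort itself: it parses the per-preprocessor statistics blocks into dictionaries, reports every counter that changed between the two runs, and flags the symptom from the first run (the GTP preprocessor counted messages while HTTP Inspect extracted no request headers from the decapsulated payload). The sample dumps are constructed from the numbers quoted in the mail, trimmed to the counters that matter; the layout assumed is the one Snort 2.9.x prints (sections separated by lines of `=`, a title line, then `name: value` lines).

```python
import re
from typing import Dict, Tuple, Union

Value = Union[int, str]
Stats = Dict[str, Dict[str, Value]]

# Constructed sample input: abbreviated copies of the two stats dumps from
# the mail (first run: replay immediately; second run: wait 10 minutes).
RUN_IMMEDIATE = """\
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0
    GET methods:                          0
    HTTP Request Headers extracted:       0
    Extra slashes ("//"):                 0
    Gzip Compressed Data Processed:       n/a
    Total packets processed:              128
===============================================================================
GTP Preprocessor Statistics
    Total sessions:                                1
    Total reserved messages:                       0
    Packets with reserved information elements:    0
    Total messages of version 1:                   840
===============================================================================
"""

RUN_AFTER_WAIT = """\
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         11
    GET methods:                          117
    HTTP Request Headers extracted:       128
    Extra slashes ("//"):                 1
    Gzip Compressed Data Processed:       n/a
    Total packets processed:              132
===============================================================================
GTP Preprocessor Statistics
    Total sessions:                                1
    Total reserved messages:                       0
    Packets with reserved information elements:    0
    Total messages of version 1:                   840
===============================================================================
"""

SEPARATOR = re.compile(r"^=+\s*$")
COUNTER = re.compile(r"^\s*(.+?):\s*(\S+)\s*$")


def parse_snort_stats(text: str) -> Stats:
    """Parse a SIGUSR1 statistics dump into {section: {counter: value}}.

    Sections are delimited by lines of '=' characters; the first non-blank
    line of a section is its title, every following 'name: value' line is a
    counter. Numeric values become ints, anything else (e.g. 'n/a') stays a
    string.
    """
    stats: Stats = {}
    title = None
    for line in text.splitlines():
        if SEPARATOR.match(line):
            title = None  # the next non-blank line starts a new section
            continue
        if not line.strip():
            continue
        if title is None:
            title = line.strip()
            stats.setdefault(title, {})
            continue
        m = COUNTER.match(line)
        if m:
            name, raw = m.group(1).strip(), m.group(2)
            stats[title][name] = int(raw) if raw.isdigit() else raw
    return stats


def diff_stats(before: Stats, after: Stats) -> Dict[Tuple[str, str], Tuple[Value, Value]]:
    """Return {(section, counter): (old, new)} for every counter that differs."""
    changed: Dict[Tuple[str, str], Tuple[Value, Value]] = {}
    for section in sorted(set(before) | set(after)):
        b, a = before.get(section, {}), after.get(section, {})
        for name in sorted(set(b) | set(a)):
            if b.get(name) != a.get(name):
                changed[(section, name)] = (b.get(name), a.get(name))
    return changed


def gtp_seen_but_http_unseen(stats: Stats) -> bool:
    """True when GTP counted messages but HTTP Inspect extracted no request
    headers: the inner HTTP traffic reached the GTP decoder but never made it
    to HTTP inspection, which is the symptom of the first run in the mail."""
    gtp = stats.get("GTP Preprocessor Statistics", {})
    http = next((v for k, v in stats.items() if k.startswith("HTTP Inspect")), {})
    gtp_msgs = sum(v for k, v in gtp.items()
                   if k.startswith("Total messages of version") and isinstance(v, int))
    headers = http.get("HTTP Request Headers extracted", 0)
    return gtp_msgs > 0 and headers == 0


if __name__ == "__main__":
    first, second = parse_snort_stats(RUN_IMMEDIATE), parse_snort_stats(RUN_AFTER_WAIT)
    for (section, name), (old, new) in diff_stats(first, second).items():
        print(f"{section} / {name}: {old} -> {new}")
    print("first run: GTP seen but HTTP unseen?", gtp_seen_but_http_unseen(first))
```

On the two dumps from the mail the diff lists only HTTP Inspect counters (POST/GET methods, request headers, the extra-slash count and total packets), while every GTP counter is identical, which narrows the problem to the hand-off between GTP decapsulation and HTTP inspection rather than to the GTP preprocessor or the pcap.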