Snort mailing list archives

Re: GRE preprocessor and rules


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 17 Feb 2017 04:11:13 +0000

See the README.gre file for more info… only one layer of encapsulation is supported.


ALLEWI-M-8257:snort-2.9.9.0-released allewi$ cat etc/ANA3.conf | grep alert
alert icmp 1.1.1.1 any -> any any (msg:"INNER IP"; sid:10000004;)


ALLEWI-M-8257:snort-2.9.9.0-released allewi$ tcpdump -n -r etc/ANA-GRE.pcap
reading from file etc/ANA-GRE.pcap, link-type EN10MB (Ethernet)
07:06:06.434897 IP 10.0.0.1 > 10.0.0.2: GREv0, length 104: IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 2, seq 0, length 80



ALLEWI-M-8257:snort-2.9.9.0-released allewi$ ./bin/snort -c etc/ANA3.conf -r etc/ANA-GRE.pcap -Acmg -q
06/21-07:06:06.434897  [**] [1:10000004:0] INNER IP [**] [Priority: 0] {ICMP} 1.1.1.1 -> 2.2.2.2
06/21-07:06:06.434897 C2:00:57:75:00:00 -> C2:01:57:75:00:00 type:0x800 len:0x8A
10.0.0.1 -> 10.0.0.2 GRE TTL:255 TOS:0x0 ID:10 IpLen:20 DgmLen:124
GRE version:0 flags:0x00 ether-type:0x0800
1.1.1.1 -> 2.2.2.2 ICMP TTL:255 TOS:0x0 ID:10 IpLen:20 DgmLen:100
Type:8  Code:0  ID:2   Seq:0  ECHO
00 00 00 00 00 03 BE 70 AB CD AB CD AB CD AB CD  .......p........
AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD  ................
AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD  ................
AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD  ................
AB CD AB CD AB CD AB CD                          ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+





Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>

From: Ana Serrano Mamolar <B00315494 () studentmail uws ac uk<mailto:B00315494 () studentmail uws ac uk>>
Date: Thursday, February 16, 2017 at 2:09 PM
To: 'snort-users' <snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>>
Subject: [Snort-users] GRE preprocessor and rules


Hi,

Does somebody know how to use rules to filter by the inner IP in case of GRE encapsulation?

That is, in the following case,



| Eth | IP1 | GRE | IP2 | TCP | Payload |


is it possible, by default, to trigger an alert matching a rule with IP2?

Thanks





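The reply above shows the behaviour empirically: Snort decodes the single GRE layer and the "alert icmp 1.1.1.1 any -> any any" rule fires on the inner (IP2) header, while README.gre notes that only one layer of encapsulation is supported. The following is an added example, not code from the Snort project or from either poster: a small Python decoder that walks Eth | IP | GRE | IP | ICMP the same way, descends through at most one GRE header, and applies a Snort-style source-IP/protocol match to the innermost header it reached. The packets are constructed inline to the same shape as the ANA-GRE.pcap packet (outer DgmLen 124, inner DgmLen 100, frame length 0x8A), not read from that file; the second, doubly encapsulated frame and the 10.0.0.3/10.0.0.4 tunnel endpoints are assumptions made for the demonstration, and restricting the decoder to GRE v0 carrying IPv4 is a simplification of this example, not a statement about Snort.

```python
"""Added example: one-layer GRE decoding with a Snort-style inner-IP rule match.
Not Snort code. All frames are constructed here; only GRE v0 over IPv4 is followed."""
import ipaddress
import struct

ETH_P_IP = 0x0800
IPPROTO_ICMP = 1
IPPROTO_GRE = 47
MAX_GRE_LAYERS = 1          # the one-layer limit README.gre describes


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum (shared by IPv4 and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=255, ident=10):
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def gre_header(proto=ETH_P_IP):
    """GRE v0, C/K/S flags clear: 2 bytes flags+version, 2 bytes protocol type."""
    return struct.pack("!HH", 0, proto)


def icmp_echo(ident=2, seq=0, data=b"\xab\xcd" * 36):
    """ICMP echo request; 72 data bytes give the inner DgmLen of 100 seen in the thread."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return hdr[:2] + struct.pack("!H", _checksum(hdr + data)) + hdr[4:] + data


def wrap_in_gre(ip_packet, src, dst):
    """Encapsulate a complete IPv4 packet: IP(src->dst, proto 47) | GRE | ip_packet."""
    gre = gre_header() + ip_packet
    return ipv4_header(src, dst, IPPROTO_GRE, len(gre)) + gre


def ethernet(payload, src_mac=bytes.fromhex("c20057750000"),
             dst_mac=bytes.fromhex("c20157750000")):
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + payload


def single_layer_frame():
    """Eth | IP 10.0.0.1>10.0.0.2 | GRE | IP 1.1.1.1>2.2.2.2 | ICMP echo: 138 (0x8A) bytes."""
    icmp = icmp_echo()
    inner = ipv4_header("1.1.1.1", "2.2.2.2", IPPROTO_ICMP, len(icmp)) + icmp
    return ethernet(wrap_in_gre(inner, "10.0.0.1", "10.0.0.2"))


def double_layer_frame():
    """Constructed case: the same packet inside a second GRE tunnel 10.0.0.3 -> 10.0.0.4."""
    return ethernet(wrap_in_gre(single_layer_frame()[14:], "10.0.0.3", "10.0.0.4"))


def decode(frame, max_gre_layers=MAX_GRE_LAYERS):
    """Return the IP headers seen, outermost first, descending through at most
    max_gre_layers GRE headers. Anything deeper is left undecoded, as Snort does."""
    layers = []
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return layers
    off, gre_layers = 14, 0
    while len(frame) >= off + 20:
        ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
            struct.unpack("!BBHHHBBH4s4s", frame[off:off + 20])
        ihl = (ver_ihl & 0x0F) * 4
        if (ver_ihl >> 4) != 4 or ihl < 20 or len(frame) < off + ihl \
                or _checksum(frame[off:off + ihl]) != 0:
            break                                   # malformed header: stop here
        layers.append({"src": str(ipaddress.IPv4Address(src)),
                       "dst": str(ipaddress.IPv4Address(dst)),
                       "proto": proto, "ttl": ttl, "len": total_len})
        off += ihl
        if proto != IPPROTO_GRE or gre_layers >= max_gre_layers:
            break                                   # not GRE, or the layer limit is reached
        if len(frame) < off + 4:
            break
        flags, gre_proto = struct.unpack("!HH", frame[off:off + 4])
        if (flags & 0x0007) != 0 or gre_proto != ETH_P_IP:
            break                                   # this example follows only GRE v0 over IPv4
        # Optional fields (RFC 2784/2890): checksum+reserved1, key, sequence, 4 bytes each
        off += 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        gre_layers += 1
    return layers


def rule_matches(layers, proto, src_ip):
    """Emulate 'alert <proto> <src_ip> any -> any any' against the innermost decoded header."""
    if not layers:
        return False
    inner = layers[-1]
    return inner["proto"] == proto and inner["src"] == src_ip


if __name__ == "__main__":
    for name, frame in (("one GRE layer", single_layer_frame()),
                        ("two GRE layers", double_layer_frame())):
        seen = decode(frame)
        print(name, [(x["src"], x["dst"], x["proto"]) for x in seen],
              "sid:10000004 fires:", rule_matches(seen, IPPROTO_ICMP, "1.1.1.1"))
```

With one GRE layer the decoder reaches 1.1.1.1 -> 2.2.2.2 / ICMP and the match fires, which is the result the reply shows; with two layers it stops at the middle IP header (10.0.0.1, proto 47) and the same rule is silent, which is the practical consequence of the one-layer limit. Passing max_gre_layers=2 shows what a deeper decoder would need to do; Snort 2.9.x itself does not do this, per README.gre.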
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!