Re: GRE PPTP/EAP inspection

["Al Lewis \(allewi\) via Snort-sigs" <snort-sigs () lists snort org>]

Also, you export the variable below so you can see the comparison values (or any others). Should help you find where 
the cursor is.


Whoa9@whoa9:/var/tmp/snort-2.9.15$ export SNORT_DEBUG=0x0000000000001000LL


Whoa9@whoa9:/var/tmp/snort-2.9.15$ ./bin/snort -c etc/pptp.conf -r ~/Downloads/pptp_eap.pcap -Acmg -k none -q
sp_pattern_match.c:195: Plugin: PatternMatch Initialized!
sp_byte_check.c:699: [*] byte test firing...
payload starts at 0x5566023849a2
sp_byte_check.c:763: checking absolute offset 12
sp_byte_check.c:837: Grabbed 3 bytes at offset 12 cmp_value = 0x00C22701(12723969) value = 0x00C22701(12723969)
03/25-08:08:34.602456  [**] [1:2:0] EAP Request 2 [**] [Priority: 0] {GRE} 172.16.100.50 -> 172.16.100.100
03/25-08:08:34.602456 DE:AD:CD:B7:69:87 -> DE:AD:45:9D:B7:A6 type:0x800 len:0x492
172.16.100.50 -> 172.16.100.100 GRE TTL:64 TOS:0x0 ID:52936 IpLen:20 DgmLen:1156 DF

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


The debug values are listed under ‘include/snort/dynamic_output/snort_debug.h’


whoa@whoa9:/var/tmp/snort-2.9.15$ less include/snort/dynamic_output/snort_debug.h | grep PATTERN_MATCH
#define DEBUG_PATTERN_MATCH   0x0000000000001000LL
whoa9@whoa9:/var/tmp/snort-2.9.15$


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com<mailto:allewi () cisco com>



From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of "Al Lewis (allewi) via Snort-sigs" <snort-sigs () 
lists snort org>
Reply-To: "Al Lewis (allewi)" <allewi () cisco com>
Date: Thursday, March 26, 2020 at 7:44 PM
To: Teodor Lupan <theologu () gmail com>
Cc: "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Subject: Re: [Snort-sigs] GRE PPTP/EAP inspection


Part of the content you are trying to match on is being decoded in the PPTP header (as Alex said) so that content match 
wont work.


#0  DecodePppPktEncapsulated (pkt=0x555556be056e "\302'\001", len=1124, p=0x555556075780 <s_packet>) at decode.c:1998
1998     if(pkt[0] & 0x01)
(gdb) n
2008         protocol = ntohs(*((uint16_t *)pkt));
(gdb) n
2009         hlen = 2;
(gdb) print protocol
$30 = 49703
(gdb) print /x protocol
$31 = 0xc227


(gdb) x /16xb pkt
0x555556be056e: 0xc2 0x27 0x01 0x00 0x04 0x62 0x04 0x10
0x555556be0576: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
(gdb)



You could try some byte matching and hopping around to get you where you need to be. The rule below should get you 
started.



Whoa9@whoa9:/var/tmp/snort-2.9.15$ ./bin/snort -c etc/pptp.conf -r ~/Downloads/pptp_eap.pcap -Acmg -k none -q

03/25-08:08:34.602456  [**] [1:2:0] EAP Request 2 [**] [Priority: 0] {GRE} 172.16.100.50 -> 172.16.100.100

03/25-08:08:34.602456 DE:AD:CD:B7:69:87 -> DE:AD:45:9D:B7:A6 type:0x800 len:0x492

172.16.100.50 -> 172.16.100.100 GRE TTL:64 TOS:0x0 ID:52936 IpLen:20 DgmLen:1156 DF



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+





03/25-08:08:34.602456  [**] [1:1:0] EAP Request 1 [**] [Priority: 0] {GRE} 172.16.100.50 -> 172.16.100.100

03/25-08:08:34.602456 DE:AD:CD:B7:69:87 -> DE:AD:45:9D:B7:A6 type:0x800 len:0x492

172.16.100.50 -> 172.16.100.100 GRE TTL:64 TOS:0x0 ID:52936 IpLen:20 DgmLen:1156 DF



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+





Whoa9@whoa9:/var/tmp/snort-2.9.15$ cat etc/pptp.conf | grep alert

alert ip any any -> any any (msg:"EAP Request 1"; ip_proto:47; dsize: > 260; byte_test:3, =, 12723969, 12, relative; 
sid:1)

alert ip any any -> any any (msg:"EAP Request 2"; ip_proto:47; dsize: > 260; byte_test:3, =, 0xc22701, 12, relative; 
sid:2)






Hope this helps.


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com<mailto:allewi () cisco com>



From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Teodor Lupan via Snort-sigs <snort-sigs () lists 
snort org>
Reply-To: Teodor Lupan <theologu () gmail com>
Date: Thursday, March 26, 2020 at 4:39 PM
To: "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Subject: Re: [Snort-sigs] GRE PPTP/EAP inspection

Thanks for idea! I have compiled latest version with the indicated flag and it's the same.... It sees the packets 
correctly, but still content matching is not possible

[image.png]

On Thu, Mar 26, 2020 at 7:13 PM James Lay via Snort-sigs <snort-sigs () lists snort org<mailto:snort-sigs () lists 
snort org>> wrote:
Compiling with:

--enable-non-ether-decoders

should get you what you need.

James
On Thu, 2020-03-26 at 12:38 -0400, Alex McDonnell wrote:
I went down this rabbit hole and I thin I figured out this is probably a case of similarly named protocols. PPTP is 
point to point tunneling protocol from https://www.ietf.org/rfc/rfc2637.txt and is a TCP protocol. Your PCAP has a PPP 
point to point protocol which is a layer 2 protocol thus why I think Snort cannot dump the raw data from it.

Alex McDonnell
Talos

On Thu, Mar 26, 2020 at 10:16 AM Teodor Lupan via Snort-sigs <snort-sigs () lists snort org<mailto:snort-sigs () lists 
snort org>> wrote:
Hi everybody!

I am trying to match on a GRE/PPTP packet with a specific content "|c2 27 01|" which translates to an EAP code Request, 
with a signature like:

alert ip any any -> any any (msg:"EAP Request"; ip_proto:47;  dsize: > 260; content: "|c2 27 01|"; offset: 0; rawbytes;)

According to https://www.snort.org/faq/readme-gre this should have worked, the GRE decoder is enabled, but still the 
payload seems to be encapsulated as I am unable to match on rawbytes content... or maybe I am missing something.
Do you have any suggestions to make this work? (I have attached a pcap)

Thanks!
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org<mailto:Snort-sigs () lists snort org>
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

_______________________________________________

Snort-sigs mailing list

Snort-sigs () lists snort org<mailto:Snort-sigs () lists snort org>

https://lists.snort.org/mailman/listinfo/snort-sigs



Please visit http://blog.snort.org for the latest news about Snort!



Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette



Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging<https://snort.org/downloads/#rule-downloads%22%3Eemerging> 
threats</a>!



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org<mailto:Snort-sigs () lists snort org>
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!