Snort mailing list archives

Re: GRE PPTP/EAP inspection


From: Teodor Lupan via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 27 Mar 2020 13:20:11 +0200

Thank you very much for the help and detailed information!

byte_test did the trick!

Teodor Lupan

On Fri, Mar 27, 2020 at 1:41 AM Al Lewis (allewi) <allewi () cisco com> wrote:



Part of the content you are trying to match on is being decoded in the
PPTP header (as Alex said), so that content match won't work.





#0  DecodePppPktEncapsulated (pkt=0x555556be056e "\302'\001", len=1124, p=0x555556075780 <s_packet>) at decode.c:1998
1998     if(pkt[0] & 0x01)
(gdb) n
2008         protocol = ntohs(*((uint16_t *)pkt));
(gdb) n
2009         hlen = 2;
(gdb) print protocol
$30 = 49703
(gdb) print /x protocol
$31 = 0xc227

(gdb) x /16xb pkt
0x555556be056e: 0xc2 0x27 0x01 0x00 0x04 0x62 0x04 0x10
0x555556be0576: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
(gdb)







You could try some byte matching and hopping around to get you where you
need to be. The rule below should get you started.





Whoa9@whoa9:/var/tmp/snort-2.9.15$ ./bin/snort -c etc/pptp.conf -r ~/Downloads/pptp_eap.pcap -Acmg -k none -q
03/25-08:08:34.602456  [**] [1:2:0] EAP Request 2 [**] [Priority: 0] {GRE} 172.16.100.50 -> 172.16.100.100
03/25-08:08:34.602456 DE:AD:CD:B7:69:87 -> DE:AD:45:9D:B7:A6 type:0x800 len:0x492
172.16.100.50 -> 172.16.100.100 GRE TTL:64 TOS:0x0 ID:52936 IpLen:20 DgmLen:1156 DF

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/25-08:08:34.602456  [**] [1:1:0] EAP Request 1 [**] [Priority: 0] {GRE} 172.16.100.50 -> 172.16.100.100
03/25-08:08:34.602456 DE:AD:CD:B7:69:87 -> DE:AD:45:9D:B7:A6 type:0x800 len:0x492
172.16.100.50 -> 172.16.100.100 GRE TTL:64 TOS:0x0 ID:52936 IpLen:20 DgmLen:1156 DF

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Whoa9@whoa9:/var/tmp/snort-2.9.15$ cat etc/pptp.conf | grep alert
alert ip any any -> any any (msg:"EAP Request 1"; ip_proto:47; dsize: > 260; byte_test:3, =, 12723969, 12, relative; sid:1;)
alert ip any any -> any any (msg:"EAP Request 2"; ip_proto:47; dsize: > 260; byte_test:3, =, 0xc22701, 12, relative; sid:2;)







Hope this helps.





Albert Lewis

ENGINEER.SOFTWARE ENGINEERING

Cisco Systems Inc.

Email: allewi () cisco com
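Added example (editor's addition, not code from the thread or from Snort): a small Python model of the layers the gdb trace above walks through. It builds a constructed PPTP data packet (RFC 2637 enhanced GRE with the K and S bits set, carrying a PPP frame with protocol 0xc227 and an EAP Request), reproduces the decoder's `pkt[0] & 0x01` check that leaves `hlen = 2`, and shows that once the PPP protocol field is consumed the remaining data starts at the EAP code, so `|c2 27 01|` is no longer at the front, while a 3-byte `byte_test` at offset 12 of the GRE payload still sees it. It also goes one step beyond the thread: when a PPTP sender piggybacks an acknowledgement (A bit set), the GRE header grows to 16 bytes and a fixed offset of 12 no longer lines up, so the example derives the offset from the flag bits. All packet contents, the call ID and the helper names are constructed for illustration; only the protocol numbers are real.

```python
import struct
from typing import Optional

# Added example: constructed PPTP/GRE/PPP/EAP packet and a byte_test lookalike.
# Only the protocol numbers below are real; everything else is made-up test data.
GRE_PROTO_PPP = 0x880B    # GRE protocol type for PPP (RFC 2637)
PPP_PROTO_EAP = 0xC227    # PPP protocol number for EAP
EAP_CODE_REQUEST = 1


def build_eap_request(name: bytes) -> bytes:
    """EAP Request / MD5-Challenge with a constructed 16-byte challenge and a name field."""
    challenge = b"\x41" * 16
    length = 4 + 1 + 1 + len(challenge) + len(name)          # header + type + value-size + value + name
    return struct.pack(">BBHBB", EAP_CODE_REQUEST, 0, length, 4, len(challenge)) + challenge + name


def build_pptp_gre(ppp_payload: bytes, seq: int, ack: Optional[int] = None) -> bytes:
    """Enhanced GRE header (K and S set, A optional) in front of a PPP frame (constructed)."""
    byte0 = 0x20 | 0x10                                       # K=1 key present, S=1 sequence present
    byte1 = 0x01 | (0x80 if ack is not None else 0)           # version 1, A=1 if an ack is piggybacked
    hdr = struct.pack(">BBHHHI", byte0, byte1, GRE_PROTO_PPP,
                      len(ppp_payload), 0x1234, seq)          # key = payload length + call ID (constructed)
    if ack is not None:
        hdr += struct.pack(">I", ack)
    return hdr + ppp_payload


def gre_header_len(ip_payload: bytes) -> int:
    """Length of the enhanced GRE header, derived from its flag bits."""
    byte0, byte1 = ip_payload[0], ip_payload[1]
    hlen = 4                                                  # flags/version + protocol type
    hlen += 4 if byte0 & 0x20 else 0                          # K: key (payload length + call ID)
    hlen += 4 if byte0 & 0x10 else 0                          # S: sequence number
    hlen += 4 if byte1 & 0x80 else 0                          # A: acknowledgement number
    return hlen


def decode_ppp_protocol(pkt: bytes) -> tuple:
    """Mirror of the decoder's check in the gdb trace: an odd first byte means a
    compressed 1-byte protocol field, otherwise the field is 2 bytes (hlen = 2)."""
    if pkt[0] & 0x01:
        return pkt[0], 1
    return struct.unpack(">H", pkt[:2])[0], 2


def byte_test_eq(payload: bytes, nbytes: int, value: int, offset: int) -> bool:
    """byte_test:<nbytes>,=,<value>,<offset> evaluated big-endian from the payload start."""
    chunk = payload[offset:offset + nbytes]
    return len(chunk) == nbytes and int.from_bytes(chunk, "big") == value


def eap_request_rule(ip_payload: bytes, gre_offset: int = 12) -> bool:
    """Same predicate as the thread's rule: dsize:>260 and byte_test:3,=,0xc22701,<offset>."""
    return len(ip_payload) > 260 and byte_test_eq(ip_payload, 3, 0xC22701, gre_offset)


def analyse(ip_payload: bytes) -> dict:
    """Walk the packet the way the decoder does and record what each layer sees."""
    hlen = gre_header_len(ip_payload)
    ppp = ip_payload[hlen:]
    proto, plen = decode_ppp_protocol(ppp)
    eap = ppp[plen:]                                          # what is left after the protocol field is consumed
    return {
        "gre_hlen": hlen,
        "ppp_proto": proto,
        "ppp_hlen": plen,
        "eap_code": eap[0],
        "c22701_after_ppp_decode": eap.startswith(b"\xc2\x27\x01"),
        "rule_offset_12": eap_request_rule(ip_payload),          # the thread's fixed offset
        "rule_offset_from_flags": eap_request_rule(ip_payload, hlen),
    }


# Constructed packets: the EAP name field is padded so dsize exceeds the rule's 260-byte floor.
PPP_EAP_FRAME = struct.pack(">H", PPP_PROTO_EAP) + build_eap_request(b"A" * 300)
PACKET_NO_ACK = build_pptp_gre(PPP_EAP_FRAME, seq=7)
PACKET_WITH_ACK = build_pptp_gre(PPP_EAP_FRAME, seq=7, ack=6)

if __name__ == "__main__":
    for label, pkt in (("no ack", PACKET_NO_ACK), ("ack piggybacked", PACKET_WITH_ACK)):
        print(label, analyse(pkt))
```

Running it prints both cases: with only K and S set the GRE header is 12 bytes and the thread's rule fires; with an acknowledgement piggybacked the header is 16 bytes, the bytes at offset 12 are the ack number, and only the flag-derived offset still lines up with `c2 27 01`. The decimal value 12723969 in "EAP Request 1" and 0xc22701 in "EAP Request 2" are the same 3-byte big-endian number, which is why both rules alerted on the same packet.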







From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Teodor Lupan via Snort-sigs <snort-sigs () lists snort org>
Reply-To: Teodor Lupan <theologu () gmail com>
Date: Thursday, March 26, 2020 at 4:39 PM
To: "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Subject: Re: [Snort-sigs] GRE PPTP/EAP inspection



Thanks for the idea! I have compiled the latest version with the indicated flag
and it's the same... It sees the packets correctly, but content matching is
still not possible.






On Thu, Mar 26, 2020 at 7:13 PM James Lay via Snort-sigs <
snort-sigs () lists snort org> wrote:

Compiling with:



--enable-non-ether-decoders



should get you what you need.



James

On Thu, 2020-03-26 at 12:38 -0400, Alex McDonnell wrote:

I went down this rabbit hole and I think I figured out this is probably a
case of similarly named protocols. PPTP is the Point-to-Point Tunneling
Protocol from https://www.ietf.org/rfc/rfc2637.txt and is a TCP protocol.
Your PCAP has PPP, the Point-to-Point Protocol, which is a layer 2 protocol,
which is why I think Snort cannot dump the raw data from it.



Alex McDonnell

Talos



On Thu, Mar 26, 2020 at 10:16 AM Teodor Lupan via Snort-sigs <
snort-sigs () lists snort org> wrote:

Hi everybody!



I am trying to match on a GRE/PPTP packet with the specific content "|c2 27
01|", which translates to an EAP Request code, with a signature like:



alert ip any any -> any any (msg:"EAP Request"; ip_proto:47; dsize: > 260; content: "|c2 27 01|"; offset: 0; rawbytes;)



According to https://www.snort.org/faq/readme-gre this should have
worked, the GRE decoder is enabled, but still the payload seems to be
encapsulated as I am unable to match on rawbytes content... or maybe I am
missing something.

Do you have any suggestions to make this work? (I have attached a pcap)



Thanks!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads







