Snort mailing list archives
Re: Snort and GTP encapsulation info
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Tue, 14 Feb 2017 13:44:18 +0000
Works for me. Did you disable checksum verification? (pcap has bad checksums)
Version 0:
ALLEWI-M-8257:snort-2.9.9.0-released allewi$ ./bin/snort -c etc/ANA3.conf -r ~/Downloads/gtp3.pcap -Acmg -k none -q
05/16-15:12:34.547278 [**] [1:10000006:0] gtp_version 0 [**] [Priority: 0] {UDP} 127.0.0.2:3386 -> 127.0.0.1:3386
05/16-15:12:34.547278 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x8D
127.0.0.2:3386 -> 127.0.0.1:3386 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:127 DF
Len: 99
1E 10 00 4F 10 01 00 00 FF FF FF FF 42 00 01 21 ...O........B..!
43 65 87 09 06 0B 92 1F 0E 04 0F 01 10 00 01 11 Ce..............
00 01 80 00 02 F1 21 83 00 09 08 69 6E 74 65 72 ......!....inter
6E 65 74 84 00 15 80 C0 23 11 01 01 00 11 03 6D net.....#......m
69 67 08 68 65 6D 6D 65 6C 69 67 85 00 04 7F 00 ig.hemmelig.....
00 02 85 00 04 7F 00 00 02 86 00 07 91 64 07 12 .............d..
32 54 F6 2T.
Type 255:
ALLEWI-M-8257:snort-2.9.9.0-released allewi$ ./bin/snort -c etc/ANA3.conf -r ~/Downloads/gtp3.pcap -Acmg -k none -q
05/16-15:24:34.684727 [**] [1:10000004:0] udp gtp_type 255 [**] [Priority: 0] {UDP} 127.0.0.2:3386 -> 127.0.0.1:3386
05/16-15:24:34.684727 00:00:00:00:00:00 -> 00:00:00:00:00:00 type:0x800 len:0x92
127.0.0.2:3386 -> 127.0.0.1:3386 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:132 DF
Len: 104
1E FF 00 54 00 00 00 01 FF FF FF FF 42 00 01 21 ...T........B..!
43 65 87 09 45 00 00 54 00 00 40 00 40 01 C5 3F Ce..E..T..@.@..?
C0 A8 00 03 D1 55 E3 68 08 00 E5 E9 00 00 00 00 .....U.h........
82 54 F0 4B AA 72 0A 00 08 09 0A 0B 0C 0D 0E 0F .T.K.r..........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F !"#$%&'()*+,-./
30 31 32 33 34 35 36 37 01234567
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
ALLEWI-M-8257:snort-2.9.9.0-released allewi$ cat etc/ANA3.conf | grep ^alert
alert udp any any -> any any (msg:"udp gtp_type 255"; sid:10000004; gtp_type:255; )
alert udp any any -> any any ( msg:"gtp_version 0"; sid:10000006; gtp_version:0; )
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>
From: Ana Serrano Mamolar <B00315494 () studentmail uws ac uk<mailto:B00315494 () studentmail uws ac uk>>
Date: Tuesday, February 14, 2017 at 7:49 AM
To: allewi <allewi () cisco com<mailto:allewi () cisco com>>
Cc: 'snort-users' <snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>>
Subject: Re: [Snort-users] Snort and GTP encapsulation info
Sorry, I forgot to attach the pcap
________________________________
From: Ana Serrano Mamolar
Sent: 14 February 2017 12:48:56
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort and GTP encapsulation info
Regarding my last message, I have other pcaps with just GTP encapsulation that are also not matching by gtp_version
or gtp_type when I run Snort. I attach an example that I found on the Internet with gtp_version 0 and gtp_type 255.
With this pcap Snort is not matching any of my rules:
alert udp any any -> any any (msg:"udp gtp_version 0"; sid:10000003; gtp_version:0; )
alert udp any any -> any any (msg:"udp gtp_type 255"; sid:10000004; gtp_type:255; )
I am trying to see the differences between this pcap and the last one I attached, and I cannot find any difference that
could cause Snort not to match gtp params for the last one but match them for the first one.
________________________________
From: Ana Serrano Mamolar <B00315494 () studentmail uws ac uk<mailto:B00315494 () studentmail uws ac uk>>
Sent: 14 February 2017 12:15:21
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort and GTP encapsulation info
It also seems that, if you have 2 encapsulations, like VXLAN/GTP or GRE/GTP, the gtp_version or gtp_type parameters
cannot be matched.
________________________________
From: Ana Serrano Mamolar
Sent: 14 February 2017 12:13:40
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort and GTP encapsulation info
Ok,
So we cannot filter by gtp_version and inner IP.
Thanks for your help Albert.
________________________________
From: Al Lewis (allewi) <allewi () cisco com<mailto:allewi () cisco com>>
Sent: 14 February 2017 11:57:39
To: Ana Serrano Mamolar
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort and GTP encapsulation info
Correct. Once you enable_gtp it doesn’t look like you can match “back” on the previous header. The “inner” packet is
what shows up to detection.
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>
From: Ana Serrano Mamolar <B00315494 () studentmail uws ac uk<mailto:B00315494 () studentmail uws ac uk>>
Date: Tuesday, February 14, 2017 at 5:47 AM
To: allewi <allewi () cisco com<mailto:allewi () cisco com>>
Cc: 'snort-users' <snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>>
Subject: Re: [Snort-users] Snort and GTP encapsulation info
Hi Albert,
Thanks a lot for your help. I think I was misunderstanding the "enable_gtp" meaning. So now, by disabling it, I can use
my rules to filter by gtp_version and gtp_type.
So, that means that I cannot filter by, for instance, gtp_version and ip in the gtp layer at the same time. Am I right?
I mean, in the pcap I attached yesterday, what would be the way to get events with a concrete gtp_type and ip_source
202.11.40.158?
Thanks
________________________________
From: Al Lewis (allewi) <allewi () cisco com<mailto:allewi () cisco com>>
Sent: 13 February 2017 18:37:55
To: Ana Serrano Mamolar
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort and GTP encapsulation info
Ana,
When “config enable_gtp” is set Snort will decode the packet and remove the GTP headers. They will show up in detection
as the next layer header (in this case icmp).
If you want to match specifically on the value of 255 (pdu) within the gtp header you need to remove the “config
enable_gtp” option so that Snort doesn’t pop the GTP header.
alewis@big-debbie:/var/tmp/snort-2.9.8.3$ ./bin/snort -c etc/ANA-GTP-1.conf -r etc/ANA-GTP-3.pcap -Acmg -q
12/10-05:53:35.441511 [**] [1:10000005:0] gtp_type 255 [**] [Priority: 0] {UDP} 192.168.40.179:2152 -> 192.168.40.178:2152
12/10-05:53:35.441511 00:0C:29:E3:C6:4D -> 00:0C:29:DA:D1:DE type:0x800 len:0x8A
192.168.40.179:2152 -> 192.168.40.178:2152 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:124 DF
Len: 96
32 FF 00 58 00 00 00 01 28 DB 00 00 45 00 00 54 2..X....(...E..T
00 00 40 00 40 01 5E A5 CA 0B 28 9E C0 A8 28 B2 ..@.@.^...(...(.
08 00 BE E7 00 00 28 7B 04 11 20 4B F4 3D 0D 00 ......({.. K.=..
08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 ................
18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 ........ !"#$%&'
28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 ()*+,-./01234567
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-05:53:35.441511 [**] [1:10000005:0] gtp_type 255 [**] [Priority: 0] {UDP} 192.168.40.179:2152 -> 192.168.40.178:2152
12/10-05:53:35.441511 00:0C:29:E3:C6:4D -> 00:0C:29:DA:D1:DE type:0x800 len:0x8A
192.168.40.179:2152 -> 192.168.40.178:2152 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:124 DF
Len: 96
32 FF 00 58 00 00 00 01 28 DB 00 00 45 00 00 54 2..X....(...E..T
00 00 40 00 40 01 5E A5 CA 0B 28 9E C0 A8 28 B2 ..@.@.^...(...(.
08 00 BE E7 00 00 28 7B 04 11 20 4B F4 3D 0D 00 ......({.. K.=..
08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 ................
18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 ........ !"#$%&'
28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 ()*+,-./01234567
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
alewis@big-debbie:/var/tmp/snort-2.9.8.3$ cat etc/ANA-GTP-1.conf | grep "type 255"
alert udp any any -> any any ( msg:"gtp_type 255"; sid:10000005; gtp_version: 1; gtp_type:255; )
Also the gtp_version should be 1 in this case and not 0.
Thanks!
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>
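The header fields these outputs are matching on, as an added example (not Snort code and not code from the thread): a parser for the GTP v0, v1 and v2 fixed headers run over the leading bytes of the dumps posted in this thread, which shows why the packets starting 0x1E are version 0 and the one starting 0x32 is version 1, and models the enable_gtp behaviour described above, where the decoder pops a T-PDU's header and detection only sees the inner packet. The RULES list, the DUMPS byte strings and the enable_gtp model are constructed simplifications, not Snort internals.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class GtpHeader:
    version: int          # value tested by gtp_version:
    msg_type: int         # value tested by gtp_type: (255 = T-PDU, 16 = Create PDP Context Req)
    length: int           # GTP length field
    header_len: int       # bytes the decoder pops under "config enable_gtp"
    teid: Optional[int]   # tunnel endpoint id (v1 always, v2 only when the T bit is set)

def parse_gtp(payload: bytes) -> GtpHeader:
    """Parse the fixed part of a GTP v0, v1 or v2 header from a UDP payload."""
    if len(payload) < 4:
        raise ValueError("too short for a GTP header")
    flags, msg_type, length = struct.unpack("!BBH", payload[:4])
    version = flags >> 5                       # top three bits of the first byte
    if version == 0:
        # v0: flags, type, len, seq, flow label, N-PDU, 3 spare, 8-byte TID = 20 bytes
        header_len, teid = 20, None
    elif version == 1:
        # v1: flags, type, len, TEID = 8 bytes, plus 4 more when E, S or PN is set
        teid = struct.unpack("!I", payload[4:8])[0]
        header_len = 12 if flags & 0x07 else 8
    elif version == 2:
        # v2: flags, type, len, TEID only when T (bit 3) is set, 3-byte seq, 1 spare
        t_bit = (flags >> 3) & 1
        teid = struct.unpack("!I", payload[4:8])[0] if t_bit else None
        header_len = 12 if t_bit else 8
    else:
        raise ValueError(f"unknown GTP version {version}")
    if len(payload) < header_len:
        raise ValueError("truncated GTP header")
    return GtpHeader(version, msg_type, length, header_len, teid)

def inner_packet(payload: bytes) -> Optional[bytes]:
    """Encapsulated packet of a T-PDU: what detection sees once enable_gtp pops the header."""
    hdr = parse_gtp(payload)
    return payload[hdr.header_len:] if hdr.msg_type == 255 else None

# (msg, gtp_version, gtp_type) for the rule options used in the thread; None = option absent.
RULES: List[Tuple[str, Optional[int], Optional[int]]] = [
    ("gtp_version 0", 0, None), ("gtp_version 1", 1, None),
    ("gtp_type 16", None, 16), ("gtp_type 32", None, 32), ("gtp_type 255", None, 255),
]

def fired_rules(payload: bytes, enable_gtp: bool = False) -> List[str]:
    """Which rules fire. Simplified model (assumption): with enable_gtp the decoder strips
    a T-PDU's GTP header, so the gtp_* options have no GTP header left to match."""
    hdr: Optional[GtpHeader] = parse_gtp(payload)
    if enable_gtp and hdr.msg_type == 255:
        hdr = None
    return [msg for msg, ver, typ in RULES
            if hdr is not None
            and (ver is None or hdr.version == ver)
            and (typ is None or hdr.msg_type == typ)]

# Leading bytes of the UDP payloads dumped in the thread (constructed from those dumps).
DUMPS = {
    "v0_type16": bytes.fromhex("1E10004F10010000FFFFFFFF4200012143658709"),
    "v0_tpdu":   bytes.fromhex("1EFF005400000001FFFFFFFF420001214365870945000054"),
    "v1_tpdu":   bytes.fromhex("32FF00580000000128DB000045000054"),
    "v1_type16": bytes.fromhex("32100032000000010001000006000001"),
    "v2_type32": bytes.fromhex("5820001700000001000100005D000000"),
}

if __name__ == "__main__":
    for name, pkt in DUMPS.items():
        h = parse_gtp(pkt)
        print(f"{name:10s} version={h.version} type={h.msg_type} teid={h.teid} "
              f"fires={fired_rules(pkt)} with enable_gtp={fired_rules(pkt, True)}")
```

For the two T-PDU dumps the bytes after the popped header begin 45 00 00 54, the inner IPv4 packet of 84 bytes, which is the layer detection sees when enable_gtp is set.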
From: Ana Serrano Mamolar <B00315494 () studentmail uws ac uk<mailto:B00315494 () studentmail uws ac uk>>
Date: Monday, February 13, 2017 at 11:35 AM
To: allewi <allewi () cisco com<mailto:allewi () cisco com>>, 'snort-users' <snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>>
Subject: Re: [Snort-users] Snort and GTP encapsulation info
Here I attach a pcap I downloaded as an example, with which I have the same problem: it is not triggering any of my
alerts from rules with gtp params. As you can see in the pcap, it is also gtp_version:0 and gtp_type:255.
Hope this is useful for you.
Thanks
________________________________
From: Ana Serrano Mamolar
Sent: 13 February 2017 16:26:07
To: Al Lewis (allewi); snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort and GTP encapsulation info
Yes, both of them match my pcap, version and type. At least, Wireshark shows
Version: GTP release 99 (1)
Protocol type: GTP (1)
Message Type: T-PDU (0xff).
Anyway, just to rule out that this was the reason and Wireshark was showing wrong values, I tried with the three
versions of gtp (0, 1 and 2), but with none of them was the alert triggered. That's why I thought there was a problem
with gtp params.
________________________________
From: Al Lewis (allewi) <allewi () cisco com<mailto:allewi () cisco com>>
Sent: 13 February 2017 13:26:48
To: Ana Serrano Mamolar
Subject: Re: [Snort-users] Snort and GTP encapsulation info
Is the message type in your pcap a pdu (255)?
The readme file for snort lists the message types and their numbers.
See the README.GTP file for details.
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>
From: allewi <allewi () cisco com<mailto:allewi () cisco com>>
Date: Monday, February 13, 2017 at 8:21 AM
To: Ana Serrano Mamolar <B00315494 () studentmail uws ac uk<mailto:B00315494 () studentmail uws ac uk>>
Subject: Re: [Snort-users] Snort and GTP encapsulation info
If this is the case then whatever is in your pcap doesn’t match the values you are looking for.
Without the pcap its difficult for me to tell for sure.
Make sure the version and type match your options you are setting in your rule.
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>
From: Ana Serrano Mamolar <B00315494 () studentmail uws ac uk<mailto:B00315494 () studentmail uws ac uk>>
Date: Monday, February 13, 2017 at 8:17 AM
To: allewi <allewi () cisco com<mailto:allewi () cisco com>>
Subject: Re: [Snort-users] Snort and GTP encapsulation info
Hi,
This file is already included in my snort.conf.
include $RULE_PATH/local_rules
As I said, I know that the rules in this file are being loaded by snort, since if I remove the gtp param,
so if I just leave the rule like this:
alert udp any any -> any any ( msg:"gtp_version"; sid:10000003; )
then this alert is triggered.
01/19-19:55:10.052620 [**] [1:10000003:0] gtp_version [**] [Priority: 0] {UDP}
Thanks
________________________________
From: Al Lewis (allewi) <allewi () cisco com<mailto:allewi () cisco com>>
Sent: 13 February 2017 13:09:02
To: Ana Serrano Mamolar
Subject: Re: [Snort-users] Snort and GTP encapsulation info
For the example I gave, just copy the rules into the conf file. Then run snort again and it should alert (as shown in
the other email).
If you have your rules in a separate config file then you need to include the other file in your config.
The file must be explicitly included in your conf with the “include” keyword.
Something like 'include /etc/snort/rules/local.rules' should be in your file.
Also make sure you don’t have overlapping rule IDs in the include.
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>
From: Ana Serrano Mamolar <B00315494 () studentmail uws ac uk<mailto:B00315494 () studentmail uws ac uk>>
Date: Monday, February 13, 2017 at 7:59 AM
To: allewi <allewi () cisco com<mailto:allewi () cisco com>>
Subject: Re: [Snort-users] Snort and GTP encapsulation info
When I run Snort as you said ( ./bin/snort -c etc/ANA-GTP.conf -r etc/ANA-GTP.pcap -Acmg -k none -q ),
I don't get anything, since no alert is being triggered.
Then, if I run " cat /etc/snort/snort.conf | grep 100000 " I don't get my rules either. Should I? My rules are loaded in
a separate file in /etc/snort/rules/local.rules. These rules are being loaded, since if I remove the gtp parameter from
them, the alert is triggered.
When you write etc/ANA-GTP.conf, does it mean that there is a separate configuration for GTP detection? I am using the
same "snort.conf" for everything.
Thanks
________________________________
From: Al Lewis (allewi) <allewi () cisco com<mailto:allewi () cisco com>>
Sent: 13 February 2017 12:49:16
To: Ana Serrano Mamolar
Subject: Re: [Snort-users] Snort and GTP encapsulation info
You should get something like this:
cliffjumper$ ./bin/snort -c etc/ANA-GTP.conf -r etc/ANA-GTP.pcap -Acmg -k none -q
09/08-20:20:15.504682 [**] [1:10000004:0] gtp_type 16 [**] [Priority: 0] {UDP} 10.1.2.3:48620 -> 10.9.8.7:3386
09/08-20:20:15.504682 02:01:02:03:04:05 -> 02:09:08:07:06:05 type:0x800 len:0x6C
10.1.2.3:48620 -> 10.9.8.7:3386 UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:94
Len: 66
10 10 00 2E 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 06 00 00 01 0F 02 10 00 01 11 00 00 ................
80 00 02 01 21 83 00 07 65 78 70 6C 6F 69 74 85 ....!...exploit.
00 04 C0 A8 01 01 85 00 04 C0 A8 01 01 86 00 02 ................
00 00 ..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
09/08-20:20:15.504829 [**] [1:10000004:0] gtp_type 16 [**] [Priority: 0] {UDP} 10.1.2.3:48620 -> 10.9.8.7:2123
09/08-20:20:15.504829 02:01:02:03:04:05 -> 02:09:08:07:06:05 type:0x800 len:0x64
10.1.2.3:48620 -> 10.9.8.7:2123 UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:86
Len: 58
32 10 00 32 00 00 00 01 00 01 00 00 06 00 00 01 2..2............
0F 02 10 00 01 11 00 00 80 00 02 01 21 83 00 07 ............!...
65 78 70 6C 6F 69 74 85 00 04 C0 A8 01 01 85 00 exploit.........
04 C0 A8 01 01 86 00 02 00 00 ..........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
09/08-20:20:15.504829 [**] [1:10000003:0] gtp_version 1 [**] [Priority: 0] {UDP} 10.1.2.3:48620 -> 10.9.8.7:2123
09/08-20:20:15.504829 02:01:02:03:04:05 -> 02:09:08:07:06:05 type:0x800 len:0x64
10.1.2.3:48620 -> 10.9.8.7:2123 UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:86
Len: 58
32 10 00 32 00 00 00 01 00 01 00 00 06 00 00 01 2..2............
0F 02 10 00 01 11 00 00 80 00 02 01 21 83 00 07 ............!...
65 78 70 6C 6F 69 74 85 00 04 C0 A8 01 01 85 00 exploit.........
04 C0 A8 01 01 86 00 02 00 00 ..........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
09/08-20:20:15.504901 [**] [1:10000005:0] gtp_type 32 [**] [Priority: 0] {UDP} 10.1.2.3:48620 -> 10.9.8.7:2123
09/08-20:20:15.504901 02:01:02:03:04:05 -> 02:09:08:07:06:05 type:0x800 len:0x45
10.1.2.3:48620 -> 10.9.8.7:2123 UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:55
Len: 27
58 20 00 17 00 00 00 01 00 01 00 00 5D 00 00 00 X ..........]...
47 00 07 00 65 78 70 6C 6F 69 74 G...exploit
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Rules...
ALLEWI-M-8257:snort-2.9.9.0-released allewi$ cat etc/ANA-GTP.conf | grep 100000
alert udp any any -> any any ( msg:"gtp_version 1"; sid:10000003; gtp_version:1;)
alert udp any any -> any any ( msg:"gtp_type 16"; sid:10000004; gtp_type:16; )
alert udp any any -> any any ( msg:"gtp_type 32"; sid:10000005; gtp_type:32; )
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>
From: Ana Serrano Mamolar <B00315494 () studentmail uws ac uk<mailto:B00315494 () studentmail uws ac uk>>
Date: Monday, February 13, 2017 at 7:01 AM
To: allewi <allewi () cisco com<mailto:allewi () cisco com>>
Subject: Re: [Snort-users] Snort and GTP encapsulation info
Hi Albert,
Unfortunately I cannot send the pcap. If the reason for asking for it was to see the GTP encapsulation, I can assure you
that it has it, and it is also shown when I open it with Wireshark (in the GPRS Tunneling Protocol layer).
Thanks
________________________________
From: Al Lewis (allewi) <allewi () cisco com<mailto:allewi () cisco com>>
Sent: 13 February 2017 11:42:15
To: Ana Serrano Mamolar; Joel Esler (jesler)
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort and GTP encapsulation info
Can you send us the pcap please?
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>
From: Ana Serrano Mamolar <B00315494 () studentmail uws ac uk<mailto:B00315494 () studentmail uws ac uk>>
Date: Monday, February 13, 2017 at 6:29 AM
To: "Joel Esler (jesler)" <jesler () cisco com<mailto:jesler () cisco com>>
Cc: 'snort-users' <snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>>
Subject: Re: [Snort-users] Snort and GTP encapsulation info
Hi again,
I cannot get the Snort gtp preprocessor and decoder working.
I have reviewed the snort manual many times and followed the instructions to configure it to be able to manage gtp rules.
These are the lines in my snort.conf related to gtp:
config enable_gtp
portvar GTP_PORTS [2152,3386]
preprocessor gtp: ports { 2123 3386 2152 }
I have also checked that stream5 and frag3 are activated, and I saw that they were by default in my configuration. Is
there any other way to check it better?
Then, I have tried with a pcap I have that includes GTP encapsulation. I can see that with Wireshark, and also its gtp
version and message type.
Unfortunately, when I add some gtp_version (I tried with the three, just in case) or gtp_type in my rule it doesn't
trigger the alert.
My alert is a very simple one for UDP, that used to be triggered with this pcap before adding any gtp rule.
Has anybody had the same problem, or does anyone know how it could be solved?
Thanks
________________________________
From: Ana Serrano Mamolar <B00315494 () studentmail uws ac uk<mailto:B00315494 () studentmail uws ac uk>>
Sent: 09 February 2017 11:10:37
To: Joel Esler (jesler)
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort and GTP encapsulation info
Thanks Joel,
I didn't know this tool until now; very useful. Now, I have run it with my last snort.u2 log, but I cannot get any
gtp information.
As I said, I have already enabled gtp in my config file. Should I use any special option when running Snort to obtain
this gtp information?
Thanks
________________________________
From: Joel Esler (jesler) <jesler () cisco com<mailto:jesler () cisco com>>
Sent: 08 February 2017 20:06:32
To: Ana Serrano Mamolar
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort and GTP encapsulation info
It may not be a field that is inserted into the db. It may be in the unified2 output file that you can access with
u2spewfoo in the contrib/ directory.
--
Joel Esler | Talos: Manager | jesler () cisco com<mailto:jesler () cisco com>
On Feb 8, 2017, at 2:54 PM, Ana Serrano Mamolar <B00315494 () studentmail uws ac uk<mailto:B00315494 () studentmail uws ac uk>> wrote:
Hi all,
Again with an encapsulation question.
I am trying to understand how Snort manages GTP encapsulation, which I know is supported. I have already enabled gtp in
my config file with "config enable_gtp".
I run Snort with different pcaps I have that include GTP, trying to see which info I obtain from Snort with a very
silly rule, to be sure that it is triggered.
My question is the following: does somebody know where in the database the TEID (tunnel identifier) of the packet that
triggered the alert is stored? I have seen in the Snort source code that it's parsed, but I cannot find it in the
database.
Thanks
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org<http://slashdot.org/>!
http://sdm.link/slashdot_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!
