[Snort-users] Detection of malware using GTP tunneling protocol

Roland roland at ...16861...
Mon Jun 9 07:36:02 EDT 2014


Hi,

I'm trying to detect malware in mobile networks on the Gn interface. 
Therefore I have enabled GTP and the GTP preprocessor.
When I send some pre-captured malware samples, I get the following effect:

* Start snort ==> snort -c /etc/snort/snort.conf -i eth1 -A console
* Send captured samples ==> tcpreplay -i eth1 -t <sample>
* Snort does not show any alarm
* kill -USR1 <snort pid> ==> shows that packets have been received and that 
the GTP preprocessor did some work on them

===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
     POST methods:                         0
     GET methods:                          0
     HTTP Request Headers extracted:       0
     HTTP Request Cookies extracted:       0
     Post parameters extracted:            0
     HTTP response Headers extracted:      0
     HTTP Response Cookies extracted:      0
     Unicode:                              0
     Double unicode:                       0
     Non-ASCII representable:              0
     Directory traversals:                 0
     Extra slashes ("//"):                 0
     Self-referencing paths ("./"):        0
     HTTP Response Gzip packets extracted: 0
     Gzip Compressed Data Processed:       n/a
     Gzip Decompressed Data Processed:     n/a
     Total packets processed:              128
===============================================================================
GTP Preprocessor Statistics
   Total sessions: 1
   Total reserved messages: 0
   Packets with reserved information elements: 0
   Total messages of version 1: 840
===============================================================================

Retry the same, but wait 10 minutes before sending the packets:

* Start snort ==> snort -c /etc/snort/snort.conf -i eth1 -A console
* Wait 10 minutes
* Send captured samples ==> tcpreplay -i eth1 -t <sample>
* Snort alerts on all malware packets

===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
     POST methods:                         11
     GET methods:                          117
     HTTP Request Headers extracted:       128
     HTTP Request Cookies extracted:       0
     Post parameters extracted:            0
     HTTP response Headers extracted:      0
     HTTP Response Cookies extracted:      0
     Unicode:                              0
     Double unicode:                       0
     Non-ASCII representable:              0
     Directory traversals:                 0
     Extra slashes ("//"):                 1
     Self-referencing paths ("./"):        0
     HTTP Response Gzip packets extracted: 0
     Gzip Compressed Data Processed:       n/a
     Gzip Decompressed Data Processed:     n/a
     Total packets processed:              132
===============================================================================
GTP Preprocessor Statistics
   Total sessions: 1
   Total reserved messages: 0
   Packets with reserved information elements: 0
   Total messages of version 1: 840

Does anyone have a clue what the reason for this behaviour is? As the 
malware packets are recognized in the second case, I assume that the 
pcap file used is okay.

Snort version 2.9.6.0, DAQ 2.0.2, Centos 6.5

Thanks
Roland
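The two SIGUSR1 dumps in the post can be compared mechanically: what distinguishes the runs is that the GTP preprocessor decoded the same 840 version-1 messages both times, while HTTP Inspect extracted 0 requests in the first run and 128 in the second. The script below is an added example (not code from the post or from the Snort project) that parses a Snort statistics dump into per-section counters, diffs two runs, and reports whether GTP was decoded but the encapsulated HTTP never reached HTTP Inspect. The embedded dumps are trimmed copies of the two quoted above; the section names and the "gtp-decoded-http-not-inspected" diagnosis strings are this example's own choices.

```python
import re

# Trimmed copies of the two SIGUSR1 dumps quoted in the post, embedded here
# as constructed test input so the script runs offline.
RUN_IMMEDIATE = """\
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
     POST methods:                         0
     GET methods:                          0
     HTTP Request Headers extracted:       0
     Extra slashes ("//"):                 0
     Gzip Compressed Data Processed:       n/a
     Total packets processed:              128
===============================================================================
GTP Preprocessor Statistics
   Total sessions: 1
   Total reserved messages: 0
   Packets with reserved information elements: 0
   Total messages of version 1: 840
===============================================================================
"""

RUN_AFTER_WAIT = """\
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
     POST methods:                         11
     GET methods:                          117
     HTTP Request Headers extracted:       128
     Extra slashes ("//"):                 1
     Gzip Compressed Data Processed:       n/a
     Total packets processed:              132
===============================================================================
GTP Preprocessor Statistics
   Total sessions: 1
   Total reserved messages: 0
   Packets with reserved information elements: 0
   Total messages of version 1: 840
"""

# Section headers we care about; the HTTP Inspect header carries a trailing
# "(Note: ...)" so match only its leading text.
SECTION_RE = re.compile(r"^(HTTP Inspect - encodings|GTP Preprocessor Statistics)")


def parse_stats(dump):
    """Parse a Snort statistics dump into {section: {counter_name: value}}.

    Counter lines have the form "<name>: <value>"; the name itself may contain
    a colon (e.g. quoted "//"), so split on the last colon only. Numeric values
    become ints, anything else (e.g. "n/a") is kept as a string.
    """
    stats = {}
    section = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("==="):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            stats[section] = {}
            continue
        if section is None or ":" not in line:
            continue
        name, _, value = line.rpartition(":")
        value = value.strip()
        stats[section][name.strip()] = int(value) if value.isdigit() else value
    return stats


def gtp_decoded(stats):
    """True if the GTP preprocessor decoded at least one GTP message."""
    gtp = stats.get("GTP Preprocessor Statistics", {})
    return gtp.get("Total messages of version 1", 0) > 0


def http_inspected(stats):
    """True if HTTP Inspect extracted at least one GET or POST request."""
    http = stats.get("HTTP Inspect - encodings", {})
    return http.get("GET methods", 0) + http.get("POST methods", 0) > 0


def diagnose(stats):
    """Classify a run by the symptom discussed in the post."""
    if not gtp_decoded(stats):
        return "no-gtp-traffic"
    if not http_inspected(stats):
        return "gtp-decoded-http-not-inspected"
    return "gtp-decoded-http-inspected"


def diff_counters(before, after):
    """Return {(section, counter): (old, new)} for every counter that changed."""
    changed = {}
    for section, counters in after.items():
        for name, new in counters.items():
            old = before.get(section, {}).get(name)
            if old != new:
                changed[(section, name)] = (old, new)
    return changed


if __name__ == "__main__":
    first, second = parse_stats(RUN_IMMEDIATE), parse_stats(RUN_AFTER_WAIT)
    print("immediate replay :", diagnose(first))
    print("replay after wait:", diagnose(second))
    for (section, name), (old, new) in sorted(diff_counters(first, second).items()):
        print(f"  {section} / {name}: {old} -> {new}")
```

Run it against the two dumps and only HTTP Inspect counters change between the runs; the GTP counters are identical, which is what narrows the question to what happens between GTP decapsulation and HTTP inspection rather than to the GTP preprocessor itself.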