[Snort-users] Snort and GTP encapsulation info

Ana Serrano Mamolar B00315494 at ...17757...
Mon Feb 13 06:29:23 EST 2017

Hi again,

I cannot make the Snort GTP preprocessor and decoder work.

I have reviewed the Snort manual many times and followed the instructions to configure it to be able to handle gtp rules. These are the lines in my snort.conf related to gtp:

config enable_gtp

portvar GTP_PORTS [2152,3386]

preprocessor gtp: ports { 2123 3386 2152 }

I have also checked that stream5 and frag3 are active, and I saw that they were by default in my configuration. Is there any better way to check it?

Then I tried with a pcap I have that includes GTP encapsulation. I can see that with Wireshark, and also its gtp version and message type.

Unfortunately, when I add some gtp_version (I tried all three, just in case) or gtp_type to my rule, it doesn't trigger the alert.

My alert is a very simple one for UDP, which used to be triggered with this pcap before adding any gtp rule option.

Has anybody had the same problem, or does anyone know how it could be solved?
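As an illustration of what the gtp_version, gtp_type and TEID fields in the thread refer to, the following is a standalone parser for the three GTP header versions that Snort's gtp preprocessor recognises. It is an added example, not code from the thread or from the Snort project: the packets are hand-constructed, GTP_PORTS mirrors the port numbers from the snort.conf lines above, and rule_matches is a hypothetical helper that only imitates the gtp_version/gtp_type rule-option semantics, not Snort's implementation. Header layouts follow 3GPP TS 09.60 (GTPv0), TS 29.060 (GTPv1) and TS 29.274 (GTPv2-C).

```python
"""Standalone GTP header parser (added example, not Snort's decoder).
Covers gtp_version 0, 1 and 2 and extracts version, message type, TEID
(TID for v0) and the header length, then checks the Length field."""
import struct

# Ports from the snort.conf in the thread: 3386 is GTPv0, 2123 GTP-C, 2152 GTP-U.
GTP_PORTS = {3386: "GTPv0", 2123: "GTP-C", 2152: "GTP-U"}


def parse_gtp(payload: bytes) -> dict:
    """Parse the GTP header at the start of a UDP payload; ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("too short for a GTP header")
    flags, msg_type = payload[0], payload[1]
    version = flags >> 5                      # top three bits of octet 1
    length = struct.unpack_from("!H", payload, 2)[0]
    info = {"version": version, "message_type": msg_type, "length": length}
    if version == 0:
        # Fixed 20-octet header, 64-bit TID instead of a TEID; Length excludes the header.
        if len(payload) < 20:
            raise ValueError("GTPv0 header is 20 octets")
        seq, flow_label = struct.unpack_from("!HH", payload, 4)
        info.update(header_len=20, seq=seq, flow_label=flow_label,
                    tid=struct.unpack_from("!Q", payload, 12)[0])
        expected = 20 + length
    elif version == 1:
        # 8-octet mandatory header; any of E/S/PN adds a 4-octet optional part and,
        # if E is set, a chain of extension headers. Length counts all octets after octet 8.
        hdr_len = 8
        teid = struct.unpack_from("!I", payload, 4)[0]
        if flags & 0x07:
            if len(payload) < 12:
                raise ValueError("GTPv1 optional header truncated")
            seq, n_pdu, next_ext = struct.unpack_from("!HBB", payload, 8)
            hdr_len = 12
            info.update(seq=seq, n_pdu=n_pdu)
            while next_ext != 0:              # each extension: len/4, content, next type
                if hdr_len >= len(payload) or payload[hdr_len] == 0:
                    raise ValueError("bad GTPv1 extension header")
                ext_len = payload[hdr_len] * 4
                if hdr_len + ext_len > len(payload):
                    raise ValueError("GTPv1 extension header truncated")
                next_ext = payload[hdr_len + ext_len - 1]
                hdr_len += ext_len
        info.update(header_len=hdr_len, teid=teid)
        expected = 8 + length
    elif version == 2:
        # 4-octet mandatory header; T flag adds a TEID; then 3-octet sequence number + spare.
        off, teid = 4, None
        if flags & 0x08:
            teid = struct.unpack_from("!I", payload, 4)[0]
            off = 8
        if len(payload) < off + 4:
            raise ValueError("GTPv2 header truncated")
        info.update(header_len=off + 4, teid=teid,
                    seq=int.from_bytes(payload[off:off + 3], "big"))
        expected = 4 + length
    else:
        raise ValueError(f"unknown GTP version {version}")
    info["length_ok"] = len(payload) == expected
    info["payload"] = payload[info["header_len"]:]
    return info


def rule_matches(info: dict, gtp_version=None, gtp_type=None) -> bool:
    """Hypothetical imitation of the gtp_version / gtp_type rule options: every
    option given must match, and gtp_type may be one type or a list of types."""
    if gtp_version is not None and info["version"] != gtp_version:
        return False
    if gtp_type is not None:
        types = gtp_type if isinstance(gtp_type, (list, tuple, set)) else (gtp_type,)
        if info["message_type"] not in types:
            return False
    return True


# Constructed sample packets (UDP payloads only).
INNER_IP = bytes.fromhex("4500001c00010000401100000a0000010a000002"   # 20-octet IPv4, 10.0.0.1 -> 10.0.0.2
                         "0035003500080000")                           # 8-octet UDP header
GTPV1_GPDU = bytes([0x30, 0xFF]) + struct.pack("!HI", len(INNER_IP), 0x12345678) + INNER_IP
GTPV1_ECHO_REQ = bytes([0x32, 0x01]) + struct.pack("!HI", 4, 0) + struct.pack("!HBB", 1, 0, 0)
GTPV2_CSR = bytes([0x48, 32]) + struct.pack("!HI", 8, 0) + bytes([0x00, 0x01, 0x02, 0x00])
GTPV0_TPDU = (bytes([0x1E, 0xFF]) + struct.pack("!HHH", len(INNER_IP), 1, 0) + b"\xff" * 4
              + struct.pack("!Q", 0x2143658709214365) + INNER_IP)

if __name__ == "__main__":
    for name, port, pkt in (("GTPv1-U G-PDU", 2152, GTPV1_GPDU), ("GTPv1 Echo Request", 2123, GTPV1_ECHO_REQ),
                            ("GTPv2-C Create Session Request", 2123, GTPV2_CSR), ("GTPv0 T-PDU", 3386, GTPV0_TPDU)):
        info = parse_gtp(pkt)
        print(f"{name} on {GTP_PORTS[port]}: version={info['version']} type={info['message_type']} "
              f"teid={info.get('teid', info.get('tid'))!r:#x} hdr={info['header_len']} length_ok={info['length_ok']}")
```

Running the script prints one line per sample; the G-PDU on port 2152 parses as version 1, type 255, TEID 0x12345678, which is what a rule with gtp_version:1 and gtp_type:255 would be keyed on.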


From: Ana Serrano Mamolar <B00315494 at ...17757...>
Sent: 09 February 2017 11:10:37
To: Joel Esler (jesler)
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort and GTP encapsulation info

Thanks Joel,

I didn't know this tool until now; it is very useful. Now I have run it with my last snort.u2 log, but I cannot get any gtp information.

As I said, I have already enabled gtp in my config file. Should I use any special option when running Snort to obtain this gtp information?


From: Joel Esler (jesler) <jesler at ...589...>
Sent: 08 February 2017 20:06:32
To: Ana Serrano Mamolar
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort and GTP encapsulation info

It may not be a field that is inserted into the db.  It may be in the unified2 output file that you can access with u2spewfoo in the contrib/ directory.

Joel Esler | Talos: Manager | jesler at ...589...<mailto:jesler at ...589...>

On Feb 8, 2017, at 2:54 PM, Ana Serrano Mamolar <B00315494 at ...17757...<mailto:B00315494 at ...17757...>> wrote:

Hi all,
Again with an encapsulation question.
I am trying to understand how Snort manages GTP encapsulation, which I know is supported. I have already enabled gtp in my config file with "config enable_gtp".
I ran Snort with different pcaps that I have that include GTP and tried to see what info I obtain from Snort with a very silly rule, to be sure that it is triggered.
My question is the following: does anybody know where in the database the TEID (tunnel identifier) of the packet that triggered the alert is stored? I have seen in the Snort source code that it is parsed, but then I cannot find it in the database.