[Snort-users] GRE preprocessor and rules

Ana Serrano Mamolar B00315494 at ...17757...
Fri Feb 17 04:31:17 EST 2017

Hi Albert,

In README.gre they say "Snort does not support more than 1 layer of GRE encapsulation"  so it is

| Eth | IP | GRE | IP | GRE | IP | TCP | Payload |

But it doesn't say anything about any other double encapsulation such as

| Eth | IP | GRE | IP | GTP | IP | UDP | Payload |

Is this not supported either?


From: Al Lewis (allewi) <allewi at ...589...>
Sent: 17 February 2017 04:11:13
To: Ana Serrano Mamolar
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] GRE preprocessor and rules

See the README.gre file for more info… only one layer of encapsulation is supported.

ALLEWI-M-8257:snort- allewi$ cat etc/ANA3.conf | grep alert
alert icmp any -> any any (msg:"INNER IP"; sid:10000004;)

ALLEWI-M-8257:snort- allewi$ tcpdump -n -r etc/ANA-GRE.pcap
reading from file etc/ANA-GRE.pcap, link-type EN10MB (Ethernet)
07:06:06.434897 IP > GREv0, length 104: IP > ICMP echo request, id 2, seq 0, length 80

ALLEWI-M-8257:snort- allewi$ ./bin/snort -c etc/ANA3.conf -r etc/ANA-GRE.pcap -Acmg -q
06/21-07:06:06.434897  [**] [1:10000004:0] INNER IP [**] [Priority: 0] {ICMP} ->
06/21-07:06:06.434897 C2:00:57:75:00:00 -> C2:01:57:75:00:00 type:0x800 len:0x8A -> GRE TTL:255 TOS:0x0 ID:10 IpLen:20 DgmLen:124
GRE version:0 flags:0x00 ether-type:0x0800 -> ICMP TTL:255 TOS:0x0 ID:10 IpLen:20 DgmLen:100
Type:8  Code:0  ID:2   Seq:0  ECHO
00 00 00 00 00 03 BE 70 AB CD AB CD AB CD AB CD  .......p........
AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD  ................
AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD  ................
AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD  ................
AB CD AB CD AB CD AB CD                          ........


Albert Lewis
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589...
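As an added illustration of what the capture above exercises (this is not code from the thread, from Snort, or from Cisco): a small Python decoder that walks the Eth|IP|GRE|IP headers, counts GRE layers, and applies the one-layer limit quoted from README.gre. The sample frames are constructed to match the sizes in the dump (ICMP 80, inner IP 100, outer IP 124); the IP addresses and the `rule_visible_ip` helper are assumptions.

```python
import socket
import struct
ETH_LEN, ETHERTYPE_IP, PROTO_GRE, PROTO_ICMP = 14, 0x0800, 47, 1

def ipv4_hdr(src, dst, proto, payload_len, ttl=255, ident=10):
    """Minimal IPv4 header (no options, checksum left zero) for a test frame."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def gre_hdr(ethertype=ETHERTYPE_IP):
    """GRE version 0 header with no optional fields (flags = 0), as in the capture."""
    return struct.pack("!HH", 0, ethertype)

def parse_ipv4(buf, off):
    """Return (src, dst, proto, offset after header) for the IPv4 header at buf[off:]."""
    vhl, _, _, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, off + (vhl & 0x0F) * 4

def parse_gre(buf, off):
    """Return (ethertype, offset after header); C/R, K and S flags add 4 bytes each."""
    flags, ethertype = struct.unpack_from("!HH", buf, off)
    size = 4 + sum(4 for bit in (0xC000, 0x2000, 0x1000) if flags & bit)
    return ethertype, off + size

def decode_layers(frame):
    """Walk Eth|IP|GRE|IP|... and return ([(src, dst, proto), ...], gre_depth)."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IP:
        return [], 0
    layers, depth, off = [], 0, ETH_LEN
    while True:
        src, dst, proto, off = parse_ipv4(frame, off)
        layers.append((src, dst, proto))
        if proto != PROTO_GRE:
            return layers, depth
        ethertype, off = parse_gre(frame, off)
        depth += 1
        if ethertype != ETHERTYPE_IP:  # GRE carrying something other than IPv4: stop here
            return layers, depth

def rule_visible_ip(frame):
    """Innermost IP header within README.gre's one-GRE-layer limit; None beyond it (assumption)."""
    layers, depth = decode_layers(frame)
    return layers[-1] if layers and depth <= 1 else None

# Constructed frames; addresses are placeholders since the dump does not show them.
ICMP = struct.pack("!BBHHH", 8, 0, 0, 2, 0) + bytes(5) + b"\x03\xbe\x70" + b"\xab\xcd" * 32
INNER = ipv4_hdr("10.0.0.1", "10.0.0.2", PROTO_ICMP, len(ICMP)) + ICMP
ETH = bytes.fromhex("c20157750000c20057750000") + struct.pack("!H", ETHERTYPE_IP)
ONE_GRE = ETH + ipv4_hdr("192.0.2.1", "192.0.2.2", PROTO_GRE, 4 + len(INNER)) + gre_hdr() + INNER
TWO_GRE = ETH + ipv4_hdr("198.51.100.1", "198.51.100.2", PROTO_GRE, 4 + len(ONE_GRE) - ETH_LEN) + gre_hdr() + ONE_GRE[ETH_LEN:]
```

`decode_layers(TWO_GRE)` reports a GRE depth of 2, which is the case README.gre says Snort does not decode.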

From: Ana Serrano Mamolar <B00315494 at ...17757...>
Date: Thursday, February 16, 2017 at 2:09 PM
To: 'snort-users' <snort-users at lists.sourceforge.net>
Subject: [Snort-users] GRE preprocessor and rules


Does somebody know how to use rules to filter by the inner IP in case of GRE encapsulation?

That is, in the following case,

| Eth | IP1 | GRE | IP2 | TCP | Payload |

is it possible, by default, to trigger an alert matching a rule with IP2?

