Two components are developed: GTP decoder and GTP preprocessor.
When the decoder is enabled and configured, the decoder strips the GTP headers and parses the underlying IP/TCP/UDP encapsulated packets. Therefore all rules and detection work as if there was no GTP header.
IP -> UDP -> GTP -> IP -> TCP -> HTTP
If you had a standard HTTP rule:
alert tcp any any -> any $HTTP_PORTS (msg:"Test HTTP"; flow:to_server,established; content:"SOMETHINGEVIL"; http_uri; .... sid:X; rev:Y;)it would alert on the inner HTTP data that is encapsulated in GTP without any changes to the rule other than enabling and configuring the GTP decoder.