
GTP Decoder and Preprocessor

GTP (GPRS Tunneling Protocol) is used in core communication networks to establish a channel between GSNs (GPRS Serving Node). The GTP decoding preprocessor provides a way to detect intrusion attempts made against those networks through GTP. It also makes detecting new attacks easier.

Two components are developed: GTP decoder and GTP preprocessor.

When the decoder is enabled and configured, the decoder strips the GTP headers and parses the underlying IP/TCP/UDP encapsulated packets. Therefore all rules and detection work as if there were no GTP header.


Most GTP packets look like this:

IP -> UDP -> GTP -> IP -> TCP -> HTTP

If you had a standard HTTP rule:

alert tcp any any -> any $HTTP_PORTS (msg:"Test HTTP"; flow:to_server,established; content:"SOMETHINGEVIL"; http_uri; .... sid:X; rev:Y;)

it would alert on the inner HTTP data that is encapsulated in GTP without any changes to the rule other than enabling and configuring the GTP decoder.
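The following is an added, stand-alone Python example (not Snort's own decoder code) that illustrates what the decoder does with the packet layout above: it walks outer IPv4 -> UDP, strips a GTPv0 or GTPv1 G-PDU header (including the GTPv1 optional fields and chained extension headers), then parses the inner IPv4 -> TCP packet so that the HTTP payload can be inspected as if the tunnel were not there. The sample packet, the addresses, the TEID and the simplified rule check (inner destination port in an HTTP port list plus a content match on the request URI, approximating the content/http_uri options of the rule above) are constructed here for illustration; the helper names are not Snort APIs.

```python
import socket
import struct

GTP_GPDU = 255            # GTP message type 255: G-PDU, carries an encapsulated user packet (T-PDU)
GTP_PORTS = (2152, 3386)  # GTP-U (GTPv1) and GTPv0 UDP ports
IPPROTO_UDP, IPPROTO_TCP = 17, 6


def parse_ipv4(buf):
    """Return (proto, src, dst, payload) for the IPv4 header at the start of buf."""
    version, ihl = buf[0] >> 4, (buf[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    total_len = struct.unpack("!H", buf[2:4])[0]
    return buf[9], socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20]), buf[ihl:total_len]


def parse_udp(buf):
    sport, dport, length = struct.unpack("!HHH", buf[0:6])
    return sport, dport, buf[8:length]


def parse_tcp(buf):
    sport, dport = struct.unpack("!HH", buf[0:4])
    data_offset = (buf[12] >> 4) * 4
    return sport, dport, buf[data_offset:]


def strip_gtp(buf):
    """Return the inner IP packet (T-PDU) carried by a GTPv0 or GTPv1 G-PDU."""
    version, msg_type = buf[0] >> 5, buf[1]
    length = struct.unpack("!H", buf[2:4])[0]   # bytes following the mandatory header
    if version == 0:
        mandatory = hdr = 20                      # GTPv0: fixed 20-byte header
    elif version == 1:
        mandatory = hdr = 8                       # GTPv1: 8-byte mandatory header
        if buf[0] & 0x07:                         # E, S or PN flag set: 4 optional bytes present
            hdr = 12
            next_ext = buf[11]                    # next extension header type, 0 = none
            while next_ext != 0:                  # walk the extension header chain
                ext_len = buf[hdr] * 4            # ext header length is in 4-byte units
                next_ext = buf[hdr + ext_len - 1]
                hdr += ext_len
    else:
        raise ValueError("unsupported GTP version")
    if msg_type != GTP_GPDU:
        raise ValueError("not a G-PDU; no encapsulated user packet")
    return buf[hdr:mandatory + length]


def decode_packet(buf):
    """Outer IP/UDP/GTP -> inner IP/TCP; returns the inner 5-tuple fields and TCP payload."""
    proto, _, _, ip_payload = parse_ipv4(buf)
    if proto != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    sport, dport, udp_payload = parse_udp(ip_payload)
    if sport not in GTP_PORTS and dport not in GTP_PORTS:
        raise ValueError("not GTP traffic")
    inner_proto, src, dst, inner_payload = parse_ipv4(strip_gtp(udp_payload))
    if inner_proto != IPPROTO_TCP:
        raise ValueError("inner packet is not TCP")
    tsport, tdport, data = parse_tcp(inner_payload)
    return {"src": src, "dst": dst, "sport": tsport, "dport": tdport, "payload": data}


def http_uri(payload):
    """URI from the HTTP request line, roughly what the http_uri modifier inspects."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 3 else b""


def rule_matches(decoded, content=b"SOMETHINGEVIL", http_ports=(80, 8080)):
    """Simplified stand-in for the rule above: inner dport in $HTTP_PORTS and content in the URI."""
    return decoded["dport"] in http_ports and content in http_uri(decoded["payload"])


# --- constructed sample packet (IP -> UDP -> GTPv1 -> IP -> TCP -> HTTP) ---
def build_ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_tcp(sport, dport, payload):  # 20-byte header, PSH|ACK, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def build_gtpv1(teid, tpdu, seq=None):
    flags, opt = 0x30, b""                        # version 1, PT=1, no optional fields
    if seq is not None:
        flags, opt = flags | 0x02, struct.pack("!HBB", seq, 0, 0)  # S bit + seq/npdu/next-ext
    return struct.pack("!BBHI", flags, GTP_GPDU, len(opt) + len(tpdu), teid) + opt + tpdu


HTTP_REQUEST = b"GET /cgi-bin/SOMETHINGEVIL HTTP/1.1\r\nHost: example.internal\r\n\r\n"
SAMPLE = build_ipv4(IPPROTO_UDP, "10.0.0.1", "10.0.0.2", build_udp(2152, 2152, build_gtpv1(
    0x1234, build_ipv4(IPPROTO_TCP, "192.168.1.10", "203.0.113.5", build_tcp(40000, 80, HTTP_REQUEST)), seq=7)))

if __name__ == "__main__":
    decoded = decode_packet(SAMPLE)
    print(decoded["src"], "->", decoded["dst"], decoded["dport"], "match:", rule_matches(decoded))
```

The point of the example is the order of operations: the GTP header is removed before the inner headers are parsed, so the rule's header fields (ports, flow direction) and its content checks are evaluated against the tunneled packet, not against the UDP/2152 carrier. A decoder that ignored the GTPv1 optional fields or the extension header chain would mis-align the inner IP header and silently miss the match, which is why strip_gtp computes the header length from the flags rather than assuming 8 bytes.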


Eugene Misnik 2013-05-08