/
README.GTP
670 lines (609 loc) · 29.9 KB
/
README.GTP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
GTP Decoder and Preprocessor
================================================================================
Hui Cao
Overview
================================================================================
GTP (GPRS Tunneling Protocol) is used in core communication networks to establish
a channel between GSNs (GPRS Serving Node). GTP decoding & preprocessor provides
ways to tackle intrusion attempts to those networks through GTP. It also makes
detecting new attacks easier.
Two components are developed: GTP decoder and GTP preprocessor.
GTP decoder extracts payload inside GTP PDU;
GTP preprocessor inspects all the signaling messages and provide keywords for
further inspection
When the decoder is enabled and configured, the decoder strips the GTP headers
and parses the underlying IP/TCP/UDP encapsulated packets. Therefore all rules
and detection work as if there was no GTP header.
Example:
Most GTP packets look like this
IP -> UDP -> GTP -> IP -> TCP -> HTTP
If you had a standard HTTP rule "alert tcp any any -> any $HTTP_PORTS (msg:
"Test HTTP"; flow:to_server,established; content:"SOMETHINGEVIL"; http_uri;
.... sid:X; rev:Y;)", it would alert on the inner HTTP data that is encapsulated
in GTP without any changes to the rule other than enabling and configuring the GTP
decoder.
Sections:
Dependency Requirements
GTP Data Channel Decoder Configuration
GTP Control Channel Preprocessor Configuration
GTP Decoder Events
GTP Preprocessor Events
Rule Options
Dependency Requirements
================================================================================
For proper functioning of the preprocessor:
Stream session tracking must be enabled, i.e. stream5. UDP must be
enabled in stream5. The preprocessor requires a session tracker to keep
its data.
IP defragmentation should be enabled, i.e. the frag3 preprocessor should be
enabled and configured.
GTP Data Channel Decoder Configuration
================================================================================
GTP decoder extracts payload from GTP PDU. The following configuration sets
GTP decoding:
config enable_gtp
By default, GTP decoder uses port number 2152 (GTPv1) and 3386 (GTPv0).
If users want to change those values, they can use portvar GTP_PORTS:
portvar GTP_PORTS [2152,3386]
GTP Control Channel Preprocessor Configuration
================================================================================
Different from GTP decoder, GTP preprocessor examines all signaling messages.
The preprocessor configuration name is "gtp".
preprocessor gtp
Option Argument Required Default
ports <ports> No ports { 2123 3386 }
Option explanations
ports
This specifies on what ports to check for GTP control messages. Typically,
this includes 2123 3386.
Syntax:
ports { <port> [<port>< ... >] }
Examples:
ports { 2123 3386 }
Note: there are spaces before and after '{' and '}'
Configuration examples
preprocessor gtp
preprocessor gtp: ports { 2123 3386 2152 }
Default configuration
preprocessor gtp
GTP Decoder Events
================================================================================
SID Description
--------------------------------------------------------------------------------
297 Two or more GTP encapsulation layers present
298 GTP header length is invalid
GTP Preprocessor Events
================================================================================
The preprocessor uses GID 143 to register events.
SID Description
--------------------------------------------------------------------------------
1 Message length is invalid.
2 Information element length is invalid.
3 Information elements are out of order.
Rule Options
================================================================================
New rule options are supported by enabling the GTP preprocessor:
gtp_type
gtp_info
gtp_version
gtp_type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The gtp_type keyword is used to check for specific GTP types. User can input
message type value, an integer in [0, 255], or a string defined in the Table
below. More than one type can be specified, via a comma separated list, and
are OR'ed together. If the type used in a rule is not listed in the
preprocessor configuration, an error will be thrown.
Same message type might have different message type value in different GTP
versions. For example, sgsn_context_request has message type value 50 in
GTPv0 and GTPv1, but 130 in GTPv2. gtp_type will match to a different value
depending on the version number in the packet. In this example, evaluating
a GTPv0 or GTPv1 packet will check whether the message type value is 50;
evaluating a GTPv2 packet will check whether the message type value is 130.
When a message type is not defined in a version, any packet in that version
will always return "No match".
If an integer is used to specify message type, every GTP packet is evaluated,
no matter what version the packet is. If the message type matches the value
in packet, it will return "Match".
Syntax:
gtp_type:<type-list>;
type-list = type|type, type-list
type = "0-255"|
| "echo_request" | "echo_response" ...
Examples:
gtp_type:10, 11, echo_request;
GTPv0 message types:
Value Message Type
**********************************************
1 echo_request
2 echo_response
3 version_not_supported
4 node_alive_request
5 node_alive_response
6 redirection_request
7 redirection_response
16 create_pdp_context_request
17 create_pdp_context_response
18 update_pdp_context_request
19 update_pdp_context_response
20 delete_pdp_context_request
21 delete_pdp_context_response
22 create_aa_pdp_context_request
23 create_aa_pdp_context_response
24 delete_aa_pdp_context_request
25 delete_aa_pdp_context_response
26 error_indication
27 pdu_notification_request
28 pdu_notification_response
29 pdu_notification_reject_request
30 pdu_notification_reject_response
32 send_routing_info_request
33 send_routing_info_response
34 failure_report_request
35 failure_report_response
36 note_ms_present_request
37 note_ms_present_response
48 identification_request
49 identification_response
50 sgsn_context_request
51 sgsn_context_response
52 sgsn_context_ack
240 data_record_transfer_request
241 data_record_transfer_response
255 pdu
GTPv1 message types:
Value Message Type
**********************************************
1 echo_request
2 echo_response
3 version_not_supported
4 node_alive_request
5 node_alive_response
6 redirection_request
7 redirection_response
16 create_pdp_context_request
17 create_pdp_context_response
18 update_pdp_context_request
19 update_pdp_context_response
20 delete_pdp_context_request
21 delete_pdp_context_response
22 init_pdp_context_activation_request
23 init_pdp_context_activation_response
26 error_indication
27 pdu_notification_request
28 pdu_notification_response
29 pdu_notification_reject_request
30 pdu_notification_reject_response
31 supported_ext_header_notification
32 send_routing_info_request
33 send_routing_info_response
34 failure_report_request
35 failure_report_response
36 note_ms_present_request
37 note_ms_present_response
48 identification_request
49 identification_response
50 sgsn_context_request
51 sgsn_context_response
52 sgsn_context_ack
53 forward_relocation_request
54 forward_relocation_response
55 forward_relocation_complete
56 relocation_cancel_request
57 relocation_cancel_response
58 forward_srns_contex
59 forward_relocation_complete_ack
60 forward_srns_contex_ack
70 ran_info_relay
96 mbms_notification_request
97 mbms_notification_response
98 mbms_notification_reject_request
99 mbms_notification_reject_response
100 create_mbms_context_request
101 create_mbms_context_response
102 update_mbms_context_request
103 update_mbms_context_response
104 delete_mbms_context_request
105 delete_mbms_context_response
112 mbms_register_request
113 mbms_register_response
114 mbms_deregister_request
115 mbms_deregister_response
116 mbms_session_start_request
117 mbms_session_start_response
118 mbms_session_stop_request
119 mbms_session_stop_response
120 mbms_session_update_request
121 mbms_session_update_response
128 ms_info_change_request
129 ms_info_change_response
240 data_record_transfer_request
241 data_record_transfer_response
254 end_marker
255 pdu
GTPv2 message types:
Value Message Type
**********************************************
1 echo_request
2 echo_response
3 version_not_supported
32 create_session_request
33 create_session_response
34 modify_bearer_request
35 modify_bearer_response
36 delete_session_request
37 delete_session_response
38 change_notification_request
39 change_notification_response
64 modify_bearer_command
65 modify_bearer_failure_indication
66 delete_bearer_command
67 delete_bearer_failure_indication
68 bearer_resource_command
69 bearer_resource_failure_indication
70 downlink_failure_indication
71 trace_session_activation
72 trace_session_deactivation
73 stop_paging_indication
95 create_bearer_request
96 create_bearer_response
97 update_bearer_request
98 update_bearer_response
99 delete_bearer_request
100 delete_bearer_response
101 delete_pdn_request
102 delete_pdn_response
128 identification_request
129 identification_response
130 sgsn_context_request
131 sgsn_context_response
132 sgsn_context_ack
133 forward_relocation_request
134 forward_relocation_response
135 forward_relocation_complete
136 forward_relocation_complete_ack
137 forward_access
138 forward_access_ack
139 relocation_cancel_request
140 relocation_cancel_response
141 configuration_transfer_tunnel
149 detach
150 detach_ack
151 cs_paging
152 ran_info_relay
153 alert_mme
154 alert_mme_ack
155 ue_activity
156 ue_activity_ack
160 create_forward_tunnel_request
161 create_forward_tunnel_response
162 suspend
163 suspend_ack
164 resume
165 resume_ack
166 create_indirect_forward_tunnel_request
167 create_indirect_forward_tunnel_response
168 delete_indirect_forward_tunnel_request
169 delete_indirect_forward_tunnel_response
170 release_access_bearer_request
171 release_access_bearer_response
176 downlink_data
177 downlink_data_ack
179 pgw_restart
180 pgw_restart_ack
200 update_pdn_request
201 update_pdn_response
211 modify_access_bearer_request
212 modify_access_bearer_response
231 mbms_session_start_request
232 mbms_session_start_response
233 mbms_session_update_request
234 mbms_session_update_response
235 mbms_session_stop_request
236 mbms_session_stop_response
gtp_info
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The gtp_info keyword is used to check for specific GTP information element.
This keyword restricts the search to the information element field. User can
input information element value, an integer in [0, 255], or a string defined
in the Table below. If the information element used in this rule is not
listed in the preprocessor configuration, an error will be thrown.
When there are several information elements with the same type in the message,
this keyword restricts the search to the total consecutive buffer. Because
the standard requires same types group together, this feature will be
available for all valid messages. In the case of "out of order information
elements", this keyword restricts the search to the last buffer.
Similar to message type, same information element might have different
information element value in different GTP versions. For example, "cause" has
value 1 in GTPv0 and GTPv1, but 2 in GTPv2. gtp_info will match to different
value depending on the version number in the packet. When an information
element is not defined in a version, any packet in that version will always
return "No match".
If an integer is used to specify information element type, every GTP packet
is evaluated, no matter what version the packet is. If the message type
matches the value in packet, it will return "Match".
Syntax:
gtp_info:<ie>;
ie = "0-255"|
"rai" | "tmsi"...
Examples:
gtp_info: 16;
gtp_info: tmsi
GTPv0 information elements:
Value Information elements
***********************************************
1 cause
2 imsi
3 rai
4 tlli
5 p_tmsi
6 qos
8 recording_required
9 authentication
11 map_cause
12 p_tmsi_sig
13 ms_validated
14 recovery
15 selection_mode
16 flow_label_data_1
17 flow_label_signalling
18 flow_label_data_2
19 ms_unreachable
127 charge_id
128 end_user_address
129 mm_context
130 pdp_context
131 apn
132 protocol_config
133 gsn
134 msisdn
251 charging_gateway_addr
255 private_extension
GTPv1 information elements:
Value Information elements
***********************************************
1 cause
2 imsi
3 rai
4 tlli
5 p_tmsi
8 recording_required
9 authentication
11 map_cause
12 p_tmsi_sig
13 ms_validated
14 recovery
15 selection_mode
16 teid_1
17 teid_control
18 teid_2
19 teardown_ind
20 nsapi
21 ranap
22 rab_context
23 radio_priority_sms
24 radio_priority
25 packet_flow_id
26 charging_char
27 trace_ref
28 trace_type
29 ms_unreachable
127 charge_id
128 end_user_address
129 mm_context
130 pdp_context
131 apn
132 protocol_config
133 gsn
134 msisdn
135 qos
136 authentication_qu
137 tft
138 target_id
139 utran_trans
140 rab_setup
141 ext_header
142 trigger_id
143 omc_id
144 ran_trans
145 pdp_context_pri
146 addi_rab_setup
147 sgsn_number
148 common_flag
149 apn_restriction
150 radio_priority_lcs
151 rat_type
152 user_loc_info
153 ms_time_zone
154 imei_sv
155 camel
156 mbms_ue_context
157 tmp_mobile_group_id
158 rim_routing_addr
159 mbms_config
160 mbms_service_area
161 src_rnc_pdcp
162 addi_trace_info
163 hop_counter
164 plmn_id
165 mbms_session_id
166 mbms_2g3g_indicator
167 enhanced_nsapi
168 mbms_session_duration
169 addi_mbms_trace_info
170 mbms_session_repetition_num
171 mbms_time_to_data
173 bss
174 cell_id
175 pdu_num
177 mbms_bearer_capab
178 rim_routing_disc
179 list_pfc
180 ps_xid
181 ms_info_change_report
182 direct_tunnel_flags
183 correlation_id
184 bearer_control_mode
185 mbms_flow_id
186 mbms_ip_multicast
187 mbms_distribution_ack
188 reliable_inter_rat_handover
189 rfsp_index
190 fqdn
191 evolved_allocation1
192 evolved_allocation2
193 extended_flags
194 uci
195 csg_info
196 csg_id
197 cmi
198 apn_ambr
199 ue_network
200 ue_ambr
201 apn_ambr_nsapi
202 ggsn_backoff_timer
203 signalling_priority_indication
204 signalling_priority_indication_nsapi
205 high_bitrate
206 max_mbr
251 charging_gateway_addr
255 private_extension
GTPv2 information elements:
Value Information elements
***********************************************
1 imsi
1 echo_request
2 cause
2 echo_response
3 recovery
3 version_not_supported
4 node_alive_request
5 node_alive_response
6 redirection_request
7 redirection_response
16 create_pdp_context_request
17 create_pdp_context_response
18 update_pdp_context_request
19 update_pdp_context_response
20 delete_pdp_context_request
21 delete_pdp_context_response
22 create_aa_pdp_context_request
23 create_aa_pdp_context_response
24 delete_aa_pdp_context_request
25 delete_aa_pdp_context_response
26 error_indication
27 pdu_notification_request
28 pdu_notification_response
29 pdu_notification_reject_request
30 pdu_notification_reject_response
32 send_routing_info_request
33 send_routing_info_response
34 failure_report_request
35 failure_report_response
36 note_ms_present_request
37 note_ms_present_response
48 identification_request
49 identification_response
50 sgsn_context_request
51 sgsn_context_response
52 sgsn_context_ack
71 apn
72 ambr
73 ebi
74 ip_addr
75 mei
76 msisdn
77 indication
78 pco
79 paa
80 bearer_qos
81 flow_qos
82 rat_type
83 serving_network
84 bearer_tft
85 tad
86 uli
87 f_teid
88 tmsi
89 cn_id
90 s103pdf
91 s1udf
92 delay_value
93 bearer_context
94 charging_id
95 charging_char
96 trace_info
97 bearer_flag
99 pdn_type
100 pti
101 drx_parameter
103 gsm_key_tri
104 umts_key_cipher_quin
105 gsm_key_cipher_quin
106 umts_key_quin
107 eps_quad
108 umts_key_quad_quin
109 pdn_connection
110 pdn_number
111 p_tmsi
112 p_tmsi_sig
113 hop_counter
114 ue_time_zone
115 trace_ref
116 complete_request_msg
117 guti
118 f_container
119 f_cause
120 plmn_id
121 target_id
123 packet_flow_id
124 rab_contex
125 src_rnc_pdcp
126 udp_src_port
127 apn_restriction
128 selection_mode
129 src_id
131 change_report_action
132 fq_csid
133 channel
134 emlpp_pri
135 node_type
136 fqdn
137 ti
138 mbms_session_duration
139 mbms_service_area
140 mbms_session_id
141 mbms_flow_id
142 mbms_ip_multicast
143 mbms_distribution_ack
144 rfsp_index
145 uci
146 csg_info
147 csg_id
148 cmi
149 service_indicator
150 detach_type
151 ldn
152 node_feature
153 mbms_time_to_transfer
154 throttling
155 arp
156 epc_timer
157 signalling_priority_indication
158 tmgi
159 mm_srvcc
160 flags_srvcc
161 mmbr
240 data_record_transfer_request
241 data_record_transfer_response
255 private_extension
255 pdu
gtp_version
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The gtp_version keyword is used to check for specific GTP version.
Because different GTP version defines different message types and information
elements, this keyword should combine with gtp_type and gtp_info.
Syntax:
gtp_version:<version>;
version = "0, 1, 2'
Example:
gtp_version: 1;