Monday, January 16, 2012

GTP Decoder and Preprocessor

GPRS Tunneling Protocol (GTP) is a group of IP-based communications protocols used to carry General Packet Radio Service (GPRS) traffic within Global System for Mobile Communications (GSM), Universal Mobile Telecommunications Service (UMTS), and Long Term Evolution (LTE) networks. To help thwart the increasing number of attacks on those networks, we provide two components: a GTP decoder and a GTP preprocessor.

The GTP decoder extracts the payload inside the GTP Protocol Data Unit (PDU); the GTP preprocessor inspects all signaling messages and provides rule keywords for further inspection. These components work separately; you can use either or both depending on your needs. All three versions (GTPv0, GTPv1, and GTPv2) are supported.

This article focuses on how to use the GTP decoder and the GTP preprocessor effectively.

GTP Decoder

When the decoder is enabled and configured as below:

config enable_gtp

the decoder strips the GTP headers and parses the inner encapsulated IP/TCP/UDP packets. Therefore, all rules and detection work as if there were no GTP header.

Example:

Most GTP packets look like this:

IP -> UDP -> GTP -> IP -> TCP -> HTTP

If you had a standard HTTP rule:

alert tcp any any -> any $HTTP_PORTS (msg:"Test HTTP"; flow:to_server,established; content:"SOMETHINGEVIL"; http_uri; .... sid:X; rev:Y;)

it would alert on the inner HTTP data that is encapsulated in GTP.

In addition to decoding, the decoder also alerts on GTP-in-GTP encapsulation and on an invalid GTP header length.

GTP Preprocessor

Unlike the GTP decoder, the GTP preprocessor examines all signaling messages.
After it is enabled using:

preprocessor gtp

it inspects all control-channel messages and can alert on an invalid message length, an invalid information element length, and out-of-order information elements.

The GTP preprocessor also provides several rule options to help customize inspection. For example, gtp_version matches on the GTP version of a message:

drop udp any any -> any any ( msg:"GTPv0 is not supported!"; gtp_version:0; sid:1000000;)

This rule blocks all GTP version 0 messages when the network no longer supports GTP version 0.

By using gtp_type, you can write rules to alert on or block message types that your communication network does not support.

drop udp any any -> any any ( msg:"Location messages are not supported!"; gtp_type:send_routing_info_request,send_routing_info_response; sid:2000000;)

Since location management messages are optional, some networks do not support them. This rule blocks attacks that rely on those messages in such networks.

In addition, gtp_info provides finer-grained control: it lets you inspect the information elements inside a message. Using gtp_info together with the content keyword, you can control which information elements are allowed in your network.

alert udp any any -> any any ( msg:"MS is not validated!"; gtp_version:1; gtp_info:ms_validated; content:"|0d0e|"; sid:3000000;)

This rule checks whether the Serving GPRS Support Node (SGSN) has successfully authenticated the Mobile Station (MS). If not, an alert is generated.
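To make both the decoder checks and the preprocessor checks above concrete, here is an added Python example written for this article; it is not Snort's decoder or preprocessor code. It walks a GTPv1 header and, for a G-PDU, hands back the inner IP packet the way the decoder does while flagging GTP in GTP and an inconsistent length field; for a signaling message it walks the information elements, enforcing the ascending type order the spec requires, and reports the same conditions the gtp_version:0, gtp_type and gtp_info rules above target. Assumptions: only GTPv1 is decoded (other versions have just their version field read); the message-type and information-element tables are small subsets taken from 3GPP TS 29.060; the function and sample names (parse_gtpv1, parse_ies, gtp_in_gtp, inspect_gtp, SAMPLE_GPDU, SAMPLE_SGSN_CTX) are my own; the two sample packets are constructed inline; and the MS Validated check tests the value bit (0 = No, 1 = Yes) rather than matching the |0d0e| byte pattern used in the rule.

```python
"""Toy GTPv1 decoder and signaling inspector (constructed example, not Snort's code)."""
import struct
GTP_PORTS = {2123, 2152, 3386}   # GTP-C, GTP-U and GTPv0 well-known UDP ports
G_PDU = 255                      # message type whose payload is a user IP packet
MSG_TYPES = {32: "send_routing_info_request", 33: "send_routing_info_response",
             50: "sgsn_context_request", 255: "g_pdu"}   # subset, gtp_type-style names
# GTPv1 TV information elements (type < 128) have a fixed value length per type
TV_IE_LEN = {1: 1, 2: 8, 3: 6, 4: 4, 5: 4, 13: 1, 14: 1, 16: 4, 17: 4, 20: 1, 127: 4}
IE_NAMES = {1: "cause", 2: "imsi", 13: "ms_validated", 14: "recovery", 17: "teid_control_plane"}


def _alert(res, msg):
    res["alerts"].append(msg)
    return res


def parse_gtpv1(pkt: bytes) -> dict:
    """Decode the GTPv1 header; 'payload' is everything after it and its extensions."""
    res = {"alerts": []}
    if len(pkt) < 8:
        return _alert(res, "invalid header length")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    res.update(version=flags >> 5, msg_type=msg_type, teid=teid)
    if res["version"] != 1:      # v0/v2 headers differ; only their version field is read
        return res
    hdr = 8
    if flags & 0x07:             # E, S or PN set: 4 optional octets follow the header
        hdr, next_ext = 12, (pkt[11] if len(pkt) >= 12 else 0)
        while flags & 0x04 and next_ext:   # E bit: walk the extension-header chain
            ext_len = pkt[hdr] * 4 if hdr < len(pkt) else 0
            if ext_len == 0 or hdr + ext_len > len(pkt):
                return _alert(res, "invalid header length")
            next_ext, hdr = pkt[hdr + ext_len - 1], hdr + ext_len
    # The length field counts every octet after the mandatory 8-byte header
    if length != len(pkt) - 8 or hdr > len(pkt):
        return _alert(res, "invalid header length")
    res["payload"] = pkt[hdr:]
    return res


def gtp_in_gtp(inner: bytes) -> bool:
    """True when the decapsulated IPv4 packet is itself UDP to a GTP port."""
    ihl = (inner[0] & 0x0F) * 4 if len(inner) >= 20 else 0
    if ihl < 20 or inner[0] >> 4 != 4 or inner[9] != 17 or len(inner) < ihl + 8:
        return False
    return struct.unpack("!H", inner[ihl + 2:ihl + 4])[0] in GTP_PORTS


def parse_ies(payload: bytes) -> dict:
    """Walk GTPv1 information elements (TV or TLV), enforcing ascending type order."""
    ies, pos, last = {}, 0, 0
    while pos < len(payload):
        t = payload[pos]
        if t < 128:
            if t not in TV_IE_LEN:
                raise ValueError(f"unknown TV information element {t}")
            ln, start = TV_IE_LEN[t], pos + 1
        else:
            if pos + 3 > len(payload):
                raise ValueError("invalid information element length")
            ln, start = struct.unpack("!H", payload[pos + 1:pos + 3])[0], pos + 3
        if start + ln > len(payload):
            raise ValueError("invalid information element length")
        if t < last:             # TS 29.060 requires IEs sorted by ascending type
            raise ValueError("out of order information element")
        ies[IE_NAMES.get(t, t)] = payload[start:start + ln]
        pos, last = start + ln, t
    return ies


def inspect_gtp(pkt: bytes) -> dict:
    """Decoder-style handling for G-PDUs, preprocessor-style checks for signaling."""
    res = parse_gtpv1(pkt)
    if res.get("version") == 0:  # the condition a gtp_version:0 rule matches
        _alert(res, "GTPv0 message")
    if "payload" not in res:
        return res
    name = res["msg_name"] = MSG_TYPES.get(res["msg_type"], str(res["msg_type"]))
    if res["msg_type"] == G_PDU:
        res["inner_ip"] = res["payload"]   # what the decoder hands to ordinary rules
        if gtp_in_gtp(res["payload"]):
            _alert(res, "GTP in GTP")
        return res
    try:
        res["ies"] = parse_ies(res["payload"])
    except ValueError as err:
        return _alert(res, str(err))
    if name.startswith("send_routing_info"):   # the gtp_type rule's message list
        _alert(res, "location message")
    mv = res["ies"].get("ms_validated")
    if mv is not None and not mv[0] & 1:       # MS Validated value: 0 = No, 1 = Yes
        _alert(res, "MS is not validated")
    return res


# Constructed samples: a G-PDU carrying UDP/2152 (GTP in GTP), and an SGSN Context
# Request whose MS Validated information element says "No" (0xFE, spare bits set)
_inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0, 0, 64, 17, 0, bytes([10, 0, 0, 1]),
                        bytes([10, 0, 0, 2])) + struct.pack("!HHHH", 2152, 2152, 16, 0) + bytes(8)
SAMPLE_GPDU = struct.pack("!BBHI", 0x30, G_PDU, len(_inner_ip), 1) + _inner_ip
_ies = b"\x02" + bytes(8) + b"\x0d\xfe" + b"\x11\x00\x00\x00\x05"
SAMPLE_SGSN_CTX = struct.pack("!BBHI", 0x32, 50, 4 + len(_ies), 0x1234) + struct.pack("!HBB", 1, 0, 0) + _ies
```

Calling inspect_gtp(SAMPLE_GPDU) returns the inner IP packet with a "GTP in GTP" alert, and inspect_gtp(SAMPLE_SGSN_CTX) returns the parsed information elements with an "MS is not validated" alert; feeding it a packet whose length field disagrees with the datagram, or whose information elements are out of order, yields the corresponding alert instead of a payload. The real decoder and preprocessor make these decisions before any rule runs, which is why the rules above can stay as simple as they are.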

If you are using the GTP decoder and preprocessor in your network, please share your experience with us.