GTP decoder extracts payload inside the GTP Protocol Data Unit (PDU); GTP preprocessor inspects all the signaling messages and provide keywords for further inspection. These components work separately; you can use either or both depending on your needs. All of three versions (GTPv0, GTPv1, and GTPv2) are supported.
This article focuses on how to use GTP decoder and GTP preprocessor effectively.
When the decoder is enabled and configured as below:
The decoder strips the GTP headers and parses the inner IP/TCP/UDP encapsulated packets. Therefore all rules and detection work as if there was no GTP header.
Most GTP packets look like this
IP -> UDP -> GTP -> IP -> TCP -> HTTP
If you had a standard HTTP rule:
alert tcp any any -> any $HTTP_PORTS (msg: "Test HTTP"; flow:to_server,established; content:"SOMETHINGEVIL"; http_uri; .... sid:X; rev:Y;)"
It would alert on the inner HTTP data that is encapsulated in GTP.
In addition to decode, it also provides alerts for GTP in GTP and invalid header length.
Different from GTP decoder, GTP preprocessor examines all signaling messages.
After it is enabled using:
It will inspect all the control channel messages. It can provide alerts about invalid message length, information element length, and out of order information elements.
GTP preprocessor also provides several rule options to help customize inspection.
drop udp any any -> any any ( msg: "GTPv0 is not supported!"; gtp_version:0; sid:1000000)
This rule blocks all the GTP version 0 messages when the network does not support GTP version 0 any more.
By using gtp_type, you can write rules to alert/block some message types that your communication network does not support.
drop udp any any -> any any ( msg: "Location messages are not supported!"; gtp_type: send_routing_info_request, send_routing_info_response ; sid:2000000)
Since location management messages are optional, some networks do not support them. This rule prevents the attackers against those messages.
gtp_infoprovides more fine grain control, you can inspect the information elements inside the message. Using
gtp_infowith content keyword together, you can control what information element is allowed in your network.
alert udp any any -> any any ( msg: "MS is not validated!"; gtp_version:1; gtp_info:ms_validated; content: "|0d0e|"; sid:3000000)
This rule checks whether Serving GPRS Support Node (SGSN) has successfully authenticated the Mobile Station (MS). If not, an alert will be generated.
If you are using GTP decoder and preprocessor in your network, please share your experience with us.