Snort mailing list archives
Re: GRE PPTP/EAP inspection
From: rmkml <rmkml () ligfy org>
Date: Fri, 27 Mar 2020 00:10:03 +0100 (CET)
Hello,

Sorry, it does not fire on Snort v2, but it fires on Snort v3 with this rule:

alert ip any any -> any any (msg:"EAP Request"; ip_proto:47; dsize:>260; content:"|c2 27 01|", offset 0; sid:1;)

Best Regards
@Rmkml

----- Original Message -----
From: "Teodor Lupan via Snort-sigs" <snort-sigs () lists snort org>
To: snort-sigs () lists snort org
Sent: Thursday, 26 March 2020 21:37:09
Subject: Re: [Snort-sigs] GRE PPTP/EAP inspection

Thanks for the idea! I have compiled the latest version with the indicated flag and it's the same.... It sees the packets correctly, but content matching is still not possible.

[image: image.png]

On Thu, Mar 26, 2020 at 7:13 PM James Lay via Snort-sigs <snort-sigs () lists snort org> wrote:

Compiling with: --enable-non-ether-decoders should get you what you need.

James

On Thu, 2020-03-26 at 12:38 -0400, Alex McDonnell wrote:

I went down this rabbit hole and I think I figured out this is probably a case of similarly named protocols. PPTP is Point-to-Point Tunneling Protocol from https://www.ietf.org/rfc/rfc2637.txt and is a TCP protocol. Your PCAP has PPP, Point-to-Point Protocol, which is a layer 2 protocol, thus why I think Snort cannot dump the raw data from it.

Alex McDonnell
Talos

On Thu, Mar 26, 2020 at 10:16 AM Teodor Lupan via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi everybody!

I am trying to match on a GRE/PPTP packet with a specific content "|c2 27 01|", which translates to an EAP code Request, with a signature like:

alert ip any any -> any any (msg:"EAP Request"; ip_proto:47; dsize: > 260; content: "|c2 27 01|"; offset: 0; rawbytes;)

According to https://www.snort.org/faq/readme-gre this should have worked; the GRE decoder is enabled, but the payload still seems to be encapsulated, as I am unable to match on rawbytes content... or maybe I am missing something. Do you have any suggestions to make this work? (I have attached a pcap)

Thanks!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
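As an added, stand-alone illustration of the point the thread turns on (this is not code from the thread, from the posters, or from Snort): a small Python decoder that walks IPv4 -> GRE -> PPP and tests for the bytes c2 27 01 (PPP protocol 0xC227 is EAP, and EAP code 1 is Request) at offset 0 of the decoded PPP payload, and for comparison at offset 0 of the undecoded IP payload, the way the rule's dsize/content/offset options read. The packet is constructed inline as RFC 2637 enhanced GRE (version 1, key field always present, sequence and acknowledgment fields optional); the packet builder, the rule_matches helper, the 10.0.0.x addresses and the optional HDLC address/control handling are assumptions made for the example, not anything taken from the thread's pcap.

```python
import struct

# GRE flag bits in the first 16-bit word (RFC 2890; the A bit is RFC 2637 enhanced GRE)
GRE_C, GRE_K, GRE_S, GRE_A = 0x8000, 0x2000, 0x1000, 0x0080
GRE_VER_MASK = 0x0007
IPPROTO_GRE = 47
PPP_PROTO_EAP = 0xC227          # PPP protocol number for EAP
EAP_CODE_REQUEST = 1
RULE_CONTENT = b"\xc2\x27\x01"  # the content from the rule in the thread
RULE_MIN_DSIZE = 260            # dsize:>260 from the rule in the thread


def ipv4_payload(pkt):
    """Split a raw IPv4 packet (no link-layer header) into (protocol, payload)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return pkt[9], pkt[ihl:total_len]


def gre_header_len(gre):
    """Length of a GRE header: version 0 (RFC 2784/2890) or version 1 (RFC 2637, PPTP)."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags = struct.unpack("!H", gre[:2])[0]
    ver = flags & GRE_VER_MASK
    n = 4                        # flags/version + protocol type
    if ver == 0:
        if flags & GRE_C:
            n += 4               # checksum + reserved1
        if flags & GRE_K:
            n += 4               # key
        if flags & GRE_S:
            n += 4               # sequence number
    elif ver == 1:
        n += 4                   # key is mandatory in PPTP: payload length + call ID
        if flags & GRE_S:
            n += 4               # sequence number
        if flags & GRE_A:
            n += 4               # acknowledgment number
    else:
        raise ValueError("unknown GRE version %d" % ver)
    if len(gre) < n:
        raise ValueError("truncated GRE header")
    return n


def decode_gre_ppp(pkt):
    """Return (offset of the PPP payload within the IP payload, PPP payload), or None if not GRE."""
    proto, ip_payload = ipv4_payload(pkt)
    if proto != IPPROTO_GRE:
        return None
    off = gre_header_len(ip_payload)
    ppp = ip_payload[off:]
    if ppp[:2] == b"\xff\x03":   # HDLC address/control bytes, skipped if present (assumption)
        off += 2
        ppp = ppp[2:]
    return off, ppp


def rule_matches(pkt, decode_gre=True):
    """Emulate the rule's checks: ip_proto:47; dsize:>260; content "|c2 27 01|" at offset 0."""
    proto, ip_payload = ipv4_payload(pkt)
    if proto != IPPROTO_GRE:
        return False
    buf = decode_gre_ppp(pkt)[1] if decode_gre else ip_payload
    return len(buf) > RULE_MIN_DSIZE and buf[:3] == RULE_CONTENT


def build_pptp_eap_request(seq=True, ack=False, hdlc=False, eap_len=270):
    """Constructed sample: IPv4 / enhanced GRE (v1) / PPP / EAP Request. Not the thread's pcap."""
    # EAP: code=Request, identifier, length, type=1 (Identity), filler data
    eap = struct.pack("!BBHB", EAP_CODE_REQUEST, 0x2A, eap_len, 1) + b"A" * (eap_len - 5)
    ppp = (b"\xff\x03" if hdlc else b"") + struct.pack("!H", PPP_PROTO_EAP) + eap
    flags = GRE_K | 1            # version 1, key present
    if seq:
        flags |= GRE_S
    if ack:
        flags |= GRE_A
    gre = struct.pack("!HHHH", flags, 0x880B, len(ppp), 1)   # proto 0x880B, payload len, call ID
    if seq:
        gre += struct.pack("!I", 7)
    if ack:
        gre += struct.pack("!I", 6)
    ip_payload = gre + ppp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ip_payload), 0x1234, 0x4000,
                     64, IPPROTO_GRE, 0,            # header checksum left zero; not validated here
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + ip_payload


if __name__ == "__main__":
    for kw in ({"seq": True}, {"seq": True, "ack": True}, {"seq": True, "ack": True, "hdlc": True}):
        pkt = build_pptp_eap_request(**kw)
        off, ppp = decode_gre_ppp(pkt)
        print(kw, "PPP payload starts at IP-payload offset", off,
              "| decoded match:", rule_matches(pkt),
              "| undecoded match:", rule_matches(pkt, decode_gre=False))
```

Running it shows the same three bytes sitting at offset 12 of the IP payload for a plain PPTP data packet, at 16 when the acknowledgment field is present, and at 18 if the HDLC address/control bytes precede the PPP protocol field, while they sit at offset 0 only once the GRE (and HDLC) header has been stripped. That variable header length is why a fixed offset against the undecoded payload is fragile, and why the thread's answers concentrate on getting the decoder to expose the inner payload rather than on adjusting the offset.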
Current thread:
- GRE PPTP/EAP inspection Teodor Lupan via Snort-sigs (Mar 26)
- Re: GRE PPTP/EAP inspection Alex McDonnell (Mar 26)
- Re: GRE PPTP/EAP inspection James Lay via Snort-sigs (Mar 26)
- Re: GRE PPTP/EAP inspection Teodor Lupan via Snort-sigs (Mar 26)
- Re: GRE PPTP/EAP inspection rmkml (Mar 26)
- Re: GRE PPTP/EAP inspection Al Lewis (allewi) via Snort-sigs (Mar 26)
- Re: GRE PPTP/EAP inspection Al Lewis (allewi) via Snort-sigs (Mar 26)
- Re: GRE PPTP/EAP inspection Teodor Lupan via Snort-sigs (Mar 27)
- Re: GRE PPTP/EAP inspection Al Lewis (allewi) via Snort-sigs (Mar 27)
- Re: GRE PPTP/EAP inspection James Lay via Snort-sigs (Mar 26)
- Re: GRE PPTP/EAP inspection Alex McDonnell (Mar 26)