[Bro-Dev] #690: GTP de-tunneling

Bro Tracker bro at tracker.bro-ids.org
Mon Nov 21 09:17:00 PST 2011

#690: GTP de-tunneling
 Reporter:  robin       |       Type:  Problem
   Status:  new         |   Priority:  Normal
Milestone:  2.1         |  Component:  Bro
  Version:  git/master  |
 ----- Forwarded message from "Langer, Carsten (NSN - DE/Duesseldorf)"

 From: "Langer, Carsten (NSN - DE/Duesseldorf)"


 I lately developed a GTP (GPRS Tunneling Protocol) de-tunneling
 functionality for bro-ids, which I want to share with you in the hope
 that you might find it helpful.


 Please find attached a patched version of the Sessions.cc, where from
 line 601 to 701 I have introduced the de-GTP stuff. This is based on
 bro-ids v1.5.3. I found that patching this one single location was
 good enough for my purpose.

 It works for me, however I could only test it against a couple of
 network traces that I have, so if you are interested to re-use the
 patch, please give it a try against other sets of data as well. I
 added 3 weird-warnings (lines 614, 674, 691) if something goes wrong
 within the patch, but haven't updated anything in the weird.bro


 As I'm not using the bro-ids for network security analysis but for
 application performance analysis, [...] I did
 not take any measures against recursive GTP tunnels.

 ----- End forwarded message -----


Ticket URL: <http://tracker.bro-ids.org/bro/ticket/690>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker

More information about the bro-dev mailing list