[Bro-Dev] #690: GTP de-tunneling
Bro Tracker
bro at tracker.bro-ids.org
Mon Nov 21 09:17:00 PST 2011
#690: GTP de-tunneling
------------------------+---------------------
 Reporter:  robin       |       Type:  Problem
   Status:  new         |   Priority:  Normal
Milestone:  2.1         |  Component:  Bro
  Version:  git/master  |
------------------------+---------------------
----- Forwarded message from "Langer, Carsten (NSN - DE/Duesseldorf)" -----
From: "Langer, Carsten (NSN - DE/Duesseldorf)"
[...]
I lately developed a GTP (GPRS Tunneling Protocol) de-tunneling
functionality for bro-ids, which I want to share with you in the hope
that you might find it helpful.
[...]
Please find attached a patched version of the Sessions.cc, where from
line 601 to 701 I have introduced the de-GTP stuff. This is based on
bro-ids v1.5.3. I found that patching this one single location was
good enough for my purpose.
It works for me, however I could only test it against a couple of
network traces that I have, so if you are interested to re-use the
patch, please give it a try against other sets of data as well. I
added 3 weird-warnings (lines 614, 674, 691) if something goes wrong
within the patch, but haven't updated anything in the weird.bro
script.
[...]
As I'm not using the bro-ids for network security analysis but for
application performance analysis, [...] I did
not take any measures against recursive GTP tunnels.
----- End forwarded message -----
[attachment:"Sessions_patched_for_gtp-detunneling.cc"]
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/690>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker