GTP Specific Options

There exists a general-packet-radio-service tunneling protocol (GTP) service inspector that enables GTP control channel inspection in Snort. There are three GTP-specific rule options: gtp_info, gtp_type, and gtp_version.

gtp_info

The gtp_info rule option is used to check the "Information Element" field of GTP packets. This option takes in a single argument that can be either an integer or a string that maps to one of the info elements defined in the snort_defaults.lua file. Please note that the information element values do vary depending on the GTP version.

Note: Both the integer and string info values should not be enclosed in double quotes when supplied to this option.

Format:

gtp_info:info_element;

Examples:

gtp_info:16;
gtp_info:packet_flow_id;

gtp_type

The gtp_type rule option is used to check for specific GTP Message Type values. This rule option takes in a "type list", which is one or more type values separated by spaces. Each type value can be either an integer or a string that corresponds to one of the table entries in the snort_defaults.lua file. Please note that the type values do vary depending on the GTP version.

Unlike gtp_info, the entire type list must be enclosed in double quotes.

If more than one type is provided, Snort will trigger an event if any one of them is seen on the wire.

Format:

gtp_type:"type[ type]…";

Examples:

gtp_type:"255 16";
gtp_type:"255 create_pdp_context_request";

gtp_version

The gtp_version option is used to check GTP version numbers. This option takes a single argument: an integer that is the version to look for. Valid version number arguments are 0, 1, and 2.

Format:

gtp_version:version_num;

Examples:

gtp_version:1;
gtp_version:2;
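As an added example, not taken from the Snort manual, the following Snort 3 rules show how the three options combine in a complete rule. They assume GTP-C carried on UDP port 2123, standard Snort 3 rule syntax, and the message-type and information-element names from the default snort_defaults.lua tables; the sid values are placeholders.

```snort
# Added example, not part of the Snort documentation.
# Rule 1: GTPv1 only. Message type 16 is Create PDP Context Request in
# GTPv1, so the string and integer forms below are interchangeable;
# the integer/string IE value is given without quotes, the type list with quotes.
alert udp any any -> any 2123 ( msg:"GTPv1 Create PDP Context Request with Packet Flow Id IE"; gtp_version:1; gtp_type:"create_pdp_context_request"; gtp_info:packet_flow_id; sid:1000001; rev:1; )

# Rule 2: same message type number, integer form, plus the G-PDU type (255).
# Any one of the listed types matches.
alert udp any any -> any 2123 ( msg:"GTPv1 Create PDP Context Request or G-PDU"; gtp_version:1; gtp_type:"16 255"; sid:1000002; rev:1; )

# Rule 3: GTPv2 uses a different numbering; type 32 is Create Session
# Request (assumed from 3GPP TS 29.274), so pin the version before the
# type to avoid matching a GTPv1 message that happens to share the number.
alert udp any any -> any 2123 ( msg:"GTPv2 Create Session Request"; gtp_version:2; gtp_type:"32"; sid:1000003; rev:1; )
```

Because the type and IE numbering differs between versions, a rule that omits gtp_version will match the same numeric value across GTPv0, v1 and v2 messages.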