Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 32      Understanding and Writing Intrusion Rules 
  Understanding Keywords and Arguments in Rules
To specify the GTP version:
Access: Admin/Intrusion Admin
Step 1  On the Create Rule page, select gtp_version in the drop-down list and click Add Option.
        The gtp_version keyword appears.
Step 2  Specify 0, 1, or 2 to identify the GTP version.
gtp_type
Each GTP message is identified by a message type, which is comprised of both a numeric value and a string. You can use the gtp_type keyword in combination with the gtp_version keyword to inspect traffic for specific GTP message types.
You can specify a defined decimal value for a message type, a defined string, or a comma-separated list of either or both in any combination, as seen in the following example:
10, 11, echo_request
The system uses an OR operation to match each value or string that you list. The order in which you list values and strings does not matter. Any single value or string in the list matches the keyword. You receive an error if you attempt to save a rule that includes an unrecognized string or an out-of-range value.
Note in the table that different GTP versions sometimes use different values for the same message type. For example, the sgsn_context_request message type has a value of 50 in GTPv0 and GTPv1, but a value of 130 in GTPv2.
The gtp_type keyword matches different values depending on the version number in the packet. In the example above, the keyword matches the message type value 50 in a GTPv0 or GTPv1 packet and the value 130 in a GTPv2 packet. The keyword does not match a packet when the message type value in the packet is not a known value for the version specified in the packet.
If you specify an integer for the message type, the keyword matches if the message type in the keyword matches the value in the GTP packet, regardless of the version specified in the packet.
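
The matching behaviour described above, modelled in Python as an added example (not part of the Cisco guide or the product's code). The TYPES map holds only a few rows from Table 32-40 plus the sgsn_context_request values quoted in the text; the 0-255 range check and the sample header bytes are assumptions constructed for illustration.

```python
# Added illustration: a model of the gtp_type matching rules described above.
# Only some of the message types visible in this section are included.
TYPES = {  # name -> {GTP version: message type value}
    "echo_request": {0: 1, 1: 1, 2: 1},
    "echo_response": {0: 2, 1: 2, 2: 2},
    "version_not_supported": {0: 3, 1: 3, 2: 3},
    "node_alive_request": {0: 4, 1: 4},
    "create_pdp_context_request": {0: 16, 1: 16},
    "sgsn_context_request": {0: 50, 1: 50, 2: 130},
}

def parse_gtp_type(argument):
    """Validate a comma-separated gtp_type argument; return its terms."""
    terms = []
    for raw in argument.split(","):
        term = raw.strip()
        if term.isascii() and term.isdigit():
            value = int(term)
            if value > 255:  # assumption: the type field is one octet
                raise ValueError(f"out-of-range value: {term}")
            terms.append(value)
        elif term in TYPES:
            terms.append(term)
        else:
            raise ValueError(f"unrecognized string: {term!r}")
    return terms

def gtp_type_matches(argument, packet):
    """True if any listed term matches the packet (OR semantics)."""
    if len(packet) < 2:
        return False
    version = packet[0] >> 5   # GTP version: top three bits of octet 1
    msg_type = packet[1]       # message type: octet 2
    for term in parse_gtp_type(argument):
        if isinstance(term, int):
            if term == msg_type:          # integers ignore the version
                return True
        elif TYPES[term].get(version) == msg_type:
            return True                   # strings resolve per version
    return False

# Constructed two-byte header prefixes (flags/version octet, type octet).
V1_SGSN_CTX = bytes([0x32, 50])    # GTPv1, type 50
V2_SGSN_CTX = bytes([0x48, 130])   # GTPv2, type 130
V2_TYPE_50 = bytes([0x48, 50])     # GTPv2, type 50
```

The string sgsn_context_request matches the first two sample headers but not the third, while the integer 50 matches the third because integers are compared without regard to version.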
The following table lists the defined values and strings recognized by the system for each GTP message type.
Table 32-40 GTP Message Types
Value  Version 0                    Version 1                    Version 2
1      echo_request                 echo_request                 echo_request
2      echo_response                echo_response                echo_response
3      version_not_supported        version_not_supported        version_not_supported
4      node_alive_request           node_alive_request           N/A
5      node_alive_response          node_alive_response          N/A
6      redirection_request          redirection_request          N/A
7      redirection_response         redirection_response         N/A
16     create_pdp_context_request   create_pdp_context_request   N/A
17     create_pdp_context_response  create_pdp_context_response  N/A
18     update_pdp_context_request   update_pdp_context_request   N/A