Cisco FirePOWER Appliance 7030
25-51
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Configuring the GTP Command Channel
License: Protection
The General Packet Radio Service (GPRS) Tunneling Protocol (GTP) provides communication over a
GTP core network. The GTP preprocessor detects anomalies in GTP traffic and forwards command
channel signalling messages to the rules engine for inspection. You can use the gtp_version,
gtp_type, and gtp_info rule keywords to inspect GTP command channel traffic for exploits.
A single configuration option allows you to modify the default setting for the ports that the preprocessor
inspects for GTP command channel messages.
Note the following information regarding the use of the GTP preprocessor:
• The GTP preprocessor requires UDP stream configuration. When you enable the GTP preprocessor
and UDP stream configuration is disabled, you are prompted whether to enable UDP stream
configuration when you save the policy.
• Both the GTP command channel configuration and UDP stream configuration advanced settings
must be enabled to allow processing of rules using GTP keywords. When either is disabled and you
enable rules that use GTP keywords, you are prompted whether to enable the advanced setting when
you save the policy. See .
You must enable the GTP preprocessor rules in the following table if you want them to generate events.
See for information on enabling rules.
You can use the following procedure to modify the ports the GTP preprocessor monitors for GTP
command messages.
To configure the GTP command channel:
Access: Admin/Intrusion Admin
Table 25-8 Additional SIP Preprocessor Rules (continued)
Preprocessor Rule GID:SID | Description
140:24 | Generates an event when the SIP version is not 1, 1.1, or 2.0.
140:25 | Generates an event when the method specified in the CSeq header and the method field do not match in a SIP request.
140:26 | Generates an event when the preprocessor does not recognize the method named in the SIP request method field.
Table 25-9 GTP Preprocessor Rules
Preprocessor Rule GID:SID | Description
143:1 | Generates an event when the preprocessor detects an invalid message length.
143:2 | Generates an event when the preprocessor detects an invalid information element length.
143:3 | Generates an event when the preprocessor detects information elements that are out of order.
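
The three anomaly classes in Table 25-9, illustrated on GTPv1-C messages. This is an added example, not Cisco's preprocessor code: the function names, the small TV length table (a subset from 3GPP TS 29.060) and the sample messages are all constructed for illustration.

```python
import struct

# Fixed value sizes for a few GTPv1 TV information elements (types < 128).
# Subset taken from 3GPP TS 29.060 for this example; not the preprocessor's table.
TV_LEN = {1: 1, 2: 8, 14: 1, 16: 4, 17: 4, 20: 1}

def check_gtpv1c(pkt: bytes) -> list:
    """Return the Table 25-9 GID:SID values a GTPv1-C message would trip."""
    if len(pkt) < 8:
        return ["143:1"]                      # shorter than the mandatory header
    flags, _msg_type, length, _teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1:
        raise ValueError("this example only handles GTP version 1")
    pos = 12 if flags & 0x07 else 8           # E, S or PN set: 4 optional bytes
    if length != len(pkt) - 8 or pos > len(pkt):
        return ["143:1"]                      # length field disagrees with datagram
    events, last_type = [], -1
    while pos < len(pkt):
        ie_type = pkt[pos]
        if ie_type & 0x80:                    # TLV: type, 2-byte length, value
            if pos + 3 > len(pkt):
                return events + ["143:2"]
            end = pos + 3 + struct.unpack("!H", pkt[pos + 1:pos + 3])[0]
        elif ie_type in TV_LEN:               # TV: type, fixed-size value
            end = pos + 1 + TV_LEN[ie_type]
        else:
            break                             # TV type outside this subset: stop
        if end > len(pkt):
            return events + ["143:2"]         # IE claims bytes past the message
        if ie_type < last_type:
            events.append("143:3")            # IEs must ascend by type in GTPv1
        last_type, pos = ie_type, end
    return events

def build(ies: bytes, msg_type: int = 16) -> bytes:
    """Constructed GTPv1-C message: flags 0x32 (v1, PT=1, S=1), TEID 0, seq 1."""
    body = struct.pack("!HBB", 1, 0, 0) + ies
    return struct.pack("!BBHI", 0x32, msg_type, len(body), 0) + body

# Constructed sample IEs: IMSI (2), TEID Data I (16), NSAPI (20), End User Address (128)
IMSI, TEID1, NSAPI = b"\x02" + bytes(8), b"\x10\x00\x00\x00\x01", b"\x14\x05"
GOOD = build(IMSI + TEID1 + NSAPI + b"\x80\x00\x02\xf1\x21")
BAD_MSG_LEN = GOOD[:2] + struct.pack("!H", 400) + GOOD[4:]
BAD_IE_LEN = build(IMSI + TEID1 + NSAPI + b"\x80\x00\x40\xf1\x21")
OUT_OF_ORDER = build(NSAPI + IMSI + TEID1)

if __name__ == "__main__":
    for name in ("GOOD", "BAD_MSG_LEN", "BAD_IE_LEN", "OUT_OF_ORDER"):
        print(name, check_gtpv1c(globals()[name]))
```

Messages like these can serve as test traffic to confirm that rules 143:1 through 143:3 are enabled and generating events in a lab policy.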