GTP Inspect Inspector

GTP Inspect Inspector Overview

Type: Inspector (service)

Usage: Inspect

Instance Type: Multiton

Other Inspectors Required: stream_udp

Enabled: false

The General Packet Radio Service (GPRS) Tunneling Protocol (GTP) provides communication over a GTP core network.

The gtp_inspect inspector detects anomalies in GTP traffic and forwards command channel signaling messages to the rules engine for inspection.

GTP Inspect Inspector Parameters

GTP Inspect service and ports configuration

The binder inspector defines the GTP Inspect service and ports configuration. For more information, see the Binder Inspector Overview.

Example:
[
   {
       "when": {
           "service": "gtp_inspect",
           "role": "any"
       },
       "use": {
           "type": "gtp_inspect"
       }
   },
   {
       "when": {
           "proto": "udp",
           "role": "server",
           "ports": "2123 2152 3386"
       },
       "use": {
           "type": "gtp_inspect"
       }
   }
]

version

Specifies a valid GTP version.

Type: integer

Valid values: 0, 1, 2

Default value: 2

messages[]

Specifies an array of information about valid GTP messages.

Type: array (object)

Example:
{
    "messages": [
        {
            "type": 0,
            "name": ""
        }
    ]
}

messages[].type

Specifies a valid GTP message type. See the GTP Message Types table.

Type: integer

Valid range: 0 to 255

Default value: None

messages[].name

Specifies a valid GTP message name. See the GTP Message Types table.

Type: string

Valid values: A valid GTP message name

Default value: None

infos[]

Specifies an array of GTP information elements.

Type: array (object)

Example:
{
    "infos": [
        {
            "type": 0,
            "name": "echo_request",
            "length": 0
        }
    ]
}

infos[].type

Specifies a valid GTP element type code. See the GTP Information Elements table.

Type: integer

Valid range: 0 to 255

Default value: 0

infos[].name

Specifies a valid GTP element name.

Type: string

Valid values: Valid GTP information element names. See the GTP Information Elements table.

infos[].length

Specifies the length of a valid GTP information element.

Type: integer

Valid range: 0 to 255

Default value: 0

GTP Inspect Inspector Rules

Enable the gtp_inspect inspector rules to generate events and, in an inline deployment, drop offending packets.

Table 1. GTP Inspector Rules

GID:SID | Rule Message
143:1 | message length is invalid
143:2 | information element length is invalid
143:3 | information elements are out of order
143:4 | TEID is missing
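
The kind of framing checks named by rules 143:1 to 143:3, modelled for a GTPv1 control message as an added example (not code from this page, Cisco or Snort). It assumes the public GTPv1 layout: an 8-octet mandatory header, 4 optional octets when E, S or PN is set, TV elements below type 128 and TLV elements with a 2-octet length from 128 up. IE_FIXED_LEN, check_gtpv1, build and the sample elements are constructed for illustration.

```python
import struct

# Constructed subset of fixed-length (TV) GTPv1 elements: type -> value size.
# Assumption: this plays the part of the infos[] type/length entries.
IE_FIXED_LEN = {1: 1, 2: 8, 14: 1, 16: 4, 17: 4, 20: 1}


def check_gtpv1(packet):
    """Return the Table 1 GID:SID values this simplified model raises for
    one GTPv1 control message (143:4 is not modelled)."""
    if len(packet) < 8:
        return ["143:1"]
    flags, _type, length, _teid = struct.unpack("!BBHI", packet[:8])
    # The length field counts every octet after the 8-octet mandatory header.
    if length != len(packet) - 8:
        return ["143:1"]
    pos = 12 if flags & 0x07 else 8  # E, S or PN set: 4 optional octets
    if pos > len(packet):
        return ["143:1"]  # flags promise optional octets that are absent
    hits, last_type = [], 0
    while pos < len(packet):
        ie_type = packet[pos]
        if ie_type < 128:  # TV element: size implied by the type
            size, start = IE_FIXED_LEN.get(ie_type), pos + 1
            if size is None:
                break  # unknown type: the next boundary cannot be found
        else:  # TLV element: 2-octet length follows the type
            if pos + 3 > len(packet):
                hits.append("143:2")
                break
            size = struct.unpack("!H", packet[pos + 1:pos + 3])[0]
            start = pos + 3
        if start + size > len(packet):
            hits.append("143:2")  # element claims more octets than remain
            break
        if ie_type < last_type and "143:3" not in hits:
            hits.append("143:3")  # GTPv1 elements must ascend by type
        last_type = ie_type
        pos = start + size
    return hits


def build(ies, length=None):
    """Constructed sample: create_pdp_context_request (type 16), S flag set."""
    body = b"\x00\x01\x00\x00" + ies  # sequence number, N-PDU, next-ext
    declared = len(body) if length is None else length
    return struct.pack("!BBHI", 0x32, 16, declared, 0) + body


IMSI = b"\x02" + bytes(8)      # type 2 (imsi), 8 value octets
NSAPI = b"\x14\x05"            # type 20 (nsapi), 1 value octet
APN = b"\x83\x00\x04\x03net"   # type 131 (apn), TLV with declared length 4
```

Each call returns the list of rule identifiers the model would raise, so a well-formed message yields an empty list.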

GTP Inspect Inspector Intrusion Rule Options

The gtp_inspect inspector intrusion rule options allow you to inspect the GTP command channel for the GTP version, message type, and information elements.

You cannot use GTP options in combination with content or byte_jump. You must use gtp_version in each rule that uses gtp_info or gtp_type.

gtp_version

Check the specified GTP version against the version of the GTP control messages.

Type: integer

Syntax: gtp_version: <version>;

Valid values: 0, 1, 2

Examples: gtp_version: 1;

gtp_type

Each GTP message is identified by a message type, which consists of both a numeric value and a string. Check the specified GTP types against the type of the GTP messages.

You can specify a defined decimal value for a message type, a defined string, or a comma-separated list of either or both in any combination, as shown in the example below.

Type: string

Syntax: gtp_type: <message_type>;

Valid values: Listed in the GTP Message Types table.

Examples: gtp_type: "10, 11, echo_request";

The system uses an OR operation to match each value or string that you list. The order in which you list values and strings does not matter. Any single value or string in the list matches the keyword. The system generates an error if you attempt to save a rule that includes an unrecognized string or an out-of-range value.

Note that different GTP versions sometimes use different values for the same message type. For example, the sgsn_context_request message type has a value of 50 in GTPv0 and GTPv1, but a value of 130 in GTPv2.

The gtp_type option matches different values depending on the version number in the packet. For instance, the sgsn_context_request message matches the value 50 in a GTPv0 or GTPv1 packet and the value 130 in a GTPv2 packet. The option does not match a packet when the message type value in the packet is not a known value for the version specified in the packet.

If you specify an integer for the message type, the option matches if the message type matches the value in the GTP packet, regardless of the version specified in the packet.

In the syntax above, <message_type> is a numeric value or keyword from the GTP Message Types table.

Table 2. GTP Message Types

Type | Name for Version 0 | Name for Version 1 | Name for Version 2
1 | echo_request | echo_request | echo_request
2 | echo_response | echo_response | echo_response
3 | version_not_supported | version_not_supported | version_not_supported
4 | node_alive_request | node_alive_request | N/A
5 | node_alive_response | node_alive_response | N/A
6 | redirection_request | redirection_request | N/A
7 | redirection_response | redirection_response | N/A
16 | create_pdp_context_request | create_pdp_context_request | N/A
17 | create_pdp_context_response | create_pdp_context_response | N/A
18 | update_pdp_context_request | update_pdp_context_request | N/A
19 | update_pdp_context_response | update_pdp_context_response | N/A
20 | delete_pdp_context_request | delete_pdp_context_request | N/A
21 | delete_pdp_context_response | delete_pdp_context_response | N/A
22 | create_aa_pdp_context_request | init_pdp_context_activation_request | N/A
23 | create_aa_pdp_context_response | init_pdp_context_activation_response | N/A
24 | delete_aa_pdp_context_request | N/A | N/A
25 | delete_aa_pdp_context_response | N/A | N/A
26 | error_indication | error_indication | N/A
27 | pdu_notification_request | pdu_notification_request | N/A
28 | pdu_notification_response | pdu_notification_response | N/A
29 | pdu_notification_reject_request | pdu_notification_reject_request | N/A
30 | pdu_notification_reject_response | pdu_notification_reject_response | N/A
31 | N/A | supported_ext_header_notification | N/A
32 | send_routing_info_request | send_routing_info_request | create_session_request
33 | send_routing_info_response | send_routing_info_response | create_session_response
34 | failure_report_request | failure_report_request | modify_bearer_request
35 | failure_report_response | failure_report_response | modify_bearer_response
36 | note_ms_present_request | note_ms_present_request | delete_session_request
37 | note_ms_present_response | note_ms_present_response | delete_session_response
38 | N/A | N/A | change_notification_request
39 | N/A | N/A | change_notification_response
48 | identification_request | identification_request | N/A
49 | identification_response | identification_response | N/A
50 | sgsn_context_request | sgsn_context_request | N/A
51 | sgsn_context_response | sgsn_context_response | N/A
52 | sgsn_context_ack | sgsn_context_ack | N/A
53 | N/A | forward_relocation_request | N/A
54 | N/A | forward_relocation_response | N/A
55 | N/A | forward_relocation_complete | N/A
56 | N/A | relocation_cancel_request | N/A
57 | N/A | relocation_cancel_response | N/A
58 | N/A | forward_srns_contex | N/A
59 | N/A | forward_relocation_complete_ack | N/A
60 | N/A | forward_srns_contex_ack | N/A
64 | N/A | N/A | modify_bearer_command
65 | N/A | N/A | modify_bearer_failure_indication
66 | N/A | N/A | delete_bearer_command
67 | N/A | N/A | delete_bearer_failure_indication
68 | N/A | N/A | bearer_resource_command
69 | N/A | N/A | bearer_resource_failure_indication
70 | N/A | ran_info_relay | downlink_failure_indication
71 | N/A | N/A | trace_session_activation
72 | N/A | N/A | trace_session_deactivation
73 | N/A | N/A | stop_paging_indication
95 | N/A | N/A | create_bearer_request
96 | N/A | mbms_notification_request | create_bearer_response
97 | N/A | mbms_notification_response | update_bearer_request
98 | N/A | mbms_notification_reject_request | update_bearer_response
99 | N/A | mbms_notification_reject_response | delete_bearer_request
100 | N/A | create_mbms_context_request | delete_bearer_response
101 | N/A | create_mbms_context_response | delete_pdn_request
102 | N/A | update_mbms_context_request | delete_pdn_response
103 | N/A | update_mbms_context_response | N/A
104 | N/A | delete_mbms_context_request | N/A
105 | N/A | delete_mbms_context_response | N/A
112 | N/A | mbms_register_request | N/A
113 | N/A | mbms_register_response | N/A
114 | N/A | mbms_deregister_request | N/A
115 | N/A | mbms_deregister_response | N/A
116 | N/A | mbms_session_start_request | N/A
117 | N/A | mbms_session_start_response | N/A
118 | N/A | mbms_session_stop_request | N/A
119 | N/A | mbms_session_stop_response | N/A
120 | N/A | mbms_session_update_request | N/A
121 | N/A | mbms_session_update_response | N/A
128 | N/A | ms_info_change_request | identification_request
129 | N/A | ms_info_change_response | identification_response
130 | N/A | N/A | sgsn_context_request
131 | N/A | N/A | sgsn_context_response
132 | N/A | N/A | sgsn_context_ack
133 | N/A | N/A | forward_relocation_request
134 | N/A | N/A | forward_relocation_response
135 | N/A | N/A | forward_relocation_complete
136 | N/A | N/A | forward_relocation_complete_ack
137 | N/A | N/A | forward_access
138 | N/A | N/A | forward_access_ack
139 | N/A | N/A | relocation_cancel_request
140 | N/A | N/A | relocation_cancel_response
141 | N/A | N/A | configuration_transfer_tunnel
149 | N/A | N/A | detach
150 | N/A | N/A | detach_ack
151 | N/A | N/A | cs_paging
152 | N/A | N/A | ran_info_relay
153 | N/A | N/A | alert_mme
154 | N/A | N/A | alert_mme_ack
155 | N/A | N/A | ue_activity
156 | N/A | N/A | ue_activity_ack
160 | N/A | N/A | create_forward_tunnel_request
161 | N/A | N/A | create_forward_tunnel_response
162 | N/A | N/A | suspend
163 | N/A | N/A | suspend_ack
164 | N/A | N/A | resume
165 | N/A | N/A | resume_ack
166 | N/A | N/A | create_indirect_forward_tunnel_request
167 | N/A | N/A | create_indirect_forward_tunnel_response
168 | N/A | N/A | delete_indirect_forward_tunnel_request
169 | N/A | N/A | delete_indirect_forward_tunnel_response
170 | N/A | N/A | release_access_bearer_request
171 | N/A | N/A | release_access_bearer_response
176 | N/A | N/A | downlink_data
177 | N/A | N/A | downlink_data_ack
179 | N/A | N/A | pgw_restart
180 | N/A | N/A | pgw_restart_ack
200 | N/A | N/A | update_pdn_request
201 | N/A | N/A | update_pdn_response
211 | N/A | N/A | modify_access_bearer_request
212 | N/A | N/A | modify_access_bearer_response
231 | N/A | N/A | mbms_session_start_request
232 | N/A | N/A | mbms_session_start_response
233 | N/A | N/A | mbms_session_update_request
234 | N/A | N/A | mbms_session_update_response
235 | N/A | N/A | mbms_session_stop_request
236 | N/A | N/A | mbms_session_stop_response
240 | data_record_transfer_request | data_record_transfer_request | N/A
241 | data_record_transfer_response | data_record_transfer_response | N/A
254 | N/A | end_marker | N/A
255 | pdu | pdu | N/A

gtp_info

A GTP message can include multiple information elements, each of which is identified by both a defined numeric value and a defined string. You can use the gtp_info option to start inspection at the beginning of a specified information element, and restrict inspection to that information element.

You can specify either the defined decimal value or the defined string for an information element. You can specify a single value or string, and you can use multiple gtp_info options in a rule to inspect multiple information elements.

When a message includes multiple information elements of the same type, all are inspected for a match. When information elements occur in an invalid order, only the last instance is inspected.

Depending on the version, a GTP message can use different values for the same information element. For example, the cause information element has a value of 1 in GTPv0 and GTPv1, but a value of 2 in GTPv2.

The gtp_info option matches different values depending on the version number in the packet. In the example above, the keyword matches the information element value 1 in a GTPv0 or GTPv1 packet and the value 2 in a GTPv2 packet. The option does not match a packet when the information element value in the packet is not a known value for the version specified in the packet.

If you specify an integer for the information element, the option matches if the information element type matches the value in the GTP packet, regardless of the version specified in the packet.

Type: string

Syntax: gtp_info: <identifier>;

Valid values: Listed in the GTP Information Elements table.

Examples: gtp_info: "qos";
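
The version-dependent matching described above for both gtp_type and gtp_info, written out as an added example (not code from this page, Cisco or Snort). The two dictionaries are small excerpts of Table 2 and Table 3; parse_option, option_matches, header_fields and the sample packets are constructed for illustration, and a caller checking gtp_info would pass each information element type found in the message as the observed value.

```python
# Excerpts of Table 2 and Table 3: name -> {GTP version: numeric type}.
MESSAGE_TYPES = {
    "echo_request": {0: 1, 1: 1, 2: 1},
    "send_routing_info_request": {0: 32, 1: 32},
    "create_session_request": {2: 32},
    "sgsn_context_request": {0: 50, 1: 50, 2: 130},
}
INFO_ELEMENTS = {
    "cause": {0: 1, 1: 1, 2: 2},
    "imsi": {0: 2, 1: 2, 2: 1},
    "qos": {0: 6, 1: 135},
}


def parse_option(spec, table):
    """Split a comma-separated option value and validate every item, as
    happens when a rule is saved (gtp_info takes a single item)."""
    items = []
    for raw in spec.split(","):
        token = raw.strip()
        if token.isdecimal():
            if int(token) > 255:
                raise ValueError(f"out-of-range value: {token}")
            items.append(int(token))
        elif token in table:
            items.append(token)
        else:
            raise ValueError(f"unrecognized string: {token!r}")
    return items


def option_matches(spec, table, version, observed):
    """OR over the listed items. An integer compares directly, whatever the
    packet version; a name is resolved through the packet's own version."""
    for item in parse_option(spec, table):
        wanted = item if isinstance(item, int) else table[item].get(version)
        if wanted == observed:
            return True
    return False


def header_fields(packet):
    """Return (version, message type) from the first two octets of a GTP
    control message; the version is the top three bits of octet 0."""
    return packet[0] >> 5, packet[1]


# Constructed sample headers: sgsn_context_request in GTPv1 and in GTPv2.
SAMPLE_V1 = bytes([0x32, 50, 0, 4, 0, 0, 0, 1, 0, 1, 0, 0])
SAMPLE_V2 = bytes([0x48, 130, 0, 8, 0, 0, 0, 1, 0, 0, 1, 0])
```

A numeric value such as 32 matches send_routing_info_request in GTPv0 and GTPv1 and create_session_request in GTPv2, which is why the accompanying gtp_version option determines which message a numeric rule actually covers.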

Table 3. GTP Information Elements

Type | Name for Version 0 | Name for Version 1 | Name for Version 2
1 | cause | cause | imsi
2 | imsi | imsi | cause
3 | rai | rai | recovery
4 | tlli | tlli | N/A
5 | p_tmsi | p_tmsi | N/A
6 | qos | N/A | N/A
8 | recording_required | recording_required | N/A
9 | authentication | authentication | N/A
10 | N/A | N/A | N/A
11 | map_cause | map_cause | N/A
12 | p_tmsi_sig | p_tmsi_sig | N/A
13 | ms_validated | ms_validated | N/A
14 | recovery | recovery | N/A
15 | selection_mode | selection_mode | N/A
16 | flow_label_data_1 | teid_1 | N/A
17 | flow_label_signalling | teid_control | N/A
18 | flow_label_data_2 | teid_2 | N/A
19 | ms_unreachable | teardown_ind | N/A
20 | N/A | nsapi | N/A
21 | N/A | ranap | N/A
22 | N/A | rab_context | N/A
23 | N/A | radio_priority_sms | N/A
24 | N/A | radio_priority | N/A
25 | N/A | packet_flow_id | N/A
26 | N/A | charging_char | N/A
27 | N/A | trace_ref | N/A
28 | N/A | trace_type | N/A
29 | N/A | ms_unreachable | N/A
71 | N/A | N/A | apn
72 | N/A | N/A | ambr
73 | N/A | N/A | ebi
74 | N/A | N/A | ip_addr
75 | N/A | N/A | mei
76 | N/A | N/A | msisdn
77 | N/A | N/A | indication
78 | N/A | N/A | pco
79 | N/A | N/A | paa
80 | N/A | N/A | bearer_qos
80 | N/A | N/A | flow_qos
82 | N/A | N/A | rat_type
83 | N/A | N/A | serving_network
84 | N/A | N/A | bearer_tft
85 | N/A | N/A | tad
86 | N/A | N/A | uli
87 | N/A | N/A | f_teid
88 | N/A | N/A | tmsi
89 | N/A | N/A | cn_id
90 | N/A | N/A | s103pdf
91 | N/A | N/A | s1udf
92 | N/A | N/A | delay_value
93 | N/A | N/A | bearer_context
94 | N/A | N/A | charging_id
95 | N/A | N/A | charging_char
96 | N/A | N/A | trace_info
97 | N/A | N/A | bearer_flag
99 | N/A | N/A | pdn_type
100 | N/A | N/A | pti
101 | N/A | N/A | drx_parameter
103 | N/A | N/A | gsm_key_tri
104 | N/A | N/A | umts_key_cipher_quin
105 | N/A | N/A | gsm_key_cipher_quin
106 | N/A | N/A | umts_key_quin
107 | N/A | N/A | eps_quad
108 | N/A | N/A | umts_key_quad_quin
109 | N/A | N/A | pdn_connection
110 | N/A | N/A | pdn_number
111 | N/A | N/A | p_tmsi
112 | N/A | N/A | p_tmsi_sig
113 | N/A | N/A | hop_counter
114 | N/A | N/A | ue_time_zone
115 | N/A | N/A | trace_ref
116 | N/A | N/A | complete_request_msg
117 | N/A | N/A | guti
118 | N/A | N/A | f_container
119 | N/A | N/A | f_cause
120 | N/A | N/A | plmn_id
121 | N/A | N/A | target_id
123 | N/A | N/A | packet_flow_id
124 | N/A | N/A | rab_contex
125 | N/A | N/A | src_rnc_pdcp
126 | N/A | N/A | udp_src_port
127 | charge_id | charge_id | apn_restriction
128 | end_user_address | end_user_address | selection_mode
129 | mm_context | mm_context | src_id
130 | pdp_context | pdp_context | N/A
131 | apn | apn | change_report_action
132 | protocol_config | protocol_config | fq_csid
133 | gsn | gsn | channel
134 | msisdn | msisdn | emlpp_pri
135 | N/A | qos | node_type
136 | N/A | authentication_qu | fqdn
137 | N/A | tft | ti
138 | N/A | target_id | mbms_session_duration
139 | N/A | utran_trans | mbms_service_area
140 | N/A | rab_setup | mbms_session_id
141 | N/A | ext_header | mbms_flow_id
142 | N/A | trigger_id | mbms_ip_multicast
143 | N/A | omc_id | mbms_distribution_ack
144 | N/A | ran_trans | rfsp_index
145 | N/A | pdp_context_pri | uci
146 | N/A | addi_rab_setup | csg_info
147 | N/A | sgsn_number | csg_id
148 | N/A | common_flag | cmi
149 | N/A | apn_restriction | service_indicator
150 | N/A | radio_priority_lcs | detach_type
151 | N/A | rat_type | ldn
152 | N/A | user_loc_info | node_feature
153 | N/A | ms_time_zone | mbms_time_to_transfer
154 | N/A | imei_sv | throttling
155 | N/A | camel | arp
156 | N/A | mbms_ue_context | epc_timer
157 | N/A | tmp_mobile_group_id | signalling_priority_indication
158 | N/A | rim_routing_addr | tmgi
159 | N/A | mbms_config | mm_srvcc
160 | N/A | mbms_service_area | flags_srvcc
161 | N/A | src_rnc_pdcp | nmbr
162 | N/A | addi_trace_info | N/A
163 | N/A | hop_counter | N/A
164 | N/A | plmn_id | N/A
165 | N/A | mbms_session_id | N/A
166 | N/A | mbms_2g3g_indicator | N/A
167 | N/A | enhanced_nsapi | N/A
168 | N/A | mbms_session_duration | N/A
169 | N/A | addi_mbms_trace_info | N/A
170 | N/A | mbms_session_repetition_num | N/A
171 | N/A | mbms_time_to_data | N/A
173 | N/A | bss | N/A
174 | N/A | cell_id | N/A
175 | N/A | pdu_num | N/A
177 | N/A | mbms_bearer_capab | N/A
178 | N/A | rim_routing_disc | N/A
179 | N/A | list_pfc | N/A
180 | N/A | ps_xid | N/A
181 | N/A | ms_info_change_report | N/A
182 | N/A | direct_tunnel_flags | N/A
183 | N/A | correlation_id | N/A
184 | N/A | bearer_control_mode | N/A
185 | N/A | mbms_flow_id | N/A
186 | N/A | mbms_ip_multicast | N/A
187 | N/A | mbms_distribution_ack | N/A
188 | N/A | reliable_inter_rat_handover | N/A
189 | N/A | rfsp_index | N/A
190 | N/A | fqdn | N/A
191 | N/A | evolved_allocation1 | N/A
192 | N/A | evolved_allocation2 | N/A
193 | N/A | extended_flags | N/A
194 | N/A | uci | N/A
195 | N/A | csg_info | N/A
196 | N/A | csg_id | N/A
197 | N/A | cmi | N/A
198 | N/A | apn_ambr | N/A
199 | N/A | ue_network | N/A
200 | N/A | ue_ambr | N/A
201 | N/A | apn_ambr_nsapi | N/A
202 | N/A | ggsn_backoff_timer | N/A
203 | N/A | signalling_priority_indication | N/A
204 | N/A | signalling_priority_indication_nsapi | N/A
205 | N/A | high_bitrate | N/A
206 | N/A | max_mbr | N/A
251 | charging_gateway_addr | charging_gateway_addr | N/A
255 | private_extension | private_extension | private_extension