Snort mailing list archives
Re: new SIP preproc on snort v2.9.1 never firing?
From: rmkml <rmkml () yahoo fr>
Date: Wed, 7 Sep 2011 10:26:57 +0200 (CEST)
Hi Alex,
How do I enable this, please?
Is it not enabled in the default snort.conf?
But SIP preproc stats (snort verbose mode) work:
...
SIP Preprocessor Statistics
Total sessions: 28
Preprocessor events: 31
Total dialogs: 47
Requests: 195
invite: 39
cancel: 11
ack: 22
bye: 9
...
Regards
Rmkml
On Tue, 6 Sep 2011, Alex Kirk wrote:
Do you have the preprocessor rules enabled?
On Tue, Sep 6, 2011 at 5:32 PM, rmkml <rmkml () yahoo fr> wrote:
Hi,
I'm continuing to test the latest snort v2.9.1, but the new SIP preproc never fires.
Does anyone have an alert with the SIP preproc? (GID 140)
I tested with the default snort.conf:
...
PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ]
...
Loading dynamic preprocessor library dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
...
SIP config:
Max number of sessions: 10000 (Default)
Status: ENABLED
Ignore media channel: DISABLED
Max URI length: 512
Max Call ID length: 80
Max Request name length: 20 (Default)
Max From length: 256 (Default)
Max To length: 256 (Default)
Max Via length: 1024 (Default)
Max Contact length: 512
Max Content length: 1024 (Default)
Ports:
5060 5061 5600
Methods:
invite cancel ack bye register options refer subscribe update join info message notify benotify do qauth
sprack publish service unsubscribe prack
...
o" )~ Version 2.9.1 IPv6 GRE (Build 71)
...
Preprocessor Object: SF_SIP (IPV6) Version 1.1 <Build 1>
...
I reduced the SIP lengths, but the SIP preproc still never fires.
I read doc/README.sip and of course enabled UDP on stream5 (default snort.conf).
Tested with nessus, nmap, many scanners, replayed traffic, sipp...
Regards
Rmkml
http://twitter.com/rmkml
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
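The question raised in this thread, whether the preprocessor rules are enabled, can be checked mechanically. The following is an added example, not code from the thread or from the Snort project: it looks for an uncommented `include` of `preprocessor.rules` in a snort.conf and lists the active GID 140 rules in that file. The config and rules excerpts are constructed samples with placeholder messages and sids, and the thread does not confirm that this was the cause.

```python
import re

# Constructed snort.conf excerpt (not from the thread): the SIP preprocessor is
# configured, but the preprocessor rules include is commented out.
SAMPLE_CONF = """\
var PREPROC_RULE_PATH ../preproc_rules
preprocessor sip: max_sessions 10000, ports { 5060 5061 5600 }
# include $PREPROC_RULE_PATH/preprocessor.rules
include $RULE_PATH/local.rules
"""

# Constructed preprocessor.rules excerpt; msg strings and sids are placeholders.
SAMPLE_RULES = """\
alert ( msg: "constructed SIP event A"; sid: 2; gid: 140; rev: 1; )
# alert ( msg: "constructed SIP event B"; sid: 3; gid: 140; rev: 1; )
alert ( msg: "constructed non-SIP event"; sid: 1; gid: 119; rev: 1; )
"""

def active_includes(conf_text):
    """Return the targets of include lines that are not commented out."""
    found = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*include\s+(\S+)", line)
        if m:
            found.append(m.group(1))
    return found

def preproc_rules_included(conf_text):
    """True if some active include points at a file named preprocessor.rules."""
    return any(p.split("/")[-1] == "preprocessor.rules"
               for p in active_includes(conf_text))

def enabled_sids(rules_text, gid):
    """Return sorted sids of uncommented rules carrying the given gid."""
    sids = []
    for line in rules_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        g = re.search(r"\bgid\s*:\s*(\d+)", line)
        s = re.search(r"\bsid\s*:\s*(\d+)", line)
        if g and s and int(g.group(1)) == gid:
            sids.append(int(s.group(1)))
    return sorted(sids)

def diagnose(conf_text, rules_text, gid=140):
    if not preproc_rules_included(conf_text):
        return "preprocessor.rules is not included: no GID %d rule is loaded" % gid
    sids = enabled_sids(rules_text, gid)
    if not sids:
        return "preprocessor.rules is included but has no active GID %d rule" % gid
    return "GID %d rules active: sids %s" % (gid, sids)
```

To run it against a real sensor, pass the contents of its snort.conf and of the preprocessor.rules file that the include resolves to.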
Current thread:
- new SIP preproc on snort v2.9.1 never firing? rmkml (Sep 06)
- Re: new SIP preproc on snort v2.9.1 never firing? Alex Kirk (Sep 06)
- Re: new SIP preproc on snort v2.9.1 never firing? rmkml (Sep 07)
- Re: new SIP preproc on snort v2.9.1 never firing? Alex Kirk (Sep 07)
- Re: new SIP preproc on snort v2.9.1 never firing? rmkml (Sep 07)
- Re: new SIP preproc on snort v2.9.1 never firing? Alex Kirk (Sep 07)
- Re: new SIP preproc on snort v2.9.1 never firing? rmkml (Sep 07)
- Re: new SIP preproc on snort v2.9.1 never firing? rmkml (Sep 07)
- Re: new SIP preproc on snort v2.9.1 never firing? Alex Kirk (Sep 06)
