Snort mailing list archives
Re: new SIP preproc on snort v2.9.1 never firing?
From: rmkml <rmkml () yahoo fr>
Date: Wed, 7 Sep 2011 17:07:16 +0200 (CEST)
Thx Alex, I had missed updating the preprocessor.rules file: fixed.
Regards
Rmkml

On Wed, 7 Sep 2011, Alex Kirk wrote:
Yes, with the default snort.conf:
akirk@sf:~/snort-2.9.1.1$ ./src/snort -c etc/snort.2910.conf -q -A cmg -N --daq dump --daq-var load-mode=read-file -Q -r ~/pcaps/empty_call_id.pcap
03/31-15:37:31.923920 [**] [140:4:1] (spp_sip) Empty call-Id [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.2.3:5060 -> 10.9.8.7:5060
03/31-15:37:31.923920 02:01:02:03:04:05 -> 02:09:08:07:06:05 type:0x800 len:0x1A7
10.1.2.3:5060 -> 10.9.8.7:5060 UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:409
Len: 381
49 4E 56 49 54 45 20 73 69 70 3A 34 33 32 31 40 INVITE sip:4321@
31 39 32 2E 31 36 38 2E 31 2E 38 37 3B 75 73 65 192.168.1.87;use
72 3D 70 68 6F 6E 65 20 53 49 50 2F 32 2E 30 0D r=phone SIP/2.0.
0A 56 69 61 3A 20 53 49 50 2F 32 2E 30 2F 55 44 .Via: SIP/2.0/UD
50 20 31 39 32 2E 31 36 38 2E 31 2E 34 38 3A 35 P 192.168.1.48:5
30 36 30 3B 62 72 61 6E 63 68 3D 7A 39 68 47 34 060;branch=z9hG4
62 4B 2D 6A 37 67 74 72 6A 67 77 65 34 30 39 3B bK-j7gtrjgwe409;
72 70 6F 72 74 0D 0A 46 72 6F 6D 3A 20 31 31 31 rport..From: 111
20 3C 73 69 70 3A 31 31 31 40 31 39 32 2E 31 36 <sip:111@192.16
38 2E 31 2E 33 36 3E 3B 74 61 67 3D 34 6D 6B 36 8.1.36>;tag=4mk6
7A 73 34 34 72 35 0D 0A 54 6F 3A 20 3C 73 69 70 zs44r5..To: <sip
3A 34 33 32 31 40 31 39 32 2E 31 36 38 2E 31 2E :4321@192.168.1.
38 37 3B 75 73 65 72 3D 70 68 6F 6E 65 3E 0D 0A 87;user=phone>..
43 61 6C 6C 2D 49 44 3A 0D 0A 43 53 65 71 3A 20 Call-ID:..CSeq:
31 20 49 4E 56 49 54 45 0D 0A 4D 61 78 2D 46 6F 1 INVITE..Max-Fo
72 77 61 72 64 73 3A 20 37 30 0D 0A 43 6F 6E 74 rwards: 70..Cont
61 63 74 3A 20 3C 73 69 70 3A 31 31 31 40 31 39 act: <sip:111@19
32 2E 31 36 38 2E 31 2E 34 38 3A 35 30 36 30 3B 2.168.1.48:5060;
6C 69 6E 65 3D 62 72 31 6D 76 76 64 66 3E 0D 0A line=br1mvvdf>..
41 63 63 65 70 74 3A 20 61 70 70 6C 69 63 61 74 Accept: applicat
69 6F 6E 2F 73 64 70 0D 0A 43 6F 6E 74 65 6E 74 ion/sdp..Content
2D 54 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 -Type: applicati
6F 6E 2F 73 64 70 0D 0A 43 6F 6E 74 65 6E 74 2D on/sdp..Content-
4C 65 6E 67 74 68 3A 20 30 0D 0A 0D 0A Length: 0....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
You're probably not getting alerts because you don't have appropriate traffic flowing through your network.
On Wed, Sep 7, 2011 at 9:26 AM, rmkml <rmkml () yahoo fr> wrote:
Hi Alex,
Already uncommented this line:
include $PREPROC_RULE_PATH/preprocessor.rules
I'm curious whether you have already had the SIP preproc fire?
Regards
Rmkml
http://twitter.com/rmkml
On Wed, 7 Sep 2011, Alex Kirk wrote:
include $PREPROC_RULE_PATH/preprocessor.rules is your friend, it's commented out by default.
On Wed, Sep 7, 2011 at 4:26 AM, rmkml <rmkml () yahoo fr> wrote:
Hi Alex,
How do I enable this, please?
It's not enabled in the default snort.conf?
But SIP preproc stats (snort verbose mode) work:
...
SIP Preprocessor Statistics
Total sessions: 28
Preprocessor events: 31
Total dialogs: 47
Requests: 195
invite: 39
cancel: 11
ack: 22
bye: 9
...
Regards
Rmkml
On Tue, 6 Sep 2011, Alex Kirk wrote:
Do you have the preprocessor rules enabled?
On Tue, Sep 6, 2011 at 5:32 PM, rmkml <rmkml () yahoo fr> wrote:
Hi,
I'm continuing to test the latest Snort v2.9.1, but the new SIP preproc never fires.
Does anyone have an alert from the SIP preproc? (GID 140)
I tested with the default snort.conf:
...
PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ]
...
Loading dynamic preprocessor library
dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
...
SIP config:
Max number of sessions: 10000 (Default)
Status: ENABLED
Ignore media channel: DISABLED
Max URI length: 512
Max Call ID length: 80
Max Request name length: 20 (Default)
Max From length: 256 (Default)
Max To length: 256 (Default)
Max Via length: 1024 (Default)
Max Contact length: 512
Max Content length: 1024 (Default)
Ports:
5060 5061 5600
Methods:
invite cancel ack bye register options refer subscribe update join info message notify benotify do_auth sprack publish service unsubscribe prack
...
o" )~ Version 2.9.1 IPv6 GRE (Build 71)
...
Preprocessor Object: SF_SIP (IPV6) Version 1.1 <Build 1>
...
I reduced the SIP lengths, but the SIP preproc still never fires.
I read doc/README.sip and of course enabled UDP in stream5 (default snort.conf).
Tested with Nessus, nmap, many scanners, replayed traffic, sipp...
Regards
Rmkml
http://twitter.com/rmkml
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
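The packet in Alex's `-A cmg` output (an INVITE whose `Call-ID:` header carries no value) and the length limits in rmkml's "SIP config:" listing, turned into something you can run. This is an added example, not code from the thread or from the Snort project: it rebuilds that exact frame as a pcap so it can be replayed with the same `--daq dump ... -r` command line, and applies the empty/too-long header checks the config limits describe. The MACs, IPs, ports, TTL and IP ID come from the packet dump; the pcap timestamp, the output filename and the "missing header" finding are this example's own assumptions.

```python
"""Rebuild the empty-Call-ID INVITE from the packet dump as a pcap and run it
through the per-header checks the SIP preprocessor config describes.
Added example, not Snort code; addresses and limits are copied from the thread,
pcap timestamp and filename are assumptions.
"""
import struct

# Transcribed from the hex dump in the thread: all mandatory headers present,
# but "Call-ID:" has no value ([140:4:1] Empty call-Id).  381 bytes ("Len: 381").
SIP_INVITE = (
    b"INVITE sip:4321@192.168.1.87;user=phone SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.168.1.48:5060;branch=z9hG4bK-j7gtrjgwe409;rport\r\n"
    b"From: 111 <sip:111@192.168.1.36>;tag=4mk6zs44r5\r\n"
    b"To: <sip:4321@192.168.1.87;user=phone>\r\n"
    b"Call-ID:\r\n"
    b"CSeq: 1 INVITE\r\n"
    b"Max-Forwards: 70\r\n"
    b"Contact: <sip:111@192.168.1.48:5060;line=br1mvvdf>\r\n"
    b"Accept: application/sdp\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Limits as printed in rmkml's "SIP config:" block.
LIMITS = {"uri": 512, "call-id": 80, "from": 256, "to": 256,
          "via": 1024, "contact": 512, "content": 1024}

def parse_sip(msg):
    """Split a SIP request into (method, request_uri, {name: [values]}, body)."""
    head, _, body = msg.partition(b"\r\n\r\n")
    lines = [ln for ln in head.split(b"\r\n") if ln]
    method, uri, _version = lines[0].split(b" ", 2)      # "INVITE <uri> SIP/2.0"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")              # split on first colon only
        key = name.strip().lower().decode("ascii", "replace")
        headers.setdefault(key, []).append(value.strip())
    return method, uri, headers, body

def sip_checks(msg):
    """Findings the empty/too-long header checks raise for msg.
    'missing <hdr>' (header absent altogether) is this example's own finding."""
    method, uri, headers, body = parse_sip(msg)
    findings = []
    if not uri:
        findings.append("empty request URI")
    elif len(uri) > LIMITS["uri"]:
        findings.append("URI too long")
    for name in ("call-id", "from", "to", "via", "contact"):
        values = headers.get(name)
        if values is None:
            findings.append(f"missing {name}")
        elif not values[0]:
            findings.append(f"empty {name}")
        elif len(values[0]) > LIMITS[name]:
            findings.append(f"{name} too long")
    if len(body) > LIMITS["content"]:
        findings.append("content too long")
    declared = headers.get("content-length", [b""])[0]
    if declared.isdigit() and int(declared) != len(body):
        findings.append("content length mismatch")
    return findings

def _checksum(data):
    """RFC 1071 one's-complement sum, used for both the IPv4 and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(payload, src_mac, dst_mac, src_ip, dst_ip,
                sport=5060, dport=5060, ttl=64, ip_id=1):
    """Ethernet/IPv4/UDP frame around payload with valid IP and UDP checksums."""
    src, dst = (bytes(int(o) for o in ip.split(".")) for ip in (src_ip, dst_ip))
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 17, udp_len)    # UDP pseudo-header
    udp = udp[:6] + struct.pack("!H", _checksum(pseudo + udp) or 0xFFFF) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, ip_id, 0, ttl, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + udp

def write_pcap(path, frames, ts_sec=0, ts_usec=923920):
    """Write frames as a classic little-endian pcap (LINKTYPE_ETHERNET); return byte count."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts_sec + i, ts_usec, len(frame), len(frame)) + frame
    with open(path, "wb") as f:
        f.write(out)
    return len(out)

if __name__ == "__main__":
    frame = build_frame(SIP_INVITE, "02:01:02:03:04:05", "02:09:08:07:06:05", "10.1.2.3", "10.9.8.7")
    print("findings:", sip_checks(SIP_INVITE))                       # ['empty call-id']
    print("wrote", write_pcap("empty_call_id.pcap", [frame]), "bytes")
```

Replay the generated file with the command line Alex used (`--daq dump --daq-var load-mode=read-file -Q -r empty_call_id.pcap`); the frame length (0x1A7), IP datagram length (409) and UDP length (389) reproduce the values in his dump, and `sip_checks` reports only the empty Call-ID, which is the one event the preprocessor raised for it.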
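The thread ends on two separate causes for a silent GID 140: the `include $PREPROC_RULE_PATH/preprocessor.rules` line is commented out in the default snort.conf (Alex's reply), and an out-of-date preprocessor.rules has no SIP entries even once the include is active (rmkml's final fix). The checker below, an added example and not a Snort tool, reports both states for a given pair of files. The two snort.conf and preprocessor.rules contents are constructed, and the `gid: 140` rule line is illustrative rather than copied from a shipped preprocessor.rules.

```python
"""Spot the two snort.conf problems this thread ended on: the preprocessor.rules
include commented out, and a preprocessor.rules without GID 140 (SIP) entries.
Added example, not a Snort tool; file contents below are constructed.
"""
import re

# Constructed snort.conf fragment: the include ships commented out by default.
SNORT_CONF = """\
var PREPROC_RULE_PATH ../preproc_rules
preprocessor sip: max_sessions 10000, ports { 5060 5061 5600 }
# include $PREPROC_RULE_PATH/preprocessor.rules
include $RULE_PATH/local.rules
"""

# Constructed stale preprocessor.rules carried over from an older release:
# decoder (gid 116) entries only, nothing for the SIP preprocessor.
STALE_PREPROC_RULES = """\
alert ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; )
"""

# Constructed updated file with an illustrative gid 140 entry for event 4
# (the empty Call-ID alert shown in the thread); msg text is an assumption.
FRESH_PREPROC_RULES = STALE_PREPROC_RULES + """\
alert ( msg: "SIP_EVENT_EMPTY_CALL_ID"; sid: 4; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
"""

INCLUDE_RE = re.compile(r"^\s*(#\s*)?include\s+\$PREPROC_RULE_PATH/preprocessor\.rules\s*$")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

def include_state(conf_text):
    """'active', 'commented' or 'absent' for the preprocessor.rules include."""
    state = "absent"
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m and not m.group(1):
            return "active"            # an active include wins over a commented copy
        if m:
            state = "commented"
    return state

def uncomment_include(conf_text):
    """Return conf_text with the preprocessor.rules include line activated."""
    fixed = []
    for line in conf_text.splitlines():
        if INCLUDE_RE.match(line) and line.lstrip().startswith("#"):
            line = line.replace("#", "", 1).lstrip()
        fixed.append(line)
    return "\n".join(fixed) + "\n"

def gids_present(rules_text):
    """GIDs that have at least one uncommented rule in a preprocessor.rules file."""
    return {int(g) for line in rules_text.splitlines()
            if not line.lstrip().startswith("#")
            for g in GID_RE.findall(line)}

def diagnose(conf_text, rules_text, gid=140):
    """List what stops preprocessor events for gid from ever becoming alerts."""
    problems = []
    state = include_state(conf_text)
    if state != "active":
        problems.append(f"preprocessor.rules include is {state} in snort.conf")
    if gid not in gids_present(rules_text):
        problems.append(f"no gid {gid} rules in preprocessor.rules; install the copy shipped with this release")
    return problems

if __name__ == "__main__":
    print(diagnose(SNORT_CONF, STALE_PREPROC_RULES))                      # both problems
    print(diagnose(uncomment_include(SNORT_CONF), FRESH_PREPROC_RULES))  # []
```

Note what this does not cover: the preprocessor also has to see SIP traffic on its configured ports, which is Alex's other point in the thread, so a clean result from `diagnose` plus silence still means checking the pcap or the tap, not the rules.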
