Snort mailing list archives
Re: SIP preprocessor: false positives on DNS traffic
From: Hui Cao <hcao () sourcefire com>
Date: Mon, 19 Aug 2013 13:20:54 -0400
Hi Bram,

Thanks for reporting this. We will take a look at this issue.

Best,
Hui.

On Fri, Aug 16, 2013 at 8:56 AM, Bram <bram-fabeg () mail wizbit be> wrote:
Hi,
It appears that the SIP preprocessor generates alerts on DNS traffic which
happens to be using port 5060, 5061 or 5600.
Attached is a capture file which consists of a DNS query.
The dns query happens to be using source port 5060 (randomly chosen).
On the dns response the alert 'SIP_EVENT_EMPTY_REQUEST_URI' is generated.
Config:
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
preprocessor stream5_global: track_tcp yes, \
track_udp yes, \
track_icmp no
preprocessor stream5_tcp: ports both 53
preprocessor stream5_udp: timeout 180
preprocessor dns: ports { 53 } enable_rdata_overflow
preprocessor sip: max_sessions 10000, \
ports { 5060 5061 5600 }, \
methods { invite \
cancel \
ack \
bye \
register \
options \
refer \
subscribe \
update \
join \
info \
message \
notify \
benotify \
do \
qauth \
sprack \
publish \
service \
unsubscribe \
prack }, \
max_uri_len 512, \
max_call_id_len 256, \
max_requestName_len 20, \
max_from_len 256, \
max_to_len 256, \
max_via_len 1024, \
max_contact_len 512, \
max_content_len 2048
alert ( msg: "SIP_EVENT_EMPTY_REQUEST_URI"; sid: 2; gid: 140; rev: 1; metadata: rule-type preproc ; )
output alert_fast: stdout
Running it:
$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/140_2_1.cap 2>&1 | grep '140:'
07/28-21:40:12.713181 [**] [140:2:1] (spp_sip) Empty request URI [**] [Priority: 0] {UDP} 192.48.79.30:53 -> 10.10.1.1:5060
Looking in the code: ./src/dynamic-preprocessors/sip/sip_parser.c:
'sip_startline_parse' shows:
When the packet starts with 'SIP/' then it is assumed to be a SIP Response.
If this is the case then it will check the version and if the version is
invalid it generates the alert 'SIP_EVENT_INVALID_VERSION'
It then proceeds to check the status code. If no status code is found no
alert is generated (judging by the code)
If a status code is found and invalid then the alert
'SIP_EVENT_BAD_STATUS_CODE' is generated.
When the packet does not start with 'SIP/' it assumes this is a request.
It first looks for the method, and then extracts the URI.
When the URI is empty the alert 'SIP_EVENT_EMPTY_REQUEST_URI' is generated.
When the URI is longer than 'maxUriLen' then the alert 'SIP_EVENT_BAD_URI'
is generated.
It then proceeds to check if 'SIP/' with a version number is found.
This can (and does) result in false positives...
I'm not sure what the proper fix for this is...
Checking the 'SIP/' keyword before generating the 'SIP_EVENT_BAD_URI' alert
will break the alert (it was added for CVE-2007-1306 which is a SIP request
without SIP keyword/version).
It should probably check if this is a DNS request/response but I'm not sure
that is the proper fix...
Best regards,
Bram
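The start-line flow Bram walks through above can be modelled to show why a DNS response on port 5060 trips the empty-URI alert. The following is an added example, not Snort's sip_parser.c and not code from the thread: it approximates the dispatch order described in the mail (response branch only when the payload starts with 'SIP/', otherwise method, then URI, then version) and feeds it a constructed DNS response with no 0x20 byte in it. The method list and max_uri_len come from the quoted config; the 100-699 status-code range, the `require_known_method` gate and the constructed packet bytes are assumptions of this example, the gate being an illustration of one way to keep non-SIP payloads out of the request checks, not a fix proposed by the thread.

```python
import re

# Methods from the "preprocessor sip:" config quoted in the thread.
CONFIGURED_METHODS = {
    b"INVITE", b"CANCEL", b"ACK", b"BYE", b"REGISTER", b"OPTIONS", b"REFER",
    b"SUBSCRIBE", b"UPDATE", b"JOIN", b"INFO", b"MESSAGE", b"NOTIFY", b"BENOTIFY",
    b"DO", b"QAUTH", b"SPRACK", b"PUBLISH", b"SERVICE", b"UNSUBSCRIBE", b"PRACK",
}
MAX_URI_LEN = 512  # max_uri_len from the quoted config

# Constructed DNS response for "example.com A" (not the capture attached to
# the thread).  It contains no space byte, no CRLF and does not start with
# "SIP/", which is all the modelled parser looks at.
DNS_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header: id, flags=response, 1 Q, 1 A
    b"\x07example\x03com\x00\x00\x01\x00\x01"             # question: example.com, type A, class IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"   # answer: name ptr, A, IN, TTL 3600, rdlen 4
    b"\x5d\xb8\xd8\x22"                                   # rdata: 93.184.216.34
)


def parse_start_line(payload, max_uri_len=MAX_URI_LEN, require_known_method=False):
    """Return (kind, events, has_version) for the first line of a UDP payload.

    Approximation of the sip_startline_parse order described in the thread,
    not Snort's code.  With require_known_method=True the request branch is
    only entered for a method in CONFIGURED_METHODS (assumed hardening for
    illustration; the thread does not propose it).
    """
    events = []
    line = payload.split(b"\r\n", 1)[0]
    has_version = re.search(rb"SIP/\d+\.\d+", line) is not None

    if line.startswith(b"SIP/"):
        # Response branch: version first, then status code.
        m = re.match(rb"SIP/(\d+\.\d+)", line)
        if m is None or m.group(1) != b"2.0":
            events.append("SIP_EVENT_INVALID_VERSION")
        rest = line[m.end():].lstrip(b" ") if m else b""
        sm = re.match(rb"(\d+)", rest)
        # No status code: no alert (as the mail reads the code).
        # Range 100-699 is an assumption of this example.
        if sm is not None and not 100 <= int(sm.group(1)) <= 699:
            events.append("SIP_EVENT_BAD_STATUS_CODE")
        return "response", events, has_version

    # Request branch: anything not starting with "SIP/" lands here,
    # including a binary DNS message.  Method is the text up to the first
    # space, URI the text up to the next one.
    fields = line.split(b" ")
    method = fields[0]
    uri = fields[1] if len(fields) > 1 else b""
    if require_known_method and method.upper() not in CONFIGURED_METHODS:
        return "not-sip", events, has_version
    # URI checks run before the version check, so a payload with no space
    # byte raises EMPTY_REQUEST_URI regardless of whether it is SIP at all.
    if uri == b"":
        events.append("SIP_EVENT_EMPTY_REQUEST_URI")
    elif len(uri) > max_uri_len:
        events.append("SIP_EVENT_BAD_URI")
    return "request", events, has_version


if __name__ == "__main__":
    samples = {
        "sip invite": b"INVITE sip:bob@example.com SIP/2.0\r\n",
        "sip 200": b"SIP/2.0 200 OK\r\n",
        "no version": b"INVITE sip:bob@example.com\r\n",
        "dns response": DNS_RESPONSE,
    }
    for name, pkt in samples.items():
        print(name, parse_start_line(pkt), parse_start_line(pkt, require_known_method=True))
```

Run as a script, the DNS sample shows the behaviour in the thread: it is classified as a request and raises SIP_EVENT_EMPTY_REQUEST_URI. With the method gate on, the DNS bytes are dropped before the URI checks, while the version-less "INVITE sip:bob@example.com" line (the shape Bram says the BAD_URI alert was added for) still reaches them, which is the property any real fix in the preprocessor would need to preserve.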