On Wed, Jul 04, 2012 at 10:46:37PM +0200, Robert Kehl wrote:
> The rules in community-sip.rules that use "ip any any -> any" are wrong in
> my stumbling understanding of snort's rule syntax, as they trigger in every
> case the content is involved, regardless of the port 5060 mentioned.

Thanks for your report. Googling this, it actually seems to be a common problem
for some Snort users, see for example:

https://groups.google.com/forum/#!msg/snortusers/hPX_WRjTUWY/eZckB3C00U8J
https://www.alienvault.com/forum/index.php?t=msg&goto=5575&S=cd14599b5bf0cd872c3643f18b7a53a9
https://www.alienvault.com/forum/index.php?t=msg&goto=3448&S=edb2a35e5f434a528c4e6bb2448226a7

> Especially the rule "COMMUNITY SIP TCP/IP message flooding directed to SIP
> proxy" triggers very often, being a false positive then, as it does not
> limit regarding the content of a packet in any way.

These rules are very out of date and are only provided as a reference for
users. The default snort.conf configuration in Debian does not include this
file anymore.

In any case, to prevent users from shooting themselves in the foot I'm
modifying the file as distributed in Debian to comment out the rules and add
a warning, so that users enable it at their own risk.

> 
> Having disabled the questioned rules, snort behaves as expected,
> beforehand, I got hundreds of false positives covering the real attacks.
> 
> I think, a rule like this is wrong:
> 
>   alert ip any any -> any 5060
> 
> It actually behaves like this one:
> 
>   alert ip any any -> any
> 
> This results in numerous warnings on heavily used connections like an
> OpenVPN connection (in my case).

I believe this is probably because the rule should use 'tcp' or 'udp' instead 
of IP.

> Despite the fact that most of the rules are heavily out-dated, but still
> better than none, you should consider boiling down community-sip.rules to
> the set below or kicking it completely. I'd suggest the latter, as I'm not
> sure whether the remaining rules are correct, either. Implementing a recent
> ET ruleset would improve the usage of snort on Debian, for sure, but this
> is out of scope of this bug report.

As said before, I'm commenting it out completely and adding a warning for
users.

Regards

Javier
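For reference, here is an added example (written for this page, not taken from the bug report or from community-sip.rules) of the rule shape the thread describes next to a rewrite that binds the rule to the transport SIP actually uses. The msg strings, sids, and the content/detection_filter options are hypothetical illustrations of the Snort 2 rule language, not the original rule text.

```snort
# Shape of the problematic rule, as reported in the thread: the header uses
# protocol "ip", and the destination port 5060 is then not enforced, so the
# rule matches on any IP packet (an OpenVPN tunnel, for instance). Hypothetical
# msg/sid; without a content or rate option it fires on every packet.
alert ip any any -> any 5060 (msg:"SIP flood to proxy (hypothetical, proto ip)"; \
    detection_filter:track by_dst, count 300, seconds 60; sid:1000001; rev:1;)

# Rewrite: name the transport (SIP runs over UDP and TCP, 5060) so the port in
# the header actually applies, and require a SIP request line before the
# rate filter is consulted. Hypothetical msg/sid values.
alert udp any any -> any 5060 (msg:"SIP INVITE flood over UDP (hypothetical)"; \
    content:"INVITE sip:"; depth:11; \
    detection_filter:track by_dst, count 300, seconds 60; sid:1000002; rev:1;)
alert tcp any any -> any 5060 (msg:"SIP INVITE flood over TCP (hypothetical)"; \
    flow:to_server,established; content:"INVITE sip:"; depth:11; \
    detection_filter:track by_dst, count 300, seconds 60; sid:1000003; rev:1;)
```

After editing a rules file, `snort -T -c /etc/snort/snort.conf` parses the configuration and the included rules without starting detection, which catches syntax errors before the daemon is restarted. Local rules should use sids of 1000000 or above so they do not collide with distributed rule sets.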
