Snort mailing list archives
Re: new SIP preproc on snort v2.9.1 never firing?
From: Alex Kirk <akirk () sourcefire com>
Date: Wed, 7 Sep 2011 09:14:33 -0400
include $PREPROC_RULE_PATH/preprocessor.rules is your friend, it's commented out by default.

On Wed, Sep 7, 2011 at 4:26 AM, rmkml <rmkml () yahoo fr> wrote:
Hi Alex,

How do I enable this, please? It's not enabled in the default snort.conf?

But SIP preproc stats (snort verbose mode) work:

...
SIP Preprocessor Statistics
  Total sessions: 28
  Preprocessor events: 31
  Total dialogs: 47
  Requests: 195
    invite: 39
    cancel: 11
    ack: 22
    bye: 9
...

Regards
Rmkml

On Tue, 6 Sep 2011, Alex Kirk wrote:

Do you have the preprocessor rules enabled?

On Tue, Sep 6, 2011 at 5:32 PM, rmkml <rmkml () yahoo fr> wrote:

Hi,

I'm continuing to test the latest snort v2.9.1, but the new SIP preproc never fires.
Does anyone have alerts from the SIP preproc? (GID 140)

I tested with the default snort.conf:

...
PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ]
...
Loading dynamic preprocessor library dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
...
SIP config:
    Max number of sessions: 10000 (Default)
    Status: ENABLED
    Ignore media channel: DISABLED
    Max URI length: 512
    Max Call ID length: 80
    Max Request name length: 20 (Default)
    Max From length: 256 (Default)
    Max To length: 256 (Default)
    Max Via length: 1024 (Default)
    Max Contact length: 512
    Max Content length: 1024 (Default)
    Ports: 5060 5061 5600
    Methods: invite cancel ack bye register options refer subscribe update join info message notify benotify do qauth sprack publish service unsubscribe prack
...
o" )~ Version 2.9.1 IPv6 GRE (Build 71)
...
Preprocessor Object: SF_SIP (IPV6) Version 1.1 <Build 1>
...

I reduced the SIP lengths, but the SIP preproc still never fires.
I read doc/README.sip and of course enabled UDP on stream5 (default snort.conf).
Tested with nessus, nmap, many scanners, replayed traffic, sipp...

Regards
Rmkml
http://twitter.com/rmkml
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
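A quick way to check a sensor for the situation discussed in this message: the SIP preprocessor is configured but the `preprocessor.rules` include is still commented out. This is an added example, not part of the original post or of Snort itself; the function name `audit`, the result keys and the sample configuration are assumptions made up for illustration.

```python
import re

# Constructed snort.conf excerpt (not taken from a real sensor), shaped like the
# default described in the thread: SIP preprocessor on, rules include commented.
SAMPLE_CONF = """\
var PREPROC_RULE_PATH ../preproc_rules
preprocessor stream5_udp: timeout 180
preprocessor sip: max_sessions 10000, \\
   ports { 5060 5061 5600 }, \\
   max_uri_len 512
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
include $RULE_PATH/local.rules
"""
COMMENTED = "# include $PREPROC_RULE_PATH/preprocessor.rules"

INCLUDE_RE = re.compile(r"^(#?)\s*include\s+(\S+)")
PREPROC_RE = re.compile(r"^preprocessor\s+(\w+)")


def audit(conf_text, rules_file="preprocessor.rules"):
    """Report configured preprocessors and the state of the rules include."""
    # Join backslash-continued lines so each directive is one logical line.
    joined = re.sub(r"\\[ \t]*\n", " ", conf_text)
    preprocs, state = [], "missing"
    for raw in joined.splitlines():
        line = raw.strip()
        m = PREPROC_RE.match(line)
        if m:
            preprocs.append(m.group(1))
            continue
        m = INCLUDE_RE.match(line)
        if m and m.group(2).endswith("/" + rules_file):
            # An active include wins over a commented copy of the same line.
            if m.group(1) == "":
                state = "active"
            elif state != "active":
                state = "commented"
    # Assumption from the thread: SIP events (GID 140) only alert once the
    # preprocessor rules file is actually included.
    return {"preprocessors": preprocs, "rules_include": state,
            "sip_can_alert": "sip" in preprocs and state == "active"}


if __name__ == "__main__":
    fixed = SAMPLE_CONF.replace(COMMENTED, COMMENTED[2:])
    for label, conf in (("default", SAMPLE_CONF), ("fixed", fixed)):
        print(label, audit(conf))
```

To audit a real sensor, pass the contents of its snort.conf to `audit()`; files pulled in through nested `include` directives are not followed.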