Snort mailing list archives

Re: new SIP preproc on snort v2.9.1 never firing?


From: rmkml <rmkml () yahoo fr>
Date: Wed, 7 Sep 2011 15:26:27 +0200 (CEST)

Hi Alex,
I already uncommented this line:
 include $PREPROC_RULE_PATH/preprocessor.rules

I'm curious whether you have already had the SIP preproc fire?
Regards
Rmkml

http://twitter.com/rmkml


On Wed, 7 Sep 2011, Alex Kirk wrote:

include $PREPROC_RULE_PATH/preprocessor.rules is your friend, it's commented out by default.

On Wed, Sep 7, 2011 at 4:26 AM, rmkml <rmkml () yahoo fr> wrote:
      Hi Alex,
      How do I enable this, please?
      Is it not enabled in the default snort.conf?
      But the SIP preproc stats (snort verbose mode) work:
       ...
       SIP Preprocessor Statistics
       Total sessions: 28
       Preprocessor events: 31
       Total  dialogs: 47
       Requests: 195
               invite:   39
               cancel:   11
                  ack:   22
                  bye:   9
       ...
      Regards
      Rmkml



On Tue, 6 Sep 2011, Alex Kirk wrote:

      Do you have the preprocessor rules enabled?

      On Tue, Sep 6, 2011 at 5:32 PM, rmkml <rmkml () yahoo fr> wrote:
           Hi,
           I'm continuing to test the latest snort v2.9.1, but the new SIP preproc never fires.
           Does anyone have an alert from the SIP preproc? (GID 140)

           I tested with the default snort.conf:
            ...
            PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
            ...
            Loading dynamic preprocessor library dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
            ...
            SIP config:
             Max number of sessions: 10000 (Default)
             Status: ENABLED
             Ignore media channel: DISABLED
             Max URI length: 512
             Max Call ID length: 80
             Max Request name length: 20 (Default)
             Max From length: 256 (Default)
             Max To length: 256 (Default)
             Max Via length: 1024 (Default)
             Max Contact length: 512
             Max Content length: 1024 (Default)
             Ports:
                   5060    5061    5600
             Methods:
              invite cancel ack bye register options refer subscribe update join info message notify benotify do qauth sprack publish service unsubscribe prack
           ...
             o"  )~   Version 2.9.1 IPv6 GRE (Build 71)
           ...
                      Preprocessor Object: SF_SIP (IPV6)  Version 1.1  <Build 1>
           ...

           I reduced the SIP lengths, but again the SIP preproc never fires.

           I read doc/README.sip and of course enabled UDP on stream5 (default snort.conf).
           Tested with nessus, nmap, many scanners, replayed traffic, sipp...
           Regards
           Rmkml

           http://twitter.com/rmkml
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
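
A check for the condition discussed in the thread, as an added example that is not part of any poster's message: it reports whether the `preprocessor.rules` include is active in a snort.conf and how many GID 140 rules in that rules file are enabled or commented out. The config and rule lines are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed samples for illustration; not taken from the thread.
SAMPLE_CONF = """\
var PREPROC_RULE_PATH ../preproc_rules
preprocessor sip: max_sessions 10000, ports { 5060 5061 5600 }
# include $PREPROC_RULE_PATH/preprocessor.rules
"""
SAMPLE_RULES = """\
alert ( msg: "constructed SIP event A"; sid: 1; gid: 140; rev: 1; )
# alert ( msg: "constructed SIP event B"; sid: 2; gid: 140; rev: 1; )
alert ( msg: "constructed non-SIP event"; sid: 1; gid: 119; rev: 1; )
"""

INCLUDE_RE = re.compile(r"^\s*(#\s*)?include\s+(\S+)\s*$")
RULE_RE = re.compile(r"^\s*(#\s*)?alert\b.*?\bgid\s*:\s*(\d+)\s*;")
SIP_RE = re.compile(r"^\s*preprocessor\s+sip\b", re.M)

def include_status(conf_text, filename="preprocessor.rules"):
    """Return 'active', 'commented' or 'missing' for the include of filename."""
    status = "missing"
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m and m.group(2).rsplit("/", 1)[-1] == filename:
            if m.group(1) is None:
                return "active"
            status = "commented"
    return status

def gid_rule_counts(rules_text, gid=140):
    """Count (enabled, commented-out) rules carrying the given generator ID."""
    enabled = disabled = 0
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and int(m.group(2)) == gid:
            if m.group(1):
                disabled += 1
            else:
                enabled += 1
    return enabled, disabled

def diagnose(conf_text, rules_text, gid=140):
    """Summarise whether the config lets rules with this GID be loaded."""
    status = include_status(conf_text)
    enabled, disabled = gid_rule_counts(rules_text, gid)
    return {"sip_configured": bool(SIP_RE.search(conf_text)),
            "include": status, "enabled": enabled, "commented": disabled,
            "rules_loaded": status == "active" and enabled > 0}

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONF, SAMPLE_RULES))
```

To run it against a real setup, pass the contents of the actual snort.conf and preprocessor.rules files to `diagnose` in place of the samples.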
