Snort mailing list archives
Re: new SIP preproc on snort v2.9.1 never firing?
From: rmkml <rmkml () yahoo fr>
Date: Wed, 7 Sep 2011 15:26:27 +0200 (CEST)
Hi Alex, Already decommented this line: include $PREPROC_RULE_PATH/preprocessor.rules Im curious if you have already SIP preproc fired? Regards Rmkml http://twitter.com/rmkml On Wed, 7 Sep 2011, Alex Kirk wrote:
include $PREPROC_RULE_PATH/preprocessor.rules is your friend, it's commented out by default. On Wed, Sep 7, 2011 at 4:26 AM, rmkml <rmkml () yahoo fr> wrote: Hi Alex, How to enable this please? It's not enabled on snort.conf default? But SIP preproc stats (snort verbose mode) work: ... SIP Preprocessor Statistics Total sessions: 28 Preprocessor events: 31 Total dialogs: 47 Requests: 195 invite: 39 cancel: 11 ack: 22 bye: 9 ... Regards Rmkml On Tue, 6 Sep 2011, Alex Kirk wrote: Do you have the preprocessor rules enabled? On Tue, Sep 6, 2011 at 5:32 PM, rmkml <rmkml () yahoo fr> wrote: Hi, Im continue testing last snort v2.9.1, but new SIP preproc never firing. Anyone have alert with SIP preproc ? (GID 140) Im tested with default snort.conf: ... PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ] ... Loading dynamic preprocessor library dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done ... SIP config: Max number of sessions: 10000 (Default) Status: ENABLED Ignore media channel: DISABLED Max URI length: 512 Max Call ID length: 80 Max Request name length: 20 (Default) Max From length: 256 (Default) Max To length: 256 (Default) Max Via length: 1024 (Default) Max Contact length: 512 Max Content length: 1024 (Default) Ports: 5060 5061 5600 Methods: invite cancel ack bye register options refer subscribe update join info message notify benotify do qauth sprack publish service unsubscribe prack ... o" )~ Version 2.9.1 IPv6 GRE (Build 71) ... Preprocessor Object: SF_SIP (IPV6) Version 1.1 <Build 1> ... Im reduced sip length but sip preproc never firing again. Im read doc/README.sip and of course enabled udp on stream5 (default snort.conf). Tested with nessus,nmap,many scanner, replay traffic, sipp... Regards Rmkml http://twitter.com/rmkml
------------------------------------------------------------------------------ Using storage to extend the benefits of virtualization and iSCSI Virtualization increases hardware utilization and delivers a new level of agility. Learn what those decisions are and how to modernize your storage and backup environments for virtualization. http://www.accelacomm.com/jaw/sfnl/114/51434361/
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- new SIP preproc on snort v2.9.1 never firing? rmkml (Sep 06)
- Re: new SIP preproc on snort v2.9.1 never firing? Alex Kirk (Sep 06)
- Re: new SIP preproc on snort v2.9.1 never firing? rmkml (Sep 07)
- Re: new SIP preproc on snort v2.9.1 never firing? Alex Kirk (Sep 07)
- Re: new SIP preproc on snort v2.9.1 never firing? rmkml (Sep 07)
- Re: new SIP preproc on snort v2.9.1 never firing? Alex Kirk (Sep 07)
- Re: new SIP preproc on snort v2.9.1 never firing? rmkml (Sep 07)
- Re: new SIP preproc on snort v2.9.1 never firing? rmkml (Sep 07)
- Re: new SIP preproc on snort v2.9.1 never firing? Alex Kirk (Sep 06)