False positives(?) for spp_sip

["Pettersson, Emil" <emil.pettersson () sovos com>]

Hi,

We’ve been getting a few blocks for traffic from customers, from looking into the logs if I’m understanding correctly 
these are getting caught by spp_sip due to traffic in these instances having source port 5060 (they’re doing a few 
thousand/day with random source port span).
Apr 17 09:33:31 snort[17881]: [140:3:2] (spp_sip) URI is too long [Classification: Potentially Bad Traffic] [Priority: 
2] {TCP} [SOURCE_IP]:5060 -> [DESTINATION_IP]:443
There is no actual SIP traffic expected to go in or out from this network, so regardless of anything else I believe 
there’s no real reason to have these rules enabled? However I am unsure of what the correct way would be to disable 
them?
- This message and any attachments thereto contain information that may be privileged, confidential or otherwise 
protected from disclosure and is the property of Sovos Compliance, LLC. It is intended only for the person to whom it 
is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, 
distribute, or use this message, any attachments thereto or any part thereof. If you receive this message in error, 
please delete all copies of this message and attachments. Sovos Compliance, LLC. has implemented anti-virus software on 
its computers and servers, however, it is the recipient's own responsibility to ensure that all attachments are scanned 
for viruses prior to usage.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!