Snort mailing list archives
Re: False positives(?) for spp_sip
From: "Joel Esler \(jesler\) via Snort-sigs" <snort-sigs () lists snort org>
Date: Mon, 20 Apr 2020 15:27:03 +0000
Bill — Any comments on the below?
On Apr 20, 2020, at 10:20 AM, Pettersson, Emil <emil.pettersson () sovos com> wrote:

Just to be sure, I found that we have multiples of snort.conf (this is on pfSense I should add), there is I guess the “main” one at /usr/local/etc/snort/snort.conf and then there are additional ones for each interface that we have Snort enabled on (i.e. /usr/local/etc/snort/snort_2591_em0/snort.conf). The latter seems to overwrite any changes whenever the Snort service is restarted so I can’t comment out the SIP pre-processor there, not sure if this is needed or if only the former is used to determine what rules are used?

From: Joel Esler (jesler) <jesler () cisco com>
Sent: Friday, 17 April 2020 17:23
To: Pettersson, Emil <emil.pettersson () sovos com>
Cc: snort-sigs () lists snort org
Subject: Re: [Snort-sigs] False positives(?) for spp_sip

On Apr 17, 2020, at 10:23 AM, Pettersson, Emil <emil.pettersson () sovos com> wrote:

> Thank you Joel, so I would just comment out the entire block below then?

Yes

> For reference, do you know if changes such as these would get overwritten during updates? I know we have some customization we’ve done for Snort logging (mainly in /usr/local/pkg/snort/snort_check_for_rule_updates.php) and for these we end up redoing these changes if Snort package is updated, just wanted to make sure we include in our routines if the same goes for the snort.conf file.

snort.conf should be compared every time you update Snort. Using diff or something similar to make sure we didn’t add any additional options, etc.

> preprocessor sip: max_sessions 40000, \
>    ports { 5060 5061 5600 }, \
>    methods { invite \
>              cancel \
>              ack \
>              bye \
>              register \
>              options \
>              refer \
>              subscribe \
>              update \
>              join \
>              info \
>              message \
>              notify \
>              benotify \
>              do \
>              qauth \
>              sprack \
>              publish \
>              service \
>              unsubscribe \
>              prack }, \
>    max_uri_len 512, \
>    max_call_id_len 80, \
>    max_requestName_len 20, \
>    max_from_len 256, \
>    max_to_len 256, \
>    max_via_len 1024, \
>    max_contact_len 512, \
>    max_content_len 2048

From: Joel Esler (jesler) <jesler () cisco com>
Sent: Friday, 17 April 2020 15:20
To: Pettersson, Emil <emil.pettersson () sovos com>
Cc: snort-sigs () lists snort org
Subject: Re: [Snort-sigs] False positives(?) for spp_sip

Hello Emil,

If you are not running SIP on your network, then yes, comment out the SIP preprocessor and that will solve your problem. This can be done in your snort.conf file.

Sent from my iPad

On Apr 17, 2020, at 09:01, Pettersson, Emil <emil.pettersson () sovos com> wrote:

Hi,

We’ve been getting a few blocks for traffic from customers, from looking into the logs if I’m understanding correctly these are getting caught by spp_sip due to traffic in these instances having source port 5060 (they’re doing a few thousand/day with random source port span).

Apr 17 09:33:31 snort[17881]: [140:3:2] (spp_sip) URI is too long [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} [SOURCE_IP]:5060 -> [DESTINATION_IP]:443

There is no actual SIP traffic expected to go in or out from this network, so regardless of anything else I believe there’s no real reason to have these rules enabled? However I am unsure of what the correct way would be to disable them?
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats!
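An added example, not code from this thread or from the Snort or pfSense projects: a POSIX shell helper that comments out the whole multi-line "preprocessor sip:" directive (following the backslash continuations so no stray option line is left live) and then reviews the result with a unified diff, the same comparison Joel recommends after every Snort update. The function names and the cut-down snort.conf it writes are my own constructed demo material.

```shell
#!/bin/sh
# disable_sip_preprocessor IN OUT
#   Copies snort.conf IN to OUT with the "preprocessor sip:" directive
#   commented out. A trailing backslash continues the directive onto the
#   next line, so every continuation line is commented as well. Lines that
#   are already commented never match the start pattern, so running the
#   function twice leaves the file unchanged.
disable_sip_preprocessor() {
    awk '
        /^[ \t]*preprocessor[ \t]+sip:/ { inblock = 1 }
        inblock {
            cont = ($0 ~ /\\[ \t]*$/)   # does this line continue the directive?
            print "# " $0
            if (!cont) inblock = 0
            next
        }
        { print }
    ' "$1" > "$2"
}

# active_sip_blocks FILE: number of uncommented "preprocessor sip:" directives.
active_sip_blocks() {
    grep -c '^[[:space:]]*preprocessor[[:space:]][[:space:]]*sip:' "$1" || true
}

# Constructed demo input: a hypothetical cut-down snort.conf, not a real pfSense file.
demo=$(mktemp -d)
cat > "$demo/snort.conf" <<'EOF'
preprocessor frag3_global: max_frags 65536
preprocessor sip: max_sessions 40000, \
   ports { 5060 5061 5600 }, \
   max_uri_len 512
preprocessor ssl: noinspect_encrypted
EOF
disable_sip_preprocessor "$demo/snort.conf" "$demo/snort.conf.new"
# Review the edit the way you would compare snort.conf after a package update:
# the unified diff shows exactly which directives changed and nothing else.
diff -u "$demo/snort.conf" "$demo/snort.conf.new" || true
echo "active sip blocks before: $(active_sip_blocks "$demo/snort.conf"), after: $(active_sip_blocks "$demo/snort.conf.new")"
```

Keep a copy of the reviewed snort.conf beside the live one; after an update, `diff -u saved.conf live.conf` shows whether the sip block came back or new options were added.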