Snort mailing list archives

Re: False positives(?) for spp_sip


From: Nitish Hejmadi via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 20 Apr 2020 11:15:13 -0400

Could be misconfiguration of VoIP or video conferencing from the client's side, considering how many people are doing that nowadays.
We've seen a lot of blocks on our VC too.

Just for safety, I run the blocked IP address through an automated threat hunting tool to make sure they are not targeting any other resources or services.



Nitish Hejmadi
Founder & Strategist

T 416 620 5535   


www.honeyteksystems.com

On Apr 17, 2020, at 9:08 AM, Pettersson, Emil <emil.pettersson () sovos com> wrote:


Hi,

We’ve been getting a few blocks for traffic from customers. From looking into the logs, if I’m understanding correctly, these are getting caught by spp_sip due to traffic in these instances having source port 5060 (they’re doing a few thousand/day with a random source port span).

Apr 17 09:33:31 snort[17881]: [140:3:2] (spp_sip) URI is too long [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} [SOURCE_IP]:5060 -> [DESTINATION_IP]:443

There is no actual SIP traffic expected to go in or out of this network, so regardless of anything else I believe there’s no real reason to have these rules enabled? However, I am unsure of what the correct way would be to disable them.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
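Added worked example (editor's code, not from either poster): a Python triage script for alert lines in the syslog format quoted above. It parses the [gid:sid:rev], message, classification, protocol and endpoints, separates spp_sip (GID 140) alerts whose destination port is not a SIP port (the source-port-5060 collision Emil describes) from hits on the SIP ports themselves, and only proposes a Snort 2.x suppress line for a gid:sid that never fired on a real SIP port. The sample log lines and addresses are constructed, and treating destination port 5060/5061 as "real SIP" is a heuristic assumption.

```python
import re

# Snort 2.x syslog alert line, one per alert (the thread's copy was only wrapped by the archive).
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
SIP_GID = 140              # generator id used by the SIP preprocessor (spp_sip)
SIP_PORTS = {5060, 5061}   # ports the preprocessor inspects by default
# Constructed sample: line 1 mirrors the thread's alert with documentation addresses; the rest are made up.
SAMPLE_LOG = """\
Apr 17 09:33:31 snort[17881]: [140:3:2] (spp_sip) URI is too long [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:5060 -> 192.0.2.10:443
Apr 17 09:35:12 snort[17881]: [140:3:2] (spp_sip) URI is too long [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.8:5060 -> 192.0.2.10:443
Apr 17 09:41:02 snort[17881]: [140:3:2] (spp_sip) URI is too long [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 198.51.100.9:40123 -> 192.0.2.20:5060
Apr 17 09:45:10 snort[17881]: [1:1000001:1] local test rule [Priority: 3] {TCP} 198.51.100.12:5060 -> 192.0.2.10:443
"""

def parse_alert(line):
    """Return the alert fields as a dict (ids, priority and ports as ints), or None."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "pri", "sport", "dport"):
        a[k] = int(a[k])
    return a

def is_port_collision(a):
    # spp_sip fired, but the flow's destination is not a SIP port: the client
    # merely happened to pick 5060/5061 as its ephemeral source port.
    return a["gid"] == SIP_GID and a["dport"] not in SIP_PORTS

def triage(log_text):
    """Split spp_sip alerts into (port_collisions, hits_on_real_sip_ports)."""
    alerts = [a for a in map(parse_alert, log_text.splitlines())
              if a and a["gid"] == SIP_GID]
    collisions = [a for a in alerts if is_port_collision(a)]
    return collisions, [a for a in alerts if not is_port_collision(a)]

def suggest_suppressions(log_text):
    """Snort 2.x 'suppress gen_id X, sig_id Y' lines (threshold.conf/snort.conf syntax) for
    spp_sip ids that fired only on port collisions; an id that also fired on a real SIP port
    is left alone. With no SIP expected at all, comment out 'preprocessor sip:' in snort.conf instead."""
    collisions, real = triage(log_text)
    real_ids = {(a["gid"], a["sid"]) for a in real}
    ids = sorted({(a["gid"], a["sid"]) for a in collisions} - real_ids)
    return [f"suppress gen_id {g}, sig_id {s}" for g, s in ids]
```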