Snort mailing list archives

Re: new SIP preproc on snort v2.9.1 never firing?


From: Alex Kirk <akirk () sourcefire com>
Date: Wed, 7 Sep 2011 09:14:33 -0400

include $PREPROC_RULE_PATH/preprocessor.rules is your friend; it's commented
out by default.

On Wed, Sep 7, 2011 at 4:26 AM, rmkml <rmkml () yahoo fr> wrote:

Hi Alex,
How do I enable this, please?
It's not enabled in the default snort.conf?
But SIP preproc stats (snort verbose mode) work:
 ...
 SIP Preprocessor Statistics
 Total sessions: 28
 Preprocessor events: 31
 Total  dialogs: 47
 Requests: 195
         invite:   39
         cancel:   11
            ack:   22
            bye:   9
 ...
Regards
Rmkml



On Tue, 6 Sep 2011, Alex Kirk wrote:

 Do you have the preprocessor rules enabled?

On Tue, Sep 6, 2011 at 5:32 PM, rmkml <rmkml () yahoo fr> wrote:
     Hi,
     I'm continuing to test the latest snort v2.9.1, but the new SIP preproc never fires.
     Does anyone have alerts from the SIP preproc? (GID 140)

     I tested with the default snort.conf:
      ...
      PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
      ...
      Loading dynamic preprocessor library dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
      ...
      SIP config:
       Max number of sessions: 10000 (Default)
       Status: ENABLED
       Ignore media channel: DISABLED
       Max URI length: 512
       Max Call ID length: 80
       Max Request name length: 20 (Default)
       Max From length: 256 (Default)
       Max To length: 256 (Default)
       Max Via length: 1024 (Default)
       Max Contact length: 512
       Max Content length: 1024 (Default)
       Ports:
             5060    5061    5600
       Methods:
        invite cancel ack bye register options refer subscribe update join
info message notify benotify do qauth sprack publish service unsubscribe
prack
     ...
       o"  )~   Version 2.9.1 IPv6 GRE (Build 71)
     ...
                Preprocessor Object: SF_SIP (IPV6)  Version 1.1  <Build 1>
     ...

     I reduced the SIP lengths, but the SIP preproc still never fires.

     I read doc/README.sip and of course enabled UDP on stream5 (default
snort.conf).
     Tested with nessus, nmap, many scanners, replayed traffic, sipp...
     Regards
     Rmkml

     http://twitter.com/rmkml





--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com




-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
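The point of the thread is that the SIP preprocessor (GID 140) parses traffic and counts sessions even when its events can never become alerts, because the rules that turn preprocessor events into alerts live in preprocessor.rules and the include line for that file is commented out in the stock snort.conf. The shell script below is an added example, not part of the thread or of Snort's own files: it checks a snort.conf for an active `include $PREPROC_RULE_PATH/preprocessor.rules` line and shows the same config with the line uncommented. The sample config is constructed to mirror the 2.9.x layout described above (sip preprocessor enabled, preprocessor.rules include commented out); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from Snort): verify that a snort.conf
# actually activates the preprocessor rules that GID 140 (SIP) alerts need.

# Constructed sample config mirroring the default 2.9.x layout: the SIP
# preprocessor is on, but the preprocessor.rules include is commented out.
SAMPLE_CONF=$(mktemp)
FIXED_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$FIXED_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
preprocessor stream5_udp: timeout 180
preprocessor sip: max_sessions 10000, ports { 5060 5061 5600 }
include $RULE_PATH/local.rules
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
EOF

# Returns 0 when an uncommented include of preprocessor.rules exists in the
# file given as $1, 1 otherwise. Leading whitespace is tolerated; a line
# starting with '#' is not matched, so a commented include counts as absent.
preproc_rules_enabled() {
    grep -Eq '^[[:space:]]*include[[:space:]]+\$PREPROC_RULE_PATH/preprocessor\.rules' "$1"
}

# Writes a copy of the config in $1 to stdout with the preprocessor.rules
# include uncommented (only that line is touched).
enable_preproc_rules() {
    sed -E 's@^[[:space:]]*#[[:space:]]*(include[[:space:]]+\$PREPROC_RULE_PATH/preprocessor\.rules)@\1@' "$1"
}

if preproc_rules_enabled "$SAMPLE_CONF"; then
    echo "preprocessor.rules is included: GID 140 events can alert"
else
    echo "preprocessor.rules is commented out: SIP preproc events will never alert"
fi

enable_preproc_rules "$SAMPLE_CONF" > "$FIXED_CONF"
if preproc_rules_enabled "$FIXED_CONF"; then
    echo "after uncommenting the include: enabled"
fi
```

Run it against a real snort.conf by pointing `preproc_rules_enabled` at that path instead of the constructed sample; a preprocessor that reports sessions in its statistics but produces no GID 140 events is the symptom this check explains.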