Snort mailing list archives

SIP preprocessor: false positives on DNS traffic


From: Bram <bram-fabeg () mail wizbit be>
Date: Fri, 16 Aug 2013 14:56:56 +0200

Hi,


It appears that the SIP preprocessor generates alerts on DNS traffic which happens to be using port 5060, 5061 or 5600.

Attached is a capture file which consists of a DNS query.
The DNS query happens to be using source port 5060 (randomly chosen).

On the DNS response the alert 'SIP_EVENT_EMPTY_REQUEST_URI' is generated.


Config:
        dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
        preprocessor stream5_global: track_tcp yes, \
           track_udp yes, \
           track_icmp no

        preprocessor stream5_tcp: ports both 53
        preprocessor stream5_udp: timeout 180

        preprocessor dns: ports { 53 } enable_rdata_overflow
        preprocessor sip: max_sessions 10000, \
           ports { 5060 5061 5600 }, \
           methods { invite \
                     cancel \
                     ack \
                     bye \
                     register \
                     options \
                     refer \
                     subscribe \
                     update \
                     join \
                     info \
                     message \
                     notify \
                     benotify \
                     do \
                     qauth \
                     sprack \
                     publish \
                     service \
                     unsubscribe \
                     prack }, \
           max_uri_len 512, \
           max_call_id_len 256, \
           max_requestName_len 20, \
           max_from_len 256, \
           max_to_len 256, \
           max_via_len 1024, \
           max_contact_len 512, \
           max_content_len 2048

alert ( msg: "SIP_EVENT_EMPTY_REQUEST_URI"; sid: 2; gid: 140; rev: 1; metadata: rule-type preproc ; )

        output alert_fast: stdout

Running it:
$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/140_2_1.cap 2>&1 | grep '140:'
07/28-21:40:12.713181 [**] [140:2:1] (spp_sip) Empty request URI [**] [Priority: 0] {UDP} 192.48.79.30:53 -> 10.10.1.1:5060

Looking in the code: ./src/dynamic-preprocessors/sip/sip_parser.c: 'sip_startline_parse' shows:

When the packet starts with 'SIP/' then it is assumed to be a SIP Response.
If this is the case then it will check the version and, if the version is invalid, it generates the alert 'SIP_EVENT_INVALID_VERSION'. It then proceeds to check the status code. If no status code is found, no alert is generated (judging by the code). If a status code is found and it is invalid, then the alert 'SIP_EVENT_BAD_STATUS_CODE' is generated.

When the packet does not start with 'SIP/' it assumes this is a request.
It first looks for the method, and then extracts the URI.
When the URI is empty the alert 'SIP_EVENT_EMPTY_REQUEST_URI' is generated.
When the URI is longer than 'maxUriLen' then the alert 'SIP_EVENT_BAD_URI' is generated.
It then proceeds to check if 'SIP/' with a version number is found.

This can (and does) result in false positives...

I'm not sure what the proper fix for this is.
Checking the 'SIP/' keyword before generating the 'SIP_EVENT_BAD_URI' alert will break the alert (it was added for CVE-2007-1306, which is a SIP request without SIP keyword/version). It should probably check if this is a DNS request/response, but I'm not sure that is the proper fix...


Best regards,

Bram



Attachment: 140_2_1.cap
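To make the check ordering described in the message concrete, here is a simplified Python model added for this archive page (it is not Snort's sip_parser.c) that applies the described checks to a few constructed payloads, including a DNS response with no spaces in it; the alert name raised for a request that lacks a 'SIP/' version is an assumption, since the message does not name it.

```python
import re

# Alert names from the SIP preprocessor (gid 140) as discussed in the message.
EMPTY_REQUEST_URI = "SIP_EVENT_EMPTY_REQUEST_URI"
BAD_URI = "SIP_EVENT_BAD_URI"
INVALID_VERSION = "SIP_EVENT_INVALID_VERSION"
BAD_STATUS_CODE = "SIP_EVENT_BAD_STATUS_CODE"
MAX_URI_LEN = 512  # max_uri_len from the config in the message

VERSION_RE = re.compile(rb"SIP/\d+\.\d+")


def startline_alerts(payload: bytes, max_uri_len: int = MAX_URI_LEN) -> list:
    """Alerts raised on the start line under the described check ordering.
    Simplified model of sip_startline_parse, not Snort's code."""
    alerts = []
    line = payload.split(b"\r\n", 1)[0]  # start line ends at CRLF or payload end
    if line.startswith(b"SIP/"):
        # Response path: version first, then status code.
        fields = line.split(b" ", 2)
        if not VERSION_RE.fullmatch(fields[0]):
            alerts.append(INVALID_VERSION)
        # No status code present -> no alert, as the message observes.
        if len(fields) > 1 and not re.fullmatch(rb"[1-6]\d\d", fields[1]):
            alerts.append(BAD_STATUS_CODE)
        return alerts
    # Request path: method, then URI, and only afterwards the SIP/ version.
    fields = line.split(b" ")
    uri = fields[1] if len(fields) > 1 else b""
    if not uri:
        # A payload with no space (e.g. DNS) lands here: the method swallows the
        # line and the URI is empty. Stop, matching the single [140:2:1] alert.
        return [EMPTY_REQUEST_URI]
    if len(uri) > max_uri_len:
        alerts.append(BAD_URI)  # fires before any SIP/ check (CVE-2007-1306 case)
    if len(fields) < 3 or not VERSION_RE.fullmatch(fields[2]):
        alerts.append(INVALID_VERSION)  # assumed name for a missing version
    return alerts


# Constructed DNS response (not the attached capture): id 0x1234, flags 0x8180,
# one A question for example.com and one answer; contains no 0x20 or CRLF bytes.
DNS_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01"
                b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22")

if __name__ == "__main__":
    for name, pkt in [("SIP request", b"INVITE sip:alice@example.com SIP/2.0\r\n"),
                      ("SIP response", b"SIP/2.0 200 OK\r\n"),
                      ("DNS response", DNS_RESPONSE),
                      ("no-version request", b"INVITE " + b"a" * 600 + b"\r\n")]:
        print(f"{name:20s} -> {startline_alerts(pkt)}")
```

The DNS case shows why port-based dispatch alone misfires: nothing about the payload is inspected before the empty-URI check, so any non-SIP datagram on a configured port without a 0x20 byte on its first "line" raises sid 2.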
