Re: False positives(?) for spp_sip

["Joel Esler \(jesler\) via Snort-sigs" <snort-sigs () lists snort org>]

Bill —

Any comments on the below?

> On Apr 20, 2020, at 10:20 AM, Pettersson, Emil <emil.pettersson () sovos com> wrote:
>
> Just to be sure, I found that we have multiples of snort.conf (this is on pfSense I should add), there is I guess the 
> “main” one at /usr/local/etc/snort/snort.conf and then there are additional ones for each interface that we have 
> Snort enabled on (i.e. /usr/local/etc/snort/snort_2591_em0/snort.conf). The latter seems to overwrite any changes 
> whenever the Snort service is restarted so I can’t comment out the SIP pre-processor there, not sure if this is 
> needed or if only the former is used to determine what rules are used?
>  
> From: Joel Esler (jesler) <jesler () cisco com> 
> Sent: Friday, 17 April 2020 17:23
> To: Pettersson, Emil <emil.pettersson () sovos com>
> Cc: snort-sigs () lists snort org
> Subject: Re: [Snort-sigs] False positives(?) for spp_sip
>  
>  
>
>
> On Apr 17, 2020, at 10:23 AM, Pettersson, Emil <emil.pettersson () sovos com <mailto:emil.pettersson () sovos com>> 
> wrote:
>  
> Thank you Joel, so I would just comment out the entire block below then?
>  
>  
> Yes
>  
>
>
> For reference, do you know if changes such as these would get overwritten during updates? I know we have some 
> customization we’ve done for Snort logging (mainly in /usr/local/pkg/snort/snort_check_for_rule_updates.php) and for 
> these we end up redoing these changes if Snort package is updated, just wanted to make sure we include in our 
> routines if the same goes for the snort.conf file.
>  
> snort.conf should be compared every time you update Snort.  Using diff or something similar to make sure we didn’t 
> add any additional options, etc.
>
>
>  
> preprocessor sip: max_sessions 40000, \
>    ports { 5060 5061 5600 }, \
>    methods { invite \
>              cancel \
>              ack \
>              bye \
>              register \
>              options \
>              refer \
>              subscribe \
>              update \
>              join \
>              info \
>              message \
>              notify \
>              benotify \
>              do \
>              qauth \
>              sprack \
>              publish \
>              service \
>              unsubscribe \
>              prack }, \
>    max_uri_len 512, \
>    max_call_id_len 80, \
>    max_requestName_len 20, \
>    max_from_len 256, \
>    max_to_len 256, \
>    max_via_len 1024, \
>    max_contact_len 512, \
>    max_content_len 2048
>  
> From: Joel Esler (jesler) <jesler () cisco com <mailto:jesler () cisco com>> 
> Sent: Friday, 17 April 2020 15:20
> To: Pettersson, Emil <emil.pettersson () sovos com <mailto:emil.pettersson () sovos com>>
> Cc: snort-sigs () lists snort org <mailto:snort-sigs () lists snort org>
> Subject: Re: [Snort-sigs] False positives(?) for spp_sip
>  
> Hello Emil,
>  
> If you are not running SIP on your network, then yes, comment out the SIP preprocessor and that will solve your 
> problem.  This can be done in your snort.conf file.
>
> Sent from my  iPad
>
>
>
> On Apr 17, 2020, at 09:01, Pettersson, Emil <emil.pettersson () sovos com <mailto:emil.pettersson () sovos com>> 
> wrote:
>
>  
> Hi,
>  
> We’ve been getting a few blocks for traffic from customers, from looking into the logs if I’m understanding correctly 
> these are getting caught by spp_sip due to traffic in these instances having source port 5060 (they’re doing a few 
> thousand/day with random source port span).
> Apr 17 09:33:31 snort[17881]: [140:3:2] (spp_sip) URI is too long [Classification: Potentially Bad Traffic] 
> [Priority: 2] {TCP} [SOURCE_IP]:5060 -> [DESTINATION_IP]:443
> There is no actual SIP traffic expected to go in or out from this network, so regardless of anything else I believe 
> there’s no real reason to have these rules enabled? However I am unsure of what the correct way would be to disable 
> them?
> - This message and any attachments thereto contain information that may be privileged, confidential or otherwise 
> protected from disclosure and is the property of Sovos Compliance, LLC. It is intended only for the person to whom it 
> is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, 
> disseminate, distribute, or use this message, any attachments thereto or any part thereof. If you receive this 
> message in error, please delete all copies of this message and attachments. Sovos Compliance, LLC. has implemented 
> anti-virus software on its computers and servers, however, it is the recipient's own responsibility to ensure that 
> all attachments are scanned for viruses prior to usage. _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org <mailto:Snort-sigs () lists snort org>
> https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs>
>
> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette 
> <https://snort.org/faq/what-is-the-mailing-list-etiquette>
>
> Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to 
> catch the most <a href=" https://snort.org/downloads/#rule-downloads";>emerging 
> <https://snort.org/downloads/#rule-downloads";>emerging> threats</a>!
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org <mailto:Snort-sigs () lists snort org>
> https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs>
>
> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette 
> <https://snort.org/faq/what-is-the-mailing-list-etiquette>
>
> Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to 
> catch the most <a href=" https://snort.org/downloads/#rule-downloads 
> <https://snort.org/downloads/#rule-downloads>">emerging threats</a>!
>  
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org <mailto:Snort-sigs () lists snort org>
> https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs>
>
> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette 
> <https://snort.org/faq/what-is-the-mailing-list-etiquette>
>
> Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to 
> catch the most <a href=" https://snort.org/downloads/#rule-downloads 
> <https://snort.org/downloads/#rule-downloads>">emerging threats</a>!

Attachment: smime.p7s
Description:

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!