snort-sigs September 2011 archive

Re: [Snort-sigs] new SIP preproc on snort v2.9.1 never firing?

From: Alex Kirk <akirk_at_nospam>
Date: Tue Sep 06 2011 - 23:52:30 GMT
To: rmkml <rmkml@yahoo.fr>

Do you have the preprocessor rules enabled?

On Tue, Sep 6, 2011 at 5:32 PM, rmkml <rmkml@yahoo.fr> wrote:

> Hi,
> I'm continuing to test the latest snort v2.9.1, but the new SIP preproc is never firing.
> Does anyone have an alert with the SIP preproc? (GID 140)
>
> I tested with the default snort.conf:
> ...
> PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ]
> ...
> Loading dynamic preprocessor library
> dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so...
> done
> ...
> SIP config:
> Max number of sessions: 10000 (Default)
> Status: ENABLED
> Ignore media channel: DISABLED
> Max URI length: 512
> Max Call ID length: 80
> Max Request name length: 20 (Default)
> Max From length: 256 (Default)
> Max To length: 256 (Default)
> Max Via length: 1024 (Default)
> Max Contact length: 512
> Max Content length: 1024 (Default)
> Ports:
> 5060 5061 5600
> Methods:
> invite cancel ack bye register options refer subscribe update join info
> message notify benotify do qauth sprack publish service unsubscribe prack
> ...
> o" )~ Version 2.9.1 IPv6 GRE (Build 71)
> ...
> Preprocessor Object: SF_SIP (IPV6) Version 1.1 <Build 1>
> ...
>
> I reduced the SIP length, but again the SIP preproc is never firing.
>
> I read doc/README.sip and of course enabled udp on stream5 (default
> snort.conf).
> Tested with nessus, nmap, many scanners, replayed traffic, sipp...
> Regards
> Rmkml
>
> http://twitter.com/rmkml

--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk@sourcefire.com

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!