Re: SIP scanner sig

[Y M <snort () outlook com>]

Yes, that would make sense and I haven't tried to take out/adjust the thresholds.

Just to shed some light, I was specifically looking at one of our own IP addresses and this sip packet jumped in the 
middle out of no where, no sip packets before or after it. This explains why the rules didn't fire, at least in this 
particular case, because of the thresholds.

I will try to look more into this as soon as I can.

Thanks again for the explanation.
YM

Sent from a Phone
________________________________
From: Alex McDonnell<mailto:amcdonnell () sourcefire com>
Sent: ‎10/‎1/‎2013 7:13 PM
To: Y M<mailto:snort () outlook com>
Cc: snort-sigs<mailto:snort-sigs () lists sourceforge net>
Subject: Re: [Snort-sigs] SIP scanner sig

We ran the tool and wrote those rules to cover the tool. The one thing that
our rules have is a threshold, assuming a large number of events going
through for a scan. If you take that out one of the rules should fire on
each event.

thanks
Alex McDonnell
VRT


On Tue, Oct 1, 2013 at 11:44 AM, Y M <snort () outlook com> wrote:

> Hi Alex,
>
> Thanks for the information. However, none of the rules you mentioned did
> actually fire, nor production neither my test environments. That's why I
> thought I would write a rule for it. If you guys find out that it does fire
> on the existing rules, then just simply ignore mine.
>
> Thanks again.
> YM
>
> ------------------------------
> Date: Tue, 1 Oct 2013 11:38:19 -0400
> Subject: Re: [Snort-sigs] SIP scanner sig
> From: amcdonnell () sourcefire com
> To: snort () outlook com
> CC: snort-sigs () lists sourceforge net
>
>
> Hi YM.
>
> we have rules that cover sipvicious, if those help. SIDS 27899-27904
>
> thanks
> Alex McDonnell
> VRT
>
>
> On Tue, Oct 1, 2013 at 11:17 AM, Y M <snort () outlook com> wrote:
>
> Caught this one live today. I can't share the pcap, sorry for that.
>
> alert udp $EXTERNAL_NET any -> $HOME_NET $SIP_PORTS (msg:"INDICATOR-SCAN
> Sipvicious SIP scanner detected"; flow:to_server; sip_method:options;
> content:"User-Agent|3A| friendly-scanner|0D0A|"; fast_pattern:only;
> content:"From|3A| |22|sipvicious|22|"; metadata:ruleset community;
> classtype:misc-activity; sid:100051; rev:1;)
>
> The sip_method may not be necessary to generalize the signature, any
> ideas? I can't download the scanner and verify at the moment.
>
> Thanks.
> YM
>
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
> from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!