Snort mailing list archives
Re: Exception to a rule pulled by pulledpork
From: Ilja Schumacher <ilja.schumacher () gmail com>
Date: Tue, 1 Apr 2014 10:08:42 +0200
Thanks for the hints. I figured this out. The Issue was with pulledpork ignoring my conf files for a reason. All the tutorials and docs say that you just have to fill threshold.conf and modifysid.conf and it will work automagically. Unfortunately the latest version of pulledpork i downloaded has a pulledpork.conf file that has commented all other conf files. Uncommenting them solved the issue. My fault. @Jeremy; 2012296 "\$EXTERNAL_NET" ![192.168.1.0/24,<mysiptrunkprovidersIP>]" is exactly what i have right now in there. Thanks. (Sorry for strange thread listing. My Email client messed up replying to the correct adresses. Mailing it again so people can lookup the solution.) 2014-03-31 17:56 GMT+02:00 Jeremy Hoel <jthoel () gmail com>: Can you try just using:
2012296 "\$EXTERNAL_NET" ![192.168.1.0/24,<mysiptrunkprovidersIP>]" Note, also, not ';' at the end of the line. Otherwise, that looks all good. On Mon, Mar 31, 2014 at 5:21 AM, Ilja Schumacher < ilja.schumacher () gmail com> wrote:Thanks for the hint: The Rule bothering me is: 2012296 - ET VOIP Modified Sipvicious Asterisk PBX User-Agent (emerging-voip.rules) It is firing on every incoming SIP call. So I added this to modifysid.conf: 2012296 "alert udp \$EXTERNAL_NET" "alert udp ![192.168.1.0/24, <mysiptrunkprovidersIP>]"; The I tried to let pulledpork process the rules once again with pulledpork.pl -c /etc/pulledpork/pulledpork.conf -n -P After it finished I still see the following in my snort.rules file generated by pulledpork: alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Modified Sipvicious Asterisk PBX User-Agent"; content:"|0d 0a|User-Agent|3A| Asterisk PBX"; nocase; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url, blog.sipvicious.org/2010/11/distributed-sip-scanning-during.html; classtype:attempted-recon; sid:2012296; rev:1;) So unfortunately it did not do anything stated in modifysid.conf. Do you have any clue why? Cheers, Ilja 2014-03-31 9:08 GMT+02:00 Jeremy Hoel <jthoel () gmail com>: threshold.conf, or modifysid.conf to adjust the rule and exclude or limitto rule to just the IPs you want to track. On Mon, Mar 31, 2014 at 2:58 AM, Ilja Schumacher < ilja.schumacher () gmail com> wrote:Hello guys, I have a snort that is spamming me with SIP Attack alerts because I have an asterisk and an external SIP trunk that uses SIP peering. Additionally i have my firewall drop any Sip-port Packets that do not come from the siptrunk IP. (So pretty safe but i do not want to disable the rule completely for the case of my firewall failing. Not very likely but still possible) How can i tell snort that inbound SIP from that one specific IP is ok while not modifying the rule of pulledpork because it will overwrite it anyways in next update. Or will it not? Many thanks for your help in advance. Cheers Ilja ------------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Exception to a rule pulled by pulledpork Ilja Schumacher (Apr 01)