Snort mailing list archives
Re: Question on VoIP rule unquoted To header
From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Fri, 13 Dec 2019 11:15:31 -0500
Hey, do you have a pcap of the traffic? From your email I can't see what the actual "To header" is.
From the rfc you linked this is valid:

    To: The Operator <sip:operator () cs columbia edu>;tag=287447
    t: sip:+12125551212 () server phone2net com

The To header above won't alert because there's a "<" 0x3c. The sip number is on the t: line.
From the rule format it looks like you're using snort 3 right?
Alex

On Fri, Dec 13, 2019 at 10:56 AM sandeep al via Snort-sigs <snort-sigs () lists snort org> wrote:
Hi,

I have a question on the Snort VOIP rule to block an unquoted To header:

    alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS ( msg:"PROTOCOL-VOIP To header unquoted tokens in field attempt"; flow:to_server,established; content:"To|3A|",fast_pattern,nocase; http_header; pcre:"/^To\x3A\s+[^\r\n\x22\x3C]*[\x3B\x27\x2C]/smi"; metadata:policy max-detect-ips drop; service:sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20341; rev:4; )

In SIP RFC 3261 section https://tools.ietf.org/html/rfc3261#section-20.39 we have a To header with this format, which is valid:

    sip:+12125551212 () server phone2net com

But when we get a response, the tag is attached to the header (;tag=387447) and it is blocked by the above snort rule as an unquoted string:

    sip:+12125551212 () server phone2net com;tag=387447

It looks like a valid message but is blocked. Is there anything I am missing? Or is it OK to disable/modify the rule to accept the message?

Thanks

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
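As an added illustration of why the rule quoted in this thread fires on one form of the To header and not the other, the block below runs a Python translation of the rule's pcre over a handful of constructed To: headers. This is not code from the thread, from the Snort ruleset or from the Snort project. It reimplements only the pcre (the PCRE flags "smi" map to re.S, re.M and re.I; the content match "To|3A|" is implied by the pcre's own anchor), wraps each header in a constructed in-dialog BYE request because the rule's direction and flow:to_server mean it inspects traffic toward $SIP_SERVERS, and assumes PCRE and Python's re agree on these constructs, which they do for this pattern. The SIP addresses are the RFC 3261 section 20.39 examples the thread quotes, with the "@" restored; every other header value is made up.

```python
import re

# Python translation of the pcre in the rule quoted above (sid 20341).
# The PCRE flags "smi" correspond to re.S (DOTALL), re.M (MULTILINE) and re.I.
UNQUOTED_TO_RE = re.compile(
    rb"^To\x3A\s+[^\r\n\x22\x3C]*[\x3B\x27\x2C]", re.S | re.M | re.I
)


def unquoted_to_alerts(sip_message: bytes) -> bool:
    """Return True when the rule's pcre matches the message.

    The rule's other conditions (content:"To|3A|", service:sip, flow:to_server)
    are either implied by the pcre or are properties of the flow rather than
    of the header text, so the pcre alone decides the outcome for these inputs.
    """
    return UNQUOTED_TO_RE.search(sip_message) is not None


def sip_request(to_header: bytes) -> bytes:
    """Wrap one To: header in a constructed in-dialog BYE request.

    A request carries the remote tag in its To: header and travels toward
    $SIP_SERVERS, which is the direction the rule (flow:to_server) inspects.
    All other header values here are made up.
    """
    lines = [
        b"BYE sip:+12125551212@server.phone2net.com SIP/2.0",
        b"Via: SIP/2.0/TCP pc33.example.com;branch=z9hG4bKnashds8",
        b"From: Alice <sip:alice@example.com>;tag=1928301774",
        to_header,
        b"Call-ID: a84b4c76e66710@pc33.example.com",
        b"CSeq: 231 BYE",
        b"Content-Length: 0",
        b"",
        b"",
    ]
    return b"\r\n".join(lines)


# Constructed To: headers and whether the pcre fires on each. The addresses are
# the RFC 3261 section 20.39 examples the thread quotes.
CASES = {
    # Display name plus "<...>": the negated class [^\x22\x3C]* cannot step over
    # "<", so the pcre never reaches the ";" of ";tag=".
    "rfc_display_name": (
        b"To: The Operator <sip:operator@cs.columbia.edu>;tag=287447", False),
    # Bare addr-spec, no tag: nothing from [;',] appears before the CRLF.
    "bare_uri_no_tag": (
        b"To: sip:+12125551212@server.phone2net.com", False),
    # The poster's case: bare addr-spec followed by ";tag=" -> alert.
    "bare_uri_with_tag": (
        b"To: sip:+12125551212@server.phone2net.com;tag=387447", True),
    # Same addr-spec in angle brackets, which RFC 3261 always permits -> quiet.
    "bracketed_uri_with_tag": (
        b"To: <sip:+12125551212@server.phone2net.com>;tag=387447", False),
    # Compact header name: the pcre is anchored on "To:", so "t:" is skipped.
    "compact_form_with_tag": (
        b"t: sip:+12125551212@server.phone2net.com;tag=387447", False),
    # Quoted display name containing a comma: the opening quote stops the class.
    "quoted_display_name": (
        b'To: "Smith, John" <sip:john@example.com>;tag=1', False),
    # Unquoted comma in a display name is the malformed case the rule targets.
    "unquoted_comma": (
        b"To: Smith, John <sip:john@example.com>;tag=1", True),
    # Apostrophe is a legal token character (RFC 3261 section 25.1), but it is
    # in the rule's [\x3B\x27\x2C] class, so this well-formed header alerts too.
    "apostrophe_in_display_name": (
        b"To: O'Brien <sip:obrien@example.com>;tag=1", True),
}


def evaluate_cases() -> dict:
    """Run every constructed header through the pcre; returns name -> fired."""
    return {name: unquoted_to_alerts(sip_request(hdr))
            for name, (hdr, _expected) in CASES.items()}


if __name__ == "__main__":
    for name, (hdr, expected) in CASES.items():
        fired = unquoted_to_alerts(sip_request(hdr))
        status = "ALERT" if fired else "quiet"
        print(f"{status:5s}  {name:26s}  {hdr.decode()}")
        assert fired == expected, name
```

The two cases that matter for the thread sit next to each other: the bare addr-spec with ";tag=" fires, while the same addr-spec wrapped in "<...>" does not, because the pcre's negated class stops at the first "<" or double quote and so never reaches the semicolon. The last case is the caveat to keep in mind before trusting the rule as-is: an apostrophe in an unquoted display name is legal per the RFC's token grammar, yet it is one of the three characters the pcre treats as a hit.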
Current thread:
- Question on VoIP rule unquoted To header sandeep al via Snort-sigs (Dec 13)
- Re: Question on VoIP rule unquoted To header Alex McDonnell (Dec 13)
- Re: Question on VoIP rule unquoted To header sandeep al via Snort-sigs (Dec 16)
- Re: Question on VoIP rule unquoted To header Alex McDonnell (Dec 17)
- Re: Question on VoIP rule unquoted To header sandeep al via Snort-sigs (Dec 16)
- Re: Question on VoIP rule unquoted To header Alex McDonnell (Dec 13)