Snort mailing list archives

Re: Question on VoIP rule unquoted To header


From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Tue, 17 Dec 2019 12:24:21 -0500

Got it, thanks. Rule has been updated.

Alex

On Tue, Dec 17, 2019 at 2:08 AM sandeep al <alsandeep () gmail com> wrote:

Thanks Alex for replying.

The unquoted To header which is blocked by the Snort rule is this one:

  To: sip:3001@192.168.3.170:5060;tag=36HH3Q7UpBBHc


According to the RFC, section 20, which describes the valid header format
(https://tools.ietf.org/html/rfc3261#section-20), we have the following explanation:

  The Contact, From, and To header fields contain a URI.  If the URI
  contains a comma, question mark or semicolon, the URI MUST be
  enclosed in angle brackets (< and >).  Any URI parameters are
  contained within these brackets.  If the URI is not enclosed in angle
  brackets, any semicolon-delimited parameters are header-parameters,
  not URI parameters.


As per the above explanation, any semicolon-delimited parameters are
(valid) header-parameters if they are not part of the URI parameters.


Thanks



On Fri, Dec 13, 2019 at 9:46 PM Alex McDonnell <amcdonnell () sourcefire com> wrote:

Hey, do you have a pcap of the traffic? From your email I can't see what
the actual "To header" is.

From the rfc you linked this is valid:

      To: The Operator <sip:operator () cs columbia edu>;tag=287447
      t: sip:+12125551212 () server phone2net com

The To header above won't alert because there's a "<" (0x3c). The SIP
number is on the t: line.

From the rule format it looks like you're using Snort 3, right?

Alex

On Fri, Dec 13, 2019 at 10:56 AM sandeep al via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi

I have a question on the Snort VoIP rule that blocks an unquoted To header:

alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (
msg:"PROTOCOL-VOIP To header unquoted tokens in field attempt";
flow:to_server,established; content:"To|3A|",fast_pattern,nocase;
http_header; pcre:"/^To\x3A\s+[^\r\n\x22\x3C]*[\x3B\x27\x2C]/smi";
metadata:policy max-detect-ips drop; service:sip; reference:url,
www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20341;
rev:4; )

In SIP RFC 3261, section 20.39
(https://tools.ietf.org/html/rfc3261#section-20.39)
we have a To header with this format, which is valid:

  sip:+12125551212 () server phone2net com

But when we get a response, the tag is attached to the header (;tag=387447) and
it is *blocked by the above snort rule* as an unquoted string:

  sip:+12125551212 () server phone2net com;tag=387447

It looks like a valid message but it is blocked. Is there anything I am missing?
Or is it OK to disable/modify the rule to accept the message?

Thanks
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, make
sure to stay up to date to catch the most emerging threats!
https://snort.org/downloads/#rule-downloads



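The false positive discussed in this thread can be reproduced offline by running the rule's pcre against a few SIP messages and comparing the result with the RFC 3261 section 20 reading of the To header. The script below is an added example written for this archive page; it is not code from the thread, from Snort, or from the Snort ruleset. The pcre is copied from the sid:20341 rev:4 rule quoted above; the SIP messages are constructed samples (the addresses, Via branches and Call-IDs are made up, except the To header from sandeep's second message), and the small To-header parser is an assumption of how a checker would apply the section 20 wording, not a reference SIP parser. Only the full "To:" header name is examined, mirroring the pcre; the compact form "t:" is not covered.

```python
import re

# PCRE copied from the Snort rule quoted in this thread (sid 20341, rev 4).
# The rule's /smi flags map to Python's DOTALL, MULTILINE and IGNORECASE.
RULE_PCRE = re.compile(rb"^To\x3A\s+[^\r\n\x22\x3C]*[\x3B\x27\x2C]",
                       re.DOTALL | re.MULTILINE | re.IGNORECASE)


def rule_fires(sip_message: bytes) -> bool:
    """True when the rule's pcre matches, i.e. the rule would alert (or drop
    under the max-detect-ips policy) on this message, fast_pattern aside."""
    return RULE_PCRE.search(sip_message) is not None


def to_header_value(sip_message: bytes) -> str:
    """Return the value of the first 'To:' header line (full name only; the
    compact form 't:' is deliberately not handled, mirroring the pcre)."""
    for line in sip_message.decode("latin-1").split("\r\n"):
        if line.lower().startswith("to:"):
            return line[3:].strip()
    raise ValueError("no To header")


def parse_to(value: str):
    """Split a To value per RFC 3261 section 20 (assumed reading): with angle
    brackets the URI, including any URI parameters, is what sits between them
    and the rest are header parameters; without brackets the URI ends at the
    first ';' and every ';'-delimited item after it is a header parameter."""
    if "<" in value:
        display, rest = value.split("<", 1)
        uri, _, tail = rest.partition(">")
        bracketed = True
    else:
        display, bracketed = "", False
        uri, _, tail = value.partition(";")
    params = {}
    for item in tail.split(";"):
        item = item.strip()
        if item:
            k, _, v = item.partition("=")
            params[k.lower()] = v
    return display.strip().strip('"').strip(), uri.strip(), bracketed, params


def rfc_valid(value: str) -> bool:
    """An unbracketed URI MUST NOT contain ',', '?' or ';' (section 20). The
    split above already ends an unbracketed URI at the first ';', so only
    ',' and '?' remain to check; bracketed forms are accepted as written."""
    _, uri, bracketed, _ = parse_to(value)
    return bracketed or not any(c in uri for c in ",?")


def evaluate(sip_message: bytes) -> dict:
    """Combine the rule verdict with the RFC reading of the To header."""
    value = to_header_value(sip_message)
    _, uri, bracketed, params = parse_to(value)
    return {"rule_fires": rule_fires(sip_message),
            "rfc_valid": rfc_valid(value),
            "uri": uri, "header_params": params}


# Constructed sample messages (not captures from the thread). Every Via line
# carries ';branch=' so that the pcre's anchoring to the To line is exercised.
SAMPLES = {
    # Section 20.39 style: bracketed URI, tag is a header parameter.
    "bracketed": (b"SIP/2.0 200 OK\r\n"
                  b"Via: SIP/2.0/UDP 192.0.2.4:5060;branch=z9hG4bK776asdhds\r\n"
                  b"To: The Operator <sip:operator@example.com>;tag=287447\r\n"
                  b"Call-ID: a84b4c76e66710@192.0.2.4\r\n\r\n"),
    # The header from the thread: unquoted URI followed by ;tag=, which
    # section 20 defines as a header parameter, so the message is valid.
    "unquoted_tag": (b"SIP/2.0 200 OK\r\n"
                     b"Via: SIP/2.0/UDP 192.0.2.4:5060;branch=z9hG4bK776asdhds\r\n"
                     b"To: sip:3001@192.168.3.170:5060;tag=36HH3Q7UpBBHc\r\n"
                     b"Call-ID: a84b4c76e66710@192.0.2.4\r\n\r\n"),
    # Unbracketed URI containing a comma: MUST be in angle brackets, so invalid.
    "unquoted_comma": (b"INVITE sip:bob@example.com SIP/2.0\r\n"
                       b"Via: SIP/2.0/UDP 192.0.2.4:5060;branch=z9hG4bK776asdhds\r\n"
                       b"To: sip:bob,carol@example.com\r\n"
                       b"Call-ID: a84b4c76e66710@192.0.2.4\r\n\r\n"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        r = evaluate(msg)
        verdict = ("FALSE POSITIVE" if r["rule_fires"] and r["rfc_valid"]
                   else "alert" if r["rule_fires"] else "pass")
        print(f"{name:15} rule_fires={r['rule_fires']!s:5} "
              f"rfc_valid={r['rfc_valid']!s:5} -> {verdict}")
```

Running it shows the three outcomes side by side: the bracketed header passes the rule, the comma case is a genuine hit, and the unquoted-URI-plus-tag header from the thread is flagged by the pcre even though section 20 treats the ";tag=" part as a header parameter, which is the discrepancy that led to the rule being updated.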