Snort mailing list archives
Re: Question on VoIP rule unquoted To header
From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Tue, 17 Dec 2019 12:24:21 -0500
Got it, thanks. Rule has been updated.

Alex

On Tue, Dec 17, 2019 at 2:08 AM sandeep al <alsandeep () gmail com> wrote:

> Thanks Alex for replying. The unquoted To header which is blocked by the snort rule is here:
>
> To: sip:3001@192.168.3.170:5060;tag=36HH3Q7UpBBHc
>
> According to RFC section 20, which describes the valid header (https://tools.ietf.org/html/rfc3261#section-20), we have the following explanation:
>
> "The Contact, From, and To header fields contain a URI. If the URI contains a comma, question mark or semicolon, the URI MUST be enclosed in angle brackets (< and >). Any URI parameters are contained within these brackets. If the URI is not enclosed in angle brackets, any semicolon-delimited parameters are header-parameters, not URI parameters."
>
> As per the above explanation, any semicolon-delimited parameters are (valid) header-parameters if not part of the URI parameters.
>
> Thanks
>
> On Fri, Dec 13, 2019 at 9:46 PM Alex McDonnell <amcdonnell () sourcefire com> wrote:
>
>> Hey, do you have a pcap of the traffic? From your email I can't see what the actual "To header" is. From the rfc you linked this is valid:
>>
>> To: The Operator <sip:operator () cs columbia edu>;tag=287447
>> t: sip:+12125551212 () server phone2net com
>>
>> The To header above won't alert because there's a "<" 0x3c. The sip number is on the t: line. From the rule format it looks like you're using snort 3, right?
>>
>> Alex
>>
>> On Fri, Dec 13, 2019 at 10:56 AM sandeep al via Snort-sigs <snort-sigs () lists snort org> wrote:
>>
>>> Hi
>>>
>>> I have a question on the Snort VoIP rule to block an unquoted To header:
>>>
>>> alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS ( msg:"PROTOCOL-VOIP To header unquoted tokens in field attempt"; flow:to_server,established; content:"To|3A|",fast_pattern,nocase; http_header; pcre:"/^To\x3A\s+[^\r\n\x22\x3C]*[\x3B\x27\x2C]/smi"; metadata:policy max-detect-ips drop; service:sip; reference:url, www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20341; rev:4; )
>>>
>>> In the SIP RFC 3261 section https://tools.ietf.org/html/rfc3261#section-20.39 we have a To header with this format, which is valid:
>>>
>>> sip:+12125551212 () server phone2net com
>>>
>>> But when we get a response the tag will be attached to the header (;tag=387447) and it is blocked by the above snort rule as an unquoted string:
>>>
>>> sip:+12125551212 () server phone2net com;tag=387447
>>>
>>> It looks like a valid message but it is blocked. Is there anything I am missing? Or is it OK to disable/modify the rule to accept the message?
>>>
>>> Thanks
>>>
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs () lists snort org
>>> https://lists.snort.org/mailman/listinfo/snort-sigs
>>>
>>> Please visit http://blog.snort.org for the latest news about Snort!
>>>
>>> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>>>
>>> Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
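As an added illustration (not code from the thread, from Snort or from the ruleset), the rule's pcre placed next to an RFC 3261 section 20 split of the To header, run over constructed samples that include the header quoted in the thread; the bracketed variants, the `transport=udp` URI parameter and the display-name sample are assumptions.

```python
import re

# The pcre from the Snort rule quoted in the thread (sid:20341 rev:4), carried over to
# Python's re: the PCRE flags s, m and i correspond to re.S, re.M and re.I.
UNQUOTED_TO_RE = re.compile(r"^To\x3A\s+[^\r\n\x22\x3C]*[\x3B\x27\x2C]", re.S | re.M | re.I)

def rule_matches(sip_message: str) -> bool:
    """True when the rule's pcre would fire on this text (the content match aside)."""
    return UNQUOTED_TO_RE.search(sip_message) is not None

def parse_to_header(line: str) -> dict:
    """Split a To header the way RFC 3261 section 20 prescribes.

    Inside angle brackets, ';' parameters belong to the URI and those after '>' are
    header parameters. Without brackets every ';' parameter is a header parameter,
    which is why ';tag=...' after a bare URI is legal.
    """
    value = re.sub(r"^to?\s*:\s*", "", line.strip(), flags=re.I)
    if "<" in value and ">" in value:
        start, end = value.index("<"), value.index(">")
        display = value[:start].strip().strip('"')
        uri, *uri_params = value[start + 1:end].split(";")
        header_params = [p for p in value[end + 1:].split(";") if p]
    else:
        display, uri_params = "", []
        uri, _, rest = value.partition(";")
        header_params = [p for p in rest.split(";") if p]
    # A bare URI carrying ',' or '?' would have had to be bracketed (section 20).
    compliant = "<" in value or not any(c in uri for c in ",?")
    return {"display": display, "uri": uri, "uri_params": uri_params,
            "header_params": header_params, "rfc3261_compliant": compliant}

def classify(line: str) -> str:
    """Combine the rule's verdict with the RFC parse: pass, alert or false-positive."""
    parsed = parse_to_header(line)
    if not rule_matches(line):
        return "pass"
    return "false-positive" if parsed["rfc3261_compliant"] else "alert"

# Constructed samples: the first is the header quoted in the thread; the others are the
# same contact in the bracketed forms RFC 3261 describes (display name is illustrative).
SAMPLES = {
    "bare_uri_tag": "To: sip:3001@192.168.3.170:5060;tag=36HH3Q7UpBBHc\r\n",
    "bracketed_tag": "To: <sip:3001@192.168.3.170:5060>;tag=36HH3Q7UpBBHc\r\n",
    "bracketed_uri_param": "To: <sip:3001@192.168.3.170:5060;transport=udp>;tag=36HH3Q7UpBBHc\r\n",
    "display_name": 'To: "Operator" <sip:operator@example.com>;tag=287447\r\n',
}
```

Running `classify` over `SAMPLES` shows the rev:4 pcre firing only on the bare-URI form with a header parameter, which is exactly the RFC-legal case the thread reports.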