[Snort-sigs] sid:3677 SIP UDP overflow - false positives

Rich Adamson radamson at ...908...
Thu Jul 21 13:16:47 EDT 2005


7-21-05
FYI...

The following rule triggers hundreds of false positives:

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"EXPLOIT SIP UDP CSeq overflow attempt"; 
content:"CSeq|3A|"; nocase; isdataat:16,relative; content:!"|0A|"; within:16; 
reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:attempted-dos; sid:3677; 
rev:2;)

The reference tends to suggest the rule was intended to identify a
buffer overflow associated with Ethereal v0.10.0 through v0.10.10 (a
packet sniffer).

However for anyone using Voice over IP, a standard/stock Cisco SIP
phone generates a sip packet every ten minutes that triggers the rule.
In large organizations using VoIP, the rule will fire by the hundreds.

Proposal:
1. either add the keyword "ethereal" in the msg (to avoid confusion
with other sip overflow attempts, or,
2. tune the rule to be more specific to the ethereal problem, or,
3. delete the rule entirely since it has very little real value to
any organization and only serves to inflat the number of rules in snort.

In the real world, the chances of anyone running a vulnerable ethereal
instance on a production Internet-accessible box that would be actually 
impacted by someone attempting to take advantage of the issue is either 
slim or totally non-existant. References suggest that no such attempts
have been seen in the wild (and are not likely to see any). Therefore, 
I'd suggest removing it from the rules totally.

Rich







More information about the Snort-sigs mailing list