[Snort-sigs] FP on 3677 (SIP UDP Cseq overflow)

Jeff Kell jeff-kell at ...922...
Tue Jun 7 06:58:27 EDT 2005

I suspect the sig may be off-by-one (perhaps?) in its checking, or else this was tailored specifically to trigger on packets that would trip Ethereal (but are otherwise valid SIP):

Rule:  EXPLOIT SIP UDP CSeq overflow attempt
Sid:  3677
Detailed Information:
   content:"CSeq|3A|"; nocase; isdataat:16,relative; content:!"|0A|"; within:16;
False Positives:  triggered by packets such as this:

Via: SIP/2.0/UDP;rport;branch=z9hG4bK5BDD50FEB26C4C33ABD1D1414D753778
From: Theresa <sip:7177 at ...3084...>;tag=1875065834
To: Theresa <sip:7177 at ...3084...>
Contact: "Theresa" <sip:7177 at ...3085...:5060>
Call-ID: EF3C3821E5124AC9AEB770CF5B36E14F at ...3084...
CSeq: 37264 REGISTER
Expires: 1800
Max-Forwards: 70
User-Agent: X-Lite release 1103m
Content-Length: 0
Corrective Action:
Is the last "within: 16" a byte too large? (haven't checked the protocol refs).  The 0x0A would fall in the 16th position...
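A small model of the rule's payload checks, run over the quoted REGISTER headers, added here as an illustration (it is not the poster's code nor Snort's own matcher). It assumes my reading of the isdataat/within options, CRLF line endings as SIP uses (the mail archive lost them), constructed sample payloads, and lets the within value be varied so a smaller value can be tried against the same packet.

```python
import re
from typing import Optional

# Constructed sample payloads with CRLF line endings. Only headers from the
# post that carry no elided host names are reproduced.
BENIGN_REGISTER = (
    b"CSeq: 37264 REGISTER\r\n"
    b"Expires: 1800\r\n"
    b"Max-Forwards: 70\r\n"
    b"User-Agent: X-Lite release 1103m\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SHORT_CSEQ = b"CSeq: 1 INVITE\r\nMax-Forwards: 70\r\n"       # constructed
OVERSIZED_CSEQ = b"CSeq: " + b"9" * 40 + b" REGISTER\r\n"     # constructed


def cseq_tail(payload: bytes) -> Optional[bytes]:
    """Bytes after the first case-insensitive 'CSeq:' (content:"CSeq|3A|"; nocase)."""
    m = re.search(rb"cseq:", payload, re.IGNORECASE)
    return None if m is None else payload[m.end():]


def lf_position_after_cseq(payload: bytes) -> Optional[int]:
    """1-based offset of the first LF after 'CSeq:', or None if there is none."""
    tail = cseq_tail(payload)
    if tail is None or b"\n" not in tail:
        return None
    return tail.index(b"\n") + 1


def rule_3677_fires(payload: bytes, within: int = 16) -> bool:
    """Model of sid 3677's checks (my reading; only the first 'CSeq:' is tried):
      isdataat:16,relative       -> at least 16 bytes must follow the match
      content:!"|0A|"; within:N  -> no LF may occur in the next N bytes
    """
    tail = cseq_tail(payload)
    if tail is None or len(tail) < 16:
        return False
    return b"\n" not in tail[:within]


if __name__ == "__main__":
    samples = [("benign REGISTER", BENIGN_REGISTER),
               ("short CSeq", SHORT_CSEQ),
               ("oversized CSeq", OVERSIZED_CSEQ)]
    for name, pkt in samples:
        print(f"{name:16} LF is byte {lf_position_after_cseq(pkt)} after 'CSeq:'"
              f" -> fires with within:16 = {rule_3677_fires(pkt)},"
              f" with within:15 = {rule_3677_fires(pkt, within=15)}")
```

With CRLF endings the CR sits at byte 16 and the LF at byte 17 after "CSeq:", so the negated LF check passes on the benign packet and the alert fires; lowering within to 15 does not change that for this packet.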


