[Snort-sigs] SIP scanner sig

Y M snort at ...3751...
Tue Oct 1 11:17:19 EDT 2013

Caught this one live today. I can't share the pcap, sorry for that.
alert udp $EXTERNAL_NET any -> $HOME_NET $SIP_PORTS (msg:"INDICATOR-SCAN Sipvicious SIP scanner detected"; flow:to_server; sip_method:options; content:"User-Agent|3A| friendly-scanner|0D0A|"; fast_pattern:only; content:"From|3A| |22|sipvicious|22|"; metadata:ruleset community; classtype:misc-activity; sid:100051; rev:1;)
The sip_method may not be necessary to generalize the signature, any ideas? I can't download the scanner and verify at the moment.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20131001/3b495c91/attachment.html>

More information about the Snort-sigs mailing list