[Snort-sigs] SIP scanner sig

Alex McDonnell amcdonnell at ...435...
Tue Oct 1 12:13:42 EDT 2013


We ran the tool and wrote those rules to cover the tool. The one thing that
our rules have is a threshold, assuming a large number of events going
through for a scan. If you take that out, one of the rules should fire on
each event.

thanks
Alex McDonnell
VRT


On Tue, Oct 1, 2013 at 11:44 AM, Y M <snort at ...3751...> wrote:

> Hi Alex,
>
> Thanks for the information. However, none of the rules you mentioned
> actually fired, neither in production nor in my test environments. That's why I
> thought I would write a rule for it. If you guys find out that it does fire
> on the existing rules, then just simply ignore mine.
>
> Thanks again.
> YM
>
> ------------------------------
> Date: Tue, 1 Oct 2013 11:38:19 -0400
> Subject: Re: [Snort-sigs] SIP scanner sig
> From: amcdonnell at ...435...
> To: snort at ...3751...
> CC: snort-sigs at lists.sourceforge.net
>
>
> Hi YM.
>
> We have rules that cover sipvicious, if those help: SIDs 27899-27904.
>
> thanks
> Alex McDonnell
> VRT
>
>
> On Tue, Oct 1, 2013 at 11:17 AM, Y M <snort at ...3751...> wrote:
>
> Caught this one live today. I can't share the pcap, sorry for that.
>
> alert udp $EXTERNAL_NET any -> $HOME_NET $SIP_PORTS (msg:"INDICATOR-SCAN
> Sipvicious SIP scanner detected"; flow:to_server; sip_method:options;
> content:"User-Agent|3A| friendly-scanner|0D0A|"; fast_pattern:only;
> content:"From|3A| |22|sipvicious|22|"; metadata:ruleset community;
> classtype:misc-activity; sid:100051; rev:1;)
>
> The sip_method may not be necessary to generalize the signature; any
> ideas? I can't download the scanner and verify at the moment.
>
> Thanks.
> YM
>
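The following is an added example, not code from the thread or from the Snort/VRT rules. It mirrors the two content matches of YM's rule byte-for-byte against constructed SIP requests (sample data, not the withheld pcap) and exercises the two points raised above: whether keeping `sip_method:options` narrows the rule to OPTIONS probes only, and why a rule carrying a per-source threshold (as Alex describes for the VRT rules) stays silent on a single packet. The `ThresholdedRule` class is a simplified emulation of Snort's `threshold type threshold, track by_src, count N, seconds S` behaviour, not Snort's implementation; the count/seconds values are assumptions chosen for the demo.

```python
"""Added example: evaluate the SIPVicious rule contents against constructed
SIP requests and show the effect of the method restriction and a threshold."""
from collections import defaultdict, deque

CRLF = b"\r\n"

# The two content matches from the posted rule, decoded from Snort's |hex| form:
#   content:"User-Agent|3A| friendly-scanner|0D0A|"  and  content:"From|3A| |22|sipvicious|22|"
RULE_CONTENTS = (b"User-Agent: friendly-scanner\r\n", b'From: "sipvicious"')


def parse_sip_request(raw: bytes) -> dict:
    """Split a SIP request into its method, URI and headers (lowercase names).
    Compact header forms (f/t/v) are expanded; malformed lines are skipped."""
    head, _, _body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    parts = lines[0].decode("utf-8", "replace").split(" ")
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        raise ValueError("not a SIP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.decode("utf-8", "replace").partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        name = {"f": "from", "t": "to", "v": "via"}.get(name, name)
        headers.setdefault(name, value.strip())  # first occurrence wins
    return {"method": parts[0].upper(), "uri": parts[1], "headers": headers}


def rule_matches(raw: bytes, require_options: bool = True) -> bool:
    """Mirror the posted rule: both content patterns must be present in the
    datagram; with require_options the request method must also be OPTIONS
    (the sip_method:options check YM asks about)."""
    if not all(pattern in raw for pattern in RULE_CONTENTS):
        return False
    if require_options:
        return parse_sip_request(raw)["method"] == "OPTIONS"
    return True


class ThresholdedRule:
    """Simplified emulation of 'threshold type threshold, track by_src':
    alert on every Nth matching event from one source within a window."""

    def __init__(self, count: int, seconds: int, require_options: bool = True):
        self.count, self.seconds, self.require_options = count, seconds, require_options
        self.events = defaultdict(deque)  # src_ip -> timestamps of matching events

    def process(self, src_ip: str, ts: float, raw: bytes) -> bool:
        if not rule_matches(raw, self.require_options):
            return False
        q = self.events[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.seconds:  # drop events outside the window
            q.popleft()
        if len(q) >= self.count:
            q.clear()
            return True
        return False


def sip_request(method: str, user_agent: str, from_hdr: str) -> bytes:
    """Build a minimal constructed SIP request (sample data, not a capture)."""
    return CRLF.join([
        f"{method} sip:100@10.0.0.5 SIP/2.0".encode(),
        b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed",
        b"Max-Forwards: 70",
        b"To: <sip:100@10.0.0.5>",
        from_hdr.encode(),
        b"Call-ID: constructed-call-id-1",
        b"CSeq: 1 " + method.encode(),
        b"User-Agent: " + user_agent.encode(),
        b"Content-Length: 0",
    ]) + CRLF + CRLF


# Constructed samples: a scanner OPTIONS probe, the same headers on another
# method, and a benign OPTIONS keepalive from a PBX (names are made up).
SCANNER_FROM = 'From: "sipvicious"<sip:100@1.1.1.1>;tag=constructed'
SCANNER_OPTIONS = sip_request("OPTIONS", "friendly-scanner", SCANNER_FROM)
SCANNER_INVITE = sip_request("INVITE", "friendly-scanner", SCANNER_FROM)
LEGIT_OPTIONS = sip_request("OPTIONS", "example-pbx/1.0", "From: <sip:pbx@10.0.0.5>;tag=abc")


def demo() -> dict:
    """Return {scenario: fired?} so each thread point can be checked directly."""
    results = {
        "options_strict": rule_matches(SCANNER_OPTIONS),
        "invite_strict": rule_matches(SCANNER_INVITE),
        "invite_generalised": rule_matches(SCANNER_INVITE, require_options=False),
        "legit_options": rule_matches(LEGIT_OPTIONS, require_options=False),
    }
    # Thresholded variant (assumed count=20 in 60 s): one probe does not alert,
    # a burst of 20 from the same source does, once.
    th = ThresholdedRule(count=20, seconds=60)
    fired = [th.process("192.0.2.10", t, SCANNER_OPTIONS) for t in range(20)]
    results["threshold_first_event"] = fired[0]
    results["threshold_after_20"] = fired[-1]
    results["threshold_alerts"] = sum(fired)
    return results


if __name__ == "__main__":
    for scenario, fired in demo().items():
        print(f"{scenario:24s} {fired}")
```

Dropping `require_options` is the "generalized" form of the signature: the two content matches alone already identify the scanner's headers regardless of method, at the cost of no longer distinguishing the initial OPTIONS sweep from later phases. The threshold run shows the behaviour Alex describes: the matching logic is identical, but no alert appears until the per-source count is reached, which is why a single live probe can match a thresholded rule yet produce nothing.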