[Snort-sigs] SIP scanner sig

Y M snort at ...3751...
Tue Oct 1 12:38:04 EDT 2013


Yes, that would make sense and I haven't tried to take out/adjust the thresholds.

Just to shed some light, I was specifically looking at one of our own IP addresses and this sip packet jumped in the middle out of no where, no sip packets before or after it. This explains why the rules didn't fire, at least in this particular case, because of the thresholds.

I will try to look more into this as soon as I can.

Thanks again for the explanation.
YM

Sent from a Phone
________________________________
From: Alex McDonnell<mailto:amcdonnell at ...435...>
Sent: ‎10/‎1/‎2013 7:13 PM
To: Y M<mailto:snort at ...3751...>
Cc: snort-sigs<mailto:snort-sigs at lists.sourceforge.net>
Subject: Re: [Snort-sigs] SIP scanner sig

We ran the tool and wrote those rules to cover the tool. The one thing that
our rules have is a threshold, assuming a large number of events going
through for a scan. If you take that out one of the rules should fire on
each event.

thanks
Alex McDonnell
VRT


On Tue, Oct 1, 2013 at 11:44 AM, Y M <snort at ...3751...> wrote:

> Hi Alex,
>
> Thanks for the information. However, none of the rules you mentioned did
> actually fire, nor production neither my test environments. That's why I
> thought I would write a rule for it. If you guys find out that it does fire
> on the existing rules, then just simply ignore mine.
>
> Thanks again.
> YM
>
> ------------------------------
> Date: Tue, 1 Oct 2013 11:38:19 -0400
> Subject: Re: [Snort-sigs] SIP scanner sig
> From: amcdonnell at ...435...
> To: snort at ...3751...
> CC: snort-sigs at lists.sourceforge.net
>
>
> Hi YM.
>
> we have rules that cover sipvicious, if those help. SIDS 27899-27904
>
> thanks
> Alex McDonnell
> VRT
>
>
> On Tue, Oct 1, 2013 at 11:17 AM, Y M <snort at ...3751...> wrote:
>
> Caught this one live today. I can't share the pcap, sorry for that.
>
> alert udp $EXTERNAL_NET any -> $HOME_NET $SIP_PORTS (msg:"INDICATOR-SCAN
> Sipvicious SIP scanner detected"; flow:to_server; sip_method:options;
> content:"User-Agent|3A| friendly-scanner|0D0A|"; fast_pattern:only;
> content:"From|3A| |22|sipvicious|22|"; metadata:ruleset community;
> classtype:misc-activity; sid:100051; rev:1;)
>
> The sip_method may not be necessary to generalize the signature, any
> ideas? I can't download the scanner and verify at the moment.
>
> Thanks.
> YM
>
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
> from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20131001/5a062827/attachment.html>


More information about the Snort-sigs mailing list