[Snort-users] Exception to a rule pulled by pulledpork

Ilja Schumacher ilja.schumacher at ...11827...
Tue Apr 1 04:08:42 EDT 2014


Thanks for the hints. I figured this out.

The issue was pulledpork ignoring my conf files, for a reason.
All the tutorials and docs say that you just have to fill in threshold.conf
and modifysid.conf and it will work automagically.
Unfortunately the latest version of pulledpork I downloaded has a
pulledpork.conf file in which all the other conf files are commented out.
Uncommenting them solved the issue. My fault.

@Jeremy: 2012296 "\$EXTERNAL_NET" "![192.168.1.0/24,<mysiptrunkprovidersIP>]"
is exactly what I have in there right now. Thanks.

(Sorry for the strange thread listing. My email client messed up replying to
the correct addresses. Mailing it again so people can look up the solution.)


2014-03-31 17:56 GMT+02:00 Jeremy Hoel <jthoel at ...11827...>:

> Can you try just using:
>
> 2012296 "\$EXTERNAL_NET" "![192.168.1.0/24,<mysiptrunkprovidersIP>]"
>
> Note, also, no ';' at the end of the line.
>
> Otherwise, that looks all good.
>
>
>
> On Mon, Mar 31, 2014 at 5:21 AM, Ilja Schumacher <
> ilja.schumacher at ...11827...> wrote:
>
>> Thanks for the hint:
>>
>> The rule bothering me is:
>> 2012296 - ET VOIP Modified Sipvicious Asterisk PBX User-Agent
>> (emerging-voip.rules)
>> It is firing on every incoming SIP call.
>>
>> So I added this to modifysid.conf:
>>
>> 2012296 "alert udp \$EXTERNAL_NET" "alert udp ![192.168.1.0/24,
>> <mysiptrunkprovidersIP>]";
>>
>> Then I tried to let pulledpork process the rules once again with
>> pulledpork.pl -c /etc/pulledpork/pulledpork.conf -n -P
>>
>> After it finished I still see the following in my snort.rules file
>> generated by pulledpork:
>>
>> alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Modified
>> Sipvicious Asterisk PBX User-Agent"; content:"|0d 0a|User-Agent|3A|
>> Asterisk PBX"; nocase; fast_pattern:only; threshold: type limit, count 1,
>> seconds 60, track by_src; reference:url,
>> blog.sipvicious.org/2010/11/distributed-sip-scanning-during.html;
>> classtype:attempted-recon; sid:2012296; rev:1;)
>>
>> So unfortunately it did not do anything stated in modifysid.conf.
>>
>> Do you have any clue why?
>>
>> Cheers,
>> Ilja
>>
>>
>>
>> 2014-03-31 9:08 GMT+02:00 Jeremy Hoel <jthoel at ...11827...>:
>>
>>> threshold.conf, or modifysid.conf to adjust the rule and exclude or limit
>>> the rule to just the IPs you want to track.
>>>
>>>
>>> On Mon, Mar 31, 2014 at 2:58 AM, Ilja Schumacher <
>>> ilja.schumacher at ...11827...> wrote:
>>>
>>>>
>>>> Hello guys,
>>>>
>>>> I have a Snort that is spamming me with SIP attack alerts because I
>>>> have an Asterisk and an external SIP trunk that uses SIP peering.
>>>> Additionally I have my firewall drop any SIP-port packets that do not come
>>>> from the SIP trunk IP. (So pretty safe, but I do not want to disable the rule
>>>> completely in case my firewall fails. Not very likely, but still
>>>> possible.)
>>>>
>>>> How can I tell Snort that inbound SIP from that one specific IP is OK
>>>> without modifying pulledpork's rule, because it will overwrite it
>>>> anyway in the next update? Or will it not?
>>>>
>>>> Many thanks for your help in advance.
>>>>
>>>> Cheers
>>>> Ilja
>>>>
>>>>
>>>
>>>
>>
>
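As an added illustration of what the thread is configuring (this is my own small approximation, not pulledpork's code), the script below parses modifysid.conf lines of the form `sid "search" "replace"` and applies them as regex substitutions to the matching rule, using the ET VOIP rule quoted above. The provider address 203.0.113.10 is a constructed placeholder for `<mysiptrunkprovidersIP>`, and the second rule (sid 9999999) is hypothetical, included only to show that unrelated sids are left untouched; a line with a stray `;` after the closing quote is reported as unparsed rather than applied.

```python
import re

# Constructed sample rules: the ET VOIP rule from the thread (sid 2012296)
# plus a hypothetical second rule that must not be modified.
RULES = [
    'alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Modified '
    'Sipvicious Asterisk PBX User-Agent"; content:"|0d 0a|User-Agent|3A| '
    'Asterisk PBX"; nocase; fast_pattern:only; threshold: type limit, count 1, '
    'seconds 60, track by_src; reference:url,'
    'blog.sipvicious.org/2010/11/distributed-sip-scanning-during.html; '
    'classtype:attempted-recon; sid:2012296; rev:1;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"HYPOTHETICAL other '
    'SIP rule"; sid:9999999; rev:1;)',
]

# Constructed modifysid.conf content in the form suggested in the thread.
# 203.0.113.10 is a placeholder for the SIP trunk provider's IP.
MODIFYSID_CONF = r'''
# comment lines and blank lines are ignored
2012296 "\$EXTERNAL_NET" "![192.168.1.0/24,203.0.113.10]"
'''

# sid list, quoted search string, quoted replacement, nothing else on the line
MODLINE = re.compile(r'^\s*([\d,]+)\s+"(.*?)"\s+"(.*?)"\s*$')
SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def parse_modifysid(text):
    """Return ({sid: [(search, replace), ...]}, [lines that did not parse])."""
    mods, unparsed = {}, []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = MODLINE.match(line)
        if not m:
            unparsed.append(line)   # e.g. a trailing ';' after the closing quote
            continue
        for sid in m.group(1).split(','):
            mods.setdefault(int(sid), []).append((m.group(2), m.group(3)))
    return mods, unparsed


def apply_mods(rules, mods):
    """Apply each (search, replace) pair as a regex substitution to rules whose sid matches."""
    out = []
    for rule in rules:
        m = SID.search(rule)
        sid = int(m.group(1)) if m else None
        for search, replace in mods.get(sid, []):
            # lambda keeps backslashes in the replacement literal
            rule = re.sub(search, lambda _: replace, rule)
        out.append(rule)
    return out
```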