Package: snort-rules-default
Version: 2.8.5.2-8
Severity: important

The rules in community-sip.rules that use "ip any any -> any" are wrong, in my stumbling understanding of snort's rule syntax, as they trigger in every case the content is involved, regardless of the port 5060 mentioned. Especially the rule "COMMUNITY SIP TCP/IP message flooding directed to SIP proxy" triggers very often, being a false positive then, as it does not limit regarding the content of a packet in any way.

Having disabled the rules in question, snort behaves as expected; beforehand, I got hundreds of false positives covering the real attacks.

I think a rule like this is wrong:

alert ip any any -> any 5060

It actually behaves like this one:

alert ip any any -> any

This results in numerous warnings on heavily used connections like an OpenVPN connection (in my case).

Although most of the rules are heavily outdated (but still better than none), you should consider boiling down community-sip.rules to the set below or kicking it completely. I'd suggest the latter, as I'm not sure whether the remaining rules are correct, either. Implementing a recent ET ruleset would improve the usage of snort on Debian, for sure, but this is out of scope of this bug report.

Nonetheless, thanks for making snort available on Debian!

With kind regards,
Robert Kehl

-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (990, 'stable'), (501, 'testing'), (450, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages snort-rules-default depends on:
ii  adduser                 3.112+nmu2   add and remove users and groups
ii  debconf [debconf-2.0]   1.5.36.1     Debian configuration management sy

Versions of packages snort-rules-default recommends:
ii  oinkmaster              2.0-2        Snort rules manager

Versions of packages snort-rules-default suggests:
ii  snort                   2.8.5.2-8    flexible Network Intrusion Detecti

-- Configuration Files:
/etc/snort/rules/community-sip.rules changed:
alert udp $DNS_SERVERS 53 -> any any (msg:"COMMUNITY SIP DNS No such name treshold - Abnormaly high count of No such name responses"; content:"|83|"; offset:3; depth:1; threshold: type both, track by_dst, count 100, seconds 60; classtype:attempted-dos; sid:100000161; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"COMMUNITY EXPLOIT SIP UDP Softphone overflow attempt"; content:"|3B|branch|3D|"; content:"a|3D|"; pcre:"/^a\x3D[^\n]{1000,}/smi"; reference:bugtraq,16213; reference:cve,2006-0189; classtype:misc-attack; sid:100000223; rev:1;)

-- no debconf information
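The check the report describes (rules written with protocol "ip" whose port fields are silently not enforced, so an intended "any -> any 5060" degrades to "any -> any") can be applied to a whole rules file before it is loaded. The script below is an added example, not part of the bug report or of the snort or snort-rules-default packages; it rests on the assumption the reporter observed, namely that Snort does not apply port matching to rules with the "ip" protocol, and it only handles single-line rules with bracket-free address fields (multi-line rules with trailing backslashes are out of scope). The sample rules embedded in it are constructed for this example and are not taken from community-sip.rules.

```python
import re

# Constructed sample rules for this example; they are NOT the real
# community-sip.rules entries, only shaped like them.
SAMPLE_RULES = """\
# comment lines and blank lines are skipped

alert ip any any -> any 5060 (msg:"SIP flood, proto ip with port"; content:"INVITE"; sid:1000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"SIP on udp"; sid:1000002; rev:1;)
alert ip any any -> any any (msg:"proto ip, no port restriction"; sid:1000003; rev:1;)
alert tcp any any -> any 5060 (msg:"SIP on tcp"; sid:1000004; rev:1;)
alert ip $HOME_NET 5060 <> $EXTERNAL_NET any (msg:"proto ip with source port"; sid:1000005; rev:1;)
"""

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_rule(line):
    """Return the header fields of one Snort rule line as a dict, or None
    for blank lines, comments and lines this simplified parser cannot read."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None


def rule_sid(fields):
    """Extract the sid from the option block, or None if it has none."""
    m = SID_RE.search(fields["opts"])
    return int(m.group(1)) if m else None


def ports_ignored(fields):
    """True when the rule's port fields have no effect.

    Assumption (matching the behaviour described in the bug report): Snort
    does not apply port matching to 'ip' protocol rules, so any port other
    than 'any' on such a rule is a restriction that is silently dropped and
    the rule fires on every packet that matches its content options.
    """
    if fields["proto"] != "ip":
        return False
    return fields["sport"] != "any" or fields["dport"] != "any"


def find_ip_rules_with_ports(rules_text):
    """Return the sids of all rules in rules_text whose ports are ignored."""
    hits = []
    for line in rules_text.splitlines():
        fields = parse_rule(line)
        if fields and ports_ignored(fields):
            hits.append(rule_sid(fields))
    return hits


def rewrite_proto(line, proto):
    """Rewrite an 'ip' rule to a concrete transport protocol so that its port
    fields take effect. Rules that are not 'ip' rules are returned unchanged.
    The caller decides whether udp or tcp is right: SIP signalling on 5060
    is commonly UDP, but TCP is also used, so one 'ip' rule may need two."""
    fields = parse_rule(line)
    if not fields or fields["proto"] != "ip":
        return line
    return re.sub(r"^(\w+)\s+ip\b", r"\1 " + proto, line.strip(), count=1)


if __name__ == "__main__":
    for sid in find_ip_rules_with_ports(SAMPLE_RULES):
        print("sid %d: 'ip' rule with a port restriction that Snort ignores" % sid)
```

Run against a real rules file by reading it into find_ip_rules_with_ports(); every sid it reports is a rule that, like the flooding rule in the report, matches on content alone regardless of the port written in its header, and rewrite_proto() produces the udp or tcp variant whose port field is actually enforced.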