I don't know why the sip pcap file is not being detected

my enviornment
4.15.0-197-generic #208-Ubuntu SMP
Suricata 6.0.10

rule: alert udp any any → any any (msg:“sig05”; sid:25; rev:3; sip.method; content:“INVITE”:wink:

sip is enabled in the config file
#/usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -k none -r pkt.pcap -v

pkt.pcap (normal SIP invite pcap file) blow summary >>
INVITE sip:2002@ SIP/2.0
Via: SIP/2.0/UDP;rport;branch=z9hG4bKPjnw.Ns5Nd86tq5oRiAk-eY5Vvm.Z.4tFF
Max-Forwards: 70
From: sip:2001@;tag=HQS4BopRcefslHoG-U5Je3oHE4w4HMpk
To: sip:2002@
Contact: sip:2001@;ob
Call-ID: DtcbMSTfb0AluOfXc8Am82Mq5k3NK82L…

but not detect(not alert) .

Thank you for your help in resolving the issue.

Hi there welcome to our forum ^^

So, you see other alerts, but not just for sip?

I’ve noticed that in your rule you have alert udp if you change that to alert sip, does the alert show?

You could also try to get one of the sip tests in our suricata-verify framework and see if those run, so we could try to understand if this is an issue with Suri as a whole, with the pcap or with the rule you’re trying to match on.

Here is a suricata-verify test for the sip.method rule keyword: suricata-verify/tests/sip-method at master · OISF/suricata-verify · GitHub

Hope that helps :slight_smile:

This problem is what I did wrong.
The pap file I used is not on the 5060 port.
suricata completed sip decoding only on port 5060.

I see!

Thanks for adding this info. I digged a bit and from my tests you should be able to inform Suricata on which ports you’d like it to inspect, for SIP. In order to do that, on the suricata.yaml configuration file, go to the sip section under the app-layer one, and then you can edit it to look something like this, but adjusting to your needs:

      enabled: yes
        enabled: yes
          dp: 5060, 5061, 48038
        enabled: yes
          dp: 5060, 5061, 48038

If you do test this, let us know if that worked :slight_smile:

1 Like

your reply message , thanks. ~^^

1 Like

Apologies for brining back this old topic but it relates, are there are known rule sets for SIP traffic using Suricata?

This post and my suricata.yaml

which has

sip: #enabled: no
Leads me to believe the software is not setup to alert/block of common SIP attacks.

I see that the ET open ruleset has some rules for SIP.

Our documentation also lists some SIP rule keywords: 8.29. SIP Keywords — Suricata 8.0.0-dev documentation

More than that would require more research…

1 Like

I use FreeSWITCH (which uses lua) so this was also interesting - 16.1. Lua usage in Suricata — Suricata 6.0.4 documentation Although Im not sure how much it would help with SIP flooding/ DDOS threats.

Thanks for this and yes I’ll need to do more research, hopefully the ET ruleset will suffice but Ill take a look.

1 Like