I don't know why the sip pcap file is not being detected

trymp · June 16, 2023, 5:10am

my enviornment
4.15.0-197-generic #208-Ubuntu SMP
Suricata 6.0.10

rule: alert udp any any → any any (msg:“sig05”; sid:25; rev:3; sip.method; content:“INVITE”

sip is enabled in the config file
#/usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -k none -r pkt.pcap -v

pkt.pcap (normal SIP invite pcap file) blow summary >>
INVITE sip:2002@192.168.0.29 SIP/2.0
Via: SIP/2.0/UDP 192.168.0.3:48308;rport;branch=z9hG4bKPjnw.Ns5Nd86tq5oRiAk-eY5Vvm.Z.4tFF
Max-Forwards: 70
From: sip:2001@192.168.0.29;tag=HQS4BopRcefslHoG-U5Je3oHE4w4HMpk
To: sip:2002@192.168.0.29
Contact: sip:2001@192.168.0.3:48308;ob
Call-ID: DtcbMSTfb0AluOfXc8Am82Mq5k3NK82L…

but not detect(not alert) .

Thank you for your help in resolving the issue.

jufajardini · June 19, 2023, 11:39pm

Hi there welcome to our forum ^^

So, you see other alerts, but not just for sip?

I’ve noticed that in your rule you have alert udp if you change that to alert sip, does the alert show?

You could also try to get one of the sip tests in our suricata-verify framework and see if those run, so we could try to understand if this is an issue with Suri as a whole, with the pcap or with the rule you’re trying to match on.

Here is a suricata-verify test for the sip.method rule keyword: suricata-verify/tests/sip-method at master · OISF/suricata-verify · GitHub

Hope that helps

trymp · June 21, 2023, 1:29am

This problem is what I did wrong.
The pap file I used is not on the 5060 port.
suricata completed sip decoding only on port 5060.

jufajardini · June 21, 2023, 2:32pm

I see!

Thanks for adding this info. I digged a bit and from my tests you should be able to inform Suricata on which ports you’d like it to inspect, for SIP. In order to do that, on the suricata.yaml configuration file, go to the sip section under the app-layer one, and then you can edit it to look something like this, but adjusting to your needs:

    sip: 
      enabled: yes
      tcp: 
        enabled: yes
        detection-ports:
          dp: 5060, 5061, 48038
      udp: 
        enabled: yes
        detection-ports:
          dp: 5060, 5061, 48038

If you do test this, let us know if that worked

trymp · June 22, 2023, 12:55am

your reply message , thanks. ~^^

DeliChip · January 18, 2024, 1:10am

Apologies for brining back this old topic but it relates, are there are known rule sets for SIP traffic using Suricata?

This post and my suricata.yaml

which has

sip: #enabled: no
Leads me to believe the software is not setup to alert/block of common SIP attacks.

jufajardini · January 18, 2024, 3:13pm

I see that the ET open ruleset has some rules for SIP.

Our documentation also lists some SIP rule keywords: 8.29. SIP Keywords — Suricata 8.0.0-dev documentation

More than that would require more research…

DeliChip · January 19, 2024, 12:21am

I use FreeSWITCH (which uses lua) so this was also interesting - 16.1. Lua usage in Suricata — Suricata 6.0.4 documentation Although Im not sure how much it would help with SIP flooding/ DDOS threats.

Thanks for this and yes I’ll need to do more research, hopefully the ET ruleset will suffice but Ill take a look.