I don't know why the sip pcap file is not being detected

Rules
1

my enviornment
4.15.0-197-generic #208-Ubuntu SMP
Suricata 6.0.10

rule: alert udp any any → any any (msg:“sig05”; sid:25; rev:3; sip.method; content:“INVITE”:wink:

sip is enabled in the config file
#/usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -k none -r pkt.pcap -v

pkt.pcap (normal SIP invite pcap file) blow summary >>
INVITE sip:2002@192.168.0.29 SIP/2.0
Via: SIP/2.0/UDP 192.168.0.3:48308;rport;branch=z9hG4bKPjnw.Ns5Nd86tq5oRiAk-eY5Vvm.Z.4tFF
Max-Forwards: 70
From: sip:2001@192.168.0.29;tag=HQS4BopRcefslHoG-U5Je3oHE4w4HMpk
To: sip:2002@192.168.0.29
Contact: sip:2001@192.168.0.3:48308;ob
Call-ID: DtcbMSTfb0AluOfXc8Am82Mq5k3NK82L…

but not detect(not alert) .

Thank you for your help in resolving the issue.

2

Hi there welcome to our forum ^^

So, you see other alerts, but not just for sip?

I’ve noticed that in your rule you have alert udp if you change that to alert sip, does the alert show?

You could also try to get one of the sip tests in our suricata-verify framework and see if those run, so we could try to understand if this is an issue with Suri as a whole, with the pcap or with the rule you’re trying to match on.

Here is a suricata-verify test for the sip.method rule keyword: suricata-verify/tests/sip-method at master · OISF/suricata-verify · GitHub

Hope that helps :slight_smile:

3

This problem is what I did wrong.
The pap file I used is not on the 5060 port.
suricata completed sip decoding only on port 5060.

4

I see!

Thanks for adding this info. I digged a bit and from my tests you should be able to inform Suricata on which ports you’d like it to inspect, for SIP. In order to do that, on the suricata.yaml configuration file, go to the sip section under the app-layer one, and then you can edit it to look something like this, but adjusting to your needs:

    sip: 
      enabled: yes
      tcp: 
        enabled: yes
        detection-ports:
          dp: 5060, 5061, 48038
      udp: 
        enabled: yes
        detection-ports:
          dp: 5060, 5061, 48038

If you do test this, let us know if that worked :slight_smile:

5

your reply message , thanks. ~^^

1 Like