drop udp $EXTERNAL_NET 3478 → $HOME_NET any (msg:“ET INFO Session Traversal Utilities for NAT (STUN Binding Response)”; content:"|01 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user ; sid:2016150 ; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
You would have to check the actual traffic, ideally via pcap what difference is between the two attempts.
Thanks for your information Andreas… Will verify it…
STUN behavior should also check whether it is working on TCP and for Classic STUN (RFC 3489). However, if the purpose is to block only Teams, it may be appropriate to identify the traffic generated for calls in Teams rather than STUN, which is a common protocol.