Rule "ET VOIP INVITE Message Flood UDP" triggered

Hi,

This rule is being triggered:

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP INVITE Message Flood UDP"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2009698; classtype:attempted-dos; sid:2009698; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

The rule should trigger when it detects >=100 packets in 60 seconds, but the logs only show 1 packet and the rule is being triggered anyway.

"app_proto":"sip","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":435,"bytes_toclient":0

Can you include the entire alert instead of a partial line?

{"timestamp":"2022-05-26T13:03:02.367332+0100","flow_id":1139748701117156,"in_iface":"enp2s0f1","event_type":"alert","vlan":[x],"src_ip":"x","src_port":5218,"dest_ip":"x","dest_port":5060,"proto":"UDP","community_id":"1:l+MotXIB6yBwded2+MzymYVNPus=","alert":{"action":"allowed","gid":1,"signature_id":2009698,"rev":1,"signature":"ET VOIP INVITE Message Flood UDP","category":"Attempted Denial of Service","severity":1,"metadata":{"created_at":["2010_07_30"],"updated_at":["2010_07_30"]}},"sip":{"method":"INVITE","uri":"sip:100@x","version":"SIP/2.0","request_line":"INVITE sip:100@x SIP/2.0"},"app_proto":"sip","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":435,"bytes_toclient":0,"start":"2022-05-26T13:03:02.367332+0100"}"stream":0

Hi,

The rule:
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP INVITE Message Flood UDP"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2009698; classtype:attempted-dos; sid:2009698; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

This rule uses thresholding, "threshold: type both , track by_src, count 100, seconds 60;"

This means that in 60 seconds, if a single source IP generates 100 packets matching the content "INVITE" on UDP port 5060, Suricata will generate 1 alert in that 60 seconds.

For reference: 6.31. Thresholding Keywords — Suricata 6.0.5 documentation

Hope that helps!

JT


Sure, I understand that. The problem is that the rule is being generated while the source generates only 1 packet. As can be seen in the alert log:

{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":435,"bytes_toclient":0,"start":"2022-05-26T13:03:02.367332+0100"}"stream":0

Correct, as I understand it, Suricata will only log 1 alert and associated metadata (based on your suricata.yaml configuration) of the packet that triggers the alert via threshold configuration in the rule.

So it only logs the very last packet that triggers the rule? Instead of logging the specific information about how many packets (could be 100, 200, 300, etc…) have been generated to trigger the rule?

That’s correct, as I understand it.

JT

But it does not make sense. If this is the way, how can I know how many packets triggered the alert?

There are a couple ways.

You could look at the number of alerts and calculate the number of packets over time based on the thresholds in the alerts.

You could also, depending on how you are storing the json data, look at your flow data and determine how many packets based on whatever filter you wish to apply.

Hope that helps,

JT
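A toy model of the threshold behaviour JT describes above (one alert per source IP per 60-second window once 100 INVITEs are seen, attached to the single packet that crossed the count, with only that packet's flow counters) and of the "count the alerts" estimate from the last reply. This is an added example, not Suricata's own code or anything posted in the thread; the source IP, ports and SIP URI are constructed, and it assumes every INVITE arrives from a fresh UDP source port so each one is its own one-packet flow, as in the EVE record above.

```python
"""Model of 'threshold: type both, track by_src, count 100, seconds 60'
as used by sid:2009698. Added example, not Suricata's implementation."""
from collections import defaultdict

COUNT, SECONDS = 100, 60  # threshold parameters copied from the rule


def run_threshold(packets, count=COUNT, seconds=SECONDS):
    """packets: iterable of (ts_seconds, src_ip, src_port, payload_bytes).
    Returns one alert dict per source IP per window, attached to the packet
    that crossed the count and carrying only that packet's flow counters."""
    # per-source window state: start time, matches seen, whether we alerted
    state = defaultdict(lambda: {"start": None, "hits": 0, "alerted": False})
    flows = defaultdict(int)  # (src_ip, src_port) -> pkts_toserver so far
    alerts = []
    for ts, src_ip, src_port, payload in packets:
        flows[(src_ip, src_port)] += 1
        if payload[:6] != b"INVITE":      # content:"INVITE"; depth:6
            continue
        s = state[src_ip]                 # track by_src
        if s["start"] is None or ts - s["start"] >= seconds:
            s.update(start=ts, hits=0, alerted=False)   # window expired
        s["hits"] += 1
        if s["hits"] >= count and not s["alerted"]:      # type both: once
            s["alerted"] = True
            alerts.append({"timestamp": ts, "src_ip": src_ip,
                           "src_port": src_port, "signature_id": 2009698,
                           "flow": {"pkts_toserver": flows[(src_ip, src_port)]}})
    return alerts


def estimate_min_packets(alerts, count=COUNT):
    """Lower bound implied by alert volume alone: each alert proves at least
    `count` matching packets arrived in its window (JT's first suggestion)."""
    return len(alerts) * count


def make_burst(src_ip, start_ts, n, per_second, first_port, method=b"INVITE"):
    """Constructed traffic: n SIP requests, each from a new source port."""
    return [(start_ts + i // per_second, src_ip, first_port + i,
             method + b" sip:100@pbx.example SIP/2.0\r\n")
            for i in range(n)]


# constructed sample: 250 INVITEs in 50 s, one REGISTER, then 120 more after 70 s
SAMPLE = (make_burst("203.0.113.7", 0, 250, 5, 40000)
          + make_burst("203.0.113.7", 55, 1, 1, 41000, b"REGISTER")
          + make_burst("203.0.113.7", 70, 120, 10, 42000))
```

Running it over SAMPLE yields two alerts (the 100th INVITE of each window), both with pkts_toserver 1, while the 370 INVITEs actually sent are only visible from the flow records, which is the second method JT mentions.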