Snort - OK to turn off sip preprocessor rules if there's no VOIP?

dwasifar
I'm seeing various sip preprocessor alerts inbound on port 5060.  They're probably attack attempts, but there are no VOIP services on my network and port 5060 is not open to any traffic.  Is there any reason I shouldn't turn these rules off to reduce the noise level?

NogBadTheBad
Re: Snort - OK to turn off sip preprocessor rules if there's no VOIP?
« Reply #1 on: February 04, 2018, 04:50:04 am »
You could also disable via :-

Services -> Snort -> Preprocessors and Flow -> INTERFACE -> INTERFACE Preprocs

Untick Enable SIP Detection

bmeeks
Re: Snort - OK to turn off sip preprocessor rules if there's no VOIP?
« Reply #2 on: February 05, 2018, 03:17:18 pm »
You can turn it off, but if any of your enabled rules use keywords or rule options specific to the SIP preprocessor, then you will get errors when Snort starts up and it will not start successfully.  I would suggest simply disabling the rules generating the "noise" and leave the default preprocessor set enabled.

Bill
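
The startup failure described in the reply above can be checked for before unticking Enable SIP Detection. As an added example (not part of the original thread), this Python sketch lists the enabled rules that use the Snort 2.9 SIP rule options `sip_method`, `sip_stat_code`, `sip_header` and `sip_body`; the sample rules and SIDs are constructed, and it assumes one rule per line.

```python
import re

# Rule options that Snort 2.9.x only accepts when the SIP preprocessor is loaded.
SIP_OPTIONS = ("sip_method", "sip_stat_code", "sip_header", "sip_body")
# An option starts after '(' or ';' and is followed by ':' (arguments) or ';'.
OPTION_RE = re.compile(r"[(;]\s*(" + "|".join(SIP_OPTIONS) + r")\s*(?=[:;])")
SID_RE = re.compile(r"[(;]\s*sid\s*:\s*(\d+)\s*;")
# Quoted strings (msg, content) are blanked so text inside them cannot match.
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')

# Constructed sample rules, for illustration only.
SAMPLE_RULES = r'''
alert udp any any -> $HOME_NET 5060 (msg:"constructed: INVITE seen"; sip_method:invite; sid:1000001; rev:1;)
# alert udp any any -> $HOME_NET 5060 (msg:"constructed: disabled rule"; sip_header; content:"User-Agent"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"constructed: option name only in content"; content:"(sip_body: x"; sid:1000003; rev:1;)
alert udp any any -> $HOME_NET 5060 (msg:"constructed: 401 with realm"; sip_stat_code:401; sip_body; content:"realm"; sid:1000004; rev:1;)
'''


def sip_dependent_rules(rules_text):
    """Return [(sid, [options])] for enabled rules that need the SIP preprocessor."""
    hits = []
    for line in rules_text.splitlines():
        line = line.strip()
        # Disabled rules are commented out with '#', so Snort never parses them.
        if not line or line.startswith("#"):
            continue
        stripped = QUOTED_RE.sub('""', line)
        used = sorted(set(OPTION_RE.findall(stripped)))
        if used:
            sid = SID_RE.search(stripped)
            hits.append((int(sid.group(1)) if sid else None, used))
    return hits


if __name__ == "__main__":
    for sid, options in sip_dependent_rules(SAMPLE_RULES):
        print(f"sid {sid} needs the SIP preprocessor: {', '.join(options)}")
```

An empty result means no enabled rule in the scanned text depends on these options; any SID listed has to be disabled before the preprocessor is turned off.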

dwasifar
Re: Snort - OK to turn off sip preprocessor rules if there's no VOIP?
« Reply #3 on: February 07, 2018, 10:29:54 am »
You can turn it off, but if any of your enabled rules use keywords or rule options specific to the SIP preprocessor, then you will get errors when Snort starts up and it will not start successfully.  I would suggest simply disabling the rules generating the "noise" and leave the default preprocessor set enabled.

Yes, that's what I meant: disable the individual rules, not the whole rule set.

Thanks.