Bug #8355: sip: protocol detection incorrectly matches ssdp traffic - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #8355

open

sip: protocol detection incorrectly matches ssdp traffic

Added by Giuseppe Longo 3 days ago. Updated 2 days ago.

Status:

New

Priority:

Normal

Assignee:

Giuseppe Longo

Target version:

9.0.0-beta1

Affected Versions:

git main

Effort:

Difficulty:

Label:

Description

SIP protocol detection registers bare method names (e.g., NOTIFY, SUBSCRIBE) as pattern-matching keywords.
Since SSDP uses some of the same methods but the version string HTTP/1.1 instead of SIP/2.0, SSDP traffic can be incorrectly identified as SIP.

History
Notes

Actions

Copy link

Updated by Giuseppe Longo 2 days ago · Edited

Example below:


{
  "timestamp": "2014-02-27T19:44:43.164211+0100",
  "flow_id": 986757542077835,
  "event_type": "flow",
  "src_ip": "192.168.1.1",
  "src_port": 9489,
  "dest_ip": "239.255.255.250",
  "dest_port": 1900,
  "ip_v": 4,
  "proto": "UDP",
  "app_proto": "sip",
  "flow": {
    ...
  }
}

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #8355

sip: protocol detection incorrectly matches ssdp traffic

Updated by Giuseppe Longo 2 days ago · Edited