Bug #8355: sip: protocol detection incorrectly matches ssdp traffic - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #8355

open

GL GL

sip: protocol detection incorrectly matches ssdp traffic

Bug #8355: sip: protocol detection incorrectly matches ssdp traffic

Added by Giuseppe Longo about 2 months ago. Updated about 2 months ago.

Status:

New

Priority:

Normal

Assignee:

Giuseppe Longo

Target version:

9.0.0-beta1

Affected Versions:

git main

Effort:

Difficulty:

Label:

Description

SIP protocol detection registers bare method names (e.g., NOTIFY, SUBSCRIBE) as pattern-matching keywords.
Since SSDP uses some of the same methods but the version string HTTP/1.1 instead of SIP/2.0, SSDP traffic can be incorrectly identified as SIP.

GL Updated by Giuseppe Longo about 2 months ago · Edited Actions
Copy link
#1

Example below:


{
  "timestamp": "2014-02-27T19:44:43.164211+0100",
  "flow_id": 986757542077835,
  "event_type": "flow",
  "src_ip": "192.168.1.1",
  "src_port": 9489,
  "dest_ip": "239.255.255.250",
  "dest_port": 1900,
  "ip_v": 4,
  "proto": "UDP",
  "app_proto": "sip",
  "flow": {
    ...
  }
}

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

Suricata

Custom queries

Bug #8355

sip: protocol detection incorrectly matches ssdp traffic

GL Updated by Giuseppe Longo about 2 months ago · Edited Actions
Copy link
#1

Project

General

Profile

Suricata

Custom queries

Bug #8355

sip: protocol detection incorrectly matches ssdp traffic

GL Updated by Giuseppe Longo about 2 months ago · Edited ActionsCopy link #1

GL Updated by Giuseppe Longo about 2 months ago · Edited Actions
Copy link
#1