@bmeeks said in Question on STUN traffic on non-default ports:
The rule is simply looking for a particular pattern of bytes within a given range of bytes in the packet's payload (in this rule, it's looking for the Magic Cookie byte sequence 2112 a442):
content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4;
Here is a description of the STUN protocol down at the byte level: https://subspace.com/resources/stun-101-subspace.
It is entirely possible for some given DNS or NTP payload to randomly match on that sequence of bytes. The problem with these types of rules is they are never absolute. That's why the rule is in the ET INFO category -- it can't be 100% certain with no doubt that the traffic is correctly identified every time.
So, TLDR, the rule is really sort of meaningless in my opinion. It cannot absolutely say some given traffic is STUN, and there is lots of legitimate traffic that uses port numbers less than 1024. And any packet payload might just randomly happen to contain a triggering byte sequence from time to time, most especially when the packet payload is encrypted.
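To make the byte-level argument concrete, here is an added example (my own code, not from the forum post or from the Emerging Threats rule set) that models the two chained `content` checks of the quoted rule in Python and runs them over constructed payloads: a genuine STUN Binding Request, a DNS query header that happens to line up with the pattern, and a STUN Binding Response. The `content_match` helper is a hand-written approximation of Snort/Suricata `depth`/`distance`/`within` semantics, and `looks_like_valid_stun` is an extra header-consistency check (RFC 5389 header layout) that an analyst could apply when triaging the alert; neither is part of the rule itself.

```python
import struct

# Added example (not code from the forum post): a hand-written model of the
# Snort/Suricata content modifiers used by the ET INFO STUN rule quoted above:
#   content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4;
STUN_MAGIC_COOKIE = b"\x21\x12\xa4\x42"   # RFC 5389 fixed value 0x2112A442
STUN_BINDING_REQUEST = b"\x00\x01"        # STUN message type: Binding Request
STUN_HEADER_LEN = 20


def content_match(payload, pattern, start=0, depth=None, distance=None, within=None):
    """Emulate one `content` keyword. Returns the offset just past the match, or None.

    depth    - only the first `depth` bytes (from `start`) are searched
    distance - searching begins `distance` bytes after the previous match
    within   - the pattern must end within `within` bytes of where the search begins
    """
    search_start = start + (distance or 0)
    limit = len(payload) - search_start
    if depth is not None:
        limit = min(limit, depth)
    if within is not None:
        limit = min(limit, within)
    window = payload[search_start:search_start + limit]
    idx = window.find(pattern)
    if idx < 0:
        return None
    return search_start + idx + len(pattern)


def et_stun_rule_matches(payload):
    """The rule's two chained content checks: message type 00 01 at offset 0,
    then the magic cookie exactly 2 bytes later (the 2-byte length field is skipped)."""
    end = content_match(payload, STUN_BINDING_REQUEST, depth=2)
    if end is None:
        return False
    return content_match(payload, STUN_MAGIC_COOKIE, start=end, distance=2, within=4) is not None


def looks_like_valid_stun(payload):
    """Stricter check an analyst can apply when triaging the alert (not part of the rule).
    RFC 5389: the top two bits of the first byte are zero, and the length field counts
    the bytes after the 20-byte header and is a multiple of 4."""
    if len(payload) < STUN_HEADER_LEN:
        return False
    msg_type, msg_len = struct.unpack("!HH", payload[:4])
    if msg_type & 0xC000:
        return False
    if payload[4:8] != STUN_MAGIC_COOKIE:
        return False
    return msg_len % 4 == 0 and msg_len == len(payload) - STUN_HEADER_LEN


def triage(payload):
    """Label a payload the way an analyst would read the alert."""
    if not et_stun_rule_matches(payload):
        return "no-alert"
    return "stun" if looks_like_valid_stun(payload) else "false-positive"


# Constructed sample payloads (not captured traffic).
# 1. A real STUN Binding Request: type 0x0001, length 0, cookie, 12-byte transaction id.
BINDING_REQUEST = struct.pack("!HH", 0x0001, 0) + STUN_MAGIC_COOKIE + b"\x01" * 12

# 2. A DNS query whose header happens to line up with the rule: transaction id 0x0001,
#    flags 0x0100, QDCOUNT 0x2112, ANCOUNT 0xa442, followed by a question for example.com.
DNS_LOOKALIKE = (struct.pack("!HHHHHH", 0x0001, 0x0100, 0x2112, 0xA442, 0, 0)
                 + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1))

# 3. A STUN Binding Response (type 0x0101): valid STUN, but the rule never fires on it.
BINDING_RESPONSE = struct.pack("!HH", 0x0101, 0) + STUN_MAGIC_COOKIE + b"\x02" * 12

if __name__ == "__main__":
    for name, p in [("binding request", BINDING_REQUEST),
                    ("dns lookalike", DNS_LOOKALIKE),
                    ("binding response", BINDING_RESPONSE)]:
        print(f"{name:17s} rule={et_stun_rule_matches(p)!s:5s} -> {triage(p)}")
```

Running it shows the two limits bmeeks describes: the DNS lookalike trips the rule even though its "length" field (the DNS flags word) does not agree with the packet size, and a Binding Response is real STUN that the rule ignores because the type bytes are 01 01 rather than 00 01. The `looks_like_valid_stun` consistency check is one cheap way to separate the first case from a true STUN request before chasing the alert.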