Snort is processing VOIP/SIP media packets
Hopefully someone can help here. We have SNORT running on the LAN interface; I see this is recommended across the Internet, but it does contradict BMeeks' quick setup guide.
We also run HAProxy, and I see that with SNORT on LAN none of the HAProxy traffic is inspected, so I will move it to WAN. I do however like seeing which local host is being targeted, so perhaps running on both WAN and LAN is desirable?
That aside before I start processing all traffic we have an issue with the SIP preprocessor / Stream5 preprocessor.
I have created an alias for our VOIP servers and a port list alias for the signalling ports (5060,5061,5080,5081) and applied these aliases in the appropriate locations in the Variables tab.
I've reviewed the auto generated snort.conf file and see under the SIP preprocessor ignore_call_channel is set.
This should tell Snort via the Stream5 API not to inspect the UDP traffic containing the voice/video data.
Despite this being enabled, when a call is active we see the CPU usage increase from 1% at idle to around 20/30%, and this increases with each additional call. This suggests the UDP traffic for voice data is still being inspected.
I've tried adding our UDP media ports 16384:32768 to the ports alias so that Snort knows which ports the media is sent on, but after doing this Snort will not start on the LAN interface. Also a bit of googling suggests this should not be necessary. I also see in the Variables tab SIP_Proxy_Ports, whose defaults should cover our needs, but when reviewing the snort.conf file I cannot see any reference to this entry, nor does adding an alias to it make any changes to snort.conf.
I thought this might be the cause, perhaps a bug, so in the advanced settings pass-through I manually added the line 'portvar SIP_PROXY_PORTS [5060:5080,16384:32768]'. Whilst Snort did start without issue, it made no difference: still high CPU usage during a call.
Can anyone shed any light on what I'm doing wrong here? If any more info is required, let me know.
Running pfSense 2.2.4-RELEASE (amd64) and Snort PKG 184.108.40.206
Just tested this on a fresh pfSense 2.3.2 install with Snort 220.127.116.11_14 and the issue persists, so hasn't been fixed in the latest releases, assuming it is a bug of course and not something I am missing.
Just to update, I have used a BPF file to bypass Snort on the media ports to the VOIP hosts.
This has resolved the CPU issue, although this is a workaround rather than a fix so I would still appreciate any input.
To achieve this I created /etc/snort.bpf with the following contents:
not (host 10.0.200.161 and udp portrange 16384-32768)
and added the following line to the advanced configuration pass-through:
config bpf_file: /etc/snort.bpf
saved the configuration and restarted snort. Now calls do not hog the CPU.
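The following is an added example, not code from the forum post or from the pfSense/Snort packages. It generalises the single-host /etc/snort.bpf line above to a list of VoIP hosts (the alias from the post) and models which flows the filter removes from Snort's view, so the trade-off can be checked before deploying 'config bpf_file:': RTP media to the VoIP hosts is bypassed, while SIP signalling on 5060/5061/5080/5081, TCP on the media ports, and media between non-VoIP hosts are still inspected. The host addresses and packets are constructed sample values; the matcher mirrors the semantics of the two libpcap primitives used and is not a libpcap compiler.

```python
"""Generate and sanity-check a Snort BPF bypass filter for VoIP media.

Added example (not from the forum post). Builds the 'not (host H and udp
portrange A-B)' filter for several VoIP hosts and models which packets the
filter hides from Snort. Sample addresses below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# RTP media range and SIP signalling ports quoted in the thread
MEDIA_PORTS: Tuple[int, int] = (16384, 32768)
SIGNALING_PORTS = {5060, 5061, 5080, 5081}


def build_bpf(hosts: Iterable[str], port_range: Tuple[int, int] = MEDIA_PORTS) -> str:
    """Return a libpcap filter excluding UDP media to or from each host.

    'host H' matches H as source or destination and 'udp portrange A-B'
    matches either endpoint port, so each host gets its own 'not (...)'
    clause and the clauses are joined with 'and'. For a single host this
    yields exactly the line used in /etc/snort.bpf in the post.
    """
    lo, hi = port_range
    if lo > hi:
        raise ValueError("port range must be low-high")
    clauses = [f"not (host {h} and udp portrange {lo}-{hi})" for h in hosts]
    if not clauses:
        raise ValueError("at least one VoIP host is required")
    return " and ".join(clauses)


def write_bpf_file(path: str, hosts: Iterable[str]) -> str:
    """Write the filter to a file suitable for 'config bpf_file: <path>'."""
    expr = build_bpf(hosts)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(expr + "\n")
    return expr


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple view of a packet, enough to evaluate the filter."""
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    sport: int
    dport: int


def snort_inspects(pkt: Packet, hosts: Iterable[str],
                   port_range: Tuple[int, int] = MEDIA_PORTS) -> bool:
    """Model of the filter: True if the packet still reaches Snort.

    Mirrors the semantics of the two primitives used in build_bpf (host on
    either side, UDP port in range on either side); not a libpcap compiler.
    """
    lo, hi = port_range
    hostset = set(hosts)
    touches_voip_host = pkt.src in hostset or pkt.dst in hostset
    on_media_port = pkt.proto == "udp" and (lo <= pkt.sport <= hi or lo <= pkt.dport <= hi)
    return not (touches_voip_host and on_media_port)


def summarize(packets: Iterable[Packet], hosts: Iterable[str]) -> Dict[str, int]:
    """Count how many packets the filter bypasses vs leaves for inspection."""
    counts = {"inspected": 0, "bypassed": 0}
    hostlist: List[str] = list(hosts)
    for p in packets:
        counts["inspected" if snort_inspects(p, hostlist) else "bypassed"] += 1
    return counts


if __name__ == "__main__":
    VOIP_HOSTS = ["10.0.200.161", "10.0.200.162"]  # constructed sample alias
    print(build_bpf(VOIP_HOSTS))
    sample = [
        Packet("10.0.200.161", "192.0.2.10", "udp", 20000, 20002),  # RTP: bypassed
        Packet("192.0.2.10", "10.0.200.161", "udp", 5060, 5060),    # SIP: inspected
        Packet("192.0.2.10", "192.0.2.20", "udp", 20000, 20000),    # not a VoIP host
        Packet("192.0.2.10", "10.0.200.161", "tcp", 4444, 20000),   # TCP still seen
    ]
    print(summarize(sample, VOIP_HOSTS))  # {'inspected': 3, 'bypassed': 1}
```

Because the filter is applied before any preprocessor, whatever matches the 'not (...)' clauses is invisible to Snort on that interface, so keep the host list to the VoIP servers and the port range to what the PBX actually uses. To confirm the generated file parses the same way with real libpcap, replay a capture through it on the firewall with tcpdump -r capture.pcap -F /etc/snort.bpf and check that only SIP and non-media traffic is printed.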