Snort - OK to turn off sip preprocessor rules if there's no VOIP?



  • I'm seeing various sip preprocessor alerts inbound on port 5060.  They're probably attack attempts, but there are no VOIP services on my network and port 5060 is not open to any traffic.  Is there any reason I shouldn't turn these rules off to reduce the noise level?



  • You could also disable via :-

    Services -> Snort -> Preprocessors and Flow -> INTERFACE -> INTERFACE Preprocs

    Untick Enable SIP Detection



  • You can turn it off, but if any of your enabled rules use keywords or rule options specific to the SIP preprocessor, then you will get errors when Snort starts up and it will not start successfully.  I would suggest simply disabling the rules generating the "noise" and leave the default preprocessor set enabled.

    Bill
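
A way to check for the dependency described in the reply above before unticking the preprocessor, as an added example that is not part of the original thread: it lists enabled rules that use the Snort 2.x SIP preprocessor rule options (`sip_method`, `sip_stat_code`, `sip_header`, `sip_body`). The sample rules and SIDs are constructed for illustration, and `sip_dependent_rules` is a hypothetical helper name.

```python
import re

# Rule options provided by the Snort 2.x SIP preprocessor.
SIP_KEYWORDS = ("sip_method", "sip_stat_code", "sip_header", "sip_body")

# Constructed sample rules for illustration; not taken from any real rule set.
SAMPLE_RULES = """\
alert udp any any -> $HOME_NET 5060 (msg:"constructed INVITE check"; sip_method:invite; sid:1000001; rev:1;)
# alert udp any any -> $HOME_NET 5060 (msg:"constructed disabled rule"; sip_header; content:"User-Agent"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"constructed HTTP rule"; content:"sip_method"; sid:1000003; rev:1;)
alert udp any any -> $HOME_NET 5060 (msg:"constructed 4xx body check"; sip_stat_code:4; sip_body; content:"x"; sid:1000004; rev:1;)
"""

QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')   # a quoted option argument
OPTIONS = re.compile(r'\((.*)\)\s*$')       # the option block of a rule
SID = re.compile(r'\bsid\s*:\s*(\d+)')


def sip_dependent_rules(rules_text):
    """Return {sid: [SIP keywords]} for enabled rules that need the SIP preprocessor."""
    found = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or disabled (commented-out) rule
        match = OPTIONS.search(line)
        if not match:
            continue
        # Blank out quoted strings so text inside msg:/content: cannot match.
        body = QUOTED.sub('""', match.group(1))
        names = [opt.split(":", 1)[0].strip() for opt in body.split(";")]
        used = [kw for kw in SIP_KEYWORDS if kw in names]
        if used:
            sid = SID.search(body)
            found[int(sid.group(1)) if sid else -1] = used
    return found


if __name__ == "__main__":
    for sid, keywords in sip_dependent_rules(SAMPLE_RULES).items():
        print(f"sid {sid} depends on SIP preprocessor: {', '.join(keywords)}")
```

An empty result means no enabled rule in the scanned text uses a SIP rule option; any SID listed would cause the startup error described above if the preprocessor were disabled.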



  • @bmeeks:

    You can turn it off, but if any of your enabled rules use keywords or rule options specific to the SIP preprocessor, then you will get errors when Snort starts up and it will not start successfully.  I would suggest simply disabling the rules generating the "noise" and leave the default preprocessor set enabled.

    Yes, that's what I meant: disable the individual rules, not the whole rule set.

    Thanks.

