Netgate Discussion Forum

    Snort - OK to turn off sip preprocessor rules if there's no VOIP?

      dwasifar

      I'm seeing various sip preprocessor alerts inbound on port 5060.  They're probably attack attempts, but there are no VOIP services on my network and port 5060 is not open to any traffic.  Is there any reason I shouldn't turn these rules off to reduce the noise level?

        NogBadTheBad

        You could also disable via :-

        Services -> Snort -> Preprocessors and Flow -> INTERFACE -> INTERFACE Preprocs

        Untick Enable SIP Detection

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          bmeeks

          You can turn it off, but if any of your enabled rules use keywords or rule options specific to the SIP preprocessor, then you will get errors when Snort starts up and it will not start successfully. I would suggest simply disabling the rules generating the "noise" and leave the default preprocessor set enabled.

          Bill

            dwasifar

            @bmeeks:

            You can turn it off, but if any of your enabled rules use keywords or rule options specific to the SIP preprocessor, then you will get errors when Snort starts up and it will not start successfully. I would suggest simply disabling the rules generating the "noise" and leave the default preprocessor set enabled.

            Yes, that's what I meant: disable the individual rules, not the whole rule set.

            Thanks.
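
The dependency bmeeks describes can be checked before unticking Enable SIP Detection. The following is an added example, not part of the thread and not pfSense or Snort project code: it lists enabled rules that use SIP preprocessor rule options. It assumes Snort 2.x rule syntax with one rule per line; the sample rules, messages and SIDs are constructed.

```python
import re

# Rule options that exist only when the Snort 2.x SIP preprocessor is loaded.
SIP_OPTIONS = {"sip_method", "sip_stat_code", "sip_header", "sip_body"}
RULE_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s+[^(]*\((.*)\)\s*$")
# Constructed sample rules (SIDs and messages are made up for this example).
SAMPLE_RULES = r'''
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"constructed: INVITE seen"; sip_method:invite; sid:1000001; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"constructed: disabled rule"; sip_header; content:"User-Agent"; sid:1000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"constructed: mentions sip_body; in text only"; content:"OPTIONS"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"constructed: 4xx reply"; sip_stat_code:4; sip_body; content:"x"; sid:1000004; rev:1;)
'''

def split_options(body):
    """Split a rule's option body on ';', ignoring ';' inside quoted strings."""
    opts, cur, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def rules_needing_sip(rule_text):
    """Return (gid, sid, [sip options]) for each enabled rule that needs the preprocessor."""
    hits = []
    for line in rule_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:  # blank lines and '#'-commented (disabled) rules are skipped
            continue
        fields = {}
        for opt in split_options(m.group(2)):
            name, _, value = opt.partition(":")
            fields[name.strip()] = value.strip()
        used = sorted(SIP_OPTIONS.intersection(fields))
        if used:
            hits.append((int(fields.get("gid", "1")), int(fields.get("sid", "0")), used))
    return hits

if __name__ == "__main__":
    print(rules_needing_sip(SAMPLE_RULES))
```

An empty result means no enabled rule in the checked text depends on the SIP preprocessor's rule options; any GID:SID it does list would need to be disabled first.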

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.