Snort Portscan Detection - Blocking VoIP
-
As the topic says Squid Portscan Detection when enabled blocks my VoIP ISP in a few seconds. Seems the ISP has multiple servers to which PAP2T ATA connects at different times. So for the time being I have Portscan Detection disabled.
Is there a solution to this?
-
Do you mean snort and not squid? You might want to correct the title of the thread if that is the case.
-
VoIP traffic will trip Snort's port scan rules if you have at least several phones, you'll just have to disable those rules.
-
Thanks for correcting my topic from Squid to Snort.
I have no voip rules enabled.
-
It's not any of the VoIP rules, it's the port scan rules being triggered by RTP generally.
-
OK. So whats the fix for it?
Is disabling port scan the only option? Doesn't it kinda beats the purpose?
-
Yes you have to disable the port scan rule it's triggering, which is the UDP port scan rule IIRC. RTP in volume looks like a UDP port scan. Some manual hacking of the rule to make it less prone to those false positives may suffice. That's more a question for Sourcefire, we don't have any involvement with the rules.
