6 Replies Latest reply on Nov 18, 2011 3:23 PM by ecornwell

    Strange Alert - SIP Message Flooding

    ecornwell

      Hello,

      We just got LEM and are getting it up and running and have run into something strange.  We've been seeing a lot of this error:

      COMMUNITY SIP TCP/IP message flooding directed to SIP proxy

      The source and destinations are the LEM box and a server with the agent installed.  I also noticed it with our IPS box as well.   In the period of a few minutes I saw 17 of them.

      I saw that there was a false positive related to snort.  What's the best way to clean this up?

       

      Thanks!

        • Re: Strange Alert - SIP Message Flooding
          michoudi

          I have this same problem. Also need some guidance on how to deal with these alerts.

          • Re: Strange Alert - SIP Message Flooding
            nicole pauls

            Hey All,

            This looks like the Snort IDS which is running on the appliances by default. You can disable any rules that might be triggering false positives, or tweak them if you want to adjust their settings. 

            This KB article includes links to other false positives and where to disable/modify them, and includes how to download and modify the rules on the appliance: Snort IDS Best Practices. This should probably be added to that list.

            The "COMMUNITY SIP TCP/IP message flooding directed to SIP proxy" is in the community-sip.rules file. It's detecting what it thinks is excessive SIP traffic (over 300 messages in 60 seconds from the same source). You will want to:

            1. Download the rules from the appliance to a Windows file share using the CMC service > copysnortrules command
              1. The rules/config files are separated by interface. If you've only got one interface dedicated to your appliance, you will edit the "eth0" files.
            2. Edit the rules/community-sip.rules file in a text editor
            3. TO DISABLE the rule: Comment out the rule by placing a "# " before the line with the rule in question (line 12):
              1. # Rule for alerting common TCP/UDP flood attack:
                # alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message flooding directed to SIP proxy"; threshold: type both, track by_src, count 300,
                seconds 60; classtype:attempted-dos; sid:100000160; rev:2;)
            4. TO MODIFY the threshold in the rule: change the "count" and "seconds" values (300 and 60 by default)
              1. # Rule for alerting common TCP/UDP flood attack:
                alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP  message flooding directed to SIP proxy"; threshold: type both, track  by_src, count 300,
                seconds 60; classtype:attempted-dos; sid:100000160; rev:2;)
            5. Save the changes.
            6. Copy the rules back to the appliance using the service > loadsnortrules command in the CMC. 
            7. Snort will be restarted and this should be disabled immediately.

            If you'd like to disable Snort entirely, you can:

            1. Download the rules from the appliance to a Windows file share using the CMC service > copysnortrules command
              1. The rules/config files are separated by interface. If you've only got one  interface dedicated to your appliance, you will edit the "eth0" files.
            2. Edit the snort.debian.conf file in a text editor
            3. Change the DEBIAN_SNORT_INTERFACE value from "eth0" to "disabled":
              1. DEBIAN_SNORT_INTERFACE="disabled"
            4. Save the changes.
            5. Copy the rules back to the appliance using the service > loadsnortrules command in the CMC. 
            6. Snort will attempt to restart and fail (because the interface is set to disabled), but won't be running. To enable it again, change "disabled" back to "eth0" (or whatever the name of the interface is, matching the directory structure).

            Hope that helps.