(spp_sip) URI is too long

This rule triggers when the SIP message being analyzed contains a URI (such as a web address or SIP identifier) that exceeds the length limits specified in the protocol standards. This can indicate a malformed or potentially malicious SIP message. The rule is useful for identifying abnormal or potentially harmful SIP traffic, whether caused by misconfigurations, malformed requests, or attempts to exploit vulnerabilities in SIP-based systems. When it triggers, investigate the specific SIP message to understand why the URI is so long: examine the source and destination IP addresses, the ports, and the content of the SIP message to determine whether it is a legitimate request with an unusually long URI or a malicious attempt to exploit a vulnerability in the SIP implementation.
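As an added illustration, not the SIP preprocessor's own code, the following Python check extracts the Request-URI from a SIP start line and flags it when it exceeds a length limit; the 256-byte limit and the sample messages are assumptions constructed for this example.

```python
# Added example: flag SIP requests whose Request-URI exceeds a length limit,
# the kind of check behind a "URI is too long" alert. Illustrative only;
# this is not the spp_sip preprocessor implementation.
from typing import Optional

# Assumed limit for this example (the real preprocessor makes it configurable).
MAX_URI_LEN = 256


def request_uri(message: bytes) -> Optional[bytes]:
    """Return the Request-URI from a SIP request line, or None for
    responses and malformed start lines (RFC 3261 7.1: METHOD SP URI SP version)."""
    first = message.splitlines()[0] if message else b""
    parts = first.split(b" ")
    if len(parts) != 3 or parts[2] != b"SIP/2.0" or parts[0].startswith(b"SIP/"):
        return None
    return parts[1]


def check_uri_length(message: bytes, limit: int = MAX_URI_LEN) -> dict:
    """Report the Request-URI length and whether it exceeds the limit.
    A short preview of the URI is kept so an analyst can see what was sent."""
    uri = request_uri(message)
    if uri is None:
        return {"uri_len": None, "too_long": False, "preview": None}
    return {"uri_len": len(uri), "too_long": len(uri) > limit,
            "preview": uri[:40].decode("ascii", "replace")}


# Constructed sample traffic for the demo (not captured from a real network).
NORMAL_INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
                 b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
                 b"From: <sip:alice@example.com>;tag=1928301774\r\n"
                 b"To: <sip:bob@example.com>\r\n"
                 b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
                 b"CSeq: 314159 INVITE\r\nContent-Length: 0\r\n\r\n")
LONG_INVITE = (b"INVITE sip:" + b"a" * 300 + b"@example.com SIP/2.0\r\n"
               b"Call-ID: 1@192.0.2.10\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")
RESPONSE = (b"SIP/2.0 200 OK\r\nCall-ID: a84b4c76e66710@192.0.2.10\r\n"
            b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for name, msg in [("normal", NORMAL_INVITE), ("long", LONG_INVITE), ("response", RESPONSE)]:
        print(name, check_uri_length(msg))
```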

ID Number

9000020

Signature

-

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

If this alert fires many times as a false positive, it can be disabled. If the alert is being triggered on a known IP, verify the IP; if the IP is from the internet, it is recommended to block it. It is also recommended to run an antivirus scan on the targeted server and to make sure that all software is updated.