This is a common problem in Snort, but I'm not sure why the rule triggers at all.
The rule below comes from the Debian repositories. Apparently it is designed to trigger when there are more than 300 hits on port 5060, and will only alert once every 60 seconds if it continues.
/etc/snort/rules/community-sip.rules (whitespace added, other rules removed):
...
alert ip any any -> any 5060 (
msg:"COMMUNITY SIP TCP/IP message flooding directed to SIP proxy";
threshold: type both, track by_src, count 300, seconds 60;
classtype:attempted-dos;
sid:100000160;
rev:2;
)
...
http://manual.snort.org/node35.html
But the rule seems to trigger on stuff which has nothing to do with port 5060 at all. E.g., here's an alert:
[**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**]
[Classification: Attempted Denial of Service] [Priority: 2]
08/06-12:19:07.399163 1.2.3.4:61253 -> 5.6.7.8:22
TCP TTL:55 TOS:0x10 ID:59727 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xE2B759E9 Ack: 0xB01D0B90 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 129954676 287277196
Some Googling reveals that people say "this is a bad rule", but I can't see how.
I think I got this one. There was no information I could find on "alert ip" and port numbers in the documentation on snort.org.
The following says that this is a common mistake in authoring snort rules:
http://leonward.wordpress.com/2009/06/07/dumbpig-automated-checking-for-snort-rulesets/
I fixed it by duplicating the rule, specifying TCP and UDP and changing the rule SIDs. I repeated this for multiple rules in the community-sip.rules file.
e.g.,
The alerts are quiet now. Some test rules (with lower counts) trigger properly when I test them.
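The rewrite the answer describes (an `ip` rule with a port is split into a `tcp` copy and a `udp` copy with distinct SIDs, so the 300-hit threshold only counts TCP/UDP traffic to 5060 instead of every IP packet from a source, which is how the SSH packet above tripped it) can be applied to a whole rules file mechanically. This is an added example, not code from the question, the answer or the Snort project; the sample rules and the starting SID 100000200 are constructed, the `tcp` copy keeps the original SID and the `udp` copy gets the next free one.

```python
import re

# Constructed sample: the community rule from the question, folded onto one
# line, plus a hypothetical `ip` rule with port `any` that must be left alone.
SAMPLE_RULES = """\
alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message flooding directed to SIP proxy"; threshold: type both, track by_src, count 300, seconds 60; classtype:attempted-dos; sid:100000160; rev:2;)
alert ip any any -> any any (msg:"EXAMPLE any-port ip rule"; sid:100000999; rev:1;)
"""

# Rule header: <action> ip <src> <sport> <dir> <dst> <dport> ( <options> )
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+ip\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
SID_RE = re.compile(r'sid\s*:\s*(\d+)\s*;')


def split_ip_port_rules(text, next_sid):
    """Return (rewritten_text, next_free_sid).

    Every `ip` rule that names a source or destination port is replaced by
    a `tcp` copy (original sid) and a `udp` copy (fresh sid). Rules whose
    ports are both `any`, and rules for other protocols, pass through."""
    out = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m or (m['sport'] == 'any' and m['dport'] == 'any'):
            out.append(line)
            continue
        hdr = f"{m['action']} {{proto}} {m['src']} {m['sport']} {m['dir']} {m['dst']} {m['dport']}"
        out.append(f"{hdr.format(proto='tcp')} ({m['opts']})")
        udp_opts = SID_RE.sub(f"sid:{next_sid};", m['opts'], count=1)
        out.append(f"{hdr.format(proto='udp')} ({udp_opts})")
        next_sid += 1
    return "\n".join(out) + "\n", next_sid


if __name__ == "__main__":
    print(split_ip_port_rules(SAMPLE_RULES, 100000200)[0])
```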