IPS Inbound SIP Trying blocked

Question

Default IPS rule has defined: 
 PROTOCOL-VOIP inbound 100 Trying message 20404 protocol-voip 1 - Critical Windows, Linux, Unix... Server Drop packet 
 Thus the following is received: 
 2021-03-09 14:33:02IPSmessageid="07002" log_type="IDP" log_component="Signatures" log_subtype="Drop" ips_policy="" ips_policy_id="3" fw_rule_id="7" user="" sig_id="20404" message="PROTOCOL-VOIP inbound 100 Trying message" classification="Generic Protocol Command Decode" rule_priority="1" src_ip="192.168.100.104" src_country="R1" dst_ip="xxx" dst_country="DEU" protocol="TCP" src_port="52314" dst_port="5060" OS="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="protocol-voip" victim="Server" 
 Isnt this a pretty common traffic? Clients sends invite to ITSP Voip Server and it responds with Trying....

emmosophos · Answer

Hello Thomas, 
 Thank you for contacting the Sophos Community. 
 According to the Snort documentation, this event is generated when an attempt is made to send a Malformed communication to a VoIP device. 
 So probably the packet that the device is sending might be corrupted. 
 https://www.snort.org/rule_docs/1-12074 
 https://www.3cx.com/pbx/sip-responses/ 
 Regards,