Content Tagged hids

OSSEC v1.5 now has built-in Asterisk rules

A new OSSEC version has been released. Along with a number of other updates, OSSEC now includes the Asterisk rules that were first published in my hakin9 article and then here. The rest of the updates are described in the Changelog.

Grab it now.

sipvicious: SIPVicious Feed


Using OSSEC to detect attacks on an Asterisk box

This post is a follow-up to the previous one, which described how to configure Snort to detect SIP attacks. This time we look at detecting attacks at the PBX's end, in its logs, rather than by monitoring network traffic. OSSEC lets us do just that: it is a host-based intrusion detection system that matches patterns in log files and can actively respond to an attack (for example by blocking the offending source address).

By default OSSEC has no support for Asterisk. To add it, create a new XML file called asterisk.xml in the OSSEC rules directory (typically /var/ossec/rules/). This file contains rules for the following two kinds of attack:
  • User/Extension enumeration (registration attempts for many extensions that do not exist)
  • Password cracking attacks (many failed registrations for an extension that does exist)
The actual rules file can be downloaded here.

This rules file needs to be referenced from the main configuration, usually found in /var/ossec/etc/ossec.conf. Add the following line inside the <rules> section of that file:

<include>asterisk.xml</include>

Then we need a decoder entry so that OSSEC can extract the offending IP address from the log line. Add the section below to the decoder definition file, usually found at /var/ossec/etc/decoder.xml. The first decoder matches on the syslog program name; the second, its child, looks for the text "Registration from " and then pulls the IP address that follows "failed for" into OSSEC's srcip field, which is what frequency-based rules and active response key on:

<!-- parent decoder: any syslog line whose program name starts with "asterisk" -->
<decoder name="asterisk">
  <program_name>^asterisk</program_name>
</decoder>

<!-- child decoder: registration failures, with the peer's IP address stored as srcip -->
<decoder name="asterisk-denied">
  <parent>asterisk</parent>
  <prematch>Registration from </prematch>
  <regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
  <order>srcip</order>
</decoder>

Do not forget to restart OSSEC, typically by executing:
/etc/init.d/ossec restart
Finally, make sure Asterisk is configured to log to syslog, and restart it. The first command below appends a line to the [logfiles] section of logger.conf that sends notice, warning and error messages to the local0 syslog facility; the second restarts Asterisk:
echo "syslog.local0 => notice,warning,error" >> /etc/asterisk/logger.conf

/etc/init.d/asterisk restart
Two things to check: [logfiles] must be the last section in logger.conf for the appended line to land in it, and your syslog daemon must write the local0 facility to a file that OSSEC is already reading through a <localfile> entry in ossec.conf (for example /var/log/messages), otherwise the decoder above never sees the lines.
Note: Check out Laureano's post on how to just reload the logger configuration.

That's it. Note that this was tested on a Trixbox VM; your Asterisk setup might need some adjustments, since the format of Asterisk log lines is not all that standard across versions and distributions.

Oh, and to test these rules you can obviously use the SIPVicious tool suite ;-)
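To see what the decoder above actually extracts, and what the rules file has to do on top of it, here is an added example written for this page (it is not the post's own code and not OSSEC's). It re-implements the two decoders as a small Python parser and then applies the kind of frequency/timeframe/same-source-IP correlation that an OSSEC rule expresses, over constructed Asterisk syslog lines. The hostname, pids, timestamps and the thresholds are assumptions; the "Wrong password" and "No matching peer found" tails are what Asterisk's chan_sip writes for a known and an unknown extension respectively, and telling them apart is what separates password cracking from extension enumeration.

```python
import re
from collections import defaultdict
from datetime import datetime


# --- constructed sample input (not a real capture) -------------------------
def asterisk_line(ts, ext, srcip, reason):
    """Build a syslog line shaped like chan_sip's registration-failure NOTICE.
    Asterisk ends these lines with 'Wrong password' (known extension, bad
    secret) or 'No matching peer found' (unknown extension); the host name,
    pids and timestamps used here are made up."""
    return (f"Jan 10 {ts} pbx asterisk[2231]: NOTICE[2240]: chan_sip.c:15423 "
            f"handle_request_register: Registration from '\"{ext}\" <sip:{ext}@10.0.0.5>' "
            f"failed for '{srcip}' - {reason}")


def sample_log():
    lines = []
    # 1. password cracking: repeated wrong secrets for one extension from one IP
    for i in range(6):
        lines.append(asterisk_line(f"12:00:0{i}", "100", "192.0.2.77", "Wrong password"))
    # 2. extension enumeration: one IP walking through extensions that do not exist
    for i, ext in enumerate(["201", "202", "203", "204"]):
        lines.append(asterisk_line(f"12:00:1{i}", ext, "198.51.100.9", "No matching peer found"))
    # 3. a legitimate user mistyping a password once: must not alert
    lines.append(asterisk_line("12:00:30", "102", "10.0.0.42", "Wrong password"))
    # 4. noise from another program: the parent decoder must skip it
    lines.append("Jan 10 12:00:31 pbx sshd[999]: Failed password for root from 203.0.113.4 port 2222 ssh2")
    return lines


# --- the two decoders from the post, as Python ------------------------------
SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>[^\[: ]+)(?:\[\d+\])?: (?P<msg>.*)$")
PREMATCH = "Registration from "
# OSSEC's regex dialect treats a bare '.' as a literal dot; Python needs '\.'.
AFTER_PREMATCH = re.compile(r"failed for '(\d+\.\d+\.\d+\.\d+)' - (.*)$")
# extension from '"100" <sip:100@host>' or, without a display name, '<sip:100@host>'
EXTENSION = re.compile(r"^'(?:\"(?P<name>[^\"]*)\"|<sip:(?P<user>[^@>]+))")


def decode(line):
    """Return {'ts','srcip','ext','reason'} for an Asterisk registration
    failure, or None for anything the two decoders would not match."""
    m = SYSLOG.match(line)
    if not m or not m.group("prog").startswith("asterisk"):   # <program_name>^asterisk
        return None
    msg = m.group("msg")
    at = msg.find(PREMATCH)                                     # <prematch>
    if at < 0:
        return None
    rest = msg[at + len(PREMATCH):]                             # offset="after_prematch"
    r = AFTER_PREMATCH.search(rest)
    if not r:
        return None
    e = EXTENSION.match(rest)
    ext = (e.group("name") or e.group("user")) if e else None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")     # year-less syslog time
    return {"ts": (ts - datetime(1900, 1, 1)).total_seconds(),
            "srcip": r.group(1), "ext": ext, "reason": r.group(2)}


# --- correlation, the way OSSEC frequency/timeframe/same_source_ip rules work
TIMEFRAME = 120          # seconds (assumed, like OSSEC's timeframe attribute)
CRACK_THRESHOLD = 5      # assumed: wrong passwords from one IP within TIMEFRAME
ENUM_THRESHOLD = 4       # assumed: distinct unknown extensions from one IP within TIMEFRAME


def correlate(lines):
    """Return (alert_kind, srcip) pairs, at most once per source and kind."""
    alerts, fired = [], set()
    window = defaultdict(list)   # srcip -> [(ts, ext, reason)] within TIMEFRAME
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        w = window[ev["srcip"]]
        w.append((ev["ts"], ev["ext"], ev["reason"]))
        w[:] = [x for x in w if ev["ts"] - x[0] <= TIMEFRAME]   # expire old events
        wrong = sum(1 for x in w if x[2] == "Wrong password")
        unknown = {x[1] for x in w if x[2] == "No matching peer found"}
        for kind, hit in (("password-cracking", wrong >= CRACK_THRESHOLD),
                          ("extension-enumeration", len(unknown) >= ENUM_THRESHOLD)):
            if hit and (ev["srcip"], kind) not in fired:
                fired.add((ev["srcip"], kind))
                alerts.append((kind, ev["srcip"]))
    return alerts


if __name__ == "__main__":
    for kind, ip in correlate(sample_log()):
        print(f"ALERT {kind} from {ip}")
```

Running it reports one password-cracking alert for 192.0.2.77 and one extension-enumeration alert for 198.51.100.9; the single mistyped password from 10.0.0.42 and the sshd line produce nothing. In OSSEC itself the same split is expressed with two rules that both sit on the asterisk-denied decoder, one matching "Wrong password" and one matching "No matching peer found", each with a frequency, a timeframe and same_source_ip.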

sipvicious: SIPVicious Feed


OSSEC

Open Source Host-based Intrusion Detection System. Performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response.

opensource: del.icio.us tag/opensource

OSSIM (Open Source Security Information Management)

Its goal is to provide a comprehensive compilation of tools which, working together, give a network or security administrator a detailed view of every aspect of their networks, hosts, physical access devices, servers, etc.

opensource: del.icio.us tag/opensource
