Content Tagged with snort + rules

Detecting SIP attacks with Snort

Update: the Snort rules are available here for easy download.

Protecting the network from VoIP threats is only half of the story. The rest involves detecting that your system is under attack. Intrusion Detection Systems such as Snort can be configured to help with this task. Currently one can find some SIP-related rules in the latest Community Snort Rules. These rules are able to detect attacks (generated with tools like svwar and svcrack) that create a large number of INVITE or REGISTER SIP requests as well as "401 Unauthorized" SIP responses.

In this post we present some extra Snort rules that are not yet available in any public Snort ruleset (i.e. a SIPVicious exclusive ;-)).

Rule for alerting on an OPTIONS scan or flood attack:
alert ip any any -> $HOME_NET $SIP_PROXY_PORTS \
(msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; \
threshold: type both, track by_src, count 30, seconds 3; \
sid:5000004; rev:1;)

The above rule is able to detect svmap when launched against a network of 30 hosts or more, since such a scan sends at least 30 OPTIONS requests from a single source within the rule's 3-second window.

Detecting 4xx SIP responses (note the pcre must be closed with a trailing slash, which was missing in the original):
alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
(msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; \
pcre:"/^SIP\/2.0 4\d{2}/"; \
threshold: type both, track by_src, count 100, seconds 60; \
sid:5000009; rev:1;)



The presence of a large number of 4xx SIP responses usually indicates that there is an ongoing attack. The reason is that 4xx SIP responses are classed as "Client error" responses, such as "User Not Found" or "Forbidden". These messages are usually generated in bulk when an extension enumeration or brute-force attack is underway.

Detecting ghost calls:
# sid 5000009 is already used by the 4xx rule above; Snort requires a unique sid per rule,
# so assign this rule its own number before loading both.
alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
(msg:"Ghost call attack"; \
content:"SIP/2.0 180"; depth:11; \
threshold: type both, track by_src, count 100, seconds 60; \
sid:5000009; rev:1;)

A large number of ringing phones - especially something like 100 rings in 1 minute - can indicate that something is wrong on certain IP Phone networks ;-)
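To make the three rules' trigger conditions concrete, here is an added Python model (not code from the SIPVicious post) of the per-source sliding-window counting that "threshold: type both, track by_src" performs, run over constructed SIP payloads; the source addresses and message samples are made up for the example.

```python
# Added example: emulates the counting behind the page's three Snort rules so their
# thresholds can be exercised offline on constructed traffic.
import re
from collections import defaultdict

# Mirrors of the page's rules: (name, matcher, count, seconds). Matchers inspect the
# start of the SIP payload, as content/depth and the anchored pcre do.
RULES = [
    ("OPTIONS SIP scan", lambda p: p.startswith("OPTIONS"), 30, 3),
    ("Excessive number of SIP 4xx Responses",
     lambda p: re.match(r"^SIP/2\.0 4\d{2}", p) is not None, 100, 60),
    ("Ghost call attack", lambda p: p.startswith("SIP/2.0 180"), 100, 60),
]

class ThresholdDetector:
    """Snort 'threshold: type both, track by_src': alert once when a source reaches
    `count` matching packets within `seconds`, then at most once per window."""
    def __init__(self, rules=RULES):
        self.rules = rules
        self.hits = defaultdict(list)   # (rule, src) -> timestamps of matches in window
        self.alerted_at = {}            # (rule, src) -> time of the last alert

    def observe(self, ts, src, payload):
        """Feed one packet (time in seconds, source IP, SIP payload); return alerts."""
        alerts = []
        for name, match, count, seconds in self.rules:
            if not match(payload):
                continue
            key = (name, src)
            window = [t for t in self.hits[key] if ts - t < seconds]
            window.append(ts)
            self.hits[key] = window
            last = self.alerted_at.get(key)
            if len(window) >= count and (last is None or ts - last >= seconds):
                self.alerted_at[key] = ts
                alerts.append(f"{name} from {src}")
        return alerts

def run_sample():
    """Constructed traffic: a scanner sending 35 OPTIONS in ~2 s to different hosts,
    and a legitimate phone sending OPTIONS keep-alives every 30 s."""
    det = ThresholdDetector()
    raised = []
    for i in range(35):
        raised += det.observe(i * 0.06, "198.51.100.7",
                              f"OPTIONS sip:{i}@10.0.0.{i} SIP/2.0\r\n")
    for i in range(5):
        raised += det.observe(i * 30.0, "10.0.0.20", "OPTIONS sip:pbx SIP/2.0\r\n")
    return raised   # one alert for the scanner, none for the phone
```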

sipvicious: SIPVicious Feed

Pro-Linux: Intrusion Detection am Beispiel von Snort (Teil 3)

…rule consists of two parts, the so-called rule header and the rule options. Since Snort cannot handle line breaks within rules, it is extremely important…

snort: del.icio.us/tag/snort

Writing Snort Rules On EnGarde

Snort, writing rules, intrusion detection

snort: del.icio.us/tag/snort

Snort Installation and Basic Usage Part One

Snort usage, rules, intrusion detection

snort: del.icio.us/tag/snort

Emerging Threats - Home

Takes the place of bleedingthreats.net

snort: del.icio.us/tag/snort

SourceForge.net: SnortCenter 2.x

Modification of Stefan Dens's SnortCenter. This version has been modified to work with the current versions of Snort 2.x.

snort: del.icio.us/tag/snort
