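## VoIP Rules for Snort
## Based on http://sipvicious.org/resources/snortrules.txt
## Enhanced by edward fjellskaal @ redpill-linpro dot com
## August 2009
## The rules are made to help guide people to deploy VoIP
## Snort rules into their network. They (might) need tweaking to
## fit your network! Don't use them if you don't understand them :)
##
## Deployment notes:
##  * $SIP_PROXYS must list every host that answers SIP on
##    $SIP_PROXY_PORTS. The request rules use it as the destination,
##    the response rules (4xx, ringing) use it as the SOURCE, so a
##    variable that only lists the proxy will miss responses sent by
##    phones themselves (ghost calls bypass the proxy).
##  * Thresholds are "track by_src" unless noted. Many phones behind a
##    single NAT address share one counter and can look like a scanner;
##    raise the counts if that applies to you.
##  * Later Snort 2.x releases deprecate the "threshold" rule option in
##    favour of detection_filter/event_filter; the arguments carry over
##    unchanged if you need to convert.

#### For a small snort.conf (example start)
#var SIP_PROXYS [192.168.1.0/24,192.168.20.0/24]
#var SIP_PROXY_PORTS 5060
#preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
#                             track_udp yes
#preprocessor stream5_tcp: policy linux, use_static_footprint_sizes, \
#                          ports both 5060
#preprocessor stream5_udp: timeout 120,ignore_any_rules
#config classification: attempted-user,Attempted User Privilege Gain,1
#### (example end)

# Enumeration using OPTIONS
# SIP method tokens are case-sensitive (RFC 3261), so no "nocase"; the
# content is anchored to the start of the payload via "depth".
# Note: many phones send OPTIONS keep-alives; 30 in 3 s from one
# source is well above normal keep-alive rates.
alert tcp any any -> $SIP_PROXYS $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; flow:to_server,established; content:"OPTIONS"; depth:7; threshold: type both, track by_src, count 30, seconds 3; classtype:attempted-user; sid:5000001; rev:1;)
alert udp any any -> $SIP_PROXYS $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; flow:to_server; content:"OPTIONS"; depth:7; threshold: type both, track by_src, count 30, seconds 3; classtype:attempted-user; sid:5000002; rev:1;)

# Enumeration using REGISTER
alert tcp any any -> $SIP_PROXYS $SIP_PROXY_PORTS (msg:"REGISTER SIP scan"; flow:to_server,established; content:"REGISTER"; depth:8; threshold: type both, track by_src, count 30, seconds 3; classtype:attempted-user; sid:5000003; rev:1;)
alert udp any any -> $SIP_PROXYS $SIP_PROXY_PORTS (msg:"REGISTER SIP scan"; flow:to_server; content:"REGISTER"; depth:8; threshold: type both, track by_src, count 30, seconds 3; classtype:attempted-user; sid:5000004; rev:1;)

# Enumeration using INVITE
alert tcp any any -> $SIP_PROXYS $SIP_PROXY_PORTS (msg:"INVITE SIP scan"; flow:to_server,established; content:"INVITE"; depth:6; threshold: type both, track by_src, count 30, seconds 3; classtype:attempted-user; sid:5000005; rev:1;)
alert udp any any -> $SIP_PROXYS $SIP_PROXY_PORTS (msg:"INVITE SIP scan"; flow:to_server; content:"INVITE"; depth:6; threshold: type both, track by_src, count 30, seconds 3; classtype:attempted-user; sid:5000006; rev:1;)

# Excessive number of SIP 4xx responses can indicate a user/password
# brute-force attack (e.g. a run of 401/403/404/407 from the proxy).
# The status line is matched from the start of the payload; the "." in
# "SIP/2.0" is escaped so the pattern only matches a real SIP version.
# Caveat: on a proxy that requires authentication, every legitimate
# REGISTER/INVITE first receives a 401/407 challenge, so busy proxies
# will need a higher count than 10 in 6 s to stay quiet.
# Tracking is by_src, i.e. per responding proxy, not per attacker; use
# "track by_dst" if you would rather count responses per remote host.
alert tcp $SIP_PROXYS $SIP_PROXY_PORTS -> any any (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; flow:from_server,established; pcre:"/^SIP\/2\.0 4\d{2}/"; threshold: type both, track by_src, count 10, seconds 6; classtype:attempted-user; sid:5000007; rev:2;)
alert udp $SIP_PROXYS $SIP_PROXY_PORTS -> any any (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; flow:from_server; pcre:"/^SIP\/2\.0 4\d{2}/"; threshold: type both, track by_src, count 10, seconds 6; classtype:attempted-user; sid:5000008; rev:2;)

# Large number of ringing phones can indicate a ghost call attack.
# Adjust to fit your needs. Default: 100 rings in 1 minute
# (How many phones do you have? and how many do you think will call at once?)
# Possible SIP responses (depend on your HW/SW/configuration) might be 100/180/183 etc.
# Asterisk might use: "SIP/2.0 100 Trying"
# SIP Express Router might use: "SIP/2.0 180 Ringing"
# Snort, tcpdump or wireshark might be your friend here, but you need to
# set the matching content for YOUR network.
#
# "SIP/2.0 180" is a response, so it travels FROM the ringing phone/PBX
# (in $SIP_PROXYS) TO the caller. The header direction below matches that
# and agrees with "flow:from_server" (the earlier version had the header
# pointing at the proxy, which contradicts from_server and cannot match a
# response). The counter is tracked by_dst so that rings caused by one
# scanning source are added up across all the phones it hit; switch to
# by_src if you only want to count rings emitted by a single PBX.
alert tcp $SIP_PROXYS $SIP_PROXY_PORTS -> any any (msg:"Ghost call attack"; flow:from_server,established; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_dst, count 100, seconds 60; classtype:attempted-user; sid:5000009; rev:2;)
alert udp $SIP_PROXYS $SIP_PROXY_PORTS -> any any (msg:"Ghost call attack"; flow:from_server; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_dst, count 100, seconds 60; classtype:attempted-user; sid:5000010; rev:2;)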