Deployment of Snort IDS in SIP based VoIP environments
Jiří Markl
Jaroslav Dočkal
Motivation and targets
Evident advantages of VoIP
The same level of availability as in PSTN
DoS attacks on SIP infrastructure
Attacks identification
Applicability of Snort IDS for attack detection
Identified attacks
Attacks to SIP proxies
Common TCP/IP attacks
Direct attacks (Teardrop, Ping of Death, SYN Flood)
Indirect attacks (Smurf attack)
Other TCP floods (STREAM attack, Null flood)
Distributed denial of service
Attacks using specific SIP vulnerabilities
Attacks to contributing services
DNS, ENUM
Application servers
SIP specific attacks
Brute force attack using INVITE messages
alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
(msg:"INVITE message flooding"; content:"INVITE"; depth:6; \
threshold: type both, track by_src, count 200, seconds 60; \
sid:1000100; rev:1;)
# Suppression of alerting for the known proxy 147.32.121.12
suppress gen_id 1, sig_id 1000100, track by_src, ip 147.32.121.12
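The threshold and suppress semantics the INVITE flooding rule relies on, as an added Python emulation that is not part of the slides: the proxy address 10.0.0.1, port 5060 and all packets are constructed stand-ins for $SIP_PROXY_IP, $SIP_PROXY_PORTS and real traffic.

```python
PROXY_IP = "10.0.0.1"     # stands in for $SIP_PROXY_IP (constructed value)
PROXY_PORTS = {5060}      # stands in for $SIP_PROXY_PORTS (constructed value)


def sip_threshold_alerts(packets, pattern, depth, count, seconds,
                         proxy_ip=PROXY_IP, proxy_ports=PROXY_PORTS, suppress=()):
    """Emulate one rule of the form
    content:<pattern>; depth:<depth>; threshold: type both, track by_src, count N, seconds M
    plus an optional 'suppress ... track by_src, ip X' line.
    packets: iterable of (timestamp_s, src_ip, dst_ip, dst_port, payload_bytes).
    Returns the (timestamp, src_ip) pairs at which Snort would raise the alert."""
    state = {}   # src_ip -> [window_start, matches_in_window, already_alerted]
    alerts = []
    for ts, src, dst, dport, payload in packets:
        # rule header: any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS
        if dst != proxy_ip or dport not in proxy_ports:
            continue
        # content match restricted to the first `depth` bytes of the payload
        if pattern not in payload[:depth]:
            continue
        # 'suppress' drops the event for the listed source before thresholding
        if src in suppress:
            continue
        win = state.get(src)
        if win is None or ts - win[0] >= seconds:
            win = state[src] = [ts, 0, False]      # start a fresh window
        win[1] += 1
        # type both: alert once per window after `count` matches, then stay quiet
        if win[1] >= count and not win[2]:
            win[2] = True
            alerts.append((ts, src))
    return alerts


def invite_flood_alerts(packets, count=200, seconds=60, suppress=("147.32.121.12",)):
    """The INVITE flooding rule from the slides: content:"INVITE"; depth:6; count 200 per 60 s."""
    return sip_threshold_alerts(packets, b"INVITE", 6, count, seconds, suppress=suppress)


def sample_traffic():
    """Constructed packets, not a real capture: a burst from 192.0.2.7, the same burst from the
    suppressed peer proxy 147.32.121.12, two non-matching packets, then a burst after the window."""
    invite = b"INVITE sip:bob@example.org SIP/2.0\r\n"
    pkts = [(10 + i, "192.0.2.7", PROXY_IP, 5060, invite) for i in range(4)]
    pkts += [(10 + i, "147.32.121.12", PROXY_IP, 5060, invite) for i in range(4)]
    pkts.append((15, "192.0.2.7", PROXY_IP, 5060, b"BYE sip:bob@example.org SIP/2.0\r\n"))
    pkts.append((16, "192.0.2.7", PROXY_IP, 8080, invite))   # wrong port: header does not match
    pkts += [(80 + i, "192.0.2.7", PROXY_IP, 5060, invite) for i in range(3)]
    return pkts
```

With the production count of 200 the sample traffic is silent; lowering `count` to 3 shows one alert per 60 s window per source, and the suppressed peer proxy never alerts.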
Denial of service utilizing REGISTER messages
SIP specific attacks – continuation
Tearing down sessions
Denial of service utilizing responses
Bye, Cancel
3xx, 4xx, 5xx, 6xx
Using message amplification to cause the DoS
loops
forking
SIP specific attacks – continuation
Brute force authentication attack
401 Unauthorized
407 Proxy Authentication Required
# 401/407 responses are emitted by the proxy, so match traffic leaving it
# and count responses per client (the original rule copied the INVITE header and msg)
alert ip $SIP_PROXY_IP $SIP_PROXY_PORTS -> any any \
(msg:"401 Unauthorized response flooding"; \
content:"SIP/2.0 401 Unauthorized"; depth:24; \
threshold: type both, track by_dst, count 100, seconds 60; \
sid:1000600; rev:1;)
SIP specific attacks – continuation
Attacks using SQL injection
Using unresolvable DNS names
# Byte 3 of the DNS header carries the RCODE; 0x83 = RA set, RCODE 3 (NXDOMAIN, "No such name")
alert udp $DNS_SERVERS 53 -> $SIP_PROXY_IP any \
(msg:"DNS No such name threshold"; \
content:"|83|"; offset:3; depth:1; \
threshold: type both, track by_src, count 2000, seconds 60; \
sid:1000400; rev:1;)
Snort usage conclusions
Advantages
Based on existing OpenSource solution
SIP proxy independent
Can be used for detection of various attacks and known exploits – lots of rules available
Can be used for detection of misconfigurations in the SIP network
Drawbacks
Problems with secured connections (TLS)
Usable only for simple detection
SIP rules published on Snort.org
The developed rules can be obtained from Snort.org within the current Community Rules set:
http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz
Thanks.