Deployment of Snort IDS in SIP based VoIP environments
Jiří Markl, Jaroslav Dočkal
Motivation and targets
  • Evident advantages of VoIP
  • The same level of availability as in PSTN
  • DoS attacks on SIP infrastructure
  • Attacks identification
  • Applicability of Snort IDS for attacks detection
Identified attacks
  • Attacks to SIP proxies
    • Common TCP/IP attacks
      • Direct attacks (Teardrop, Ping of Death, SYN Flood)
      • Indirect attacks (Smurf attack)
      • Other TCP floods (STREAM attack, Null flood)
      • Distributed denial of service
    • Attacks using specific SIP vulnerabilities
  • Attacks to contributing services
    • DNS, ENUM
    • Application servers
SIP specific attacks
  • Brute force attack using Invite messages
  • Denial of service utilizing Register message

# Fires once per 60 s window when one source sends 200 or more INVITEs
# towards the proxy (threshold type "both": alert on the 200th match,
# then stay silent for the rest of the window).
alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
    (msg:"INVITE message flooding"; content:"INVITE"; depth:6; \
    threshold: type both, track by_src, count 200, seconds 60; \
    sid:1000100; rev:1;)

# Suppression of alerting for the known proxy 147.32.121.12
suppress gen_id 1, sig_id 1000100, track by_src, ip 147.32.121.12

SIP specific attacks – continuation
  • Tearing down sessions
    • Bye, Cancel
  • Denial of service utilizing responses
    • 3xx, 4xx, 5xx, 6xx
  • Using message amplification to cause the DoS
    • loops
    • forking
SIP specific attacks – continuation
  • Brute force authentication attack
    • 401 Unauthorized
    • 407 Proxy Authentication Required

# Fires once per 60 s window when 100 or more "401 Unauthorized" responses
# are seen from one source, i.e. a client repeatedly failing authentication.
# The msg text is the one from the slide; the content match is what
# actually selects the 401 responses.
alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
    (msg:"INVITE message flooding"; \
    content:"SIP/2.0 401 Unauthorized"; depth:24; \
    threshold: type both, track by_src, count 100, seconds 60; \
    sid:1000600; rev:1;)

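The two rules above depend on Snort's "threshold: type both, track by_src" semantics plus the suppress line for the known proxy. The following is an added Python model of that behaviour (not code from the slides or from Snort), fed with constructed SIP first lines, so the alert volume of such rules can be reasoned about before they are deployed:

```python
# Rule table mirroring the slides: (sid, first-line prefix, count, seconds).
RULES = [
    (1000100, b"INVITE", 200, 60),                    # INVITE flooding
    (1000600, b"SIP/2.0 401 Unauthorized", 100, 60),  # auth brute force
]
# Equivalent of the "suppress gen_id 1, sig_id 1000100 ... ip 147.32.121.12" line.
SUPPRESS = {1000100: {"147.32.121.12"}}

class ThresholdDetector:
    """Per (sid, src) counters with Snort 'threshold: type both' semantics:
    count matches within a window of `seconds`; fire once when `count` is
    reached and stay silent for the rest of that window."""
    def __init__(self):
        self.state = {}  # (sid, src) -> [window_start, matches, fired]

    def feed(self, src, ts, payload):
        """Process one packet; returns the list of SIDs that alert on it."""
        alerts = []
        for sid, prefix, count, seconds in RULES:
            if not payload.startswith(prefix) or src in SUPPRESS.get(sid, ()):
                continue
            st = self.state.get((sid, src))
            if st is None or ts - st[0] >= seconds:
                st = self.state[(sid, src)] = [ts, 0, False]
            st[1] += 1
            if st[1] >= count and not st[2]:
                st[2] = True
                alerts.append(sid)
        return alerts

def run_burst(det, src, start_ts, n, payload, gap=0.01):
    """Send n copies of payload from src starting at start_ts; returns the
    1-based packet indexes on which each SID fired."""
    fired = []
    for i in range(n):
        for sid in det.feed(src, start_ts + i * gap, payload):
            fired.append((i + 1, sid))
    return fired

# Constructed sample messages (only the first line matters for these rules).
INVITE = b"INVITE sip:bob@example.org SIP/2.0\r\n"
UNAUTH = b"SIP/2.0 401 Unauthorized\r\n"

if __name__ == "__main__":
    det = ThresholdDetector()
    print(run_burst(det, "10.0.0.5", 0, 250, INVITE))       # [(200, 1000100)]
    print(run_burst(det, "147.32.121.12", 0, 250, INVITE))  # [] (suppressed)
    print(run_burst(det, "10.0.0.8", 0, 250, INVITE, gap=1.0))  # [] (slow rate)
```

The last call shows the trade-off of a fixed window: 250 INVITEs spread over 250 seconds never reach 200 within any 60 s window, so a slow flood stays below the rule.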
SIP specific attacks – continuation
  • Attacks using SQL injection
  • Using unresolvable DNS names

# Byte 3 of the DNS header holds RA, Z and RCODE; 0x83 means RA set and
# RCODE 3 (Name Error / NXDOMAIN). Fires once per 60 s window when a proxy
# receives 2000 or more such answers from one DNS server.
alert udp $DNS_SERVERS 53 -> $SIP_PROXY_IP any \
    (msg:"DNS No such name threshold"; \
    content:"|83|"; offset:3; depth:1; \
    threshold: type both, track by_src, count 2000, seconds 60; \
    sid:1000400; rev:1;)

Snort usage conclusions
  • Advantages
    • Based on existing OpenSource solution
    • SIP proxy independent
    • Can be used for detection of various attacks and known exploits – lots of rules available
    • Can be used for detection of misconfigurations in SIP network
  • Drawbacks
    • Problems with secured connections (TLS)
    • Usable only for simple detection
SIP rules published on Snort.org

The developed rules can be obtained from Snort.org within the current Community Rules set:

http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz