Sunday, February 17, 2008

Detecting SIP attacks with Snort

Update: Put the snort rules here for easy download.

Protecting the network from VoIP threats is only half of the story. The rest involves detecting that your systems are under attack. Intrusion Detection Systems such as Snort can be configured to help with this task. Currently one can find some SIP related rules in the latest Community Snort Rules. These rules are able to detect attacks (generated with tools like svwar and svcrack) that produce a large number of INVITE or REGISTER SIP requests, as well as a large number of "401 Unauthorized" SIP responses.

In this post we present some extra snort rules that are not yet available in any public Snort ruleset (i.e. a SIPVicious exclusive ;-)).

Rule for alerting on an OPTIONS scan or flood attack:
alert ip any any -> $HOME_NET $SIP_PROXY_PORTS \
(msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; \
threshold: type both, track by_src, count 30, seconds 3; \
sid:5000004; rev:1;)

The above rule detects svmap when it is launched against 30 or more hosts: svmap sends one OPTIONS request per host, so a default scan of a class C puts well over 30 OPTIONS requests from a single source on the wire within the 3-second window. With threshold type both, Snort raises one alert per source when the 30th OPTIONS request arrives and then stays quiet for that source until the 3 seconds are up, so a flood produces one alert per interval rather than one alert per packet.

Detecting 4xx SIP responses:
alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
(msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; \
pcre:"/^SIP\/2\.0 4\d{2}/"; \
threshold: type both, track by_src, count 100, seconds 60; \
sid:5000009; rev:1;)

A large number of 4xx SIP responses usually indicates an ongoing attack. Responses in the 4xx class are "Client Error" responses, such as "404 Not Found" or "403 Forbidden", and they are generated in bulk when an extension enumeration or password bruteforce attack is underway. Mind the direction in the rule header: a SIP server sends 4xx responses towards the client, so as written the rule counts responses arriving at $SIP_PROXY_IP (for example a proxy relaying responses from a registrar behind it). To count the responses your own proxy sends back to an attacker, reverse the header to $SIP_PROXY_IP $SIP_PROXY_PORTS -> any any and track by_dst instead.

Detecting ghost calls:
alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
(msg:"Ghost call attack"; \
content:"SIP/2.0 180"; depth:11; \
threshold: type both, track by_src, count 100, seconds 60; \
sid:5000010; rev:1;)

A large number of ringing phones, say 100 "180 Ringing" responses in 1 minute, indicates that something is wrong on most IP phone networks ;-) Note that every rule needs its own sid: the ghost call rule must not reuse the sid of the 4xx rule, otherwise the two collide in the ruleset.
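All three rules are the same mechanism: a cheap match on the SIP start line, counted per source with Snort's threshold keyword. The following Python, added here as a worked example and not code from this post, from Snort or from SIPVicious, reimplements that matching and the "type both" threshold semantics and replays constructed SIP traffic through it (RFC 5737 and RFC 1918 addresses, no real capture). It also shows the evasion case: the same 40-host sweep slowed to one OPTIONS every 0.2 seconds never reaches 30 requests in any 3-second window and raises nothing. Rule-header filtering by address and port is left out, and the helper names (burst, svmap_sweep, svwar_responses, ghost_calls, benign) and the shortened 4xx alert message are this example's own.

```python
import re


class ThresholdBoth:
    """Snort 'threshold: type both, track by_src, count N, seconds T'.

    Alerts once when the N-th matching packet from a source falls inside a
    T-second window, then stays quiet for that source until the window expires.
    """

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.state = {}  # src -> [window_start, hits_in_window, already_alerted]

    def hit(self, src, ts):
        st = self.state.get(src)
        if st is None or ts - st[0] >= self.seconds:
            st = self.state[src] = [ts, 0, False]  # open a new window for this source
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True
        return False


def build_rules():
    """Fresh (msg, start-line predicate, threshold) triples for the three rules above."""
    return [
        ("OPTIONS SIP scan",
         lambda line: line.startswith("OPTIONS"),                       # content:"OPTIONS"; depth:7
         ThresholdBoth(30, 3)),
        ("Excessive number of SIP 4xx Responses",                       # message shortened here
         lambda line: re.match(r"^SIP/2\.0 4\d{2}", line) is not None,  # the pcre above
         ThresholdBoth(100, 60)),
        ("Ghost call attack",
         lambda line: line.startswith("SIP/2.0 180"),                   # content:"SIP/2.0 180"; depth:11
         ThresholdBoth(100, 60)),
    ]


def run_rules(packets):
    """Replay (ts, src, dst, start_line) packets in time order; return (msg, src, ts) alerts.

    Rule-header filtering ($HOME_NET, $SIP_PROXY_IP, ports) is left out: every packet
    is assumed to already match the header, so only content and threshold apply.
    """
    rules = build_rules()
    alerts = []
    for ts, src, _dst, line in sorted(packets, key=lambda p: p[0]):
        for msg, matches, threshold in rules:
            if matches(line) and threshold.hit(src, ts):
                alerts.append((msg, src, round(ts, 3)))
    return alerts


# --- constructed traffic (RFC 5737 / RFC 1918 addresses, not a real capture) ---
ATTACKER, PROXY = "192.0.2.10", "10.0.0.1"


def burst(line, src, dst, n, gap, start=0.0):
    """n copies of one SIP start line from src to dst, one every `gap` seconds."""
    return [(start + i * gap, src, dst, line) for i in range(n)]


def svmap_sweep(gap):
    """svmap-style OPTIONS probe of 40 hosts, one request every `gap` seconds."""
    return [(i * gap, ATTACKER, "10.0.0.%d" % (i + 2),
             "OPTIONS sip:10.0.0.%d SIP/2.0" % (i + 2)) for i in range(40)]


def fast_svmap_sweep():   # 40 hosts in 0.4 s: the 30th OPTIONS at t=0.29 trips the rule once
    return svmap_sweep(0.01)


def slow_svmap_sweep():   # one OPTIONS every 0.2 s: at most 15 per 3 s window, no alert
    return svmap_sweep(0.2)


def svwar_responses():    # proxy answering an extension sweep: 150 x "404 Not Found" in 15 s
    return burst("SIP/2.0 404 Not Found", PROXY, ATTACKER, 150, 0.1)


def ghost_calls():        # 120 phones ringing within 30 s, their 180s relayed by the proxy
    return burst("SIP/2.0 180 Ringing", PROXY, ATTACKER, 120, 0.25)


def benign():             # a phone registering every 30 s and the proxy's 200 OKs
    return (burst("REGISTER sip:10.0.0.1 SIP/2.0", "10.0.0.50", PROXY, 3, 30)
            + burst("SIP/2.0 200 OK", PROXY, "10.0.0.50", 3, 30, start=0.05))


if __name__ == "__main__":
    for alert in run_rules(fast_svmap_sweep() + svwar_responses() + ghost_calls() + benign()):
        print(alert)
    print("slow sweep alerts:", run_rules(slow_svmap_sweep()))
```

The fast sweep produces exactly one "OPTIONS SIP scan" alert (at the 30th request, t=0.29 s) and the slow one produces none, which is the same effect the timing options of svmap have against the real rule; raising the count or the window in the rule trades that evasion window against false positives from legitimate OPTIONS keepalives.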


CG said...

Well, I hope you now put in a way to break that class C into 29 host blocks for svmap ;-)

IDS evasion is always fun and necessary.

sandro said...

Definitely necessary, which is why there's the randomscan option and the timing options ;-)

I think that those would avoid detection... does that satisfy you?

CG said...

You're a true saint, Sandro.