Saturday, March 15, 2008

Using OSSEC to detect attacks on an Asterisk box

This post follows on from the previous post, which describes how to configure snort to detect SIP attacks. This time we look at detecting attacks at the PBX's end rather than by monitoring network traffic. OSSEC allows us to do just this - it is a host intrusion detection system that can match patterns in log files and actively react to attacks.

By default OSSEC does not have support for Asterisk. To add this functionality, place a new XML file called asterisk.xml in the OSSEC rules directory (typically /var/ossec/rules/). This file contains rules for the following violations:
  • User/Extension enumeration
  • Password cracking attacks
The actual rules file can be downloaded here.

This rules file needs to be referenced from the main configuration usually found in /var/ossec/etc/ossec.conf. This can be done by adding the following line to this file:

<include>asterisk.xml</include>

Then we need to add a decoder entry so that OSSEC can extract the offending IP address. This is done by adding the section below to the decoder definition file, usually found at /var/ossec/etc/decoder.conf:

<decoder name="asterisk">
  <program_name>^asterisk</program_name>
</decoder>

<decoder name="asterisk-denied">
  <parent>asterisk</parent>
  <prematch>Registration from </prematch>
  <regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
  <order>srcip</order>
</decoder>

Do not forget to restart OSSEC. This is typically done by executing the following command:
/etc/init.d/ossec restart
Finally, it is important to make sure that Asterisk is configured to log to syslog and then restarted. The next commands to execute are:
echo "syslog.local0 => notice,warning,error" >> /etc/asterisk/logger.conf

/etc/init.d/asterisk restart
Note: Check out Laureano's post on how to just reload the logger configuration.

That's it. Note that this has been tested on a Trixbox VM and your Asterisk configuration might require some modifications since it appears that Asterisk log files are not so standard.

Oh, and to test these rules you can obviously use SIPVicious tool suite ;-)

2 comments:

Laureano said...

A better way to reload the Asterisk logger configuration file is by using the following command from the Asterisk CLI:
* logger reload

sandro said...

thanks - updated the blog post to point towards your comment