Deployment of Snort IDS in SIP based VoIP environments
Jiří Markl
Jaroslav Dočkal
Motivation and targets
- Evident advantages of VoIP
- The same level of availability as in PSTN
- DoS attacks on SIP infrastructure
- Attacks identification
- Applicability of Snort IDS for attacks detection
Identified attacks
- Attacks to SIP proxies
  - Common TCP/IP attacks
    - Direct attacks (Teardrop, Ping of Death, SYN Flood)
    - Indirect attacks (Smurf attack)
    - Other TCP floods (STREAM attack, Null flood)
    - Distributed denial of service
  - Attacks using specific SIP vulnerabilities
- Attacks to contributing services
  - DNS, ENUM
  - Application servers
SIP specific attacks
- Brute force attack using Invite messages
- Denial of service utilizing Register message

```
alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
    (msg:"INVITE message flooding"; content:"INVITE"; depth:6; \
    threshold: type both, track by_src, count 200, seconds 60; \
    sid:1000100; rev:1;)

# Suppression of alerting for known proxy 147.32.121.12
suppress gen_id 1, sig_id 1000100, track by_src, ip 147.32.121.12
```
SIP specific attacks – continuation
- Tearing down sessions: Bye, Cancel
- Denial of service utilizing responses: 3xx, 4xx, 5xx, 6xx
- Using message amplification to cause the DoS: loops, forking
SIP specific attacks – continuation
- Brute force authentication attack: 401 Unauthorized, 407 Proxy Authentication Required

```
alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
    (msg:"401 Unauthorized response flooding"; \
    content:"SIP/2.0 401 Unauthorized"; depth:24; \
    threshold: type both, track by_src, count 100, seconds 60; \
    sid:1000600; rev:1;)
```
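Both flooding rules above (INVITE, sid 1000100, and 401 Unauthorized, sid 1000600) rely on the same `threshold: type both, track by_src` semantics plus the `suppress` list. As an added example that is not part of the slides, the Python below emulates that logic for the INVITE rule over constructed SIP traffic; the source addresses (198.51.100.7, 203.0.113.4), the suppressed proxy address 192.0.2.10 and the packet timing are all constructed.

```python
"""Emulate the slides' INVITE-flooding rule (content:"INVITE"; depth:6;
threshold: type both, track by_src, count 200, seconds 60) and its
suppress line over constructed SIP traffic. Not the authors' code."""

SID, MSG, COUNT, SECONDS = 1000100, "INVITE message flooding", 200, 60
# suppress gen_id 1, sig_id 1000100, track by_src, ip <known proxy>
# 192.0.2.10 is a constructed documentation address, not the slides' proxy.
SUPPRESSED = {SID: {"192.0.2.10"}}

class BothThreshold:
    """Snort 'type both': one alert per window once `count` matches are seen."""
    def __init__(self, count: int, seconds: float):
        self.count, self.seconds = count, seconds
        self.windows = {}   # src -> [window_start, hits]

    def observe(self, src: str, ts: float) -> bool:
        w = self.windows.get(src)
        if w is None or ts - w[0] >= self.seconds:
            w = self.windows[src] = [ts, 0]   # first hit opens a new window
        w[1] += 1
        return w[1] == self.count   # fires exactly once per window, then silent

def matches_invite(payload: bytes) -> bool:
    """content:"INVITE"; depth:6 -> the pattern must sit in the first 6 bytes."""
    return b"INVITE" in payload[:6]

def run_sensor(packets):
    """packets: iterable of (timestamp, src_ip, payload); returns fired alerts."""
    th, alerts = BothThreshold(COUNT, SECONDS), []
    for ts, src, payload in packets:
        if not matches_invite(payload) or src in SUPPRESSED[SID]:
            continue   # non-matching packet, or source on the suppress list
        if th.observe(src, ts):
            alerts.append((ts, src, MSG))
    return alerts

def sample_traffic():
    """Constructed traffic: flooder, suppressed proxy, normal user, non-INVITE noise."""
    invite = b"INVITE sip:bob@example.net SIP/2.0\r\n"
    register = b"REGISTER sip:example.net SIP/2.0\r\n"
    pkts = [(i * 0.25, "198.51.100.7", invite) for i in range(600)]   # 4 INVITE/s
    pkts += [(i * 0.1, "192.0.2.10", invite) for i in range(300)]     # known proxy
    pkts += [(i * 10.0, "203.0.113.4", invite) for i in range(5)]     # normal user
    pkts += [(i * 0.5, "198.51.100.7", register) for i in range(50)]  # not counted
    return sorted(pkts)

if __name__ == "__main__":
    for ts, src, msg in run_sensor(sample_traffic()):
        print(f"[1:{SID}:1] {msg} from {src} at t={ts}s")
```

The flooder produces two alerts (one per 60 s window, at t=49.75 s and t=109.75 s) while the suppressed proxy, which sends even more INVITEs, produces none.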
SIP specific attacks – continuation
- Attacks using SQL injection
- Using unresolvable DNS names

```
# |83| at offset 3 is the DNS flags byte with RCODE 3 (No such name / NXDOMAIN)
alert udp $DNS_SERVERS 53 -> $SIP_PROXY_IP any \
    (msg:"DNS No such name threshold"; \
    content:"|83|"; offset:3; depth:1; \
    threshold: type both, track by_src, count 2000, seconds 60; \
    sid:1000400; rev:1;)
```
Snort usage conclusions
- Advantages
  - Based on existing OpenSource solution
  - SIP proxy independent
  - Can be used for detection of various attacks and known exploits – lots of rules available
  - Can be used for detection of misconfigurations in SIP network
- Drawbacks
  - Problems with secured connections (TLS)
  - Usable only for simple detection
SIP rules published on Snort.org
Developed rules can be obtained from Snort.org within the current Community Rules set:
http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz
Thanks.