Presentation is loading. Please wait.

Presentation is loading. Please wait.

Deployment of Snort IDS in SIP based VoIP environments Jiří Markl Jaroslav Dočkal.

Published byTheodore Robinson Modified over 8 years ago

Similar presentations

Presentation on theme: "Deployment of Snort IDS in SIP based VoIP environments Jiří Markl Jaroslav Dočkal."— Presentation transcript:

1 Deployment of Snort IDS in SIP based VoIP environments Jiří Markl Jaroslav Dočkal

2 Motivation and targets Evident advantages of VoIP The same level of availability as in PSTN DoS attacks on SIP infrastructure Attacks identification Applicability of Snort IDS for attacks detection

3 Identified attacks Attacks to SIP proxies Common TCP/IP attacks Direct attacks (Teardrop, Ping of Death, SYN Flood) Indirect attacks (Smurf attack) Other TCP floods (STREAM attack, Null flood) Distributed denial of service Attacks using specific SIP vulnerabilities Attacks to contributing services DNS, ENUM Application servers

4 SIP specific attacks Brute force attack using Invite messages Denial of service utilizing Register message alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \ (msg:"INVITE message flooding"; content:"INVITE"; depth:6; \ threshold: type both, track by_src, count 200, seconds 60; \ sid:1000100; rev:1;) #Suppresion of alerting for known proxy 147.32.121.12 suppress gen_id 1, sig_id 1000100, track by_src, ip 147.32.121.12

5 SIP specific attacks – continuation Tearing down sessions Bye, Cancel Denial of service utilizing responses 3xx, 4xx, 5xx, 6xx Using message amplification to cause the DoS loops forking

6 SIP specific attacks – continuation Brute force authentication attack 401 Unauthorized 407 Proxy Authentication Required alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \ (msg:"INVITE message flooding"; \ content:"SIP/2.0 401 Unauthorized"; depth:24; \ threshold: type both, track by_src, count 100, seconds 60; \ sid:1000600; rev:1;)

7 SIP specific attacks – continuation Attacks using SQL injection Using unresolvable DNS names alert udp $DNS_SERVERS 53 -> $SIP_PROXY_IP any \ msg:"DNS No such name treshold"; \ content:"|83|"; offset:3; depth:1; \ threshold: type both, track by_src, count 2000, seconds 60; \ sid:1000400; rev:1;)

8 Snort usage conclusions Advantages Based on existing OpenSource solution SIP proxy independent Can be used for detection of various attacks and known exploits – lots of rules available Can be used for detection of misconfigurations in SIP network Drawbacks Problems with secured connections (TLS) Usable only for simple detection

9 SIP rules published on Snort.org Developed rules can be obtained from Snort.org within current Community Rules set. http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/ Community-Rules-CURRENT.tar.gz

10 Thanks.

Download ppt "Deployment of Snort IDS in SIP based VoIP environments Jiří Markl Jaroslav Dočkal."

Similar presentations

Denial of Service on SIP VoIP Infrastructures Using DNS Flooding

Denial of Service on SIP VoIP Infrastructures Using DNS Flooding
Fraunhofer FOKUS 2007 VoIP Defender The Future of VoIP Protection Fraunhofer FOKUS Institute, Germany.

Fraunhofer FOKUS 2007 VoIP Defender The Future of VoIP Protection Fraunhofer FOKUS Institute, Germany.
Voice Security Interop 2009 Mark D. Collier SecureLogix Corporation

Voice Security Interop 2009 Mark D. Collier SecureLogix Corporation
Denial of Service By: Samarth Shah and Navin Soni.

Denial of Service By: Samarth Shah and Navin Soni.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Tom Behrens Adam Muniz. Overview What is VoIP SIP Sessions H.323 Examples Problems.

Tom Behrens Adam Muniz. Overview What is VoIP SIP Sessions H.323 Examples Problems.
A Hybrid and Cross-Protocol Architecture with Semantics and Syntax Awareness to Improve Intrusion Detection Efficiency in Voice over IP Environments Department.

A Hybrid and Cross-Protocol Architecture with Semantics and Syntax Awareness to Improve Intrusion Detection Efficiency in Voice over IP Environments Department.
The study and demonstration on SIP security vulnerabilities Mahidhar Penigi Vamsi Krishna Karnati.

The study and demonstration on SIP security vulnerabilities Mahidhar Penigi Vamsi Krishna Karnati.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Check Point DDoS Protector June 2012.

©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Check Point DDoS Protector June 2012.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
September 19, 2006speermint interim1 VoIP Threats and Attacks Alan Johnston.

September 19, 2006speermint interim1 VoIP Threats and Attacks Alan Johnston.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Distributed Denial of Service Attacks CMPT 471 1 Distributed Denial of Service Attacks Darius Law.

Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,

Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,
Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,

Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Similar presentations

Ads by Google