aboutsummaryrefslogtreecommitdiffstats
path: root/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules
diff options
context:
space:
mode:
authorrobiscool <robrob2626@yahoo.com>2009-09-08 03:15:14 -0700
committerrobiscool <robrob2626@yahoo.com>2009-09-08 03:15:14 -0700
commit8564f82412de9183210e8db7e37afa6066453d4d (patch)
tree1772d18b058dc42dc64b3d236244d675bbd2c7d9 /config/snort-dev/pfsense_rules/rules/pfsense-voip.rules
parentd65a69cda0fe97579f9e2328b62bd856c6a52914 (diff)
downloadpfsense-packages-8564f82412de9183210e8db7e37afa6066453d4d.tar.gz
pfsense-packages-8564f82412de9183210e8db7e37afa6066453d4d.tar.bz2
pfsense-packages-8564f82412de9183210e8db7e37afa6066453d4d.zip
snort-dev, replace snort2c with spoink, replace snort-mysql with barnyard2, add rule perl scrips, update Gsnort GUI, fix dboot-up issues
Diffstat (limited to 'config/snort-dev/pfsense_rules/rules/pfsense-voip.rules')
-rw-r--r--config/snort-dev/pfsense_rules/rules/pfsense-voip.rules11
1 files changed, 11 insertions, 0 deletions
diff --git a/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules b/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules
new file mode 100644
index 00000000..3142c0b6
--- /dev/null
+++ b/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules
@@ -0,0 +1,11 @@
+alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000004; rev:1;)
+# Excessive number of SIP 4xx Responses Does not work
+#### alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000008; rev:1;)
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000009; rev:1;)
+
+# Rule for alerting of INVITE flood attack:
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; sid:5000002; rev:1;)
+# Rule for alerting of REGISTER flood attack:
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; sid:5000005; rev:1;)
+# Threshold rule for unauthorized responses:
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; sid:5000008; rev:1;)