author | serg dvoriancev <dv_serg@mail.ru> | 2010-04-12 21:52:00 +0400 |
---|---|---|
committer | serg dvoriancev <dv_serg@mail.ru> | 2010-04-12 21:52:00 +0400 |
commit | 312f6a4827d742869daba0ebb186b6de5483379a (patch) | |
tree | 9285758224d8a53d519f7fab142629397e1ef13d /config/snort-old/pfsense_rules/rules/pfsense-voip.rules | |
parent | 8d8c3e1278c35aaf235710d07cbe6583337700d5 (diff) | |
parent | e8fa9505ad3c402bf4a5b5143842c0028382a658 (diff) | |
download | pfsense-packages-312f6a4827d742869daba0ebb186b6de5483379a.tar.gz pfsense-packages-312f6a4827d742869daba0ebb186b6de5483379a.tar.bz2 pfsense-packages-312f6a4827d742869daba0ebb186b6de5483379a.zip |
Merge branch 'master' of http://gitweb.pfsense.org/pfsense-packages/mainline
Diffstat (limited to 'config/snort-old/pfsense_rules/rules/pfsense-voip.rules')
-rw-r--r-- | config/snort-old/pfsense_rules/rules/pfsense-voip.rules | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/config/snort-old/pfsense_rules/rules/pfsense-voip.rules b/config/snort-old/pfsense_rules/rules/pfsense-voip.rules
new file mode 100644
index 00000000..12f2fdf2
--- /dev/null
+++ b/config/snort-old/pfsense_rules/rules/pfsense-voip.rules
@@ -0,0 +1,10 @@
+alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000001; rev:1;)
+# Excessive number of SIP 4xx Responses Does not work
+#### alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000002; rev:1;)
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000003; rev:1;)
+# Rule for alerting of INVITE flood attack:
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; sid:5000004; rev:1;)
+# Rule for alerting of REGISTER flood attack:
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; sid:5000005; rev:1;)
+# Threshold rule for unauthorized responses:
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; sid:5000006; rev:1;) |
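Review bot: The last rule (sid:5000006) reuses the message `INVITE message flooding` although its content match is `SIP/2.0 401 Unauthorized`, so an analyst triaging the alert is told about an INVITE flood when the rule actually counts rejected authentication attempts; the comment above it suggests `msg:"Excessive SIP 401 Unauthorized responses - possible credential guessing";`. The commented-out sid:5000002 is also carrying a malformed pattern: `pcre:"/^SIP\/2.0 4\d{2}"` has no closing `/` delimiter and leaves the `.` unescaped, which is likely why it is marked `Does not work`; `pcre:"/^SIP\/2\.0 4\d{2}/";` would at least parse. Both response-counting rules (sid:5000003 and sid:5000006) are written as `any -> $SIP_PROXY_IP`, i.e. they only see responses arriving at the proxy, so 401s the proxy itself sends to clients would presumably never be counted — worth confirming against the intended topology. Note too that sid:5000001 targets `$HOME_NET` while the others use `$SIP_PROXY_IP`, and neither `$SIP_PROXY_IP` nor `$SIP_PROXY_PORTS` is defined in this commit, so the file will not load unless the generated snort.conf declares them.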