diff options
| author | robiscool <robrob2626@yahoo.com> | 2010-03-31 19:02:32 -0700 |
|---|---|---|
| committer | robiscool <robrob2626@yahoo.com> | 2010-03-31 19:03:32 -0700 |
| commit | 844fbe052e814a4662dedcf3a09fbfcdb814801a (patch) | |
| tree | 1aaa04b143ea727331592d2be9e51648a1f2e0b6 /config/snort-old/pfsense_rules | |
| parent | 5ee5b0e0e604c8e5d998ac79392a3fa728fbebb1 (diff) | |
| download | pfsense-packages-844fbe052e814a4662dedcf3a09fbfcdb814801a.tar.gz pfsense-packages-844fbe052e814a4662dedcf3a09fbfcdb814801a.tar.bz2 pfsense-packages-844fbe052e814a4662dedcf3a09fbfcdb814801a.zip | |
snort-dev to snort, snort to snort-old, Release
Diffstat (limited to 'config/snort-old/pfsense_rules')
| -rw-r--r-- | config/snort-old/pfsense_rules/local.rules | 7 | ||||
| -rw-r--r-- | config/snort-old/pfsense_rules/pfsense_rules.tar.gz.md5 | 1 | ||||
| -rw-r--r-- | config/snort-old/pfsense_rules/rules/pfsense-voip.rules | 10 |
3 files changed, 18 insertions, 0 deletions
diff --git a/config/snort-old/pfsense_rules/local.rules b/config/snort-old/pfsense_rules/local.rules new file mode 100644 index 00000000..83a05f1b --- /dev/null +++ b/config/snort-old/pfsense_rules/local.rules @@ -0,0 +1,7 @@ +# ---------------- +# LOCAL RULES +# ---------------- +# This file intentionally does not come with signatures. Put your local +# additions here. Pfsense first install rule. Rule edit tabe fails with out this file. +# +#
\ No newline at end of file diff --git a/config/snort-old/pfsense_rules/pfsense_rules.tar.gz.md5 b/config/snort-old/pfsense_rules/pfsense_rules.tar.gz.md5 new file mode 100644 index 00000000..83d5bdae --- /dev/null +++ b/config/snort-old/pfsense_rules/pfsense_rules.tar.gz.md5 @@ -0,0 +1 @@ +10002
\ No newline at end of file diff --git a/config/snort-old/pfsense_rules/rules/pfsense-voip.rules b/config/snort-old/pfsense_rules/rules/pfsense-voip.rules new file mode 100644 index 00000000..12f2fdf2 --- /dev/null +++ b/config/snort-old/pfsense_rules/rules/pfsense-voip.rules @@ -0,0 +1,10 @@ +alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000001; rev:1;) +# Excessive number of SIP 4xx Responses Does not work +#### alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000002; rev:1;) +alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000003; rev:1;) +# Rule for alerting of INVITE flood attack: +alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; sid:5000004; rev:1;) +# Rule for alerting of REGISTER flood attack: +alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; sid:5000005; rev:1;) +# Threshold rule for unauthorized responses: +alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; sid:5000006; rev:1;) |