author | robiscool <robrob2626@yahoo.com> | 2009-09-30 03:25:18 -0700 |
---|---|---|
committer | robiscool <robrob2626@yahoo.com> | 2009-09-30 03:27:32 -0700 |
commit | 71a3b727a3121c2bd081fe1f657f9dbe563e7064 (patch) | |
tree | 1de60531e544e0abd7ea466500d65d8f7d39d4f4 /config/snort/pfsense_rules | |
parent | 7792770b047efb0e3c6c6d134658d1344c940831 (diff) | |
Push snort 1.6 to stable, fix some startup issues
Diffstat (limited to 'config/snort/pfsense_rules')
-rw-r--r-- | config/snort/pfsense_rules/local.rules | 7 | ||||
-rw-r--r-- | config/snort/pfsense_rules/pfsense_rules.tar.gz.md5 | 2 | ||||
-rw-r--r-- | config/snort/pfsense_rules/rules/pfsense-voip.rules | 11 |
3 files changed, 13 insertions, 7 deletions
diff --git a/config/snort/pfsense_rules/local.rules b/config/snort/pfsense_rules/local.rules
new file mode 100644
index 00000000..a9072733
--- /dev/null
+++ b/config/snort/pfsense_rules/local.rules
@@ -0,0 +1,7 @@
+# ----------------
+# LOCAL RULES
+# ----------------
+# This file intentionally does not come with signatures. Put your local
+# additions here. Pfsense first install rule. Rule edit tabe fails with out this file.
+#
+#
\ No newline at end of file
diff --git a/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5 b/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5
index 97a55e1d..0aede4a0 100644
--- a/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5
+++ b/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5
@@ -1 +1 @@
-101
\ No newline at end of file
+102
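Review bot: The closing comment of the new local.rules, `Rule edit tabe fails with out this file.`, has two typos and does not say what role the file plays for the person who will edit it; suggest `# pfSense first-install placeholder: the Rule edit tab fails without this file.` The file is also written without a trailing newline (`\ No newline at end of file`), which is harmless for a comment-only file but means anything that appends a local rule to it without first emitting a newline will glue that rule onto the last `#` line and silently comment it out. Ending the file with a newline avoids that failure mode at no cost.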
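Review bot: The new content of pfsense_rules.tar.gz.md5 is the bare integer `102` rather than a digest, so the file name promises an integrity check that the file cannot provide; any code that fetches the rules tarball and compares it against this value only learns a version number. The consumer of this file is outside the diff, so I cannot confirm how it uses the value; if it is only a version counter, a name such as `pfsense_rules.version` would make that explicit, and if the intent is to verify the downloaded archive, the file should hold an actual digest of the tarball and be obtained in a way the archive itself cannot tamper with.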
\ No newline at end of file
diff --git a/config/snort/pfsense_rules/rules/pfsense-voip.rules b/config/snort/pfsense_rules/rules/pfsense-voip.rules
index 3142c0b6..12f2fdf2 100644
--- a/config/snort/pfsense_rules/rules/pfsense-voip.rules
+++ b/config/snort/pfsense_rules/rules/pfsense-voip.rules
@@ -1,11 +1,10 @@
-alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000004; rev:1;)
+alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000001; rev:1;)
 # Excessive number of SIP 4xx Responses Does not work
-#### alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000008; rev:1;)
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000009; rev:1;)
-
+#### alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000002; rev:1;)
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000003; rev:1;)
 # Rule for alerting of INVITE flood attack:
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; sid:5000002; rev:1;)
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; sid:5000004; rev:1;)
 # Rule for alerting of REGISTER flood attack:
 alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; sid:5000005; rev:1;)
 # Threshold rule for unauthorized responses:
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; sid:5000008; rev:1;)
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; sid:5000006; rev:1;)
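Review bot: The last rule in the hunk still carries `msg:"INVITE message flooding"` while its content match is `SIP/2.0 401 Unauthorized`, so alerts from the new sid 5000006 are indistinguishable in the log from the real INVITE-flood rule (sid 5000004) and an analyst will misread a burst of 401s as an INVITE flood; since the sid is being rewritten on that line anyway, correct the message there too, e.g. `msg:"Excessive SIP 401 Unauthorized responses"`. The re-added, commented-out 4xx rule has `pcre:"/^SIP\/2.0 4\d{2}"` with no closing `/` delimiter, which would plausibly explain the `Does not work` comment above it; `pcre:"/^SIP\/2.0 4\d{2}/"` is the form Snort's pcre option expects, so it is worth fixing before the rule is ever re-enabled. A short comment at the top of the file noting that sids 5000001–5000006 were renumbered because the previous revision used sid 5000008 twice would save the next maintainer from reintroducing a collision.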