-rw-r--r--config/snort/pfsense_rules/local.rules7
-rw-r--r--config/snort/pfsense_rules/pfsense_rules.tar.gz.md51
-rw-r--r--config/snort/pfsense_rules/rules/pfsense-voip.rules10
3 files changed, 0 insertions, 18 deletions
diff --git a/config/snort/pfsense_rules/local.rules b/config/snort/pfsense_rules/local.rules
deleted file mode 100644
index 83a05f1b..00000000
--- a/config/snort/pfsense_rules/local.rules
+++ /dev/null
@@ -1,7 +0,0 @@
-# ----------------
-# LOCAL RULES
-# ----------------
-# This file intentionally does not come with signatures. Put your local
-# additions here. Pfsense first install rule. Rule edit tabe fails with out this file.
-#
-#
\ No newline at end of file
diff --git a/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5 b/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5
deleted file mode 100644
index d2e6fa4d..00000000
--- a/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5
+++ /dev/null
@@ -1 +0,0 @@
-"e8a95fd5f1b40e878fedeffd585134bb"
\ No newline at end of file
diff --git a/config/snort/pfsense_rules/rules/pfsense-voip.rules b/config/snort/pfsense_rules/rules/pfsense-voip.rules
deleted file mode 100644
index 12f2fdf2..00000000
--- a/config/snort/pfsense_rules/rules/pfsense-voip.rules
+++ /dev/null
@@ -1,10 +0,0 @@
-alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000001; rev:1;)
-# Excessive number of SIP 4xx Responses Does not work
-#### alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000002; rev:1;)
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000003; rev:1;)
-# Rule for alerting of INVITE flood attack:
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; sid:5000004; rev:1;)
-# Rule for alerting of REGISTER flood attack:
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; sid:5000005; rev:1;)
-# Threshold rule for unauthorized responses:
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; sid:5000006; rev:1;)