From 683a07207a8d9fa143728a15ca13f93f99b87fa9 Mon Sep 17 00:00:00 2001
From: robiscool
Date: Mon, 15 Jun 2009 21:16:30 -0700
Subject: pfsense custom voip rules
---
 config/snort/pfsense_rules/pfsense-voip.rules | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 config/snort/pfsense_rules/pfsense-voip.rules
diff --git a/config/snort/pfsense_rules/pfsense-voip.rules b/config/snort/pfsense_rules/pfsense-voip.rules
new file mode 100644
index 00000000..f168403d
--- /dev/null
+++ b/config/snort/pfsense_rules/pfsense-voip.rules
@@ -0,0 +1,3 @@
+alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000004; rev:1;)
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000009; rev:1;)
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000009; rev:1;)
-- 
cgit v1.2.3
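Review bot: The second and third rules both carry `sid:5000009`, so the "Ghost call attack" rule collides with the 4xx rule; each rule needs its own sid, and the third should take an unused one from the local range. The `pcre` option in the second rule has no closing delimiter and leaves the dot unescaped; it should read `pcre:"/^SIP\/2\.0 4\d{2}/";`, otherwise the rule is likely to be rejected when the file is loaded and the guessing detection never runs. Both of these rules match SIP responses yet are written as `-> $SIP_PROXY_IP`, which presumably only covers responses arriving at the proxy and not the 4xx replies the proxy itself sends back to a guessing client; confirm the direction and the `track by_src` choice against the deployment. A `#` comment above each rule recording why the thresholds were chosen (30 in 3 seconds, 100 in 60 seconds) and that `$SIP_PROXY_IP` and `$SIP_PROXY_PORTS` must be defined in the Snort configuration would help whoever tunes them later.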