From 7cac4afd3f3da453b186ffdc1d0a166125162a82 Mon Sep 17 00:00:00 2001
From: robiscool
Date: Tue, 16 Jun 2009 06:27:27 -0700
Subject: this ones for you mcrane, added custom pfsense rules auto updates, add voip rulles for freeswitch

---
 config/snort/pfsense_rules/pfsense-voip.rules | 3 ---
 config/snort/pfsense_rules/pfsense_rules.tar.gz.md5 | 1 +
 config/snort/pfsense_rules/rules/pfsense-voip.rules | 11 +++++++++++
 3 files changed, 12 insertions(+), 3 deletions(-)
 delete mode 100644 config/snort/pfsense_rules/pfsense-voip.rules
 create mode 100644 config/snort/pfsense_rules/pfsense_rules.tar.gz.md5
 create mode 100644 config/snort/pfsense_rules/rules/pfsense-voip.rules
(limited to 'config/snort/pfsense_rules')

diff --git a/config/snort/pfsense_rules/pfsense-voip.rules b/config/snort/pfsense_rules/pfsense-voip.rules
deleted file mode 100644
index f168403d..00000000
--- a/config/snort/pfsense_rules/pfsense-voip.rules
+++ /dev/null
@@ -1,3 +0,0 @@
-alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000004; rev:1;)
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000009; rev:1;)
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000009; rev:1;)
diff --git a/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5 b/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5
new file mode 100644
index 00000000..97a55e1d
--- /dev/null
+++ b/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5
@@ -0,0 +1 @@
+101
\ No newline at end of file
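Review bot: The new `pfsense_rules.tar.gz.md5` contains `101`, which is not an MD5 digest (32 hex characters), so if the rules auto-updater compares this file against a computed digest of the tarball the comparison can never succeed, and if it is meant as a version counter the `.md5` name misleads. Either store the actual digest of the tarball or rename the file to reflect that it holds a version number. A digest fetched over the same unauthenticated channel as the tarball only detects accidental corruption, not substitution; if that is how the updater retrieves it, a one-line comment in the updater saying so would stop a later maintainer from treating the check as tamper protection. The updater code itself is not part of this diff, so the comparison logic is inferred from the file name and the commit message.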
diff --git a/config/snort/pfsense_rules/rules/pfsense-voip.rules b/config/snort/pfsense_rules/rules/pfsense-voip.rules
new file mode 100644
index 00000000..3142c0b6
--- /dev/null
+++ b/config/snort/pfsense_rules/rules/pfsense-voip.rules
@@ -0,0 +1,11 @@
+alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000004; rev:1;)
+# Excessive number of SIP 4xx Responses Does not work
+#### alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000008; rev:1;)
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000009; rev:1;)
+
+# Rule for alerting of INVITE flood attack:
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; sid:5000002; rev:1;)
+# Rule for alerting of REGISTER flood attack:
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; sid:5000005; rev:1;)
+# Threshold rule for unauthorized responses:
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; sid:5000008; rev:1;)
-- cgit v1.2.3
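Review bot: The last rule in the hunk reports `msg:"INVITE message flooding"` for a match on `SIP/2.0 401 Unauthorized`, which looks like a copy-paste of the INVITE rule above it, and it reuses `sid:5000008` from the commented-out 4xx rule, so re-enabling that rule later would fail to load with a duplicate SID; a distinct message and SID, for example `msg:"Excessive SIP 401 Unauthorized responses - possible user or password guessing"; ... sid:5000010;` (sample SID, pick one unused in the set), keeps the alerts distinguishable in the console. The 4xx rule marked "Does not work" appears to be unterminated: `pcre:"/^SIP\/2.0 4\d{2}"` has no closing `/`, so `pcre:"/^SIP\/2\.0 4\d{2}/";` would likely let it load and would also stop the `.` from matching any character. The first rule still targets `$HOME_NET` while every other rule targets `$SIP_PROXY_IP`; presumably that is intentional for OPTIONS scans, but a one-line comment stating so, plus a header note that `$SIP_PROXY_IP` and `$SIP_PROXY_PORTS` must be defined in the Snort configuration or the whole file fails to load, would help the next maintainer.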