OpenSourceSoftware, Snort

Some VoIP rules for snort and

A couple of days ago I saw the Snort rules from sipvicious and spotted some flaws in them. Leon Ward from Sourcefire also recently announced. So combining the VoIP-snort.rules from sipvicious with Leon's gave me some nice debug output to look at.

Most interesting was:

– IP rule with port number (or var that could be set to a port number). This is BAD and invalid syntax.
It is likely that this rule head is not functioning as you expect it to.
The IP protocol doesn't have port numbers.
If you want to inspect both UDP and TCP traffic on specific ports, use two rules; it's faster and valid syntax.

Splitting it up into one TCP and one UDP rule gave more leads on tuning:

– TCP, without flow. Consider adding flow to provide better state tracking on this TCP based rule
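To make the two checks above concrete, here is an added Python example of my own; it is not the sipvicious rules, not the checker whose output is quoted above, and not Leon's code. It flags an `ip` rule that carries a port (or a port variable), flags a TCP rule with no `flow` option, and performs the suggested split into a TCP rule (with `flow` added) and a UDP rule. The sample rules, sids and the `$SIP_PROXY_IP`/`$SIP_PORTS` variables are constructed for illustration only.

```python
import re
from dataclasses import dataclass

# Constructed sample rules (not taken from sipvicious or from the post):
# 9000001 has the header shape the checker complains about (ip + ports),
# 9000002 is TCP without flow, 9000003/9000004 are the corrected split form.
SAMPLE_RULES = """
alert ip any any -> $SIP_PROXY_IP $SIP_PORTS (msg:"SIP INVITE to proxy (bad header)"; content:"INVITE sip:"; depth:11; sid:9000001; rev:1;)
alert tcp any any -> $SIP_PROXY_IP 5060 (msg:"SIP INVITE over TCP (no flow)"; content:"INVITE sip:"; depth:11; sid:9000002; rev:1;)
alert tcp any any -> $SIP_PROXY_IP 5060 (msg:"SIP INVITE over TCP"; flow:to_server,established; content:"INVITE sip:"; depth:11; sid:9000003; rev:1;)
alert udp any any -> $SIP_PROXY_IP 5060 (msg:"SIP INVITE over UDP"; content:"INVITE sip:"; depth:11; sid:9000004; rev:1;)
"""

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
FLOW_RE = re.compile(r"(^|;)\s*flow\s*:")
SID_RE = re.compile(r"sid\s*:\s*(\d+)\s*;")


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    opts: str

    def sid(self):
        m = SID_RE.search(self.opts)
        return int(m.group(1)) if m else None

    def render(self):
        return (f"{self.action} {self.proto} {self.src} {self.sport} "
                f"{self.direction} {self.dst} {self.dport} ({self.opts})")


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule header: {line!r}")
    return Rule(**m.groupdict())


def check_rule(rule):
    """The two header checks from the debug output: ip with ports, and tcp without flow."""
    findings = []
    # 'any' is the only port value that makes sense on an ip rule; anything else,
    # including a $VAR that may expand to a port, is the invalid case.
    if rule.proto == "ip" and (rule.sport != "any" or rule.dport != "any"):
        findings.append("IP rule with port number: IP has no ports, split into one TCP and one UDP rule")
    if rule.proto == "tcp" and not FLOW_RE.search(rule.opts):
        findings.append("TCP rule without flow: add flow:to_server,established (or to_client) for state tracking")
    return findings


def split_ip_rule(rule, udp_sid):
    """Replace an 'ip' rule that carries ports with a TCP rule (given flow) and a UDP rule.
    The TCP copy keeps the original sid; the UDP copy needs its own, supplied by the caller."""
    tcp_opts = rule.opts
    if not FLOW_RE.search(tcp_opts):
        # '->' is client-to-server traffic; a '<>' rule can only assert the session is established
        flow = "flow:to_server,established; " if rule.direction == "->" else "flow:established; "
        tcp_opts = flow + tcp_opts.lstrip()
    udp_opts = SID_RE.sub(f"sid:{udp_sid};", rule.opts)
    tcp = Rule(rule.action, "tcp", rule.src, rule.sport, rule.direction, rule.dst, rule.dport, tcp_opts)
    udp = Rule(rule.action, "udp", rule.src, rule.sport, rule.direction, rule.dst, rule.dport, udp_opts)
    return tcp, udp


def lint(text):
    """Map sid -> findings for every rule in text that has something to fix."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        findings = check_rule(rule)
        if findings:
            report[rule.sid()] = findings
    return report


if __name__ == "__main__":
    for sid, findings in lint(SAMPLE_RULES).items():
        print(sid, *findings, sep="\n  ")
    bad = parse_rule(SAMPLE_RULES.strip().splitlines()[0])
    for fixed in split_ip_rule(bad, udp_sid=9000005):
        print(fixed.render())
```

Point it at a rules file instead of `SAMPLE_RULES` and it reports the same two conditions the debug output above does. The option parsing is deliberately shallow (it only looks for `flow:` and `sid:`), so a rule with an unescaped `;` inside `content` may still need a look by hand.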

Apart from the output that gave me, the sipvicious rules would barf in Snort because of a regexp error. Also, I'm not sure about the "SIP 4xx Responses" rule from sipvicious. Depending on what you put into $SIP_PROXY_IP it might work as expected, but I hope the way I rewrote it makes the rule a bit clearer to read.

I also bumped into a bug in the "Parse::Snort" module regarding a whitespace issue, which Leon kindly investigated, confirmed and reported upstream.

Well, here are my Snort rules after I played with them and added some personal thoughts. Hopefully I will be able to test them out in a lab environment in the next month or so, and I may update them if needed. Feedback of any sort is welcome!

“Snort successfully loaded all rules and checked all rule chains!”

