A couple of days ago I looked at the snort rules from sipvicious and saw some flaws in them. Leon Ward from Sourcefire also recently announced dumbpig.pl. Combining the VoIP-snort.rules from sipvicious with dumbpig.pl from Leon gave me some nice debug output to look at.
Most interesting was:
– IP rule with port number (or var that could be set to a port number). This is BAD and invalid syntax.
It is likely that this rule head is not functioning as you expect it to.
The IP protocol doesn’t have port numbers.
If you want to inspect both UDP and TCP traffic on specific ports use two rules, its faster and valid syntax.
Splitting it up into one TCP and one UDP rule gave more leads on tuning:
– TCP, without flow. Considder adding flow to provide better state tracking on this TCP based rule
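To make the two dumbpig findings above concrete, here is a small rule-header checker I wrote for this post (it is not dumbpig.pl and the rules are not the sipvicious ones): it flags an `ip` rule that carries a port and a TCP rule that has no `flow` option, and shows the split of an `ip` rule into a TCP rule (with `flow`) and a UDP rule. The sample rules, sids and the `$SIP_PORTS` variable are constructed for the example.

```python
import re

# Constructed sample rules for this example; $SIP_PORTS is an assumed variable.
SAMPLE_RULES = [
    'alert ip any any -> $HOME_NET $SIP_PORTS (msg:"SIP OPTIONS scan"; content:"OPTIONS sip|3A|"; sid:1000001; rev:1;)',
    'alert tcp any any -> $HOME_NET 5060 (msg:"SIP REGISTER over TCP"; content:"REGISTER sip|3A|"; sid:1000002; rev:1;)',
    'alert udp any any -> $HOME_NET 5060 (msg:"SIP REGISTER over UDP"; content:"REGISTER sip|3A|"; sid:1000003; rev:1;)',
]

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

def parse_rule(rule):
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError('unparseable rule: ' + rule)
    return m.groupdict()

def lint_rule(rule):
    """Return the dumbpig-style findings this example checks for."""
    r = parse_rule(rule)
    findings = []
    # IP has no ports: anything other than 'any' in a port field is invalid syntax.
    if r['proto'] == 'ip' and (r['sport'] != 'any' or r['dport'] != 'any'):
        findings.append('ip rule with port number')
    # A TCP rule without flow gets no state tracking from the stream preprocessor.
    if r['proto'] == 'tcp' and not re.search(r'\bflow\s*:', r['opts']):
        findings.append('tcp rule without flow')
    return findings

def split_ip_rule(rule, base_sid):
    """Rewrite an 'ip' rule with ports as a TCP rule (with flow) and a UDP rule.

    The new rules get base_sid and base_sid + 1; the flow direction is an
    assumption (traffic going to $HOME_NET, so to_server)."""
    r = parse_rule(rule)
    head = '{action} {proto} {src} {sport} {dir} {dst} {dport}'
    def with_sid(opts, sid):
        return re.sub(r'\bsid\s*:\s*\d+', 'sid:%d' % sid, opts)
    tcp_opts = 'flow:established,to_server; ' + with_sid(r['opts'], base_sid)
    udp_opts = with_sid(r['opts'], base_sid + 1)
    tcp = head.format(**dict(r, proto='tcp')) + ' (' + tcp_opts + ')'
    udp = head.format(**dict(r, proto='udp')) + ' (' + udp_opts + ')'
    return tcp, udp

if __name__ == '__main__':
    for rule in SAMPLE_RULES:
        print(lint_rule(rule) or 'ok', '<-', rule[:40])
    for fixed in split_ip_rule(SAMPLE_RULES[0], 1000010):
        print(fixed)
```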
Apart from the output that dumbpig.pl gave me, the sipvicious rules would barf in snort because of a regexp error. Also, I'm not sure about the “SIP 4xx Responses” rule from sipvicious. Depending on what you put into $SIP_PROXY_IP it might work as expected, but I hope the way I rewrote it makes the rule a bit clearer to read.
I also bumped into a bug in the “Parse::Snort” module regarding a whitespace issue, which Leon kindly investigated, confirmed and reported upstream.
Well, here are my snort rules after I played with dumbpig.pl and added some personal thoughts to them. Hopefully I will be able to test them out in a lab environment in the next month or so, and maybe I'll be updating them if needed. Feedback of any sort is welcome!
“Snort successfully loaded all rules and checked all rule chains!”