VOIP question and Snort alerts
I initially posted this on pfsense's forum, but this being partially off-topic in regards to snort and the pfsense platform, I expect little to no reply on their forums, hence why I am posting here. It's actually more of a networking question rather than a pfsense or snort specific question.
I have been using VOIP behind a pfsense firewall with Snort for about 2 weeks now, and while I have had a good experience so far, I have found that without deactivating snort completely, the ATA (VOIP adapter) loses connectivity to the VOIP server at the moment I place or receive a phone call. Snort believes there is an attack happening and blocks the VOIP server, which results in a dropped call. Annoying to say the least, but I think snort is just doing its job. In snort's logs, I see:

Aug 28 23:04:24 snort[4034]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} YYY.YYY.YYY.YYY -> XXX.XXX.XXX.XXX

I reckon the issue is with snort blocking the ATA device because of "Attempted Information Leak" or "Potentially Bad Traffic", but what got me wondering is the other IP that caught my attention: 173.255.118.235. According to http://www.ip-adress.com/ip_tracer/173.255.118.235, this would be a Google IP! What is Google doing on their port 5068 trying to communicate with MY port 5060 !?!? Later tonight, I tried once again with some minor snort modifications to re-use the phone. It got blocked once again by snort. This time, in snort's alert list, I see two identical alerts such as:

Date: 09/03/13 23:08:21 PRI: 2 Attempted Information Leak Source: 198.199.100.18 Destination: YYY.YYY.YYY.YYY SID: 122:21 Description: (portscan) UDP Filtered Portscan

Could it be for some DNS lookup or similar? What would it have to do with my VOIP service!? Why are these servers trying to connect with my VOIP service? Has anybody seen this before?
If I may focus on a subset of what you're asking for: please be aware that some Snort rules may be very basic. Apart from understanding what you run, they may need careful selection, whitelisting or other adjustments: for example the built-in port scanner may judge traffic as port scanning but this may be legitimate (RTP, multiple phones?) and in the case of "ET SCAN Sipvicious Scan" the only content scan is for "From|3A 20 22|sipvicious". If unsure about rules it would make sense to not block them but log them plus save a packet capture for analysis. That way you can determine if this actually is a rule you would like it to fire off or not. VoIP fraud is not uncommon and can lead to loss of service, money and reputation. It would make sense to inform yourself thoroughly of VoIP and its security needs. For that I've compiled a short list of docs that may (or may not) be interesting: http://www.sans.org/reading-room/whi...abilities_2036 http://www.sans.org/reading-room/whi...sure-voip-1701 http://www.sans.org/reading-room/whitepapers/voip https://www.owasp.org/index.php/File...ity_basics.pdf http://www.snortattack.org/docs/voip_en.pdf http://www.blackhat.com/presentation...7-dempster.pdf http://www.backtrack-linux.org/wiki/...entesting_VOIP Nice list of tools: http://www.voipsa.org/Resources/tools.php HTH
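A small triage helper for alerts in the syslog format quoted above, added here as an example and not code from the thread or from Snort: it parses the GID:SID, classification, priority and endpoints, marks a portscan-preprocessor alert as suppressible only when its source lies inside the VoIP provider's address range (assumed to be known and passed in as provider_nets), and emits the matching threshold.conf suppress line so the provider is exempted from that one check without disabling the rule, or the SIP scanner signatures, for everyone else.

```python
import re
import ipaddress

# Constructed sample alerts in the syslog format quoted in the thread. The
# addresses are documentation ranges and the last SID is a placeholder.
SAMPLE_ALERTS = [
    "Aug 28 23:04:24 snort[4034]: [122:21:1] (portscan) UDP Filtered Portscan "
    "[Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} "
    "192.0.2.10 -> 198.51.100.5",
    "Aug 28 23:05:02 snort[4034]: [122:21:1] (portscan) UDP Filtered Portscan "
    "[Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} "
    "203.0.113.77 -> 198.51.100.5",
    "Aug 28 23:05:40 snort[4034]: [1:9999999:1] ET SCAN Sipvicious Scan "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP} "
    "203.0.113.77:5068 -> 198.51.100.5:5060",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>[^}]*)\}\s+"
    rf"(?P<src>{IPV4})(?::(?P<sport>\d+))?\s+->\s+(?P<dst>{IPV4})(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    return None if m is None else m.groupdict()

def triage(lines, provider_nets):
    """Per alert: 'suppress' when the source is inside the VoIP provider's
    networks AND the alert came from the portscan preprocessor (gen_id 122);
    anything else, including a SIP-scanner signature, is 'investigate'."""
    nets = [ipaddress.ip_network(n) for n in provider_nets]
    decisions = []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        src = ipaddress.ip_address(a["src"])
        trusted = any(src in n for n in nets)
        decisions.append(("suppress" if trusted and a["gid"] == "122" else "investigate", a))
    return decisions

def suppress_rule(alert):
    """threshold.conf entry silencing this GID:SID for this source only."""
    return (f"suppress gen_id {alert['gid']}, sig_id {alert['sid']}, "
            f"track by_src, ip {alert['src']}")
```

Anything not from the provider, and anything that fires on a content signature, stays flagged for the packet-capture review described above.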
unSpawn, thanks for providing these documents. Believe it or not, I have just read most of them. Quite a lot more extensive than what I expected for sure!! I will keep on reading this and further understanding the topics and post back. This is interesting for sure!
I agree, without knowing my exact networking usage, it's difficult if not impossible to say if Snort is doing its job or not.
That won't change the fact that it will still block my ATA, but at least it will allow me to segregate it from the rest of my LAN. As for the packet capture and analysis, can you recommend a way?
Kind of depends on what you're after. Running tcpdump to a file (warning: files may grow large), possibly with a BPF filter to focus on certain protocols, addresses or ports may provide a more coherent basis compared to the packets or sessions Snort logs but in the end you'll probably want to run captured packets through Snort (-r file) and maybe Wireshark. Knowledge of VoIP protocols and applications is implied.