I initially posted this on pfsense's forum, but this being partially off-topic in regards to snort and the pfsense platform, I expect little to no reply on their forums, hence why I am posting here. It's actually more of a networking question rather than a pfsense or snort specific question.
I have been using VOIP behind a pfsense firewall with Snort for about 2 weeks now, and while I have had a good experience so far, I have found that unless I deactivate snort completely, the ATA (VOIP adapter) loses connectivity to the VOIP server the moment I place or receive a phone call.
Snort believes there is an attack happening and blocks the VOIP server which results in a dropped call. Annoying to say the least, but I think snort is just doing its job.
In snort's logs, I see:
Code:
Aug 28 23:04:24 snort[4034]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} YYY.YYY.YYY.YYY -> XXX.XXX.XXX.XXX
Aug 28 23:04:24 snort[4034]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} YYY.YYY.YYY.YYY -> XXX.XXX.XXX.XXX
Aug 28 23:04:21 snort[23348]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} XXX.XXX.XXX.XXX:5060 -> YYY.YYY.YYY.YYY:5060
Aug 28 23:04:21 snort[23348]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} XXX.XXX.XXX.XXX:5060 -> YYY.YYY.YYY.YYY:5060
Aug 28 23:03:48 snort[23348]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} XXX.XXX.XXX.XXX:5060 -> YYY.YYY.YYY.YYY:5060
Aug 28 23:03:48 snort[23348]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} XXX.XXX.XXX.XXX:5060 -> YYY.YYY.YYY.YYY:5060
Aug 28 23:03:12 snort[4034]: [1:2008578:6] ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} 173.255.118.235:5068 -> XXX.XXX.XXX.XXX:5060
Aug 28 23:03:12 snort[4034]: [1:2008578:6] ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} 173.255.118.235:5068 -> XXX.XXX.XXX.XXX:5060
Aug 28 23:03:12 snort[4034]: [1:2011716:4] ET SCAN Sipvicious User-Agent Detected (friendly-scanner) [Classification: Attempted Information Leak] [Priority: 2] {UDP} 173.255.118.235:5068 -> XXX.XXX.XXX.XXX:5060
Aug 28 23:03:12 snort[4034]: [1:2011716:4] ET SCAN Sipvicious User-Agent Detected (friendly-scanner) [Classification: Attempted Information Leak] [Priority: 2] {UDP} 173.255.118.235:5068 -> XXX.XXX.XXX.XXX:5060
Please note: XXX.XXX.XXX.XXX = My WAN (public) IP, and YYY.YYY.YYY.YYY = My service provider's VOIP server.
I reckon the issue is snort blocking the ATA device because of "Attempted Information Leak" or "Potentially Bad Traffic", but what got me wondering is the other IP that caught my attention: 173.255.118.235. According to
http://www.ip-adress.com/ip_tracer/173.255.118.235, this would be a Google IP! What is Google doing on their port 5068 trying to communicate with MY port 5060!?
Later tonight, I tried once again, with some minor snort modifications, to use the phone. It got blocked once again by snort. This time, in snort's alert list, I see two identical alerts such as:
Code:
Date: 09/03/13 23:08:21 PRI: 2 Attempted Information Leak Source: 198.199.100.18 Destination: YYY.YYY.YYY.YYY SID: 122:21 Description: (portscan) UDP Filtered Portscan
Strangely, these alerts always come in pairs: one from my ISP's VOIP server (the YYY.YYY.YYY.YYY) and the other from a random unknown server somewhere else. This time it's a server (198.199.100.18) belonging to "akamai.skafari.com".
Could it be for some DNS lookup or similar? What would that have to do with my VOIP service? Why are these servers trying to connect to my VOIP service?
Has anybody seen this before?
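As an added example (not part of the original post or of Snort/pfSense itself), the script below parses alert lines in the syslog layout quoted above, groups the paired alerts by time, rule and remote peer, and separates alerts whose peer is the provider's VOIP server (candidates for a pfSense suppress/pass-list entry) from alerts caused by unrelated outside hosts such as the SIPVicious scanner, which Snort should keep acting on. The WAN and server addresses, the sample log and the regex layout are assumptions, and the generated suppress lines use the standard Snort threshold.conf syntax and are meant to be reviewed, not applied blindly.

```python
import re
from collections import Counter

# Assumed layout of the syslog-style alert lines quoted in the post:
# "snort[pid]: [gid:sid:rev] msg [Classification: c] [Priority: p] {PROTO} src[:port] -> dst[:port]"
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.+?) "
    r"\[Classification: [^\]]+\] \[Priority: \d+\] \{[^}]+\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

# Constructed sample (RFC 5737 documentation addresses, not the poster's):
# 203.0.113.10 = WAN IP, 198.51.100.20 = provider VoIP server, 192.0.2.77 = outside scanner.
SAMPLE_LOG = """\
Aug 28 23:04:24 snort[4034]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 198.51.100.20 -> 203.0.113.10
Aug 28 23:04:24 snort[4034]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 198.51.100.20 -> 203.0.113.10
Aug 28 23:04:21 snort[23348]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 203.0.113.10:5060 -> 198.51.100.20:5060
Aug 28 23:03:12 snort[4034]: [1:2008578:6] ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.77:5068 -> 203.0.113.10:5060
"""

def parse_alert(line):
    """Fields of one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(log_text, wan_ip, voip_server):
    """Group alerts by (time, gid:sid, remote peer); label the peer 'provider'
    when it is the VoIP server (suppress candidate) else 'external' (keep)."""
    groups, first = Counter(), {}
    for line in log_text.splitlines():
        a = parse_alert(line)
        if not a:
            continue
        # Peer = whichever end is not our WAN; keep its side for by_src/by_dst tracking.
        peer, side = (a["dst"], "by_dst") if a["src"] == wan_ip else (a["src"], "by_src")
        key = (a["ts"], f'{a["gid"]}:{a["sid"]}', peer)
        groups[key] += 1
        first.setdefault(key, (a["msg"], side))
    report = []
    for (ts, rule, peer), n in sorted(groups.items()):
        msg, side = first[(ts, rule, peer)]
        report.append({"time": ts, "rule": rule, "peer": peer, "side": side, "count": n,
                       "msg": msg, "label": "provider" if peer == voip_server else "external"})
    return report

def suppress_entries(report):
    """Snort threshold.conf 'suppress' lines for provider-labelled alerts only (review first)."""
    out = {f"suppress gen_id {r['rule'].split(':')[0]}, sig_id {r['rule'].split(':')[1]}, "
           f"track {r['side']}, ip {r['peer']}" for r in report if r["label"] == "provider"}
    return sorted(out)
```

Running `triage(SAMPLE_LOG, "203.0.113.10", "198.51.100.20")` shows the doubled portscan event as one group with count 2, and only the two provider-side rules end up in the suggested suppress lines.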