Old 09-03-2013, 10:35 PM   #1
lpallard
Senior Member
 
Registered: Nov 2008
Posts: 1,044

Rep: Reputation: Disabled
VOIP question and Snort alerts


I initially posted this on pfsense's forum, but since it is partially off-topic with regard to snort and the pfsense platform, I expect little to no reply on their forums, hence why I am posting here. It's actually more of a networking question rather than a pfsense- or snort-specific question.

I have been using VOIP behind a pfsense firewall with Snort for about 2 weeks now, and while I have had a good experience so far, I have found that without deactivating snort completely, the ATA (VOIP adapter) loses connectivity to the VOIP server the moment I place or receive a phone call.

Snort believes there is an attack happening and blocks the VOIP server which results in a dropped call. Annoying to say the least, but I think snort is just doing its job.

In snort's logs, I see:

Code:
Aug 28 23:04:24 	snort[4034]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} YYY.YYY.YYY.YYY -> XXX.XXX.XXX.XXX
Aug 28 23:04:24 	snort[4034]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} YYY.YYY.YYY.YYY -> XXX.XXX.XXX.XXX
Aug 28 23:04:21 	snort[23348]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} XXX.XXX.XXX.XXX:5060 -> YYY.YYY.YYY.YYY:5060
Aug 28 23:04:21 	snort[23348]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} XXX.XXX.XXX.XXX:5060 -> YYY.YYY.YYY.YYY:5060
Aug 28 23:03:48 	snort[23348]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} XXX.XXX.XXX.XXX:5060 -> YYY.YYY.YYY.YYY:5060
Aug 28 23:03:48 	snort[23348]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} XXX.XXX.XXX.XXX:5060 -> YYY.YYY.YYY.YYY:5060
Aug 28 23:03:12 	snort[4034]: [1:2008578:6] ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} 173.255.118.235:5068 -> XXX.XXX.XXX.XXX:5060
Aug 28 23:03:12 	snort[4034]: [1:2008578:6] ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} 173.255.118.235:5068 -> XXX.XXX.XXX.XXX:5060
Aug 28 23:03:12 	snort[4034]: [1:2011716:4] ET SCAN Sipvicious User-Agent Detected (friendly-scanner) [Classification: Attempted Information Leak] [Priority: 2] {UDP} 173.255.118.235:5068 -> XXX.XXX.XXX.XXX:5060
Aug 28 23:03:12 	snort[4034]: [1:2011716:4] ET SCAN Sipvicious User-Agent Detected (friendly-scanner) [Classification: Attempted Information Leak] [Priority: 2] {UDP} 173.255.118.235:5068 -> XXX.XXX.XXX.XXX:5060
Please note: XXX.XXX.XXX.XXX = My WAN (public) IP, and YYY.YYY.YYY.YYY = My service provider's VOIP server.

I reckon the issue is with snort blocking the ATA device because of "Attempted Information Leak" or "Potentially Bad Traffic", but what got me wondering is the other IP that caught my attention: 173.255.118.235. According to http://www.ip-adress.com/ip_tracer/173.255.118.235, this would be a Google IP! What is Google doing on their port 5068 trying to communicate with MY port 5060 !?!?

Later tonight, I tried once again with some minor snort modifications to re-use the phone. It got blocked once again by snort. This time, in snort's alert list, I see two identical alerts such as:

Code:
Date:  09/03/13 23:08:21 PRI:  2	Attempted Information Leak 	Source:  198.199.100.18     Destination:  YYY.YYY.YYY.YYY   SID:  122:21    Description: (portscan) UDP Filtered Portscan
Strange though, these alerts always come in a pair of 2: one from my ISP's VOIP server (the YYY.YYY.YYY.YYY), and the other from a random unknown server somewhere else. This time it's a server (198.199.100.18) belonging to "akamai.skafari.com"...

Could it be for some DNS lookup or similar? What would it have to do with my VOIP service!? Why are these servers trying to connect with my VOIP service?

Has anybody seen this before?

Last edited by lpallard; 09-03-2013 at 10:36 PM.
 
Old 09-04-2013, 02:34 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by lpallard View Post
Snort believes there is an attack happening and blocks the VOIP server which results in a dropped call. Annoying to say the least, but I think snort is just doing its job.
Is it?..

If I may focus on a subset of what you're asking for: please be aware that some Snort rules may be very basic. Apart from understanding what you run, they may need careful selection, whitelisting or other adjustments: for example the built-in port scanner may judge traffic as port scanning but this may be legitimate (RTP, multiple phones?), and in the case of "ET SCAN Sipvicious Scan" the only content scan is for "From|3A 20 22|sipvicious". If unsure about rules it would make sense to not block them but log them, plus save a packet capture for analysis. That way you can determine if this actually is a rule you would like to fire off or not. VoIP fraud is not uncommon and can lead to loss of service, money and reputation. It would make sense to inform yourself thoroughly of VoIP and its security needs. For that I've compiled a short list of docs that may (or may not) be interesting:

http://www.sans.org/reading-room/whi...abilities_2036
http://www.sans.org/reading-room/whi...sure-voip-1701
http://www.sans.org/reading-room/whitepapers/voip
https://www.owasp.org/index.php/File...ity_basics.pdf
http://www.snortattack.org/docs/voip_en.pdf
http://www.blackhat.com/presentation...7-dempster.pdf
http://www.backtrack-linux.org/wiki/...entesting_VOIP
Nice list of tools: http://www.voipsa.org/Resources/tools.php

HTH
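As an added example (not code from this thread, from Snort or from pfSense), the following Python parses the syslog-style alert lines quoted in the first post, counts the paired duplicates, and separates alerts exchanged between the two known VoIP peers (own WAN address and the provider's SIP server) from alerts arriving from outside addresses, then emits Snort 2 threshold.conf suppress entries for the former as a starting point for the "log rather than block" review suggested above. The sample lines are constructed in the post's format and keep its XXX/YYY placeholders; the trusted-peer set and the verdict labels are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format quoted in the thread (XXX = own WAN,
# YYY = provider's VoIP server, as the post labels them); the repeat is deliberate.
SAMPLE_ALERTS = """\
Aug 28 23:04:24 snort[4034]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} YYY.YYY.YYY.YYY -> XXX.XXX.XXX.XXX
Aug 28 23:04:24 snort[4034]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} YYY.YYY.YYY.YYY -> XXX.XXX.XXX.XXX
Aug 28 23:04:21 snort[23348]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} XXX.XXX.XXX.XXX:5060 -> YYY.YYY.YYY.YYY:5060
Aug 28 23:03:12 snort[4034]: [1:2008578:6] ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} 173.255.118.235:5068 -> XXX.XXX.XXX.XXX:5060
"""

# [gid:sid:rev] msg [Classification: c] [Priority: p] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<pri>\d+)\] \{(?P<proto>[^}]+)\} "
    r"(?P<src>\S+?)(?::(?P<sport>\d+))? -> (?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Fields of one alert line as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line.rstrip())
    return m.groupdict() if m else None

def triage(text, trusted_peers):
    """Group alerts by (gid:sid, src, dst), count repeats and mark each group:
    'trusted-pair' when both ends are known VoIP peers (review the rule instead of
    blocking the call), 'external' otherwise (keep the block, capture for analysis)."""
    groups = defaultdict(lambda: {"count": 0, "msg": "", "verdict": ""})
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        g = groups[(f"{a['gid']}:{a['sid']}", a["src"], a["dst"])]
        g["count"] += 1
        g["msg"] = a["msg"]
        both_trusted = a["src"] in trusted_peers and a["dst"] in trusted_peers
        g["verdict"] = "trusted-pair" if both_trusted else "external"
    return dict(groups)

def suppress_lines(groups):
    """threshold.conf 'suppress' entries (Snort 2 syntax) for the trusted-pair groups."""
    return sorted(
        f"suppress gen_id {sig.split(':')[0]}, sig_id {sig.split(':')[1]}, track by_src, ip {src}"
        for (sig, src, _dst), g in groups.items() if g["verdict"] == "trusted-pair"
    )

if __name__ == "__main__":
    for key, g in triage(SAMPLE_ALERTS, {"XXX.XXX.XXX.XXX", "YYY.YYY.YYY.YYY"}).items():
        print(key[0], f"{g['count']}x", g["verdict"], key[1], "->", key[2], g["msg"])
```

Feed it the real alert log in place of SAMPLE_ALERTS and the suppress entries only apply once the capture confirms the trusted-pair alerts are genuine call traffic.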
 
Old 09-04-2013, 07:36 PM   #3
lpallard
Senior Member
 
Registered: Nov 2008
Posts: 1,044

Original Poster
Rep: Reputation: Disabled
unSpawn, thanks for providing these documents. Believe it or not, I have just read most of them. Quite a lot more extensive than what I expected for sure!! I will keep on reading this and further understanding the topics and post back. This is interesting for sure!

I agree, without knowing my exact networking usage, it's difficult if not impossible to say if Snort is doing its job or not..

Quote:
If unsure about rules it would make sense to not block them but log them plus save a packet capture for analysis
I will try that.
 
Old 09-04-2013, 07:45 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by lpallard View Post
Believe it or not, I have just read most of them.
Well done.


Quote:
Originally Posted by lpallard View Post
I agree, without knowing my exact networking usage, its difficult if not impossible to say if Snort is doing its job or not..
It probably is except that it sometimes may do its job a wee bit too well... Should you wish another pair of eyeballs wrt packet capture analysis / Snort rule adjustment just let me know in time.
 
Old 09-04-2013, 07:52 PM   #5
lpallard
Senior Member
 
Registered: Nov 2008
Posts: 1,044

Original Poster
Rep: Reputation: Disabled
Quote:
Should you wish another pair of eyeballs wrt packet capture analysis / Snort rule adjustment just let me know in time.
I am moving the ATA device to a VLAN on my pfsense router. Once this is done, I will restore Snort's previous configuration on my standard interfaces, and then create a new Snort interface on the created VLAN.

That won't change the fact that it will still block my ATA, but at least it will allow me to segregate it from the rest of my LAN..

As for the packet capture and analysis, can you recommend a way?
 
Old 09-05-2013, 01:57 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Kind of depends on what you're after. Running tcpdump to a file (warning: files may grow large), possibly with a BPF filter to focus on certain protocols, addresses or ports may provide a more coherent basis compared to the packets or sessions Snort logs but in the end you'll probably want to run captured packets through Snort (-r file) and maybe Wireshark. Knowledge of VoIP protocols and applications is implied.
 
  

