344 lines
115 KiB
Plaintext
344 lines
115 KiB
Plaintext
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
|
|
#
|
|
# This file contains (i) proprietary rules that were created, tested and certified by
|
|
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
|
|
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
|
|
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
|
|
# GNU General Public License (GPL), v2.
|
|
#
|
|
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
|
|
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
|
|
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
|
|
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
|
|
# list of third party owners and their respective copyrights.
|
|
#
|
|
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
|
|
# to the VRT Certified Rules License Agreement (v2.0).
|
|
#
|
|
#---------------------
|
|
# PROTOCOL-VOIP RULES
|
|
#---------------------
|
|
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk Management Interface HTTP digest authentication stack buffer overflow attempt"; flow:to_server,established; content:"Authorization: Digest"; http_header; content:!"|0A|"; within:500; http_header; pcre:"/^Authorization\x3a\sDigest[^\n]*?[\s=][\x22\x27][^\x22\x27\n]{500}/mH"; metadata:service http; reference:url,downloads.asterisk.org/pub/security/AST-2012-003.html; classtype:attempted-admin; sid:26594; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk SIP SDP header parsing stack buffer overflow attempt"; flow:to_server; sip_method:invite; sip_body; content:"sprop-parameter-sets"; nocase; pcre:"/^=[^,\r\n\x3b\s]{17}/iR"; metadata:service sip; reference:cve,2013-2685; classtype:attempted-admin; sid:26426; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk SIP SDP header parsing stack buffer overflow attempt"; flow:to_server; sip_method:invite; sip_body; content:"sprop-parameter-sets"; nocase; pcre:"/^=[^,\r\n\x3b\s]{1,16},[^\r\n\x3b\s]{17}/iR"; metadata:service sip; reference:cve,2013-2685; classtype:attempted-admin; sid:26425; rev:3;)
|
|
# alert udp $EXTERNAL_NET 8000 -> $HOME_NET any (msg:"PROTOCOL-VOIP Digium Asterisk RTP comfort noise denial of service attempt"; content:"|80 0D|"; depth:2; isdataat:37; metadata:service rtp; reference:bugtraq,37153; reference:cve,2009-4055; classtype:denial-of-service; sid:24270; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"PROTOCOL-VOIP Digium Asterisk invite malformed SDP denial of service attempt"; flow:to_server; sip_method:invite; sip_header; content:"INVITE"; depth:6; nocase; content:"INVITE"; distance:0; nocase; sip_body; content:"c=IN IP"; nocase; content:"c=IN IP"; distance:0; nocase; byte_test:10,>,255,1,relative,string,dec; metadata:service sip; reference:bugtraq,23031; reference:cve,2007-1561; classtype:attempted-dos; sid:23966; rev:4;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 3217 (msg:"PROTOCOL-VOIP Avaya WinPDM header buffer overflow attempt"; flow:to_server; content:"UTP/1"; depth:5; fast_pattern; content:"To|3A|"; distance:0; nocase; isdataat:256,relative; content:!"|0D|"; within:256; content:!"|0A|"; within:256; reference:bugtraq,47947; classtype:attempted-admin; sid:22948; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"PROTOCOL-VOIP Digium Asterisk IAX2 Channel Driver DoS attempt"; flow:to_server; content:"|80 01 00 01|"; depth:4; content:"|06 0B|"; within:2; distance:6; isdataat:1,relative; reference:cve,2007-3763; classtype:denial-of-service; sid:21768; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"PROTOCOL-VOIP Digium Asterisk IAX2 Channel Driver DoS attempt"; flow:to_server; content:"|80 01 00 01|"; depth:4; content:"|06 0C|"; within:2; distance:6; isdataat:1,relative; reference:cve,2007-3763; classtype:denial-of-service; sid:21767; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2000 (msg:"PROTOCOL-VOIP Digium Asterisk SCCP overly large mem copy attempt"; flow:to_server,established; content:"|00 00 00|"; depth:3; offset:1; byte_test:1,<=,3,0; isdataat:8,relative; reference:bugtraq,24950; reference:cve,2007-3764; classtype:attempted-user; sid:21673; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2000 (msg:"PROTOCOL-VOIP Digium Asterisk SCCP capabilities response message capabilities count overflow attempt"; flow:to_server,established; content:"|00 00 00 00 10 00 00 00|"; depth:8; offset:4; byte_test:4,>,50,0,relative,little; reference:cve,2007-4280; classtype:attempted-dos; sid:21672; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk missing SIP version denial of service attempt"; flow:to_server; content:"Contact:"; fast_pattern:only; pcre:"/^((?!(SIP\/\d\.\d)).)+?\x0A/"; metadata:service sip; reference:bugtraq,20835; reference:cve,2006-5445; reference:cve,2014-2154; classtype:attempted-dos; sid:21669; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"PROTOCOL-VOIP Digium Asterisk IAX2 call number denial of service"; flow:to_server,no_stream; content:"|80 00|"; depth:2; content:"|06|"; within:1; distance:8; byte_test:1,&,1,0,relative; byte_test:1,!&,126,0,relative; detection_filter:track by_src, count 8000, seconds 60; reference:cve,2009-2346; classtype:attempted-dos; sid:21608; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Grandstream networks denial of service"; flow:to_server; content:"183 Session Progress"; fast_pattern; nocase; content:"s=BreakingPoint"; nocase; metadata:service sip; reference:bugtraq,25399; reference:cve,2007-4498; classtype:attempted-dos; sid:21150; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt"; flow:to_server; sip_method:register; sip_header; content:"Contact:"; nocase; pcre:"/Contact\x3A\x0D\x0A/miH"; reference:bugtraq,50117; reference:cve,2011-4063; classtype:attempted-dos; sid:21103; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt"; flow:to_server; sip_method:register; sip_header; content:"Contact"; nocase; pcre:"/Contact\x3A\s*\x3C\s*\x3E/miH"; reference:bugtraq,50117; reference:cve,2011-4063; classtype:attempted-dos; sid:21102; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS 2000 (msg:"PROTOCOL-VOIP Digium Asterisk data length field overflow attempt"; flow:to_server,established; content:"|FF FF FF|"; depth:3; offset:1; reference:bugtraq,20617; reference:cve,2006-5444; reference:url,www.exploit-db.com/exploits/2597; classtype:attempted-user; sid:20670; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP OpenSBC VIA header denial of service attempt"; flow:to_server; content:"Via|3A 3A|"; fast_pattern:only; sip_method:invite; reference:url,ims-bisf.nexginrc.org/OpenSBC-vul.html; classtype:denial-of-service; sid:20427; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP MultiTech INVITE message buffer overflow attempt"; flow:to_server,established; sip_method:invite; pcre:"/^INVITE\s[^\s\r\n]{60}/smi"; reference:bugtraq,15711; reference:cve,2005-4050; classtype:attempted-user; sid:20426; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Sivus scanner detected"; flow:to_server,established; content:"sivus_voip_scanner"; fast_pattern:only; pcre:"/^From\x3A\s*sivus_voip_scanner/Hsmi"; reference:url,www.vopsecurity.org/; classtype:network-scan; sid:20424; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP OPTIONS message Call-ID header request misplaced - after terminating newline"; flow:to_server,established; sip_method:options; pcre:"/^OPTIONS.+\r\n\r\n(.+)?^Call-ID\x3A/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20423; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP OPTIONS message Via field request misplaced - after terminating newline"; flow:to_server,established; sip_method:options; pcre:"/^OPTIONS.+\r\n\r\n(.+)?^Via\x3A/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20422; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP INVITE message Content-Length header size of zero"; flow:to_server,established,only_stream; sip_method:invite; pcre:"/^Content-Length\x3A\s+0[\r\n]/Hsmi"; detection_filter:track by_src, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20421; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP INVITE message invalid IP address"; flow:to_server,established; sip_method:invite; pcre:"/^INVITE\s+sip\x3A[^\r\n\x40]+\x40((192\.0\.[02]\.\d{1,3})|(127\.\d{1,3}\.\d{1,3}\.\d{1,3})|(128\.0\.\d{1,3}\.\d{1,3})|(191\.255\.\d{1,3}\.\d{1,3})|(223\.255\.255\.\d{1,3})|(2(2[4-9]|[34][0-9]|5[0-5])\.\d{1,3}\.\d{1,3}\.\d{1,3}))/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20420; rev:3;)
|
|
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 401 Unauthorized message"; flow:to_client,established; content:"SIP/2.0 401 Unauthorized"; fast_pattern:only; sip_stat_code:401; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20419; rev:3;)
|
|
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 481 Call/Leg Transaction Does Not Exist"; flow:to_client,established; content:"SIP/2.0 481 Call/Leg Transaction Does Not Exist"; fast_pattern:only; sip_stat_code:481; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20418; rev:3;)
|
|
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 415 Unsupported Media Type message"; flow:to_client,established; content:"SIP/2.0 415 Unsupported Media Type"; fast_pattern:only; sip_stat_code:415; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20417; rev:3;)
|
|
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 604 Does Not Exist Anywhere message"; flow:to_client,established; content:"SIP/2.0 604 Does Not Exist Anywhere"; fast_pattern:only; sip_stat_code:604; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20416; rev:3;)
|
|
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 501 Not Implemented message"; flow:to_client,established; content:"SIP/2.0 501 Not Implemented"; fast_pattern:only; sip_stat_code:501; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20415; rev:3;)
|
|
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 408 Request Timeout message"; flow:to_client,established; content:"SIP/2.0 408 Request Timeout"; fast_pattern:only; sip_stat_code:408; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20414; rev:3;)
|
|
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 100 Trying message"; flow:to_client,established; content:"SIP/2.0 100 Trying"; fast_pattern:only; sip_stat_code:100; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20413; rev:3;)
|
|
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 404 Not Found"; flow:to_client,established; content:"SIP/2.0 404 Not Found"; fast_pattern:only; sip_stat_code:404; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20412; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 404 Not Found"; flow:to_server,established; content:"SIP/2.0 404 Not Found"; fast_pattern:only; sip_stat_code:404; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20411; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 401 unauthorized message"; flow:to_server,established; content:"SIP/2.0 401 Unauthorized"; fast_pattern:only; sip_stat_code:401; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20410; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 481 Call/Leg Transaction Does Not Exist"; flow:to_server,established; content:"SIP/2.0 481 Call/Leg Transaction Does Not Exist"; fast_pattern:only; sip_stat_code:481; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20409; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 415 Unsupported Media Type message"; flow:to_server,established; content:"SIP/2.0 415 Unsupported Media Type"; fast_pattern:only; sip_stat_code:415; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20408; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 604 Does Not Exist Anywhere message"; flow:to_server,established; content:"SIP/2.0 604 Does Not Exist Anywhere"; fast_pattern:only; sip_stat_code:604; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20407; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 501 Not Implemented message"; flow:to_server,established; content:"SIP/2.0 501 Not Implemented"; fast_pattern:only; sip_stat_code:501; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20406; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 408 Request Timeout message"; flow:to_server,established; content:"SIP/2.0 408 Request Timeout"; fast_pattern:only; sip_stat_code:408; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20405; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 100 Trying message"; flow:to_server,established; content:"SIP/2.0 100 Trying"; fast_pattern:only; sip_stat_code:100; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20404; rev:3;)
|
|
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 405 Method Not Allowed response flood"; flow:to_client,established,only_stream; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:405; detection_filter:track by_dst, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20403; rev:4;)
|
|
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 405 Method Not Allowed response flood"; flow:to_client; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:405; detection_filter:track by_dst, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20402; rev:5;)
|
|
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 415 Unsupported Media Type response flood"; flow:to_client,established,only_stream; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:415; detection_filter:track by_dst, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20401; rev:4;)
|
|
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 415 Unsupported Media Type response flood"; flow:to_client; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:415; detection_filter:track by_dst, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20400; rev:5;)
|
|
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 420 Bad Extension response flood"; flow:to_client,established,only_stream; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:420; detection_filter:track by_dst, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20399; rev:4;)
|
|
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 420 Bad Extension response flood"; flow:to_client; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:420; detection_filter:track by_dst, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20398; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP INVITE flood"; flow:to_server,established,only_stream; sip_method:invite; detection_filter:track by_src, count 100, seconds 25; reference:cve,2008-5180; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20397; rev:4;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP INVITE flood attempt"; flow:to_server; sip_method:invite; detection_filter:track by_src, count 100, seconds 25; metadata:service sip; reference:cve,2008-5180; reference:cve,2017-6648; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-tele; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20396; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server,established,only_stream; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20395; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CANCEL flood"; flow:to_server,established,only_stream; sip_method:cancel; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20394; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP BYE flood"; flow:to_server,established,only_stream; sip_method:bye; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20393; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Attribute header buffer overflow attempt"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^a=[^\r\n]{256}/Psmi"; reference:bugtraq,16213; reference:cve,2006-0189; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-user; sid:20389; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP T.38 fax EC attribute buffer overflow attempt"; flow:to_server,established; content:"a=T38FaxUdpEC|3A|"; fast_pattern:only; pcre:"/^a=T38FaxUdpEC\x3A[^\r\n]{256}/smi"; metadata:service sip; reference:bugtraq,23648; reference:cve,2007-2293; classtype:attempted-admin; sid:20388; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP T.38 fax rate management attribute buffer overflow attempt"; flow:to_server,established; content:"a=T38FaxRateManagement|3A|"; fast_pattern:only; pcre:"/^a=T38FaxRateManagement\x3A[^\r\n]{256}/smi"; metadata:service sip; reference:bugtraq,23648; reference:cve,2007-2293; classtype:attempted-admin; sid:20387; rev:4;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Connection header invalid value"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^c=([^I]|I[^N]|IN[^\s]|IN\s+[^I]|IN\s+I[^P]|IN\s+IP[^46])/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-dos; sid:20386; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Version header overflow attempt"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^v=(-|(\d{6,}|[7-9]\d{5,}|6[6-9]\d{3,}|65[6-9]\d{2,}|655[4-9]\d+|6553[6-9]))/Psmi"; reference:url,tools.ietf.org/html/rfc4566; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; classtype:attempted-dos; sid:20385; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Time header contains long value"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^t=(\d{7,}|\d{1,6}\s\d{7,})/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-user; sid:20384; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Time header contains negative value"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^t=(-|\d{1,6}\s-)/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-user; sid:20383; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Media header port field invalid value"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^m=[A-Z]{1,20}\s(\d{6,}|[7-9]\d{5,}|6[6-9]\d{3,}|65[6-9]\d{2,}|655[4-9]\d+|6553[6-9])/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-user; sid:20382; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Authorization header invalid characters in response parameter"; flow:to_server,established; content:"Authorization|3A|"; fast_pattern:only; pcre:"/^Authorization\x3A[^\r\n]+?response=[\x00-\x09\x0B\x0C\x0E-\x7F]*[\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:20380; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Date header invalid characters detected"; flow:to_server,established; content:"Date|3A|"; fast_pattern:only; pcre:"/^Date\x3A[^\r\n]*[\x2D\x2B]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:misc-activity; sid:20379; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Date header invalid characters detected"; flow:to_server; content:"Date|3A|"; fast_pattern:only; pcre:"/^Date\x3A[^\r\n]*[\x2D\x2B]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:misc-activity; sid:20378; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Content-Type header invalid characters detected"; flow:to_server,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20377; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Content-Type header format string attempt"; flow:to_server,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20376; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header missing terminating quote"; flow:to_server,established; content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3a\s+\x22[^\x22]*\x3c/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20375; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header missing terminating quote"; flow:to_server; content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3a\s+\x22[^\x22]*\x3c/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20374; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header unquoted tokens in field attempt"; flow:to_server,established; content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3A\s+[^\r\n\x22\x3C]*[\x3B\x27\x2C]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20373; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header unquoted tokens in field attempt"; flow:to_server; content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3A\s+[^\r\n\x22\x3C]*[\x3B\x27\x2C]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20372; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header whitespace in field attempt"; flow:to_server,established; content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3A\s+[^\r\n\x3C]*\x3C[^\r\n\x3E]*?[\x20\x09]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20371; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header whitespace in field attempt"; flow:to_server; content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3A\s+[^\r\n\x3C]*\x3C[^\r\n\x3E]*?[\x20\x09]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20370; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header XSS injection attempt"; flow:to_server,established; content:"<script"; fast_pattern:only; pcre:"/^Contact\x3A\s+(\x22)?\x3Cscript/Hsmi"; classtype:misc-attack; sid:20367; rev:4;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header XSS injection attempt"; flow:to_server; content:"<script"; fast_pattern:only; pcre:"/^Contact\x3A\s+(\x22)?\x3Cscript/Hsmi"; classtype:misc-attack; sid:20366; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header invalid characters detected"; flow:to_server,established; content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20365; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header format string attempt"; flow:to_server,established; content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20364; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header multiple Call-ID headers"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; sip_header; content:"Call-ID|3A|"; nocase; content:"Call-ID|3A|"; distance:0; nocase; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20363; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header multiple Call-ID headers"; flow:to_server; content:" sip|3A|"; fast_pattern:only; sip_header; content:"Call-ID|3A|"; nocase; content:"Call-ID|3A|"; distance:0; nocase; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20362; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header invalid seperators"; flow:to_server,established; content:"|3B 2C|"; fast_pattern:only; pcre:"/^Call-ID\x3a\s+[^\r\n]*\x3B\x2C/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20361; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header invalid seperators"; flow:to_server; content:"|3B 2C|"; fast_pattern:only; pcre:"/^Call-ID\x3a\s+[^\r\n]*\x3B\x2C/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20360; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header format string attempt"; flow:to_server,established; content:"Call-ID|3A|"; fast_pattern:only; pcre:"/^Call-ID\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20359; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header format string attempt"; flow:to_server; content:"Call-ID|3A|"; fast_pattern:only; pcre:"/^Call-ID\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20358; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header XSS injection attempt"; flow:to_server,established; content:"<script"; fast_pattern:only; pcre:"/^Call-ID\x3A\s+(\x22)?\x3Cscript/Hsmi"; classtype:misc-attack; sid:20357; rev:4;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header XSS injection attempt"; flow:to_server; content:"<script"; fast_pattern:only; pcre:"/^Call-ID\x3A\s+(\x22)?\x3Cscript/Hsmi"; classtype:misc-attack; sid:20356; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header invalid characters detected"; flow:to_server,established; content:"Call-ID|3A|"; fast_pattern:only; pcre:"/^Call-ID\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20355; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header format string attempt"; flow:to_server,established; content:"Call-ID|3A|"; fast_pattern:only; pcre:"/^Call-ID\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20354; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Expires header invalid characters detected"; flow:to_server,established; content:"Expires|3A|"; fast_pattern:only; pcre:"/^Expires\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x2D\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20353; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Expires header overflow attempt"; flow:to_server,established; content:"Expires|3A|"; fast_pattern:only; pcre:"/^Expires\x3A\s+\d{11}/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:20352; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Subject header format string attempt"; flow:to_server,established; content:"Subject|3A|"; fast_pattern:only; pcre:"/^Subject\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20351; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Subject header format string attempt"; flow:to_server; content:"Subject|3A|"; fast_pattern:only; pcre:"/^Subject\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20350; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Subject header XSS injection attempt"; flow:to_server,established; content:"<script"; fast_pattern:only; pcre:"/^Subject\x3A\s+(\x22)?\x3Cscript/Hsmi"; classtype:misc-attack; sid:20349; rev:4;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Subject header XSS injection attempt"; flow:to_server; content:"<script"; fast_pattern:only; pcre:"/^Subject\x3A\s+(\x22)?\x3Cscript/Hsmi"; classtype:misc-attack; sid:20348; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header multiple To headers"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; sip_header; content:"To|3A|"; nocase; content:"To|3A|"; distance:0; nocase; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20347; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header multiple To headers"; flow:to_server; content:" sip|3A|"; fast_pattern:only; sip_header; content:"To|3A|"; nocase; content:"To|3A|"; distance:0; nocase; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20346; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header missing terminating quote"; flow:to_server,established; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3a\s+\x22[^\x22]*\x3c/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20345; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header missing terminating quote"; flow:to_server; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3a\s+\x22[^\x22]*\x3c/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20344; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header invalid seperators"; flow:to_server,established; content:"|3B 2C|"; fast_pattern:only; pcre:"/^To\x3a\s+[^\r\n]*\x3B\x2C/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20343; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header invalid seperators"; flow:to_server; content:"|3B 2C|"; fast_pattern:only; pcre:"/^To\x3a\s+[^\r\n]*\x3B\x2C/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20342; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header unquoted tokens in field attempt"; flow:to_server,established; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A\s+[^\r\n\x22\x3C]*[\x3B\x27\x2C]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20341; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header unquoted tokens in field attempt"; flow:to_server; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A\s+[^\r\n\x22\x3C]*[\x3B\x27\x2C]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20340; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header whitespace in field attempt"; flow:to_server,established; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A\s+[^\r\n\x3C]*\x3C[^\r\n\x3E]*?[\x20\x09]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20339; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header whitespace in field attempt"; flow:to_server; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A\s+[^\r\n\x3C]*\x3C[^\r\n\x3E]*?[\x20\x09]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20338; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header format string attempt"; flow:to_server,established; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20337; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header format string attempt"; flow:to_server; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20336; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header XSS injection attempt"; flow:to_server,established; content:"<script"; fast_pattern:only; pcre:"/^To\x3A\s+(\x22)?\x3Cscript/smiH"; classtype:misc-attack; sid:20335; rev:4;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header XSS injection attempt"; flow:to_server; content:"<script"; fast_pattern:only; pcre:"/^To\x3A\s+(\x22)?\x3Cscript/smiH"; classtype:misc-attack; sid:20334; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header invalid characters detected"; flow:to_server,established; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20333; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header contains recursive URL-encoded data"; flow:to_server,established; content:"%25%32%35%25%33%32%25%33%35%25%32%35%25%33%33"; fast_pattern:only; pcre:"/^To\x3A\s+%25%32%35%25%33%32%25%33%35%25%32%35%25%33%33/Hsmi"; reference:url,www.ietf.org/rfc/rfc2396.txt; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20332; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header multiple From headers"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; sip_header; content:"From|3A|"; nocase; content:"From|3A|"; distance:0; nocase; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20331; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header multiple From headers"; flow:to_server; content:" sip|3A|"; fast_pattern:only; sip_header; content:"From|3A|"; nocase; content:"From|3A|"; distance:0; nocase; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20330; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header missing terminating quote"; flow:to_server,established; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3a\s+\x22[^\x22]*\x3c/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20329; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header missing terminating quote"; flow:to_server; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3a\s+\x22[^\x22]*\x3c/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20328; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header unquoted tokens in field attempt"; flow:to_server,established; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A\s+[^\r\n\x22\x3C]*[\x3B\x27\x2C]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20327; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header unquoted tokens in field attempt"; flow:to_server; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A\s+[^\r\n\x22\x3C]*[\x3B\x27\x2C]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20326; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header whitespace in field attempt"; flow:to_server,established; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A\s+[^\r\n\x3C]*\x3C[^\r\n\x3E]*?[\x20\x09]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20325; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header whitespace in field attempt"; flow:to_server; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A\s+[^\r\n\x3C]*\x3C[^\r\n\x3E]*?[\x20\x09]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20324; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header format string attempt"; flow:to_server,established; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20323; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header XSS injection attempt"; flow:to_server,established; content:"<script"; fast_pattern:only; pcre:"/^From\x3A\s+(\x22)?\x3Cscript/Hsmi"; classtype:misc-attack; sid:20321; rev:4;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header XSS injection attempt"; flow:to_server; content:"<script"; fast_pattern:only; pcre:"/^From\x3A\s+(\x22)?\x3Cscript/Hsmi"; classtype:misc-attack; sid:20320; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header invalid characters detected"; flow:to_server,established; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20319; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header format string attempt"; flow:to_server,established; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20318; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Via header invalid seperators"; flow:to_server,established; content:"|3B 2C|"; fast_pattern:only; pcre:"/^Via\x3a\s+[^\r\n]*\x3B\x2C/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20317; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Via header invalid seperators"; flow:to_server; content:"|3B 2C|"; fast_pattern:only; pcre:"/^Via\x3a\s+[^\r\n]*\x3B\x2C/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20316; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Via header invalid characters detected"; flow:to_server,established; content:"Via|3A|"; fast_pattern:only; pcre:"/^Via\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20315; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Via header format string attempt"; flow:to_server,established; content:"Via|3A|"; fast_pattern:only; pcre:"/^Via\x3A\s*SIP\x2F2\x2E0\x2F(TC|UD)P\s+[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20314; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Via header missing SIP field"; flow:to_server,established; content:"Via|3A|"; fast_pattern:only; pcre:"/^Via\x3A\s+(?!SIP\x2F2\x2E0)/Hsmi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:20313; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Max-Forwards header invalid characters detected"; flow:to_server,established; content:"Max-Forwards|3A|"; fast_pattern:only; pcre:"/^Max-Forwards\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x2D\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20312; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Max-Forwards value over 70"; flow:to_server,established; content:"Max-Forwards|3A|"; fast_pattern:only; pcre:"/^Max-Forwards\x3A\s+(\d{3,}|[89]\d|7[1-9])/Hsmi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:20311; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq header multiple CSeq headers"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; sip_header; content:"CSeq|3A|"; nocase; content:"CSeq|3A|"; distance:0; nocase; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20310; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq header multiple CSeq headers "; flow:to_server; content:" sip|3A|"; fast_pattern:only; sip_header; content:"CSeq|3A|"; nocase; content:"CSeq|3A|"; distance:0; nocase; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20309; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq header method mismatch attempt"; flow:to_server,established; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^(?P<a>[A-Z]+)\s+sip\x3a.*?CSeq\x3a\s+\d+\s+(?!(?P=a))/smi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20308; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq header method mismatch attempt"; flow:to_server; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^(?P<a>[A-Z]+)\s+sip\x3a.*?CSeq\x3a\s+\d+\s+(?!(?P=a))/smi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20307; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq header invalid characters detected"; flow:to_server,established; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^CSeq\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20306; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq header format string attempt"; flow:to_server,established; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^CSeq\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20305; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP URI possible format string attempt"; flow:to_server,established; sip_method:invite,bye,cancel,options; content:"%"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n]*%/smi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:misc-activity; sid:20304; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP URI possible format string attempt"; flow:to_server; sip_method:invite,bye,cancel,options; content:"%"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n]*%/smi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:misc-activity; sid:20303; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP URI multiple at signs in message"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n\x40]+\x40{2}/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:20302; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP TEL URI type overflow attempt"; flow:to_server,established; content:"<tel"; fast_pattern:only; pcre:"/<tel[^\x3A]{6}/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:20301; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP URI type overflow attempt"; flow:to_server,established; content:"<sip"; fast_pattern:only; pcre:"/<sips?[^\x3A]{6}/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:20300; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Invalid request spaces at end of request line attempt"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; sip_method:invite,bye,cancel; pcre:"/^(INVITE|BYE|CANCEL)\s+sip\x3A[^\r\n\s]+\x40[^\r\n\s]+\s+SIP\x2F2\x2E0[^\r\n]\s[\r\n]/smi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20299; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Invalid request spaces at end of request line attempt"; flow:to_server; content:" sip|3A|"; fast_pattern:only; sip_method:invite,bye,cancel; pcre:"/^(INVITE|BYE|CANCEL)\s+sip\x3A[^\r\n\s]+\x40[^\r\n\s]+\s+SIP\x2F2\x2E0[^\r\n]\s[\r\n]/smi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20298; rev:3;)
|
|
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound INVITE message"; flow:to_server,established; content:"INVITE"; fast_pattern:only; sip_method:invite; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20297; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound INVITE message"; flow:to_server,established; content:"INVITE"; fast_pattern:only; sip_method:invite; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20296; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP INVITE message URI contains global broadcast address"; flow:to_server,established; sip_method:invite; content:"@255.255.255."; fast_pattern:only; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19410; rev:4;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP INVITE message URI contains global broadcast address"; flow:to_server; sip_method:invite; content:"@255.255.255."; fast_pattern:only; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19409; rev:4;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19389; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Media header description field format string attempt"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^m=[^\r\n]*%/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19388; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Media header description field format string attempt"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^m=[^\r\n]*%/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19387; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Media header description field overflow attempt"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^m=\s+[^\r\n]{256}/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19386; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Media header description field overflow attempt"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^m=\s+[^\r\n]{256}/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19385; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Session Name invalid header attempt"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^s=[^\r\n\x20-\x2B\x2D-\x7E]*[\x00-\x1F\x2C\x7F-\xFF]/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19384; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Session Name invalid header attempt"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^s=[^\r\n\x20-\x2B\x2D-\x7E]*[\x00-\x1F\x2C\x7F-\xFF]/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19383; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Session Name header format string attempt"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^s=[^\r\n]*%/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19382; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Session Name header format string attempt"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^s=[^\r\n]*%/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19381; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Session Name header overflow attempt"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^s=\s+[^\r\n]{256}/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19380; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Session Name header overflow attempt"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^s=\s+[^\r\n]{256}/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19379; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Origin invalid header"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^o=(\d+|\w+|\x2D)\s+\d+\s+\d+\s+IN\s+IP[46]\s+[^\r\n]*[\x2D\x5C\x80-\xFF\x00-\x08\x0B\x0C\x0E-\x19]/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19378; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Origin invalid header"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^o=(\d+|\w+|\x2D)\s+\d+\s+\d+\s+IN\s+IP[46]\s+[^\r\n]*[\x2D\x5C\x80-\xFF\x00-\x08\x0B\x0C\x0E-\x19]/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19377; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Origin header format string attempt"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^o=[^\r\n]*%/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19376; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Origin header format string attempt"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^o=[^\r\n]*%/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19375; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Origin header overflow attempt"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^o=\s+[^\r\n]{256}/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19374; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Origin header overflow attempt"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^o=\s+[^\r\n]{256}/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19373; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Time Stop Header invalid value"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:!"/^t=\d+\s+\d+[\r\n]/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19365; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Time Stop header invalid value"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:!"/^t=\d+\s+\d+[\r\n]/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19364; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP invalid SIP-Version field"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n\s]+\sSIP\x2F/smi"; pcre:!"/^[A-Z]+\s+sip\x3A[^\r\n\s]+\sSIP\x2F(2\x2e0|1\x2e[01])/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:19338; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP invalid SIP-Version field"; flow:to_server; content:" sip|3A|"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n\s]+\sSIP\x2F/smi"; pcre:!"/^[A-Z]+\s+sip\x3A[^\r\n\s]+\sSIP\x2F(2\x2e0|1\x2e[01])/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:19337; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Content-Type header invalid format missing slash"; flow:to_server,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type\x3a[^\r\n\x3B]\s*[^\x2F][\r\n]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19336; rev:4;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Content-Type header invalid format missing slash"; flow:to_server; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type\x3a[^\r\n\x3B]\s*[^\x2F][\r\n]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19335; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Content-Type header invalid format too many slashes"; flow:to_server,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type\x3A[^\r\n\x3B]+\x2F\x2F/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19334; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Content-Type header invalid format too many slashes"; flow:to_server; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type\x3A[^\r\n\x3B]+\x2F\x2F/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19333; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Max-Forwards header invalid characters detected"; flow:to_server; content:"Max-Forwards|3A|"; fast_pattern:only; pcre:"/^Max-Forwards\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x2D\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19302; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Expires header invalid characters detected"; flow:to_server; content:"Expires|3A|"; fast_pattern:only; pcre:"/^Expires\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x2D\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19301; rev:4;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP T.38 fax EC attribute buffer overflow attempt"; flow:to_server; content:"a=T38FaxUdpEC|3A|"; fast_pattern:only; pcre:"/^a=T38FaxUdpEC\x3A[^\r\n]{256}/smi"; metadata:service sip; reference:bugtraq,23648; reference:cve,2007-2293; classtype:attempted-admin; sid:14609; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP T.38 fax rate management attribute buffer overflow attempt"; flow:to_server; content:"a=T38FaxRateManagement|3A|"; fast_pattern:only; pcre:"/^a=T38FaxRateManagement\x3A[^\r\n]{256}/smi"; metadata:service sip; reference:bugtraq,23648; reference:cve,2007-2293; classtype:attempted-admin; sid:14608; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP OPTIONS message Call-ID header request misplaced - after terminating newline"; flow:to_server; sip_method:options; pcre:"/^OPTIONS.+\r\n\r\n(.+)?^Call-ID\x3A/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:13590; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP OPTIONS message Via header request misplaced - after terminating newline"; flow:to_server; sip_method:options; pcre:"/^OPTIONS.+\r\n\r\n(.+)?^Via\x3A/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:13589; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header field buffer overflow attempt"; flow:to_server; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A\s+[^\r\n]{256}/Hsmi"; reference:bugtraq,6904; reference:cve,2003-1108; reference:cve,2003-1109; reference:cve,2003-1115; reference:url,www.cert.org/advisories/CA-2003-06.html; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:12683; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header field buffer overflow attempt"; flow:to_server,established; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A\s+[^\r\n]{256}/Hsmi"; reference:bugtraq,6904; reference:cve,2003-1108; reference:cve,2003-1109; reference:cve,2003-1115; reference:url,www.cert.org/advisories/CA-2003-06.html; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:12682; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP URI overflow attempt"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n\x40]{256}/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:12681; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Via header hostname buffer overflow attempt"; flow:to_server,established; content:"Via|3A|"; fast_pattern:only; pcre:"/^Via\x3A\s+SIP\x2F2\x2E0\x2F(TCP|UDP)\s+[^\x3B\r\n]{63}/Hsmi"; reference:bugtraq,24542; reference:cve,2007-3369; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:12680; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS 2000 (msg:"PROTOCOL-VOIP Digium Asterisk data length field overflow attempt"; flow:established,to_server; dsize:>992; byte_test:4,>,992,0,little; reference:bugtraq,20617; reference:cve,2006-5444; reference:url,www.exploit-db.com/exploits/2597; classtype:attempted-user; sid:12359; rev:9;)
|
|
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 404 Not Found"; flow:to_client; content:"SIP/2.0 404 Not Found"; fast_pattern:only; sip_stat_code:404; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12181; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 404 Not Found"; flow:to_server; content:"SIP/2.0 404 Not Found"; fast_pattern:only; sip_stat_code:404; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12180; rev:5;)
|
|
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 481 Call/Leg Transaction Does Not Exist"; flow:to_client; content:"SIP/2.0 481 Call/Leg Transaction Does Not Exist"; fast_pattern:only; sip_stat_code:481; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12179; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 481 Call/Leg Transaction Does Not Exist"; flow:to_server; content:"SIP/2.0 481 Call/Leg Transaction Does Not Exist"; fast_pattern:only; sip_stat_code:481; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12178; rev:5;)
|
|
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 415 Unsupported Media Type message"; flow:to_client; content:"SIP/2.0 415 Unsupported Media Type"; fast_pattern:only; sip_stat_code:415; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12177; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 415 Unsupported Media Type message"; flow:to_server; content:"SIP/2.0 415 Unsupported Media Type"; fast_pattern:only; sip_stat_code:415; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12176; rev:5;)
|
|
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 604 Does Not Exist Anywhere message"; flow:to_client; content:"SIP/2.0 604 Does Not Exist Anywhere"; fast_pattern:only; sip_stat_code:604; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12175; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 604 Does Not Exist Anywhere message"; flow:to_server; content:"SIP/2.0 604 Does Not Exist Anywhere"; fast_pattern:only; sip_stat_code:604; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12174; rev:5;)
|
|
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 501 Not Implemented message"; flow:to_client; content:"SIP/2.0 501 Not Implemented"; fast_pattern:only; sip_stat_code:501; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12173; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 501 Not Implemented message"; flow:to_server; content:"SIP/2.0 501 Not Implemented"; fast_pattern:only; sip_stat_code:501; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12172; rev:6;)
|
|
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 408 Request Timeout message"; flow:to_client; content:"SIP/2.0 408 Request Timeout"; fast_pattern:only; sip_stat_code:408; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12171; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 408 Request Timeout message"; flow:to_server; content:"SIP/2.0 408 Request Timeout"; fast_pattern:only; sip_stat_code:408; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12170; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP URI multiple at signs in message"; flow:to_server; content:" sip|3A|"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n\x40]+\x40{2}/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:12167; rev:7;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP URI overflow attempt"; flow:to_server; content:" sip|3A|"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n\x40]{256}/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:12113; rev:7;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Sivus scanner detected"; flow:to_server; content:"sivus_voip_scanner"; fast_pattern:only; pcre:"/^From\x3A\s*sivus_voip_scanner/Hsmi"; reference:url,www.vopsecurity.org/; classtype:network-scan; sid:12112; rev:5;)
|
|
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 100 Trying message"; flow:to_client; content:"SIP/2.0 100 Trying"; fast_pattern:only; sip_stat_code:100; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12074; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 100 Trying message"; flow:to_server; content:"SIP/2.0 100 Trying"; fast_pattern:only; sip_stat_code:100; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12073; rev:6;)
|
|
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 401 Unauthorized message"; flow:to_client; content:"SIP/2.0 401 Unauthorized"; fast_pattern:only; sip_stat_code:401; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12007; rev:6;)
|
|
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound INVITE message"; flow:to_server; content:"INVITE"; fast_pattern:only; sip_method:invite; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12006; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Connection header invalid value"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^c=([^I]|I[^N]|IN[^\s]|IN\s+[^I]|IN\s+I[^P]|IN\s+IP[^46])/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-dos; sid:12005; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP INVITE message Content-Length header size of zero"; flow:to_server; sip_method:invite; pcre:"/^Content-Length\x3A\s+0[\r\n]/Hsmi"; detection_filter:track by_src, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12004; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CANCEL flood"; flow:to_server; sip_method:cancel; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12003; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP BYE flood"; flow:to_server; sip_method:bye; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12002; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Version header overflow attempt"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^v=(-|(\d{6,}|[7-9]\d{5,}|6[6-9]\d{3,}|65[6-9]\d{2,}|655[4-9]\d+|6553[6-9]))/Psmi"; reference:url,tools.ietf.org/html/rfc4566; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; classtype:attempted-dos; sid:12001; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP INVITE message invalid IP address"; flow:to_server; sip_method:invite; pcre:"/^INVITE\s+sip\x3A[^\r\n\x40]+\x40((192\.0\.[02]\.\d{1,3})|(127\.\d{1,3}\.\d{1,3}\.\d{1,3})|(128\.0\.\d{1,3}\.\d{1,3})|(191\.255\.\d{1,3}\.\d{1,3})|(223\.255\.255\.\d{1,3})|(2(2[4-9]|[34][0-9]|5[0-5])\.\d{1,3}\.\d{1,3}\.\d{1,3}))/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12000; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Via header invalid characters detected"; flow:to_server; content:"Via|3A|"; fast_pattern:only; pcre:"/^Via\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11999; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header invalid characters detected"; flow:to_server; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11998; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header invalid characters detected"; flow:to_server; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11997; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq header invalid characters detected"; flow:to_server; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^CSeq\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11996; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Content-Type header invalid characters detected"; flow:to_server; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11995; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header invalid characters detected"; flow:to_server; content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11994; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header invalid characters detected"; flow:to_server; content:"Call-ID|3A|"; fast_pattern:only; pcre:"/^Call-ID\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11993; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Content-Type header format string attempt"; flow:to_server; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11992; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq header format string attempt"; flow:to_server; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^CSeq\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11991; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header format string attempt"; flow:to_server; content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11990; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header format string attempt"; flow:to_server; content:"Call-ID|3A|"; fast_pattern:only; pcre:"/^Call-ID\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11989; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header format string attempt"; flow:to_server; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11988; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Via header format string attempt"; flow:to_server; content:"Via|3A|"; fast_pattern:only; pcre:"/^Via\x3A\s*SIP\x2F2\x2E0\x2F(TC|UD)P\s+[^\r\n%]*%/Hsmi"; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171018-sip1; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11987; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Authorization header invalid characters in response parameter"; flow:to_server; content:"Authorization|3A|"; fast_pattern:only; pcre:"/^Authorization\x3A[^\r\n]+?response=[\x00-\x09\x0B\x0C\x0E-\x7F]*[\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:11986; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Expires header overflow attempt"; flow:to_server; content:"Expires|3A|"; fast_pattern:only; pcre:"/^Expires\x3A\s+\d{11}/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:11985; rev:7;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Time header contains long value"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^t=(\d{7,}|\d{1,6}\s\d{7,})/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-user; sid:11984; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Time header contains negative value"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^t=(-|\d{1,6}\s-)/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-user; sid:11983; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header contains recursive URL-encoded data"; flow:to_server; content:"%25%32%35%25%33%32%25%33%35%25%32%35%25%33%33"; fast_pattern:only; pcre:"/^To\x3A\s+%25%32%35%25%33%32%25%33%35%25%32%35%25%33%33/Hsmi"; reference:url,www.ietf.org/rfc/rfc2396.txt; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11982; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP MultiTech INVITE message buffer overflow attempt"; flow:to_server; sip_method:invite; pcre:"/^INVITE\s[^\s\r\n]{60}/smi"; reference:bugtraq,15711; reference:cve,2005-4050; classtype:attempted-user; sid:11981; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Attribute header buffer overflow attempt"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^a=[^\r\n]{256}/Psmi"; reference:bugtraq,16213; reference:cve,2006-0189; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-user; sid:11980; rev:7;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Media header port field invalid value"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^m=[A-Z]{1,20}\s(\d{6,}|[7-9]\d{5,}|6[6-9]\d{3,}|65[6-9]\d{2,}|655[4-9]\d+|6553[6-9])/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-user; sid:11979; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP TEL URI type overflow attempt"; flow:to_server; content:"<tel"; fast_pattern:only; pcre:"/<tel[^\x3A]{6}/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:11977; rev:7;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP URI type overflow attempt"; flow:to_server; content:"<sip"; fast_pattern:only; pcre:"/<sips?[^\x3A]{6}/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:11976; rev:7;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Via header missing SIP field"; flow:to_server; content:"Via|3A|"; fast_pattern:only; pcre:"/^Via\x3A\s+(?!SIP\x2F2\x2E0)/Hsmi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:11975; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Via header hostname buffer overflow attempt"; flow:to_server; content:"Via|3A|"; fast_pattern:only; pcre:"/^Via\x3A\s+SIP\x2F2\x2E0\x2F(TCP|UDP)\s+[^\x3B\r\n]{63}/Hsmi"; reference:bugtraq,24542; reference:cve,2007-3369; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:11973; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Max-Forwards value over 70"; flow:to_server; content:"Max-Forwards|3A|"; fast_pattern:only; pcre:"/^Max-Forwards\x3A\s+(\d{3,}|[89]\d|7[1-9])/Hsmi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:11972; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq buffer overflow attempt"; flow:to_server; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^CSeq\x3a\s+[^\r\n]{25}/Hsmi"; metadata:policy max-detect-ips drop; reference:bugtraq,13504; reference:bugtraq,15711; reference:bugtraq,18906; reference:bugtraq,36015; reference:cve,2005-1461; reference:cve,2005-4050; reference:cve,2006-3524; reference:cve,2009-2726; reference:nessus,18986; reference:url,www.ethereal.com/news/item_20050504_01.html; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11971; rev:7;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 401 unauthorized message"; flow:to_server; content:"SIP/2.0 401 Unauthorized"; fast_pattern:only; sip_stat_code:401; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:11969; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound INVITE message"; flow:to_server; content:"INVITE"; fast_pattern:only; sip_method:invite; metadata:ruleset community, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:11968; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-VOIP PA168 chipset based IP phone authentication bypass"; flow:to_server,established; content:"POST /g"; depth:7; nocase; content:"back=++Back++|0D 0A 0D 0A|"; distance:0; nocase; metadata:service http; reference:bugtraq,22191; reference:cve,2007-0528; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr06-14; classtype:attempted-admin; sid:10124; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-VOIP PA168 chipset based IP phone default password attempt"; flow:to_server,established; content:"auth=12345678&login=+++Login+++"; nocase; metadata:service http; reference:bugtraq,22191; reference:cve,2007-0528; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr06-14; classtype:attempted-admin; sid:10123; rev:14;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"PROTOCOL-VOIP Digium Asterisk IAX2 truncated mini-frame packet overflow attempt"; flow:to_server; dsize:<4; byte_test:2,<,32768,0; reference:bugtraq,18307; reference:cve,2006-2923; classtype:attempted-admin; sid:6515; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"PROTOCOL-VOIP Digium Asterisk IAX2 truncated full-frame packet overflow attempt"; flow:to_server; dsize:<12; byte_test:2,&,32768,0; reference:bugtraq,18307; reference:cve,2006-2923; classtype:attempted-admin; sid:6514; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"PROTOCOL-VOIP Digium Asterisk IAX2 truncated video mini-frame packet overflow attempt"; flow:to_server; dsize:<6; content:"|00 00|"; depth:2; byte_test:2,&,32768,0,relative; reference:bugtraq,18295; reference:cve,2006-2898; classtype:attempted-admin; sid:6513; rev:5;)
|
|
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt"; flow:to_client,established,only_stream; sip_stat_code:4; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27904; rev:2;)
|
|
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client,established,only_stream; sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27903; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt"; flow:to_server,established,only_stream; sip_method:options; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27902; rev:2;)
|
|
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client; sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27901; rev:3;)
|
|
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt"; flow:to_client; sip_stat_code:4; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27900; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt"; flow:to_server; sip_method:options; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27899; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP attempted DOS detected"; flow:to_server; sip_body; content:"m="; content:"c="; distance:0; metadata:service sip; reference:cve,2013-5641; reference:cve,2013-5642; reference:url,downloads.asterisk.org/pub/security/AST-2013-005.html; classtype:denial-of-service; sid:28165; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Sipvicious User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: friendly-scanner"; fast_pattern:only; metadata:service sip; reference:url,advantia.ca/weblog/less-than-friendly-scanner--sipvicious; classtype:attempted-recon; sid:28993; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk SIP channel driver denial of service attempt"; flow:to_server; sip_method:bye; sip_header; content:"Also|3A|"; fast_pattern:only; metadata:service sip; reference:cve,2008-0095; reference:url,downloads.asterisk.org/pub/security/AST-2008-001.html; classtype:denial-of-service; sid:33445; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2000 (msg:"PROTOCOL-VOIP Digium Asterisk SCCP keypad button message denial of service attempt"; flow:to_server,established,no_stream; flowbits:isset,sccp.callstate; dsize:>600; content:"|10 00 00 00 00 00 00 00 03 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:cve,2012-2415; classtype:attempted-dos; sid:24720; rev:7;)
|
|
alert tcp $EXTERNAL_NET 2000 -> $HOME_NET any (msg:"PROTOCOL-VOIP Digium Asterisk SCCP call state message offhook"; flow:to_client,established; content:"|00 00 00 00 11 01 00 00 01 00 00 00|"; fast_pattern:only; flowbits:set,sccp.callstate; flowbits:noalert; metadata:policy max-detect-ips drop; reference:cve,2012-2415; classtype:attempted-dos; sid:24719; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5038 (msg:"PROTOCOL-VOIP Digium Asterisk Manager command shell execution attempt"; flow:to_server,established; flowbits:isset,asteriskmi; content:"EVAL("; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,53206; reference:cve,2012-2414; reference:url,downloads.asterisk.org/pub/security/AST-2012-004.html; classtype:policy-violation; sid:23210; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5038 (msg:"PROTOCOL-VOIP Digium Asterisk Manager command shell execution attempt"; flow:to_server,established; flowbits:isset,asteriskmi; content:"SHELL("; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,53206; reference:cve,2012-2414; reference:url,downloads.asterisk.org/pub/security/AST-2012-004.html; classtype:policy-violation; sid:23209; rev:9;)
|
|
alert tcp $HOME_NET 5038 -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Digium Asterisk Manager Interface initial banner"; flow:to_client,established; content:"Asterisk Call Manager"; fast_pattern:only; flowbits:set,asteriskmi; flowbits:noalert; classtype:misc-activity; sid:23208; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk Management Interface HTTP digest authentication stack buffer overflow attempt"; flow:to_server,established; content:"Authorization: Digest"; http_header; content:!"|0A|"; within:500; http_header; pcre:"/^Authorization\x3a\sDigest[^\n]*?(=[^,\s\n\x22\x27]{500}|\s[^=\n\x22\x27]{500})/mH"; metadata:policy max-detect-ips drop, service http; reference:url,downloads.asterisk.org/pub/security/AST-2012-003.html; classtype:attempted-admin; sid:21753; rev:12;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt"; flow:to_server; sip_method:register; sip_header; content:"|0D 0A 0D 0A|"; content:!"Contact"; nocase; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,50117; reference:cve,2011-4063; classtype:attempted-dos; sid:21101; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt"; flow:to_server,established; sip_method:invite; content:"Remote-Party-Id|3A|scsip|3A|"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\scsip\x3A[^@]+@\d{1,3}\x2E\d{1,3}\x2E\xD1/Hsmi"; metadata:policy max-detect-ips drop; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/warp/public/707/cisco-sr-20070320-sip.shtml; classtype:attempted-dos; sid:20425; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk Attribute header rtpmap field buffer overflow attempt"; flow:to_server,established; content:"a|3D|rtpmap|3A|"; fast_pattern:only; sip_method:invite,bye; pcre:"/(^a\x3Drtpmap\x3A[^\n]*\r\n){31}/Psmi"; metadata:policy max-detect-ips drop; reference:cve,2008-1289; classtype:misc-attack; sid:20392; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk Attribute header rtpmap field buffer overflow attempt"; flow:to_server; content:"a|3D|rtpmap|3A|"; fast_pattern:only; sip_method:invite,bye; pcre:"/(^a\x3Drtpmap\x3A[^\n]*\r\n){31}/Psmi"; metadata:policy max-detect-ips drop; reference:cve,2008-1289; classtype:misc-attack; sid:20391; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Attribute header rtpmap field invalid payload type"; flow:to_server,established; content:"a=rtpmap|3A|"; nocase; byte_test:9,>,256,0,relative,string; metadata:policy max-detect-ips drop; reference:bugtraq,28308; reference:cve,2008-1289; reference:url,www.asterisk.org/node/48466; classtype:attempted-user; sid:20390; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Remote-Party-ID header hexadecimal characters in IP address field"; flow:to_server,established; content:"Remote-Party-ID|3A|"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\s+[^\r\n]+\x40[^\r\n]*?[\x80-\xFF]/Hsmi"; metadata:policy max-detect-ips drop; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/en/US/products/products_security_response09186a00808075ad.html; classtype:attempted-admin; sid:20381; rev:7;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-VOIP Digium Asterisk UDPTL processing overflow attempt"; flow:to_server; content:"|08 C0 01 80 00 02 FF C0 02|"; depth:12; offset:2; content:"|80|"; within:2; byte_test:1,>,9,1,relative; metadata:policy max-detect-ips drop; reference:bugtraq,46474; reference:cve,2011-1147; classtype:attempted-admin; sid:19167; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"PROTOCOL-VOIP Digium Asterisk IAX2 ack response denial of service attempt"; flow:to_server; content:"|80 EB 00 00 00 00 00 0A 00 00 06 04|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,28901; reference:cve,2008-1897; reference:url,downloads.digium.com/pub/security/AST-2008-006.html; classtype:attempted-dos; sid:16445; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq buffer overflow attempt"; flow:to_server,established; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^CSeq\x3a\s+[^\r\n]{25}/smi"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,13504; reference:bugtraq,15711; reference:bugtraq,18906; reference:bugtraq,36015; reference:cve,2005-1461; reference:cve,2005-4050; reference:cve,2006-3524; reference:cve,2009-2726; reference:nessus,18986; reference:url,www.ethereal.com/news/item_20050504_01.html; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:16351; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Attribute header rtpmap field invalid payload type"; flow:to_server; content:"a=rtpmap|3A|"; nocase; byte_test:9,>,256,0,relative,string; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,28308; reference:cve,2008-1289; reference:url,www.asterisk.org/node/48466; classtype:attempted-user; sid:13693; rev:12;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Remote-Party-ID header hexadecimal characters in IP address field"; flow:to_server; content:"Remote-Party-ID|3A|"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\s+[^\r\n]+\x40[^\r\n]*?[\x80-\xFF]/Hsmi"; metadata:policy max-detect-ips drop; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/en/US/products/products_security_response09186a00808075ad.html; classtype:attempted-admin; sid:13664; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt"; flow:to_server; sip_method:invite; content:"Remote-Party-Id"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\scsip\x3A[^@]+@\d{1,3}\x2E\d{1,3}\x2E\xD1/Hsmi"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/warp/public/707/cisco-sr-20070320-sip.shtml; classtype:attempted-dos; sid:11970; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP javascript found in SIP headers attempt"; flow:to_server,established; sip_method:invite,message; content:"xzY3JpcHQ+"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6061; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-123; classtype:attempted-user; sid:36735; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP javascript found in SIP headers attempt"; flow:to_server,established; sip_method:invite,message; content:"PHNjcmlwdD"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6061; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-123; classtype:attempted-user; sid:36734; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP javascript found in SIP headers attempt"; flow:to_server,established; sip_method:invite,message; content:"8c2NyaXB0P"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6061; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-123; classtype:attempted-user; sid:36733; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Mr.SIP SIP servers discovery attempt"; flow:to_server,established; sip_method:options; content:"branch=z9hG4bK-"; fast_pattern:only; content:"To:"; content:"sip:@"; within:15; metadata:service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-recon; sid:45584; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Mr.SIP SIP servers discovery attempt"; flow:to_server; sip_method:options; content:"branch=z9hG4bK-"; fast_pattern:only; content:"To:"; content:"sip:@"; within:15; metadata:service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-recon; sid:45583; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Mr.SIP subscribe request denial of service attempt"; flow:to_server,established,only_stream; sip_method:subscribe; content:"branch=z9hg4bk-"; fast_pattern:only; detection_filter:track by_src, count 50, seconds 15; metadata:service sip; reference:url,github.com/meliht/mr.sip; classtype:attempted-dos; sid:45582; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Mr.SIP options request denial of service attempt"; flow:to_server,established,only_stream; sip_method:options; content:"branch=z9hG4bK-"; fast_pattern:only; detection_filter:track by_src, count 50, seconds 15; metadata:service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-dos; sid:45581; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Mr.SIP invite request denial of service attempt"; flow:to_server,established,only_stream; sip_method:invite; content:"branch=z9hG4bK-"; fast_pattern:only; detection_filter:track by_src, count 50, seconds 15; metadata:service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-dos; sid:45580; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Mr.SIP subscribe request denial of service attempt"; flow:to_server; content:"branch=z9hg4bk-"; fast_pattern:only; sip_method:subscribe; detection_filter:track by_src, count 50, seconds 15; metadata:service sip; reference:url,github.com/meliht/mr.sip; classtype:attempted-dos; sid:45579; rev:4;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Mr.SIP options request denial of service attempt"; flow:to_server; sip_method:options; content:"branch=z9hG4bK-"; fast_pattern:only; detection_filter:track by_src, count 50, seconds 15; metadata:service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-dos; sid:45578; rev:4;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Mr.SIP invite request denial of service attempt"; flow:to_server; sip_method:invite; content:"branch=z9hG4bK-"; fast_pattern:only; detection_filter:track by_src, count 50, seconds 15; metadata:service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-dos; sid:45577; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server,established,only_stream; sip_header; content:"SIP/2.0/TCP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48265; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server; sip_header; content:"SIP/2.0/UDP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48264; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: siparmyknife"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48352; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: VaxSIPUserAgent"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48351; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: CSipSimple"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48350; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: smap"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48349; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sundayddr"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48348; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Gulp"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48347; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: iWar"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48346; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: SIVuS"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48345; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: VaxIPUserAgent"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48344; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipv"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48343; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: friendly-request"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48342; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipsak"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48341; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipvicious"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48340; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipcli"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48339; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sip-scan"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48338; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: SIPScan"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48337; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Test Agent"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48336; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Ozeki"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48335; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Ozeki"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48334; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: eyeBeam"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48333; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: hamdan"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48332; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: eyeBeam"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48331; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: pplsip"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48330; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: hamdan"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48329; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Conaito"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48328; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Conaito"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48327; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: pplsip"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48326; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: SIPScan"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48325; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Test Agent"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48324; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipcli"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48323; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: siparmyknife"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48322; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: VaxSIPUserAgent"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48321; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: VaxIPUserAgent"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48320; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: friendly-request"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48319; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: smap"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48318; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipv"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48317; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Gulp"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48316; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: SIVuS"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48315; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: iWar"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48314; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sundayddr"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48313; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipsak"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48312; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: CSipSimple"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48311; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipvicious"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48310; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sip-scan"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48309; rev:1;)
|
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-VOIP SIP over SCTP wildcard VIA address attempt"; ip_proto:132; content:"SIP/2.0/SCTP 0.0.0.0"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48593; rev:1;)
|