# Copyright 2001-2007 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules"). The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2007 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2007 Sourcefire, Inc. All Rights
# Reserved. All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights). In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#-----------
# VOIP RULES
#-----------
#
# Reading notes for this file:
#   * Every rule is an "alert udp" rule keyed on SIP's default port 5060
#     (sid 11971 also covers 5061). SIP carried over TCP or TLS is not
#     matched by anything in this file.
#   * Rules written as "# alert ..." are shipped disabled. They are
#     protocol-command-decode rules that match ordinary SIP requests and
#     status lines (INVITE, 100 Trying, 404, ...), so enabling them is a
#     visibility choice rather than an attack detection.
#   * $EXTERNAL_NET and $HOME_NET are Snort variables expected to be defined
#     elsewhere in the Snort configuration.
#   * Option order inside a rule is significant: "distance"/"within" and
#     "isdataat ... relative" are anchored on the preceding content match,
#     so options must not be reordered.
#   * The "smi" pcre flags make "^" match at the start of any line, which is
#     how header-name anchors like /^Via\x3A/ work inside a SIP message.

# sid 11975: Via header whose value does not start with "SIP/2.0"
# (negative lookahead after the header name).
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP Via header missing SIP field"; content:"Via|3A|"; nocase; pcre:"/^Via\x3A\s+(?!SIP\x2F2\x2E0)/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:11975; rev:2;)

# sid 11996: control bytes or high-bit (0x80-0xFF) bytes inside a CSeq
# header value; tab, CR and LF are excluded from the class.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP CSeq header invalid characters detected"; content:"CSeq|3A|"; nocase; pcre:"/^CSeq\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11996; rev:2;)

# sid 11991: a "%" anywhere in the CSeq header value (format specifier
# indicator). The fast-pattern content "%" is relative to "CSeq:".
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP CSeq header format string attempt"; content:"CSeq|3A|"; nocase; content:"%"; distance:0; pcre:"/^CSeq\x3A\s*[^\r\n%]*%/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11991; rev:2;)

# sid 11977: "<tel" followed by six or more non-colon bytes, i.e. the URI
# scheme token is longer than "tel" before its ":".
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP overflow in URI type - Tel"; content:"<tel"; nocase; pcre:"/<tel[^\x3A]{6}/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:11977; rev:3;)

# sid 12001: SDP body (Content-Type: application/sdp) whose "v=" line is
# negative or numerically larger than 65535 (the alternation spells out
# every decimal form of a value >= 65536).
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP SDP version overflow attempt"; content:"Content-Type|3A|"; nocase; content:"application/sdp"; distance:0; nocase; content:"v="; distance:0; nocase; pcre:"/^Content-Type\x3A\s+application\x2Fsdp/smi"; pcre:"/^v=(-|(\d{6,}|[7-9]\d{5,}|6[6-9]\d{3,}|65[6-9]\d{2,}|655[4-9]\d+|6553[6-9]))/smi"; reference:url,tools.ietf.org/html/rfc4566; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; classtype:attempted-dos; sid:12001; rev:2;)

# sid 11970: INVITE carrying a Remote-Party-ID header with a "csip:" URI.
# NOTE(review): the pcre ends in "\xD1", a literal byte, where the
# dotted-quad pattern (\d{1,3}\x2E\d{1,3}\x2E...) would suggest another
# digit group; confirm the regex matches the intended header form before
# relying on this rule, as written it requires a 0xD1 byte after the
# second dot.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP Cisco 7940/7960 INVITE Remote-Party-ID denial of service attempt"; content:"INVITE"; depth:6; nocase; content:"Remote-Party-Id"; nocase; content:"csip|3A|"; distance:0; nocase; pcre:"/Remote-Party-ID\x3A\scsip\x3A[^@]+@\d{1,3}\x2E\d{1,3}\x2E\xD1/smi"; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/warp/public/707/cisco-sr-20070320-sip.shtml; classtype:attempted-dos; sid:11970; rev:2;)

# sid 11973: Via sent-by host of 63 or more bytes with no ";" or line end
# (transport must be TCP or UDP for the regex to match).
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP Via header hostname buffer overflow attempt"; content:"Via|3A|"; nocase; pcre:"/^Via\x3A\s+SIP\x2F2\x2E0\x2F(TCP|UDP)\s+[^\x3B\r\n]{63}/smi"; reference:bugtraq,24542; reference:cve,2007-3369; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:11973; rev:4;)

# sid 11984: SDP "t=" line whose start or stop time has 7+ digits.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP SDP oversized time value"; content:"Content-Type|3A|"; nocase; content:"application/sdp"; distance:0; nocase; content:"t="; distance:0; nocase; pcre:"/^Content-Type\x3A\s+application\x2Fsdp/smi"; pcre:"/^t=(\d{7,}|\d{1,6}\s\d{7,})/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-user; sid:11984; rev:2;)

# sid 12175 (disabled): "SIP/2.0 604 Does Not Exist Anywhere" status line.
# NOTE(review): msg says "outbound" but the header matches traffic from
# $EXTERNAL_NET port 5060 into $HOME_NET; the same applies to sids 12173,
# 12181, 12171 and 12074 below. Confirm the intended direction before
# enabling.
# alert udp $EXTERNAL_NET 5060 -> $HOME_NET any (msg:"VOIP-SIP outbound 604 Does Not Exist Anywhere message"; content:"SIP/2.0 604 Does Not Exist Anywhere"; depth:35; nocase; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12175; rev:2;)

# sid 11980: SDP "a=" line of 256+ bytes without a line break. The
# negated content (no LF within 257 bytes of "a=") is a cheap pre-filter
# for the pcre that enforces the length.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP SDP attribute buffer overflow attempt"; content:"Content-Type|3A|"; nocase; content:"application/sdp"; distance:0; nocase; content:"a="; distance:0; nocase; content:!"|0A|"; within:257; pcre:"/^Content-Type\x3A\s+application\x2Fsdp/smi"; pcre:"/^a=[^\r\n]{256}/smi"; reference:bugtraq,16213; reference:cve,2006-0189; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-user; sid:11980; rev:4;)

# sid 12006 (disabled): INVITE request line leaving $HOME_NET.
# NOTE(review): the pcre character classes contain an unescaped double
# quote ([\w-'"]); confirm the rule parses as intended if it is enabled.
# The same pattern is used by sid 11968 below.
# alert udp $HOME_NET 5060 -> $EXTERNAL_NET any (msg:"VOIP-SIP outbound INVITE message"; content:"INVITE"; depth:6; nocase; content:"SIP/2.0"; distance:0; nocase; pcre:"/^INVITE\s+(sips?|tel|https?)\x3A[\w-'"]+\x40[\w-'"\x2E]+\s+/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12006; rev:3;)

# sid 11986: a high-bit (0x80-0xFF) byte inside the Authorization header's
# response= parameter; NUL-0x09, 0x0B, 0x0C and 0x0E-0x7F are skipped first.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP invalid characters in authorization response parameter"; content:"Authorization|3A|"; nocase; content:"response="; distance:0; nocase; pcre:"/^Authorization\x3A[^\r\n]+?response=[\x00-\x09\x0B\x0C\x0E-\x7F]*[\x80-\xFF]/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:11986; rev:2;)

# sid 12173 (disabled): "SIP/2.0 501 Not Implemented" status line.
# alert udp $EXTERNAL_NET 5060 -> $HOME_NET any (msg:"VOIP-SIP outbound 501 Not Implemented message"; content:"SIP/2.0 501 Not Implemented"; depth:27; nocase; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12173; rev:2;)

# sid 12178 (disabled): "SIP/2.0 481 Call/Leg Transaction Does Not Exist"
# status line arriving on port 5060.
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP inbound 481 Call/Leg Transaction Does Not Exist"; content:"SIP/2.0 481 Call/Leg Transaction Does Not Exist"; depth:47; nocase; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12178; rev:2;)

# sid 11968 (disabled): INVITE request line entering $HOME_NET (see the
# quoting note on sid 12006).
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP inbound INVITE message"; content:"INVITE"; depth:6; nocase; content:"SIP/2.0"; distance:0; nocase; pcre:"/^INVITE\s+(sips?|tel|https?)\x3A[\w-'"]+\x40[\w-'"\x2E]+\s+/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:11968; rev:3;)

# sid 12061: a line consisting of "SIP/2.0", whitespace and a lone "0"
# (a status line with response code 0).
# NOTE(review): the msg lacks the "VOIP-SIP " prefix every other rule in
# this file uses; alert triage that keys on the prefix will miss it.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"SIP request line equal To zero"; content:"SIP/2.0"; nocase; content:"0"; distance:0; nocase; pcre:"/^SIP\/2\.0\s+0\s*$/smi"; reference:bugtraq,24359; reference:cve,2007-2297; reference:url,bugs.digium.com/view.php?id=9313; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12061; rev:2;)

# sid 12176 (disabled): "SIP/2.0 415 Unsupported Media Type" status line.
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP inbound 415 Unsupported Media Type message"; content:"SIP/2.0 415 Unsupported Media Type"; depth:34; nocase; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12176; rev:2;)

# sid 11985: Expires header value with 11 or more digits (beyond the
# 32-bit range RFC 3261 allows for delta-seconds).
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP Expires header overflow attempt"; content:"Expires|3A|"; nocase; pcre:"/^Expires\x3A\s+\d{11}/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:11985; rev:3;)

# sid 11992: a "%" anywhere in the Content-Type header value; same shape
# as sid 11991 for CSeq.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP Content-Type header format string attempt"; content:"Content-Type|3A|"; nocase; content:"%"; distance:0; pcre:"/^Content-Type\x3A\s*[^\r\n%]*%/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11992; rev:2;)

# sid 12113: request line whose "sip:" URI has 256+ bytes before any "@"
# or line end (the user part of the Request-URI).
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP SIP URI overflow attempt"; content:" sip|3A|"; nocase; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n\x40]{256}/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:12113; rev:3;)

# sid 12181 (disabled): "SIP/2.0 404 Not Found" status line.
# alert udp $EXTERNAL_NET 5060 -> $HOME_NET any (msg:"VOIP-SIP outbound 404 Not Found"; content:"SIP/2.0 404 Not Found"; depth:21; nocase; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12181; rev:2;)

# sid 12171 (disabled): "SIP/2.0 408 Request Timeout" status line.
# alert udp $EXTERNAL_NET 5060 -> $HOME_NET any (msg:"VOIP-SIP outbound 408 Request Timeout message"; content:"SIP/2.0 408 Request Timeout"; depth:27; nocase; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12171; rev:2;)

# sid 12074 (disabled): "SIP/2.0 100 Trying" status line, rate-limited to
# one alert per source every 300 seconds since this is a routine
# provisional response.
# alert udp $EXTERNAL_NET 5060 -> $HOME_NET any (msg:"VOIP-SIP outbound 100 Trying message"; content:"SIP/2.0 100 Trying"; depth:18; nocase; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12074; rev:2;)

# sid 11971: CSeq header with at least 25 bytes after "CSeq:" and no LF
# among them (isdataat guarantees the bytes exist before the negated
# content is evaluated). The only rule in this file that also watches
# port 5061.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060:5061 (msg:"VOIP-SIP CSeq buffer overflow attempt"; content:"CSeq|3A|"; nocase; isdataat:25,relative; content:!"|0A|"; within:25; reference:bugtraq,18906; reference:cve,2005-4050; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11971; rev:2;)

# sid 11978: From header value of 256+ bytes without a line break.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP from header field buffer overflow attempt"; content:"From|3A|"; nocase; pcre:"/^From\x3A\s+[^\r\n]{256}/smi"; reference:url,www.cert.org/advisories/CA-2003-06.html; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:11978; rev:3;)