
📄 voip.rules

📁 This is a snapshot of the latest Snort rules
# voip.rules -- Snort signatures for SIP signalling on UDP/TCP port 5060.
#
# Conventions that can be read off this file:
#   - $EXTERNAL_NET and $HOME_NET are referenced but not defined here; they must
#     come from the main Snort configuration that includes this file.
#   - A rule written as "# alert ..." is disabled (commented out). Delete the
#     leading "# " to enable it. Most of the disabled rules are informational
#     status-line watchers (1xx/4xx/5xx/6xx responses) or vendor policy rules.
#   - The pcre options use the /smi flags: "m" makes "^" anchor at the start of
#     any line (so "^From\x3A" means "a header line beginning with From:"),
#     "s" lets "." cross line breaks, and "i" makes the match case-insensitive.
#   - "classtype" and "reference" are metadata; they do not affect whether a
#     rule matches.

# --- Format-string checks --------------------------------------------------
# The header value is scanned up to the first "%" character.
# NOTE(review): "%" is also the percent-encoding escape allowed in SIP URIs and
# display names, so a legitimately encoded From/Contact/Call-ID/Via value will
# match as well; expect noise from peers that send escaped characters.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP From header format string attempt"; content:"From|3A|"; nocase; content:"%"; distance:0; pcre:"/^From\x3A\s*[^\r\n%]*%/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11988; rev:2;)

# --- Flood / rate rules (sids 12003, 12002, 12004) -------------------------
# "threshold:type both, track by_src" raises one alert once "count" matching
# packets from a single source are seen inside "seconds", then at most one
# further alert per window.
# NOTE(review): the in-rule "threshold" keyword is deprecated in later Snort 2.x
# releases in favour of detection_filter / event_filter; check the deployed
# Snort version before relying on it.
# CANCEL: 10 requests from one source in 5 s.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP CANCEL flood"; content:"CANCEL"; depth:6; nocase; content:"sip|3A|"; distance:0; nocase; content:"SIP/2.0"; distance:0; nocase; pcre:"/^CANCEL\s+sip\x3A[^\r\n\s]+\x40[^\r\n\s]+\s+SIP\x2F2\x2E0/smi"; threshold:type both, track by_src, count 10, seconds 5; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12003; rev:2;)

# --- SDP body checks ---------------------------------------------------------
# All SDP rules first require "Content-Type: application/sdp" on its own header
# line, then inspect one SDP line type.
# "t=" line with a negative start time ("t=-...") or a negative stop time
# ("t=<1-6 digits> -...").
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP SDP negative time value"; content:"Content-Type|3A|"; nocase; content:"application/sdp"; distance:0; nocase; content:"t="; distance:0; nocase; content:"-"; distance:0; pcre:"/^Content-Type\x3A\s+application\x2Fsdp/smi"; pcre:"/^t=(-|\d{1,6}\s-)/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-user; sid:11983; rev:2;)

# --- "Invalid characters" checks (To/Via/Contact/From/Content-Type/Call-ID) --
# Fire on any control byte other than TAB, LF and CR, or on any byte >= 0x80,
# anywhere in the header line.
# NOTE(review): RFC 3261 allows UTF-8 in display-names, so non-ASCII caller
# names in From/To will match these too; expect noise from internationalised
# endpoints.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP To header invalid characters detected"; content:"To|3A|"; nocase; pcre:"/^To\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11998; rev:2;)

# --- 401 Unauthorized (sids 12007 outbound, 11969 inbound) -------------------
# A 401 challenge is the normal first step of SIP digest authentication, so both
# rules are informational and can be high-volume on a busy registrar. 12007 is
# the only rule in this file that watches $HOME_NET -> $EXTERNAL_NET traffic.
alert udp $HOME_NET 5060 -> $EXTERNAL_NET any (msg:"VOIP-SIP outbound 401 Unauthorized message"; content:"SIP/2.0 401 Unauthorized"; depth:24; nocase; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12007; rev:2;)

# Contact header format string (see the note on sid 11988 above).
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP Contact header format string attempt"; content:"Contact|3A|"; nocase; content:"%"; distance:0; pcre:"/^Contact\x3A\s*[^\r\n%]*%/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11990; rev:2;)

# Six or more non-":" bytes directly after "<sip" or "<sips", i.e. a URI scheme
# that never terminates.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP overflow in URI type - SIP"; content:"<sip"; nocase; pcre:"/<sips?[^\x3A]{6}/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:11976; rev:3;)

# Call-ID header format string (see the note on sid 11988 above).
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP Call-ID header format string attempt"; content:"Call-ID|3A|"; nocase; content:"%"; distance:0; pcre:"/^Call-ID\x3A\s*[^\r\n%]*%/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11989; rev:2;)

# 60 or more non-whitespace bytes immediately after "INVITE " (Request-URI
# length check). Vendor-specific; see the bugtraq/cve references.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP MultiTech INVITE field buffer overflow attempt"; content:"INVITE"; depth:6; nocase; pcre:"/^INVITE\s[^\s\r\n]{60}/smi"; reference:bugtraq,15711; reference:cve,2005-4050; classtype:attempted-user; sid:11981; rev:4;)

# Via header invalid characters (see the group note on sid 11998 above).
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP Via header invalid characters detected"; content:"Via|3A|"; nocase; pcre:"/^Via\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11999; rev:2;)

# Status-line watcher, disabled by default; informational only.
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP inbound 501 Not Implemented message"; content:"SIP/2.0 501 Not Implemented"; depth:27; nocase; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12172; rev:2;)

# INVITE whose Request-URI host part (after "@") is a literal IPv4 address in a
# loopback, reserved or multicast range: 127/8, 192.0.0/24, 192.0.2/24,
# 128.0/16, 191.255/16, 223.255.255/24 and 224.0.0.0 through 255.255.255.255.
# Hostnames are not checked.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP INVITE invalid IP address"; content:"INVITE"; nocase; content:"sip"; distance:0; nocase; pcre:"/^INVITE\s+sip\x3A[^\r\n\x40]+\x40((192\.0\.[02]\.\d{1,3})|(127\.\d{1,3}\.\d{1,3}\.\d{1,3})|(128\.0\.\d{1,3}\.\d{1,3})|(191\.255\.\d{1,3}\.\d{1,3})|(223\.255\.255\.\d{1,3})|(2(2[4-9]|[34][0-9]|5[0-5])\.\d{1,3}\.\d{1,3}\.\d{1,3}))/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12000; rev:2;)

# Status line "SIP/2.0 " not followed by exactly three digits (negative
# lookahead). Watches responses from port 5060; disabled by default.
# alert udp $EXTERNAL_NET 5060 -> $HOME_NET any (msg:"VOIP-SIP response code not three digits"; content:"SIP/2.0 "; depth:8; nocase; pcre:"/^SIP\/2\.0\s+(?!\d{3})/smi"; reference:bugtraq,23093; reference:cve,2007-1594; classtype:attempted-admin; sid:12072; rev:2;)

# Contact / From header invalid characters (see the group note on sid 11998).
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP Contact header invalid characters detected"; content:"Contact|3A|"; nocase; pcre:"/^Contact\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11994; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP From header invalid characters detected"; content:"From|3A|"; nocase; pcre:"/^From\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11997; rev:2;)

# Via header format string: only inspected after a "SIP/2.0/TCP" or
# "SIP/2.0/UDP" transport token (see the note on sid 11988 for the "%" caveat).
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP Via header format string attempt"; content:"Via|3A|"; nocase; content:"%"; distance:0; pcre:"/^Via\x3A\s*SIP\x2F2\x2E0\x2F(TC|UD)P\s+[^\r\n%]*%/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11987; rev:2;)

# SDP "c=" line whose value does not start with "IN IP4" or "IN IP6"
# (the alternation rejects each prefix position in turn).
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP invalid SDP connection value"; content:"Content-Type|3A|"; nocase; content:"application/sdp"; distance:0; nocase; content:"c="; distance:0; nocase; pcre:"/^Content-Type\x3A\s+application\x2Fsdp/smi"; pcre:"/^c=([^I]|I[^N]|IN[^\s]|IN\s+[^I]|IN\s+I[^P]|IN\s+IP[^46])/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-dos; sid:12005; rev:2;)

# Status-line watcher, disabled by default.
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP inbound 604 Does Not Exist Anywhere message"; content:"SIP/2.0 604 Does Not Exist Anywhere"; depth:35; nocase; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12174; rev:2;)

# Any UDP datagram of fewer than 11 bytes sent to port 5060; no content check.
# NOTE(review): CRLF keep-alives (RFC 5626) and other short NAT keep-alive
# pings satisfy this, so it is noisy where such clients exist. The msg says
# "response", but the rule matches requests and responses alike.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP response too small"; dsize:<11; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:11974; rev:2;)

# Only two consecutive "@" ("...@@...") in the Request-URI match; a URI such
# as "a@b@c" does not, because the pattern requires \x40{2} back to back.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP multiple at signs in SIP URI"; content:" sip|3A|"; nocase; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n\x40]+\x40{2}/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:12167; rev:3;)

# Max-Forwards of 71 or more. Note that the \d{3,} branch also matches
# zero-padded values such as "070", which are not actually over 70.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP Max-Forwards value over 70"; content:"Max-Forwards|3A|"; nocase; pcre:"/^Max-Forwards\x3A\s+(\d{3,}|[89]\d|7[1-9])/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:11972; rev:2;)

# Content-Type invalid characters (see the group note on sid 11998). Unlike its
# siblings this pcre omits the "\x3A" after the header name; harmless, but
# inconsistent.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP Content-Type header invalid characters detected"; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11995; rev:2;)

# Fixed literal: a multiply nested percent-encoding (the string decodes to a
# further %-encoded sequence) at the start of the To value.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP recursive URL-encoded data in To header"; content:"To|3A|"; nocase; content:"%25%32%35%25%33%32%25%33%35%25%32%35%25%33%33"; distance:0; nocase; pcre:"/^To\x3A\s+%25%32%35%25%33%32%25%33%35%25%32%35%25%33%33/smi"; reference:url,www.ietf.org/rfc/rfc2396.txt; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11982; rev:2;)

# NOTE(review): msg says "outbound" but the header is $EXTERNAL_NET 5060 ->
# $HOME_NET any, i.e. responses arriving from outside (same for sid 12179).
# Disabled by default.
# alert udp $EXTERNAL_NET 5060 -> $HOME_NET any (msg:"VOIP-SIP outbound 415 Unsupported Media Type message"; content:"SIP/2.0 415 Unsupported Media Type"; depth:34; nocase; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12177; rev:2;)

# Keyed on the literal default From value "sivus_voip_scanner"; only that
# string is recognised.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP Sivus scanner detected"; content:"From|3A|"; nocase; content:"sivus_voip_scanner"; distance:0; nocase; pcre:"/^From\x3A\s*sivus_voip_scanner/smi"; reference:url,www.vopsecurity.org/; classtype:network-scan; sid:12112; rev:2;)

# Status-line watchers, disabled by default. 12073 is additionally rate-limited
# to one alert per source every 300 s ("threshold:type limit").
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP inbound 100 Trying message"; content:"SIP/2.0 100 Trying"; depth:18; nocase; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12073; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP inbound 401 unauthorized message"; content:"SIP/2.0 401 Unauthorized"; depth:24; nocase; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:11969; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP inbound 404 Not Found"; content:"SIP/2.0 404 Not Found"; depth:21; nocase; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12180; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP inbound 408 Request Timeout message"; content:"SIP/2.0 408 Request Timeout"; depth:27; nocase; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12170; rev:2;)

# BYE flood: 100 requests from one source in 25 s (see the flood note on 12003).
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP BYE flood"; content:"BYE"; depth:3; nocase; content:"sip|3A|"; distance:0; nocase; content:"SIP/2.0"; distance:0; nocase; pcre:"/^BYE\s+sip\x3A[^\r\n\s]+\x40[^\r\n\s]+\s+SIP\x2F2\x2E0/smi"; threshold:type both, track by_src, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12002; rev:2;)

# Call-ID invalid characters (see the group note on sid 11998).
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP Call-ID header invalid characters detected"; content:"Call-ID|3A|"; nocase; pcre:"/^Call-ID\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11993; rev:2;)

# 25 INVITEs carrying "Content-Length: 0" from one source in 10 s
# (see the flood note on 12003).
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP INVITE message invalid Content-Length size of zero"; content:"INVITE"; depth:6; nocase; content:"sip|3A|"; distance:0; nocase; content:"SIP/2.0"; distance:0; nocase; content:"Content-Length|3A|"; distance:0; nocase; content:"0"; distance:0; pcre:"/^INVITE\s+sip\x3A[^\r\n\s]+\x40[^\r\n\s]+\s+SIP\x2F2\x2E0/smi"; pcre:"/^Content-Length\x3A\s+0[\r\n]/smi"; threshold:type both, track by_src, count 25, seconds 10; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12004; rev:2;)

# SDP "m=" line whose port is 65536 or more (the alternation enumerates every
# decimal form above 65535). The media type must be 1-20 letters followed by a
# single whitespace character.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP oversized SDP media port"; content:"Content-Type|3A|"; nocase; content:"application/sdp"; distance:0; nocase; content:"m="; distance:0; nocase; pcre:"/^Content-Type\x3A\s+application\x2Fsdp/smi"; pcre:"/^m=[A-Z]{1,20}\s(\d{6,}|[7-9]\d{5,}|6[6-9]\d{3,}|65[6-9]\d{2,}|655[4-9]\d+|6553[6-9])/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-user; sid:11979; rev:2;)

# "outbound" in the msg but inbound in the header; see the note on sid 12177.
# alert udp $EXTERNAL_NET 5060 -> $HOME_NET any (msg:"VOIP-SIP outbound 481 Call/Leg Transaction Does Not Exist"; content:"SIP/2.0 481 Call/Leg Transaction Does Not Exist"; depth:47; nocase; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12179; rev:2;)

# NOTE(review): sids 12683 (UDP) and 12682 (TCP) say "From header" in the msg,
# but both the content and the pcre inspect the To header (256 or more bytes
# after "To:"). Either the msg or the match is mislabelled; confirm against the
# referenced CA-2003-06 PROTOS cases before relying on the alert name.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP From header field buffer overflow attempt - UDP"; content:"To|3A|"; nocase; pcre:"/^To\x3A\s+[^\r\n]{256}/smi"; reference:bugtraq,6904; reference:cve,2003-1108; reference:cve,2003-1109; reference:cve,2003-1115; reference:url,www.cert.org/advisories/CA-2003-06.html; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:12683; rev:2;)

# --- TCP variants (flow:established) ----------------------------------------
# Request-URI user part of 256 or more bytes before the "@".
alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP SIP URI possible overflow"; flow:established; content:" sip|3A|"; nocase; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n\x40]{256}/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:12681; rev:3;)
# Via sent-by host of 63 or more bytes with no ";" (parameter separator) after
# the "SIP/2.0/TCP" or "SIP/2.0/UDP" transport token.
alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP Via header hostname buffer overflow attempt - TCP"; flow:established; content:"Via|3A|"; nocase; pcre:"/^Via\x3A\s+SIP\x2F2\x2E0\x2F(TCP|UDP)\s+[^\x3B\r\n]{63}/smi"; reference:bugtraq,24542; reference:cve,2007-3369; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:12680; rev:4;)
# TCP twin of sid 12683; same From/To labelling caveat.
alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP From header field buffer overflow attempt - TCP"; flow:established; content:"To|3A|"; nocase; pcre:"/^To\x3A\s+[^\r\n]{256}/smi"; reference:bugtraq,6904; reference:cve,2003-1108; reference:cve,2003-1109; reference:cve,2003-1115; reference:url,www.cert.org/advisories/CA-2003-06.html; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:12682; rev:2;)

# --- OPTIONS request structure checks (sids 13589, 13590, 13587, 13588) ----
# All four are disabled by default. "metadata:policy security-ips drop" is a
# vendor policy hint carried as metadata; it does not by itself change the
# action of an "alert" rule.
# 13589/13590: the named header appears only after the CRLF CRLF that ends the
# header block, i.e. inside the body.
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP OPTIONS request misplaced Via field - after terminating newline"; content:"OPTIONS"; depth:7; nocase; content:"Via|3A|"; nocase; pcre:"/^OPTIONS.+\r\n\r\n(.+)?^Via\x3A/smi"; metadata:policy security-ips drop; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:13589; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP OPTIONS request misplaced Call-ID field - after terminating newline"; content:"OPTIONS"; depth:7; nocase; content:"Call-ID|3A|"; nocase; pcre:"/^OPTIONS.+\r\n\r\n(.+)?^Call-ID\x3A/smi"; metadata:policy security-ips drop; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:13590; rev:1;)
# 13587/13588: negated content (content:!"...") -- fires on any OPTIONS whose
# payload contains no "Via:" / "Call-ID:" at all.
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP OPTIONS request missing RFC-mandated Via field"; content:"OPTIONS"; depth:7; nocase; content:!"Via|3A|"; nocase; metadata:policy security-ips drop; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:13587; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP OPTIONS request missing RFC-mandated Call-ID field"; content:"OPTIONS"; depth:7; nocase; content:!"Call-ID|3A|"; nocase; metadata:policy security-ips drop; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:13588; rev:1;)

# NOTE(review): msg says "hexadecimal characters", but the pattern matches any
# byte in 0x80-0xFF after the "@" of the Remote-Party-ID value. The content
# match has no "nocase" while the pcre uses /i, so a header name that is not
# exactly "Remote-Party-ID" in that case never reaches the pcre. Disabled.
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP hexadecimal characters in IP address portion of Remote-Party-ID field"; content:"Remote-Party-ID|3A|"; pcre:"/^Remote-Party-ID\x3A\s+[^\r\n]+\x40[^\r\n]*?[\x80-\xFF]/smi"; metadata:policy security-ips alert; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/en/US/products/products_security_response09186a00808075ad.html; classtype:attempted-admin; sid:13664; rev:1;)

# byte_test reads up to 9 decimal digits ("string") immediately after
# "a=rtpmap:" and fires when the value is greater than 256. RTP payload types
# are 0-127, so values 128-256 are also out of spec but do not alert; the
# threshold is tied to the referenced Asterisk issue rather than to RFC
# conformance.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"VOIP-SIP invalid RTP payload type - possible Asterisk memory overwrite"; content:"Content-Type|3A|"; nocase; content:"application/sdp"; distance:0; nocase; pcre:"/^Content-Type\x3A\s+application\x2Fsdp/smi"; content:"a=rtpmap|3A|"; distance:0; nocase; byte_test:9,>,256,0,relative,string; reference:bugtraq,28308; reference:cve,2008-1289; reference:url,www.asterisk.org/node/48466; classtype:attempted-user; sid:13693; rev:1;)
