[VOIPSEC] VOIP and IDS
Smith, Donald
Donald.Smith at qwest.com
Mon Jul 11 15:36:30 CDT 2005
Sir, I would recommend you forward your question to the snort developers
list.
snort-devel at lists.sourceforge.net
In general snort handles stateful type connections via a preprocessor.
That is how fragments, long running scans etc... are handled.
I think it would be interesting to have an H323 or SIP snort preprocessor;
someone on the developers list might agree :)
As for gsm type discovery of anomalies you would have to maintain a LOT
more information but it should be possible.
donald.smith at qwest.com giac
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org
> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Henrik Ingo
> Sent: Monday, July 11, 2005 8:55 AM
> To: Voipsec at voipsa.org
> Subject: [VOIPSEC] VOIP and IDS
>
>
> I just realised there might be some very knowledgeable Snort people on
> this list...
>
> What is the situation with VOIP and Intrusion Detection? How well does
> Snort (or any other IDS) recognize "traditional" IP network attacks like
> DoS or attacks on SIP?
>
> On the other hand, are there any systems that perform analysis that we'd
> be familiar with from gsm networks (or credit card companies for that)
> ie. same person calling from Finland and Taiwan within an hour, phone
> bill doubles from last month, calls lots of numbers he's never used
> before etc...
>
> I'm actually more interested in the latter. Example case would be that
> someone finds out/guesses someone else's password and starts calling on
> their account.
>
> I've not used Snort, but I've understood it's based on finding
> fingerprints (kind of like virus engine) but it doesn't have any sense
> of history which this kind of (statistical, time-series) analysis would
> require?
>
> henrik
> --
> Henrik.Ingo at sesca.com
> +358 40 569 7354
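The history-based checks asked about in the quoted message (same account in two countries within an hour, bill doubling from last month, many never-used numbers), as an added example that is not part of the original thread and is not Snort code. The record layout, thresholds and sample call records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed call detail records: (account, start time, source country, callee, cost)
CDRS = [
    ("alice", "2005-06-03 10:00", "FI", "+358401111111", 2.0),
    ("alice", "2005-06-17 18:30", "FI", "+358402222222", 3.0),
    ("bob",   "2005-07-05 09:00", "FI", "+358403333333", 4.0),
    ("alice", "2005-07-11 12:00", "FI", "+358401111111", 2.0),
    ("alice", "2005-07-11 12:40", "TW", "+886900000001", 6.0),
    ("alice", "2005-07-11 12:50", "TW", "+886900000002", 6.0),
    ("alice", "2005-07-11 12:55", "TW", "+886900000003", 6.0),
]

def detect_anomalies(cdrs, travel_window=timedelta(hours=1), new_callee_limit=3):
    """Return (account, time, reason) alerts; records must be in time order."""
    last_seen = {}                                   # account -> (time, country)
    known = defaultdict(set)                         # account -> callees ever dialled
    spend = defaultdict(lambda: defaultdict(float))  # account -> (year, month) -> cost
    new_today = defaultdict(set)                     # (account, date) -> first-time callees
    alerts = []
    for account, ts, country, callee, cost in cdrs:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        # 1. Same account active in two countries within the travel window.
        if account in last_seen:
            prev_when, prev_country = last_seen[account]
            if prev_country != country and when - prev_when <= travel_window:
                alerts.append((account, ts, f"location {prev_country}->{country}"))
        last_seen[account] = (when, country)
        # 2. Burst of numbers the account has never called before (needs history).
        if known[account] and callee not in known[account]:
            day = new_today[(account, when.date())]
            day.add(callee)
            if len(day) == new_callee_limit:
                alerts.append((account, ts, f"{new_callee_limit} new numbers in a day"))
        known[account].add(callee)
        # 3. Running bill for this month crosses twice last month's total.
        month = (when.year, when.month)
        prev_month = (when.year - (when.month == 1), (when.month - 2) % 12 + 1)
        before = spend[account][month]
        spend[account][month] = before + cost
        baseline = spend[account].get(prev_month, 0.0)
        if baseline and before < 2 * baseline <= spend[account][month]:
            alerts.append((account, ts, "bill doubled vs last month"))
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(CDRS):
        print(alert)
```

Every check depends on per-account state carried across calls, which is the "sense of history" that packet-signature matching alone does not provide.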