[VOIPSEC] VOIP and IDS
Henrik Ingo
henrik.ingo at sesca.com
Tue Jul 12 01:22:31 CDT 2005
Thanks for your answer...
Smith, Donald wrote:
> Sir, I would recommend you forward your question to the snort developers
> list.
> snort-devel at lists.sourceforge.net
>
Sure, I realise that, but in the end I'm more interested in the SIP and
VOIP part and IDS in general, snort just being one case of IDS.
> In general snort handles stateful type connections via a preprocessor.
> That is how fragments, long running scans etc... are handled.
>
> I think it would be interesting to have an H323 or SIP snort preprocessor;
> someone on the developers list might agree :)
> As for GSM type discovery of anomalies you would have to maintain a LOT
> more information but it should be possible.
Hence the question. If a system is set up to recognize things like "some
packets during the last minute amount up to scan X" it might not be
suitable for things like "last month's calls add up to a rather sizeable
bill". Also that kind of "phone network" IDS might actually be more
feasible to do in concert with the SIP proxy and backend database,
rather than sniffing the network and storing the same data in the IDS
(snort or otherwise) system.
henrik
--
Henrik.Ingo at sesca.com
+358 40 569 7354
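
The contrast drawn in the message above, as an added example that is not part of the original post: a short-window rule of the kind a packet-level IDS keeps state for, next to a month-long billing rule computed from call detail records of the kind a SIP proxy's backend database would hold. The record layout, addresses, rates and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed CDR layout: (caller, call start, duration in seconds, cost per minute)

def burst_alerts(cdrs, window=timedelta(minutes=1), max_calls=3):
    """Short-window rule: callers starting more than max_calls calls within window."""
    recent, flagged = defaultdict(deque), set()
    for caller, start, _dur, _rate in sorted(cdrs, key=lambda r: r[1]):
        q = recent[caller]
        q.append(start)
        # Only the last `window` of state is kept per caller.
        while start - q[0] > window:
            q.popleft()
        if len(q) > max_calls:
            flagged.add(caller)
    return flagged

def monthly_bill_alerts(cdrs, limit):
    """Long-window rule: total cost per caller per calendar month above limit."""
    totals = defaultdict(float)
    for caller, start, dur, rate in cdrs:
        totals[(caller, start.strftime("%Y-%m"))] += dur / 60 * rate
    return {key: round(cost, 2) for key, cost in totals.items() if cost > limit}

def sample_cdrs():
    """Constructed sample data, not taken from any real system."""
    base = datetime(2005, 6, 1, 9, 0, 0)
    # alice: four 5-second calls inside 30 seconds, cheap rate (looks like a scan)
    cdrs = [("sip:alice@example.com", base + timedelta(seconds=10 * i), 5, 0.10)
            for i in range(4)]
    # bob: one 45-minute call per day for 30 days, expensive rate (never bursts)
    cdrs += [("sip:bob@example.com", base + timedelta(days=d), 45 * 60, 0.50)
             for d in range(30)]
    return cdrs

if __name__ == "__main__":
    cdrs = sample_cdrs()
    print("burst rule:", burst_alerts(cdrs))
    print("monthly bill rule:", monthly_bill_alerts(cdrs, limit=100.0))
```

The burst rule needs only a minute of per-caller state, while the billing rule needs every accounted call for the month, which the accounting database already stores.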