[VOIPSEC] VOIP and IDS
Credland, Jim
jim.credland at thus.net
Tue Jul 12 05:22:37 CDT 2005
If you're looking at application level stuff to do with telephone calls then
you might do well to look at technology ported from the POTS world.
You could look at the stuff from ectel (http://www.ectel.com/) - they make a
carrier class VoIP probe and some software that hangs off the back to do
analysis - but I suspect it's pretty expensive.
On the IDS front though I'm interested in anything that spots dodgy looking
SIP packets.
So far:
1. Checkpoint's Firewall-1 I've noticed includes some vague screening but
it's not precisely clear what it's looking for.
2. Cisco claim that IOS "monitors the network for misuse of the SIP
protocol, and potential intrusion to the session." whatever that means.
3. SCIDIVE looks interesting, it's a dedicated VoIP IDS platform being put
together by Avaya Labs and a handful of university people.
http://shay.ecn.purdue.edu/~dcsl/Publications/papers/scidive_dsn04_submit.pdf
The only catch is that I'm not sure a working implementation exists yet and
that the paper only talks about 4 attacks.
Have I missed anything obvious off my list?
jim.credland at thus.net
Security Consultant
> -----Original Message-----
> From: Henrik Ingo [mailto:henrik.ingo at sesca.com]
> Sent: 12 July 2005 07:23
> To: Smith, Donald
> Cc: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] VOIP and IDS
>
> Thanks for your answer...
>
> Smith, Donald wrote:
> > Sir, I would recommend you forward your question to the snort
> > developers list.
> > snort-devel at lists.sourceforge.net
> >
>
> Sure, I realise that, but in the end I'm more interested in
> the SIP and VOIP part and IDS in general, snort just being
> one case of IDS.
>
> > In general snort handles stateful type connections via a
> > preprocessor.
> > That is how fragments, long running scans etc... are handled.
> >
> > I think it would be interesting to have a H323 or SIP snort
> > preprocessor someone on the developers list might agree:)
> > As for gsm
> > type discovery of anomalies you would have to maintain a LOT more
> > information but it should be possible.
>
> Hence the question. If a system is set up to recognize things
> like "some packets during the last minute amount up to scan
> X" it might not be suitable for things like "last month's
> calls add up to a rather sizeable bill". Also that kind of
> "phone network" IDS might actually be more feasible to do in
> concert with the SIP proxy and backend database, rather than
> sniffing the network and storing the same data in the IDS
> (snort or otherwise) system.
>
> henrik
> --
> Henrik.Ingo at sesca.com
> +358 40 569 7354
>
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
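The two kinds of check discussed in this thread side by side, as an added illustration that is not part of the original mailing list post: a grammar check on SIP request lines and a per-minute INVITE counter (what a packet-level preprocessor can do), next to a 30-day spend check that only works with the proxy's call-detail records. The log format, the request-line grammar, the CDR tuples and all thresholds are assumptions made up for the example.

```python
import re
from collections import Counter, defaultdict
# Constructed sample, one SIP request per line: "<epoch> <source IP> <request line>".
SIP_LOG = """\
1121151600 10.0.0.5 INVITE sip:1001@example.net SIP/2.0
1121151601 10.0.0.5 INVITE sip:1002@example.net SIP/2.0
1121151602 10.0.0.5 INVITE sip:1003@example.net SIP/2.0
1121151603 10.0.0.5 INVITE sip:1004@example.net SIP/2.0
1121151605 10.0.0.9 INVITE sip:2001@example.net SIP/2.0
1121151606 10.0.0.9 REGISTER sip:example.net SIP/2.0
1121151607 10.0.0.7 INVITE sip:%%%%@example.net SIP/2.0
"""
NOW = 1121151600  # 2005-07-12 07:00 UTC, "current time" for the constructed CDRs
# Constructed call-detail records from the proxy's billing backend:
# (account, call start epoch, cost in cents).
CDRS = [
    ("alice", NOW - 5 * 86400, 350),
    ("bob", NOW - 2 * 86400, 6000),
    ("bob", NOW - 10 * 86400, 5500),
    ("carol", NOW - 3 * 86400, 800),
    ("carol", NOW - 45 * 86400, 9500),  # falls outside a 30-day window
]
# Deliberately narrow request-line grammar; anything that does not fit is flagged.
REQ_LINE = re.compile(r"^(INVITE|ACK|BYE|CANCEL|REGISTER|OPTIONS) sip:[\w.@+-]+ SIP/2\.0$")

def parse_log(text):
    """Yield (epoch, source, request line) for each logged SIP request."""
    for line in text.splitlines():
        ts, src, req = line.split(" ", 2)
        yield int(ts), src, req

def malformed_requests(text):
    """Request lines that do not fit REQ_LINE: the 'dodgy looking packet' check."""
    return [(src, req) for _, src, req in parse_log(text) if not REQ_LINE.match(req)]

def invite_bursts(text, window=60, limit=3):
    """Sources with more than `limit` INVITEs in one `window`-second bucket (preprocessor-style counter)."""
    buckets = Counter()
    for ts, src, req in parse_log(text):
        if req.startswith("INVITE "):
            buckets[(src, ts // window)] += 1
    return sorted({src for (src, _), n in buckets.items() if n > limit})

def overspending_accounts(cdrs, now, days=30, limit_cents=10000):
    """Accounts spending over `limit_cents` in the last `days` days, from the proxy's CDRs."""
    spend = defaultdict(int)
    for account, start, cents in cdrs:
        if start >= now - days * 86400:
            spend[account] += cents
    return sorted(a for a, c in spend.items() if c > limit_cents)
```

Note that widening the CDR window changes which accounts trip the spend check while the packet-level checks are unaffected, which is the point Henrik makes about where each kind of detection belongs.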