[VOIPSEC] VOIP and IDS
Scott Beverly
scottbeverly at mercuryrm.com
Tue Jul 12 08:45:58 CDT 2005
What I was envisioning was something with a learning engine that can
learn to understand patterns in usage. This is more what I thought the
original poster was interested in using for an anti-fraud type thing. I
don't know, but I suspect that credit card companies have been using
this kind of AI for years to spot fraud in card usage. This type of
thing wouldn't be as interested in a packet flow like an IDS but more in
the billing records or call authorization accounting.
Scott...
On Tue, 2005-07-12 at 09:22 +0300, Henrik Ingo wrote:
> Thanks for your answer...
>
> Smith, Donald wrote:
> > Sir, I would recommend you forward your question to the snort developers
> > list.
> > snort-devel at lists.sourceforge.net
> >
>
> Sure, I realise that, but in the end I'm more interested in the SIP and
> VOIP part and IDS in general, snort just being one case of IDS.
>
> > In general snort handles stateful type connections via a preprocessor.
> > That is how fragments, long running scans etc... are handled.
> >
> > I think it would be interesting to have a H323 or SIP snort preprocessor
> > someone on the developers list might agree:)
> > As for GSM type discovery of anomalies you would have to maintain a LOT
> > more information but it should be possible.
>
> Hence the question. If a system is set up to recognize things like "some
> packets during the last minute amount up to scan X" it might not be
> suitable for things like "last month's calls add up to a rather sizeable
> bill". Also that kind of "phone network" IDS might actually be more
> feasible to do in concert with the SIP proxy and backend database,
> rather than sniffing the network and storing the same data in the IDS
> (snort or otherwise) system.
>
> henrik
--
Scott Beverly
Mercury Risk Management
scottbeverly at mercuryrm do t com
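
Added example, not part of the original thread: a small sketch of the approach discussed above, which learns each account's normal usage from call accounting records instead of packet flows and flags a day that departs from it. The record layout, the account names, the median/MAD statistic and the threshold are all assumptions of this example, and the records are constructed.

```python
from collections import defaultdict
from statistics import median

def build_cdrs():
    """Constructed call detail records: (account, day, destination prefix, cost)."""
    cdrs = []
    for day in range(1, 29):                                   # 28 days of history
        cdrs.append(("alice", day, "+358", 1.5 + (day % 3) * 0.5))
        cdrs.append(("bob", day, "+1", 10.0 + (day % 5)))
    cdrs.append(("alice", 29, "+882", 45.0))                   # unusual day
    cdrs.append(("bob", 29, "+1", 13.0))                       # ordinary day
    return cdrs

def daily_spend(cdrs):
    """Sum call cost per (account, day)."""
    totals = defaultdict(float)
    for account, day, _prefix, cost in cdrs:
        totals[(account, day)] += cost
    return totals

def learn_baselines(cdrs, last_training_day):
    """Per account: (median daily spend, median absolute deviation)."""
    history = defaultdict(list)
    for (account, day), total in daily_spend(cdrs).items():
        if day <= last_training_day:
            history[account].append(total)
    baselines = {}
    for account, values in history.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        # Floor the spread so a perfectly flat history cannot divide by zero.
        baselines[account] = (med, max(mad, 0.01 * med, 0.01))
    return baselines

def score_day(cdrs, baselines, day, threshold=6.0):
    """Return (account, spend, score) for accounts far above their own baseline."""
    alerts = []
    for (account, d), total in sorted(daily_spend(cdrs).items()):
        if d != day:
            continue
        if account not in baselines:
            alerts.append((account, total, None))              # no history to compare
            continue
        med, mad = baselines[account]
        score = (total - med) / (1.4826 * mad)                 # robust z-score
        if score > threshold:
            alerts.append((account, total, round(score, 1)))
    return alerts

if __name__ == "__main__":
    records = build_cdrs()
    print(score_day(records, learn_baselines(records, 28), 29))
```

The baseline is per account, so bob's 13.00 day passes even though it is far larger than alice's usual spend, while alice's 45.00 day is flagged.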