[VOIPSEC] VOIP and IDS

Chris Moore chris.moore at u4eatech.com
Tue Jul 12 15:34:42 CDT 2005


You should look into "Secure Logix" (http://www.securelogix.com/); they have
something like this (call pattern recognition) and I believe they are
adding (added?) VoIP support.


-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Scott Beverly
Sent: Tuesday, July 12, 2005 6:46 AM
To: Henrik Ingo
Cc: Smith, Donald; Voipsec at voipsa.org
Subject: Re: [VOIPSEC] VOIP and IDS

What I was envisioning was something with a learning engine that can
learn to understand patterns in usage.  This is more what I thought the
original poster was interested in using for an anti-fraud type thing.  I
don't know, but I suspect that credit card companies have been using
this kind of AI for years to spot fraud in card usage.  This type of
thing wouldn't be as interested in a packet flow like an IDS but more in
the billing records or call authorization accounting.

Scott...

On Tue, 2005-07-12 at 09:22 +0300, Henrik Ingo wrote:
> Thanks for your answer...
> 
> Smith, Donald wrote:
> > Sir, I would recommend you forward your question to the snort developers
> > list.
> > snort-devel at lists.sourceforge.net
> > 
> 
> Sure, I realise that, but in the end I'm more interested in the SIP and 
> VOIP part and IDS in general, snort just being one case of IDS.
> 
> > In general snort handles stateful type connections via a preprocessor.
> > That is how fragments, long running scans etc... are handled.
> > 
> > I think it would be interesting to have an H323 or SIP snort preprocessor;
> > someone on the developers list might agree :)
> > As for GSM type discovery of anomalies you would have to maintain a LOT
> > more information but it should be possible.
> 
> Hence the question. If a system is set up to recognize things like "some 
> packets during the last minute amount up to scan X" it might not be 
> suitable for things like "last month's calls add up to a rather sizeable 
> bill". Also that kind of "phone network" IDS might actually be more 
> feasible to do in concert with the SIP proxy and backend database, 
> rather than sniffing the network and storing the same data in the IDS 
> (snort or otherwise) system.
> 
> henrik
-- 
Scott Beverly
Mercury Risk Management
scottbeverly at mercuryrm do t com

_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
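
The idea raised in the thread above, spotting fraud from billing or call accounting records rather than from packet flows, shown as an added example that is not part of the original messages. It assumes a simple CDR tuple layout, a per-account median/MAD baseline standing in for the "learning engine", and an arbitrary threshold; all records, account names and destination labels are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed CDRs: (account, day, destination label, duration in seconds, billed cost)
HISTORY = [("alice", d, "intl-A", 300, 1.50 + 0.10 * (d % 3)) for d in range(1, 15)]
HISTORY += [("bob", d, "local", 600, 0.60) for d in range(1, 15)]
NEW = [
    ("alice", 15, "intl-A", 320, 1.60),       # ordinary day
    ("bob", 15, "local", 600, 0.60),          # ordinary call
    ("bob", 15, "premium-X", 5400, 81.00),    # long calls to a destination
    ("bob", 15, "premium-X", 4800, 72.00),    # this account never used before
]

def daily_cost(cdrs):
    """Sum billed cost per (account, day)."""
    totals = defaultdict(float)
    for acct, day, _dest, _dur, cost in cdrs:
        totals[(acct, day)] += cost
    return totals

def build_baseline(cdrs):
    """Learn per-account median daily spend, its MAD, and known destinations."""
    spend, dests = defaultdict(list), defaultdict(set)
    for (acct, _day), total in daily_cost(cdrs).items():
        spend[acct].append(total)
    for acct, _day, dest, _dur, _cost in cdrs:
        dests[acct].add(dest)
    base = {}
    for acct, vals in spend.items():
        med = median(vals)
        base[acct] = (med, median(abs(v - med) for v in vals), dests[acct])
    return base

def score(cdrs, base, threshold=6.0, floor=0.25):
    """Return {(account, day): [reasons]} for days that deviate from the baseline."""
    alerts = defaultdict(list)
    for (acct, day), total in daily_cost(cdrs).items():
        if acct not in base:
            alerts[(acct, day)].append("no baseline for account")
            continue
        med, mad, _ = base[acct]
        # floor keeps flat usage (MAD == 0) from dividing by zero
        if (total - med) / max(mad, floor) > threshold:
            alerts[(acct, day)].append(f"spend {total:.2f} vs median {med:.2f}")
    for acct, day, dest, _dur, _cost in cdrs:
        reason = f"new destination {dest}"
        if acct in base and dest not in base[acct][2] and reason not in alerts[(acct, day)]:
            alerts[(acct, day)].append(reason)
    return {key: reasons for key, reasons in alerts.items() if reasons}
```

Because the baseline is keyed on the account and built from accounting data, it covers the "last month's calls" time scale that a per-minute packet window does not.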
