[VOIPSEC] VOIP and IDS

Smith, Donald Donald.Smith at qwest.com
Tue Jul 12 14:37:35 CDT 2005


Understood. For something like that you need access to the CDRs or
other such billing info to do some type of trending reports.
snort COULD be used but I envision it being used more in the exploit
packet recognition phase.
So if someone writes an exploit tool we should be able to recognize it
via simple packet matching.

Has anyone already written up snort sigs for tools like sipsak or protos
h323/sip test suites?
That might be worth the effort:)



donald.smith at qwest.com giac 

> -----Original Message-----
> From: Voipsec-bounces at voipsa.org 
> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Scott Beverly
> Sent: Tuesday, July 12, 2005 7:46 AM
> To: Henrik Ingo
> Cc: Smith, Donald; Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] VOIP and IDS
> 
> 
> What I was envisioning was something with a learning engine that can
> learn to understand patterns in usage.  This is more what I 
> thought the
> original poster was interested in using for an anti-fraud 
> type thing.  I
> don't know, but I suspect that credit card companies have been using
> this kind of AI for years to spot fraud in card usage.  This type of
> thing wouldn't be as interested in a packet flow like an IDS 
> but more in
> the billing records or call authorization accounting.
> 
> Scott...
> 
> On Tue, 2005-07-12 at 09:22 +0300, Henrik Ingo wrote:
> > Thanks for your answer...
> > 
> > Smith, Donald wrote:
> > > Sir, I would recommend you forward your question to the 
> snort developers
> > > list.
> > > snort-devel at lists.sourceforge.net
> > > 
> > 
> > Sure, I realise that, but in the end I'm more interested in 
> the SIP and 
> > VOIP part and IDS in general, snort just being one case of IDS.
> > 
> > > In general snort handles stateful type connections via a 
> preprocessor.
> > > That is how fragments, long running scans etc... are handled.
> > > 
> > > I think it would be interesting to have a H323 or SIP 
> snort preprocessor
> > > someone on the developers list might agree:)
> > > As for gsm type discovery of anomalies you would have to 
> maintain a LOT
> > > more information but it should be possible.
> > 
> > Hence the question. If a system is set up to recognize 
> things like "some 
> > packets during the last minute amount up to scan X" it might not be 
> > suitable for things like "last month's calls add up to a 
> rather sizeable 
> > bill". Also that kind of "phone network" IDS might actually be more 
> > feasible to do in concert with the SIP proxy and backend database, 
> > rather than sniffing the network and storing the same data 
> in the IDS 
> > (snort or otherwise) system.
> > 
> > henrik
> -- 
> Scott Beverly
> Mercury Risk Management
> scottbeverly at mercuryrm do t com
> 
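As an added illustration of the two detection layers the thread contrasts, Donald's packet-level signature matching for SIP tools and Henrik's trending over billing records (example code added here, not from any poster, snort, or sipsak): the fingerprint strings, the snort rule in the comment, and all sample packets and CDRs are constructed assumptions, not verified tool output or real call data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# --- Layer 1: snort-style content matching on a SIP payload ----------------
# Equivalent snort rule (sid is a private-range placeholder):
#   alert udp any any -> any 5060 (msg:"SIP sipsak probe"; \
#       content:"User-Agent: sipsak"; sid:1000001; rev:1;)
# The fingerprint strings below are assumptions, not verified tool output.
SIP_SIGNATURES = {
    "sipsak-scan": b"User-Agent: sipsak",
    "protos-long-via": b"Via: SIP/2.0/UDP " + b"A" * 256,
}

def match_sip_payload(payload: bytes) -> list[str]:
    """Names of every signature whose content string occurs in the payload."""
    return [name for name, needle in SIP_SIGNATURES.items() if needle in payload]

# --- Layer 2: per-caller trend check over CDRs ------------------------------
def flag_billing_spikes(cdrs, baseline_days=7, z=3.0, floor=1.0):
    """cdrs: iterable of (caller, day, billed_minutes). A day is flagged when
    its total exceeds the caller's mean over the previous baseline_days by
    more than z standard deviations (sd floored so a flat history still works)."""
    per_day = defaultdict(lambda: defaultdict(float))
    for caller, day, minutes in cdrs:
        per_day[caller][day] += minutes
    flagged = []
    for caller, days in per_day.items():
        ordered = sorted(days)                      # ISO dates sort correctly
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[max(0, i - baseline_days):i]]
            if len(history) < 3:                    # not enough baseline yet
                continue
            threshold = mean(history) + z * max(pstdev(history), floor)
            if days[day] > threshold:
                flagged.append((caller, day, days[day]))
    return flagged

# Constructed sample data (not real captures or billing records).
SAMPLE_SIP_PROBE = (b"OPTIONS sip:pbx.example.net SIP/2.0\r\n"
                    b"Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
                    b"User-Agent: sipsak 0.9.6\r\n\r\n")
SAMPLE_CDRS = [("alice", f"2005-07-0{d}", float(m))
               for d, m in zip(range(1, 8), (10, 12, 11, 10, 13, 11, 12))]
SAMPLE_CDRS += [("alice", "2005-07-08", 250.0), ("alice", "2005-07-08", 150.0)]
SAMPLE_CDRS += [("bob", f"2005-07-0{d}", 20.0) for d in range(1, 9)]

if __name__ == "__main__":
    print(match_sip_payload(SAMPLE_SIP_PROBE))   # ['sipsak-scan']
    print(flag_billing_spikes(SAMPLE_CDRS))      # [('alice', '2005-07-08', 400.0)]
```

The packet matcher fires on a single datagram, while the CDR check only sees the spike once a day's records are aggregated, which is the split between "exploit packet recognition" and "last month's bill" the thread describes.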