[VOIPSEC] VOIP and IDS
Mark Teicher
mht3 at earthlink.net
Tue Jul 12 16:32:39 CDT 2005
Call Detail Recording systems, by definition, capture the telecommunication information {timestamp, source number, destination number, duration, trunk, trunk group #, etc, etc} of the call; some of the more sophisticated CDRs allow for customization to trigger email, page, or SNMP alerts based on certain policies/rules a security/telecommunications administrator may set up. Again, unless the telecommunication folks really have a good grasp of their infrastructure, can identify end user telephone numbers in the blink of an eye, can identify trunk group numbers with one arm behind their back, and know their gazz-intos from gazz-outos, detecting exploit VoIP packets will be the least of their concern unless call pattern levels or certain telecommunications costs suddenly become outrageous.
With VoIP, a lot of the tell-tale signs of telecommunications fraud are not as easy to detect as they were before (i.e. monthly telecommunication LD invoices), but it is also a lot harder since most vendors are investing a lot of stock/claim in their product being more secure than their neighbors', or are being quoted as stating: "As telephone communications move to the IP world, it will become increasingly easier to intercept and monitor telephone calls by anyone."
Not quite sure I agree with the previous quote, but even if true, it would take a lot more skill and savvy than just snaking a green box and inserting a piece of silver against a particular TN pair, or borrowing TPS equipment to make your own call center or divert 1-800 yellow page ads for years.
-----Original Message-----
From: "Smith, Donald" <Donald.Smith at qwest.com>
Sent: Jul 12, 2005 3:37 PM
To: scottbeverly at mercuryrm.com, Henrik Ingo <henrik.ingo at sesca.com>
Cc: Voipsec at voipsa.org
Subject: RE: [VOIPSEC] VOIP and IDS
Understood. For something like that you need access to the CDRs or
other such billing info to do some type of trending reports.
snort COULD be used but I envision it being used more in the exploit
packet recognition phase.
So if someone writes an exploit tool we should be able to recognize it
via simple packet matching.
Has anyone already written up snort sigs for tools like sipsak or protos
h323/sip test suites?
That might be worth the effort:)
donald.smith at qwest.com giac
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org
> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Scott Beverly
> Sent: Tuesday, July 12, 2005 7:46 AM
> To: Henrik Ingo
> Cc: Smith, Donald; Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] VOIP and IDS
>
>
> What I was envisioning was something with a learning engine that can
> learn to understand patterns in usage. This is more what I
> thought the
> original poster was interested in using for an anti-fraud
> type thing. I
> don't know, but I suspect that credit card companies have been using
> this kind of AI for years to spot fraud in card usage. This type of
> thing wouldn't be as interested in a packet flow like an IDS
> but more in
> the billing records or call authorization accounting.
>
> Scott...
>
> On Tue, 2005-07-12 at 09:22 +0300, Henrik Ingo wrote:
> > Thanks for your answer...
> >
> > Smith, Donald wrote:
> > > Sir, I would recommend you forward your question to the
> snort developers
> > > list.
> > > snort-devel at lists.sourceforge.net
> > >
> >
> > Sure, I realise that, but in the end I'm more interested in
> the SIP and
> > VOIP part and IDS in general, snort just being one case of IDS.
> >
> > > In general snort handles stateful type connections via a
> preprocessor.
> > > That is how fragments, long running scans etc... are handled.
> > >
> > > I think it would be interesting to have a H323 or SIP
> snort preprocessor
> > > someone on the developers list might agree:)
> > > As for gsm type discovery of anomalies you would have to
> maintain a LOT
> > > more information but it should be possible.
> >
> > Hence the question. If a system is set up to recognize
> things like "some
> > packets during the last minute amount up to scan X" it might not be
> > suitable for things like "last months calls add up to a
> rather sizeable
> > bill". Also that kind of "phone network" IDS might actually be more
> > feasible to do in concert with the SIP proxy and backend database,
> > rather than sniffing the network and storing the same data
> in the IDS
> > (snort or otherwise) system.
> >
> > henrik
> --
> Scott Beverly
> Mercury Risk Management
> scottbeverly at mercuryrm do t com
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
"The Truth Lies at the Heart of the Art of Combat. Once it is mastered, Thou shall fear no one, though the devil himself may bar thy way...."
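The billing-record trending that Donald, Henrik and Mark describe (spotting fraud in CDRs rather than in packet signatures), as an added example that is not part of the original thread: a toy Python check over constructed CDR lines that flags an extension whose daily call cost jumps far above its own history, and an extension placing a burst of calls outside business hours. The CSV field layout, the per-trunk-group tariffs, the 3-sigma threshold and the 08:00-18:00 business day are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed CDR lines: timestamp,source,destination,duration_s,trunk_group
SAMPLE_CDR = "\n".join([
    # five quiet days for extension 5551001: one 2-minute domestic call each
    *[f"2005-07-0{d}T10:02:11,5551001,5552001,120,TG1" for d in range(1, 6)],
    # day six: a burst of long international calls at 02:xx
    "2005-07-06T02:05:40,5551001,4412345678,600,TG_INTL",
    "2005-07-06T02:17:03,5551001,4412345679,600,TG_INTL",
    "2005-07-06T02:31:55,5551001,4412345680,600,TG_INTL",
    # a second extension with unremarkable usage on all six days
    *[f"2005-07-0{d}T14:00:00,5551002,5552002,60,TG1" for d in range(1, 7)],
])
# Assumed per-minute tariff by trunk group (a real CDR carries the actual rate)
RATE_PER_MIN = {"TG1": 0.02, "TG_INTL": 0.50}
def parse_cdr(text):
    records = []
    for line in text.splitlines():
        ts, src, dst, dur, tg = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                        "dur": int(dur), "tg": tg})
    return records
def daily_cost(records):
    """Sum estimated cost per (source extension, calendar day)."""
    cost = defaultdict(lambda: defaultdict(float))
    for r in records:
        cost[r["src"]][r["ts"].date()] += r["dur"] / 60 * RATE_PER_MIN[r["tg"]]
    return cost
def find_cost_spikes(records, sigma=3.0):
    """Alert when the latest day exceeds mean + sigma*stdev of the prior days."""
    alerts = []
    for src, days in daily_cost(records).items():
        series = sorted(days.items())
        if len(series) < 4:  # too little history to trend against
            continue
        *hist, (day, last) = series
        vals = [c for _, c in hist]
        if last > mean(vals) + sigma * max(pstdev(vals), 0.01):
            alerts.append((src, day.isoformat(), round(last, 2)))
    return alerts
def find_after_hours(records, start=8, end=18, min_calls=3):
    """Alert on extensions placing min_calls or more calls outside start..end."""
    counts = defaultdict(int)
    for r in records:
        if not start <= r["ts"].hour < end:
            counts[(r["src"], r["ts"].date())] += 1
    return sorted((s, d.isoformat(), n) for (s, d), n in counts.items() if n >= min_calls)
```

In a real deployment the same checks would run against the SIP proxy's accounting database rather than a flat file, as Henrik suggests, and the baseline window would be weeks rather than five days.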