[VOIPSEC] Artemisa: An Open-Source VoIP Honeypot
J. Oquendo
sil at infiltrated.net
Fri Apr 2 08:56:46 CDT 2010
Rodrigo do Carmo wrote:
> I briefly give you the most important points of Artemisa:
> * It registers itself to your domain SIP proxy (Asterisk, SER, etc.)
> * It waits for SIP messages (e.g. INVITE messages which are of course not
> expected at the honeypot.)
> * It analyzes the received messages in several ways (e.g. it uses nmap to
> explore in real-time the IP addresses found in the SIP message and
> determines if SIP ports are open) and determines their nature (a SPIT call,
> an attack made with a well-known attack tool, an interactive attack, a
> dialplan fault, a scanning attempt, a ringing attempt, etc.)
> * It also records the media if any.
> * After the analysis, Artemisa shows a report and sends it by e-mail if it's
> configured.
> * It can also execute scripts to automatically adjust the firewall to
> blacklist the IP of the attacker (this feature is still under development.)
>
> I'm open to answering any questions or doubts, or to discussing Artemisa.
>
> Best regards,
> Rodrigo do Carmo.
Kudos for bringing something new to the community; however, there are some
things to think about - at least I do...
Using NMAP to counterscan someone is "iffy" slash sketchy. There are so
many ways to blindly send data that someone could possibly cause your
system to illicitly start scanning a host...
For example: As an attacker, what are you going to do if I send the
honeypot N_amount of messages from a host I dislike?
1) Me --> Spoof_IP_Of_A_Host_I_Dislike --> Fuzzy_SIP_Packets --> Honeypot
2) Honeypot responds with NMAP scans --> Host_I_Dislike
There is a lot of room for potential abuse.
Anyhow, I've thrown together my own ghetto-fab Asterisk based honeypots
so if you'd like to play with the context, format, etc., check it out
here (sorry didn't want to hurt anyone's eyes):
http://www.disgraced.org/artemisa-comments.txt
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
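
One way to limit the reflected-scan abuse described in the reply above, as an added example that is not part of the original post and is not Artemisa's code: probe an address only when it is the peer of a completed TCP connection, never one that is merely claimed inside a SIP message or seen as a UDP source, and rate-limit probes per target. ProbeGate, its thresholds and the sample message are hypothetical and constructed for illustration.

```python
import ipaddress
import re
import time

# Hypothetical policy values for this example (not Artemisa settings).
MAX_PROBES_PER_TARGET = 1
WINDOW_SECONDS = 3600
ADDR_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: every address in it is chosen by the sender.
SAMPLE_INVITE = (
    "INVITE sip:9000@honeypot.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bKconstructed\r\n"
    "Contact: <sip:x@203.0.113.7:5060>\r\n"
    "\r\n"
    "c=IN IP4 203.0.113.8\r\n"
)

def addresses_in_sip(message):
    """IPv4 literals from Via, Contact and SDP c= lines."""
    found = set()
    for line in message.splitlines():
        if line.lower().startswith(("via:", "contact:", "c=")):
            for candidate in ADDR_RE.findall(line):
                try:
                    found.add(str(ipaddress.IPv4Address(candidate)))
                except ValueError:
                    pass  # e.g. 999.1.1.1 is not an address
    return found

class ProbeGate:
    def __init__(self):
        self._history = {}  # target address -> timestamps of allowed probes

    def decide(self, message, peer_ip, transport, now=None):
        """Map each candidate address to (allowed, reason)."""
        now = time.time() if now is None else now
        verdicts = {}
        for addr in addresses_in_sip(message) | {peer_ip}:
            recent = [t for t in self._history.get(addr, []) if now - t < WINDOW_SECONDS]
            if transport != "tcp":
                verdicts[addr] = (False, "UDP source address is unverified")
            elif addr != peer_ip:
                verdicts[addr] = (False, "address is only claimed inside the message")
            elif len(recent) >= MAX_PROBES_PER_TARGET:
                verdicts[addr] = (False, "per-target rate limit reached")
            else:
                self._history[addr] = recent + [now]
                verdicts[addr] = (True, "peer of a completed TCP handshake")
        return verdicts
```

A TCP peer can still be a proxy or a compromised relay, so the per-target rate limit applies to verified peers as well.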