My Blog

snortルール調整

BASEで不正アクセスのチェックをすると80%が以下のアラートが発生していた

「COMMUNITY SIP TCP/IP message flooding directed to SIP proxy」

発信元・発信先を確認すると、ほとんどがローカルでの通信で、どうやら差し支えなさそうなのでローカル内でのアラートは除くことにする

ルールの変更例

IPアドレス192.168.0.100のホストの80/TCP宛てについて送信元を限定せずに検出

tcp any any -> 192.168.0.100 80

IPアドレスやポート番号を指定する時「!」を前に付けることで否定となる
192.168.0.100の22/TCP（ssh）へのアクセスで、送信元が192.168.0.0/24からのものは検出しないようにするには以下のようにする

tcp !192.168.0.0/24 any -> 192.168.0.100 22

ローカルでは問題ないアクセスを除外する修正（community-sip.rules）

関係しているルールファイルは「community-sip.rules」で、/etc/snort/rules.bak を作成して元ファイルを保管

（修正前）
# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# These rules are licensed under the GNU General Public License.
# Please see the file LICENSE in this directory for more details.
# $Id: community-sip.rules,v 1.5 2006/06/01 15:51:28 akirk Exp $

#Rules submitted by Jiri Markl
#Rule for alerting of INVITE flood attack:
alert ip any any -> any 5060 (msg:"COMMUNITY SIP INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000158; rev:2;)
#Rule for alerting of REGISTER flood attack:
alert ip any any -> any 5060 (msg:"COMMUNITY SIP REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000159; rev:2;)
#Rule for alerting common TCP/UDP flood attack:
alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message flooding directed to SIP proxy"; threshold: type both, track by_src, count 300, seconds 60; classtype:attempted-dos; sid:100000160; rev:2;)
#Rule for alerting attack using unresolvable DNS names:
alert udp $DNS_SERVERS 53 -> any any (msg:"COMMUNITY SIP DNS No such name treshold - Abnormaly high count of No such name responses"; content:"|83|"; offset:3; depth:1; threshold: type both, track by_dst, count 100, seconds 60; classtype:attempted-dos; sid:100000161; rev:2;)
#Threshold rule for unauthorized responses:
alert ip any any -> any 5060 (msg:"COMMUNITY SIP 401 Unauthorized Flood"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000162; rev:2;)
alert ip any any -> any 5060 (msg:"COMMUNITY SIP 407 Proxy Authentication Required Flood"; content:"SIP/2.0 407 Proxy Authentication Required"; depth:42; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000163; rev:2;)
#Rule submitted by rmkml
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"COMMUNITY EXPLOIT SIP UDP Softphone overflow attempt"; content:"|3B|branch|3D|"; content:"a|3D|"; pcre:"/^a\x3D[^\n]{1000,}/smi"; reference:bugtraq,16213; reference:cve,2006-0189; classtype:misc-attack; sid:100000223; rev:1;)

（修正後）
# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# These rules are licensed under the GNU General Public License.
# Please see the file LICENSE in this directory for more details.
# $Id: community-sip.rules,v 1.5 2006/06/01 15:51:28 akirk Exp $

#Rules submitted by Jiri Markl
#Rule for alerting of INVITE flood attack:
alert ip $EXTERNAL_NET any -> any 5060 (msg:"COMMUNITY SIP INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000158; rev:2;)
#Rule for alerting of REGISTER flood attack:
alert ip $EXTERNAL_NET any -> any 5060 (msg:"COMMUNITY SIP REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000159; rev:2;)
#Rule for alerting common TCP/UDP flood attack:
alert ip $EXTERNAL_NET any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message flooding directed to SIP proxy"; threshold: type both, track by_src, count 300, seconds 60; classtype:attempted-dos; sid:100000160; rev:2;)
#Rule for alerting attack using unresolvable DNS names:
alert udp $DNS_SERVERS 53 -> any any (msg:"COMMUNITY SIP DNS No such name treshold - Abnormaly high count of No such name responses"; content:"|83|"; offset:3; depth:1; threshold: type both, track by_dst, count 100, seconds 60; classtype:attempted-dos; sid:100000161; rev:2;)
#Threshold rule for unauthorized responses:
alert ip $EXTERNAL_NET any -> any 5060 (msg:"COMMUNITY SIP 401 Unauthorized Flood"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000162; rev:2;)
alert ip $EXTERNAL_NET any -> any 5060 (msg:"COMMUNITY SIP 407 Proxy Authentication Required Flood"; content:"SIP/2.0 407 Proxy Authentication Required"; depth:42; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000163; rev:2;)
#Rule submitted by rmkml
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"COMMUNITY EXPLOIT SIP UDP Softphone overflow attempt"; content:"|3B|branch|3D|"; content:"a|3D|"; pcre:"/^a\x3D[^\n]{1000,}/smi"; reference:bugtraq,16213; reference:cve,2006-0189; classtype:misc-attack; sid:100000223; rev:1;)