#
# $Id: emerging-voip.rules $
# Emerging Threats VOIP rules.
#
# SIDs are 2000000+ to avoid conflicts
#
# More information available at www.emergingthreats.net
#
# Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2010, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
#by Blake Hartstein
# $EXTERNAL_NET, $HOME_NET and $HTTP_PORTS are variables supplied by the engine configuration;
# every SIP rule below is keyed on port 5060.
#
# REGISTER request line terminated by CRLF within the first 10 payload bytes and not followed
# by a "SIP/" version token, i.e. a REGISTER with neither a Request-URI nor a SIP version.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Asterisk Register with no URI or Version DOS Attempt"; content:"REGISTER|0d 0a|"; nocase; depth:10; content:!"SIP/"; distance:0; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; reference:url,tools.ietf.org/html/rfc3261; classtype: attempted-dos; reference:url,doc.emergingthreats.net/2003474; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VOIP/VOIP_Asterisk_DOS; sid:2003474; rev:5;)

#These sigs are adapted from those at nextsoft.cz
# this set is for general SIP-specific flooding
# Each rule matches the method name at the very start of the payload and rate-limits with
# "threshold: type both, track by_src, count 100, seconds 60": one alert per source address
# per 60-second window once that source has sent 100 matching requests.
# The TCP variants additionally require an established client-to-server flow.
alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP INVITE Message Flood TCP"; flow:established,to_server; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; classtype:attempted-dos; reference:url,doc.emergingthreats.net/2003192; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VOIP/VOIP_Flooding; sid:2003192; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP INVITE Message Flood UDP"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; classtype:attempted-dos; reference:url,doc.emergingthreats.net/2009698; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VOIP/VOIP_Flooding; sid:2009698; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP REGISTER Message Flood TCP"; flow:established,to_server; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; classtype:attempted-dos; reference:url,doc.emergingthreats.net/2003193; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VOIP/VOIP_Flooding; sid:2003193; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP REGISTER Message Flood UDP"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; classtype:attempted-dos; reference:url,doc.emergingthreats.net/2009699; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VOIP/VOIP_Flooding; sid:2009699; rev:1;)

#By Shirkdog and Blake Hartstein
# HTTP rule (not SIP): a POST to the phone's "/g" URI whose payload carries "back=++Back++".
# The pcre with the U flag pins the normalized URI to exactly "/g", optionally followed by "?" or "#".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET VOIP Centrality IP Phone (PA-168 Chipset) Session Hijacking"; flow:established,to_server; content:"POST "; nocase; depth:5; uricontent:"/g"; nocase; content:"back=++Back++"; nocase; pcre:"/^\/g($|[?#])/Ui"; reference:url,www.milw0rm.com/exploits/3189; classtype:attempted-user; reference:url,doc.emergingthreats.net/bin/view/Main/2003329; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VOIP/VOIP_IP_Phone; reference:cve,2007-0528; sid:2003329; rev:5;)

#by Blake Hartstein of Demarc
# INVITE datagram over 1000 bytes whose header/body separator (the first blank line, found by the
# relative pcre) is followed by at least 1000 further bytes, i.e. an oversized message body.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP SIP UDP Softphone INVITE overflow"; dsize:>1000; content:"INVITE"; depth:6; nocase; pcre:"/\r?\n\r?\n/R"; isdataat:1000,relative; reference: bugtraq,16213; reference:cve,2006-0189; classtype:attempted-user; reference:url,doc.emergingthreats.net/bin/view/Main/2002848; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_SIP; sid:2002848; rev:7;)

#by Blake Hartstein of Demarc
# INVITE followed by at least 65 bytes with no LF anywhere in the 61 bytes after the method,
# i.e. a request line far longer than a normal "INVITE <uri> SIP/2.0" line.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP MultiTech SIP UDP Overflow"; content:"INVITE"; nocase; depth:6; isdataat:65,relative; content:!"|0a|"; within:61; reference:cve,2005-4050; classtype:attempted-user; reference:url,doc.emergingthreats.net/2003237; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VOIP/VOIP_Multitech; sid:2003237; rev:8;)

#by Kevin Ross
# REGISTER carrying the literal header "User-Agent: Hacker" (presumably the fixed string emitted by
# the referenced tool; not verifiable from this file).
# NOTE(review): the second content combines the absolute "offset:25" with the relative "distance:190";
# confirm the target engine accepts both modifiers on one content and that the combined constraint is intended.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SIP erase_registrations/add registrations attempt"; content:"REGISTER sip\:"; content:"User-Agent\: Hacker"; offset:25; distance:190; reference:url,www.hackingvoip.com/sec_tools.html; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2008640; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VOIP/VOIP_SIP_erase; sid:2008640; rev:3;)

#by Kevin Ross
# Probe datagram containing the fixed canary address "sip:thisisthecanary@" together with a "sip:test@" address.
# NOTE(review): same absolute offset plus relative distance combination on the second content as in sid 2008640;
# confirm as above.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN sipscan probe"; content:"sip\:thisisthecanary@"; content:"sip\:test@"; offset:30; distance:70; classtype:attempted-recon; reference:url,www.hackingvoip.com/sec_tools.html; reference:url,doc.emergingthreats.net/2008641; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VOIP/VOIP_SIPscan; sid:2008641; rev:2;)

#from the rules at nextsoft.cz
#intended to catch unusual numbers of unauthorized responses from sip servers
# Direction is reversed relative to the rules above: the source is the SIP server in $HOME_NET on port 5060,
# so "track by_src" counts 401 responses per server rather than per external client. Fires once per
# 360-second window after 5 such responses from one server.
# NOTE(review): a normal digest-authenticated REGISTER/INVITE starts with a 401 challenge, so a server with
# more than a handful of external clients will exceed 5 per 360 s under legitimate load; consider whether
# "track by_dst" (per external client) better matches the deployment.
alert tcp $HOME_NET 5060 -> $EXTERNAL_NET any (msg:"ET VOIP Multiple Unauthorized SIP Responses TCP"; flow:established,from_server; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 5, seconds 360; classtype:attempted-dos; reference:url,doc.emergingthreats.net/2003194; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VOIP/VOIP_Unauth; sid:2003194; rev:6;)
alert udp $HOME_NET 5060 -> $EXTERNAL_NET any (msg:"ET VOIP Multiple Unauthorized SIP Responses UDP"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 5, seconds 360; classtype:attempted-dos; reference:url,doc.emergingthreats.net/2009700; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VOIP/VOIP_Unauth; sid:2009700; rev:1;)