#
# $Id: bleeding-voip.rules $
# Bleeding Edge Threats VOIP rules. 
#
# SID's are 2000000+ to avoid conflicts
#
# Only basic testing has been done. At this point all we guarantee is that they won't crash a recent snort release. 
#
# More information available at www.bleedingthreats.net
#
# Please submit any custom rules or ideas to bleeding@bleedingthreats.net or the bleeding-sigs mailing list
#
#*************************************************************
#
#  Copyright (c) 2003-2007, Bleeding Edge Threats
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#
#by Blake Hartstein
alert udp any any -> $HOME_NET 5060 (msg:"BLEEDING-EDGE VOIP Asterisk Register with no URI or Version DOS Attempt"; content:"REGISTER|0d 0a|"; nocase; depth:10; content:!"SIP/"; distance:0; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; reference:url,tools.ietf.org/html/rfc3261; sid:2003474; rev:1; )

#These sigs are adapted from those at nextsoft.cz
# this set are for general SIP specific flooding
alert ip any any -> $HOME_NET 5060 (msg:"BLEEDING-EDGE VOIP INVITE Message Flood"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; classtype:attempted-dos; sid:2003192; rev:1;)
alert ip any any -> $HOME_NET 5060 (msg:"BLEEDING-EDGE VOIP REGISTER Message Flood"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; classtype:attempted-dos; sid:2003193; rev:1;)


#from the rules at nextsoft.cz
#intended to catch unusual numbers of unauthorized responses from sip servers
alert ip $HOME_NET 5060 -> any any (msg:"BLEEDING-EDGE VOIP Multiple Unauthorized SIP Responses"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 5, seconds 360; classtype:attempted-dos; sid:2003194; rev:2;)