Which may be found at http://www.grotto-group.com/~gulfie/projects... maybe
| ./snortrules-COMM-2.4/rules/community-sip.rules Fri Dec 2 01:26:26 2005 | |
|---|---|
| Filename : line | Rules |
| ./snortrules-COMM-2.4/rules/community-sip.rules : 1 | # Copyright 2005 Sourcefire, Inc. All Rights Reserved.
|
| ./snortrules-COMM-2.4/rules/community-sip.rules : 2 | # These rules are licensed under the GNU General Public License.
|
| ./snortrules-COMM-2.4/rules/community-sip.rules : 3 | # Please see the file LICENSE in this directory for more details.
|
| ./snortrules-COMM-2.4/rules/community-sip.rules : 4 | # $Id: community-sip.rules,v 1.2 2005/09/26 15:01:12 akirk Exp $
|
| ./snortrules-COMM-2.4/rules/community-sip.rules : 5 | # Community SIP rules. Every rule in this file is rate-based rather than signature-based: "threshold: type both" raises one alert per tracked address per `seconds` window once `count` matching packets have been seen, so the count/seconds values must be tuned to the site's normal SIP volume or busy legitimate peers (proxies, trunks) will trigger them. All SIP rules use "any any -> any 5060" with no $HOME_NET restriction; narrowing the destination to the local SIP servers is the first tuning step.
|
| ./snortrules-COMM-2.4/rules/community-sip.rules : 6 | # Rules submitted by Jiri Markl
|
| ./snortrules-COMM-2.4/rules/community-sip.rules : 7 | # INVITE flood: "INVITE" must appear within the first 6 payload bytes (i.e. a request line starting with the method) of a packet to port 5060; alerts once per 60 s for any source IP that sent 100 or more such packets. Protocol "ip" is used so both UDP and TCP SIP are covered.
|
| ./snortrules-COMM-2.4/rules/community-sip.rules : 8 | alert ip any any -> any 5060 (msg:"COMMUNITY SIP INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both, track by_src, count 100, seconds 60; sid:100000158; rev:1;)
|
| ./snortrules-COMM-2.4/rules/community-sip.rules : 9 | # REGISTER flood: same shape as the INVITE rule, matching "REGISTER" within the first 8 payload bytes; 100 per source per 60 s. Registrars serving many endpoints that re-register frequently may need a higher count.
|
| ./snortrules-COMM-2.4/rules/community-sip.rules : 10 | alert ip any any -> any 5060 (msg:"COMMUNITY SIP REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both, track by_src, count 100, seconds 60; sid:100000159; rev:1;)
|
| ./snortrules-COMM-2.4/rules/community-sip.rules : 11 | # Generic flood: no content match at all, so every packet from one source to port 5060 counts toward the 300-per-60 s threshold regardless of SIP method or even of being SIP. Expect this to fire on high-volume legitimate peers unless the source range or count is tuned.
|
| ./snortrules-COMM-2.4/rules/community-sip.rules : 12 | alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message flooding directed to SIP proxy"; threshold: type both, track by_src, count 300, seconds 60; sid:100000160; rev:1;)
|
| ./snortrules-COMM-2.4/rules/community-sip.rules : 13 | # NXDOMAIN burst: inspects payload byte 3 (the second DNS header flags byte) of responses from $DNS_SERVERS and matches the exact value 0x83 = RA set, Z bits clear, RCODE 3 (Name Error); tracked by destination, i.e. by the host receiving the failed lookups. Because the byte is compared whole, a resolver that does not set RA is never counted — confirm against the site's DNS servers. $DNS_SERVERS must be defined in snort.conf. The misspellings in the msg ("treshold", "Abnormaly") are part of the alert text and are left as-is so existing correlation keyed on them keeps working.
|
| ./snortrules-COMM-2.4/rules/community-sip.rules : 14 | alert udp $DNS_SERVERS 53 -> any any (msg:"COMMUNITY SIP DNS No such name treshold - Abnormaly high count of No such name responses"; content:"|83|"; offset:3; depth:1; threshold: type both, track by_dst, count 100, seconds 60; sid:100000161; rev:1;)
|
| ./snortrules-COMM-2.4/rules/community-sip.rules : 15 | # Authentication-challenge floods: 401 and 407 status lines matched at the start of the payload (depth equals the literal's length), 100 per source per 60 s. Here the tracked source is the server issuing the challenges, not the client provoking them; a burst usually reflects credential guessing against that server, so pivot to the request side to identify the offending client.
|
| ./snortrules-COMM-2.4/rules/community-sip.rules : 16 | alert ip any any -> any 5060 (msg:"COMMUNITY SIP 401 Unauthorized Flood"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; sid:100000162; rev:1;)
|
| ./snortrules-COMM-2.4/rules/community-sip.rules : 17 | alert ip any any -> any 5060 (msg:"COMMUNITY SIP 407 Proxy Authentication Required Flood"; content:"SIP/2.0 407 Proxy Authentication Required"; depth:42; threshold: type both, track by_src, count 100, seconds 60; sid:100000163; rev:1;)
|