# sid 2003474 rev 6 (current revision). Commented out with a leading '#', so it is not loaded as an active rule.
# Detection logic: UDP from $EXTERNAL_NET to $HOME_NET port 5060 whose first 10 bytes contain "REGISTER\r\n"
# (case-insensitive) and in which no "SIP/" appears after that match (negated content, distance:0) -- i.e. a
# REGISTER request line with no Request-URI and no SIP-Version, per the advisory and RFC 3261 references.
# NOTE(review): the "SIP/" check is only evaluated relative to the REGISTER match; it does not validate the rest of the message.
#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Asterisk Register with no URI or Version DOS Attempt"; content:"REGISTER|0d 0a|"; nocase; depth:10; content:!"SIP/"; distance:0; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; reference:url,tools.ietf.org/html/rfc3261; reference:url,doc.emergingthreats.net/2003474; classtype:attempted-dos; sid:2003474; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 20:56:44 UTC


#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Asterisk Register with no URI or Version DOS Attempt"; content:"REGISTER|0d 0a|"; nocase; depth:10; content:!"SIP/"; distance:0; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; reference:url,tools.ietf.org/html/rfc3261; reference:url,doc.emergingthreats.net/2003474; classtype:attempted-dos; sid:2003474; rev:6;)

Added 2017-04-20 17:48:41 UTC


alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Asterisk Register with no URI or Version DOS Attempt"; content:"REGISTER|0d 0a|"; nocase; depth:10; content:!"SIP/"; distance:0; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; reference:url,tools.ietf.org/html/rfc3261; reference:url,doc.emergingthreats.net/2003474; classtype:attempted-dos; sid:2003474; rev:6;)

Added 2011-10-12 19:13:32 UTC


alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Asterisk Register with no URI or Version DOS Attempt"; content:"REGISTER|0d 0a|"; nocase; depth:10; content:!"SIP/"; distance:0; classtype: attempted-dos; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; reference:url,tools.ietf.org/html/rfc3261; reference:url,doc.emergingthreats.net/2003474; sid:2003474; rev:6;)

Added 2011-09-14 22:26:31 UTC


alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Asterisk Register with no URI or Version DOS Attempt"; content:"REGISTER|0d 0a|"; nocase; depth:10; content:!"SIP/"; distance:0; classtype: attempted-dos; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; reference:url,tools.ietf.org/html/rfc3261; reference:url,doc.emergingthreats.net/2003474; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VOIP/VOIP_Asterisk_DOS; sid:2003474; rev:6;)

Added 2011-02-04 17:22:29 UTC


alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Asterisk Register with no URI or Version DOS Attempt"; content:"REGISTER|0d 0a|"; nocase; depth:10; content:!"SIP/"; distance:0; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; reference:url,tools.ietf.org/html/rfc3261; classtype: attempted-dos; reference:url,doc.emergingthreats.net/2003474; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VOIP/VOIP_Asterisk_DOS; sid:2003474; rev:5;)

Added 2009-02-16 21:30:26 UTC


alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Asterisk Register with no URI or Version DOS Attempt"; content:"REGISTER|0d 0a|"; nocase; depth:10; content:!"SIP/"; distance:0; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; reference:url,tools.ietf.org/html/rfc3261; classtype: attempted-dos; reference:url,doc.emergingthreats.net/2003474; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VOIP/VOIP_Asterisk_DOS; sid:2003474; rev:5;)

Added 2009-02-16 21:30:26 UTC


alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Asterisk Register with no URI or Version DOS Attempt"; content:"REGISTER|0d 0a|"; nocase; depth:10; content:!"SIP/"; distance:0; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; reference:url,tools.ietf.org/html/rfc3261; classtype: attempted-dos; sid:2003474; rev:4;)

Added 2008-05-18 19:52:13 UTC


alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Asterisk Register with no URI or Version DOS Attempt"; content:"REGISTER|0d 0a|"; nocase; depth:10; content:!"SIP/"; distance:0; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; reference:url,tools.ietf.org/html/rfc3261; classtype: attempted-dos; sid:2003474; rev:4;)

Added 2008-05-18 19:52:13 UTC


alert udp any any -> $HOME_NET 5060 (msg:"ET VOIP Asterisk Register with no URI or Version DOS Attempt"; content:"REGISTER|0d 0a|"; nocase; depth:10; content:!"SIP/"; distance:0; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; reference:url,tools.ietf.org/html/rfc3261; classtype: attempted-dos; sid:2003474; rev:3;)

Added 2008-03-08 19:12:35 UTC


alert udp any any -> $HOME_NET 5060 (msg:"ET VOIP Asterisk Register with no URI or Version DOS Attempt"; content:"REGISTER|0d 0a|"; nocase; depth:10; content:!"SIP/"; distance:0; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; reference:url,tools.ietf.org/html/rfc3261; classtype: attempted-dos; sid:2003474; rev:3;)

Added 2008-03-08 19:12:35 UTC


alert udp any any -> $HOME_NET 5060 (msg:"ET VOIP Asterisk Register with no URI or Version DOS Attempt"; content:"REGISTER|0d 0a|"; nocase; depth:10; content:!"SIP/"; distance:0; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; reference:url,tools.ietf.org/html/rfc3261; sid:2003474; rev:2;)

Added 2008-01-29 11:02:27 UTC


alert udp any any -> $HOME_NET 5060 (msg:"ET VOIP Asterisk Register with no URI or Version DOS Attempt"; content:"REGISTER|0d 0a|"; nocase; depth:10; content:!"SIP/"; distance:0; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; reference:url,tools.ietf.org/html/rfc3261; sid:2003474; rev:2;)

Added 2008-01-29 11:02:27 UTC


alert udp any any -> $HOME_NET 5060 (msg:"BLEEDING-EDGE VOIP Asterisk Register with no URI or Version DOS Attempt"; content:"REGISTER|0d 0a|"; nocase; depth:10; content:!"SIP/"; distance:0; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; reference:url,tools.ietf.org/html/rfc3261; sid:2003474; rev:1; )

Added 2007-03-12 14:15:21 UTC

From Blake Hartstein:

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"BLEEDING-EDGE DOS Asterisk Register with no URI or Version"; content:"REGISTER|0d 0a|"; nocase; depth:10; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; sid:0000000; rev:1; )

This rule detects a SIP REGISTER request in which the method is followed immediately by a carriage return and newline (i.e. no Request-URI or SIP-Version follows it). The same malformation might also apply to "INVITE|0d 0a|", but that has not yet been verified.

-- MattJonkman - 12 Mar 2007

With the negated "SIP/" content match and the CRLF required directly after REGISTER, this should be foolproof.

-- MattJonkman - 12 Mar 2007

