Snort & VOIP



  • I have been trying to use VOIP with Pfsense and while I had a good experience so far, I have found that without deactivating snort, the ATA (VOIP adapter) loses connectivity to the VOIP server at the moment I place or receive a phone call.  Apparently Snort believes there is an attack happening and blocks the VOIP server which results in a dropped call.

    Annoying to say the least, but I think it just does its job.  I have been trying to prevent this from happening by adding an alias in the firewall (Firewall > Aliases) and adding the ATA's IP and port numbers.  Then under Snort > Whitelist, I have created a new whitelist and added the aliases I previously created.

    Nevertheless, snort still blocks the ATA.

    In systems logs, I see:

    
    Aug 28 23:04:24 	snort[4034]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} YYY.YYY.YYY.YYY -> XXX.XXX.XXX.XXX
    Aug 28 23:04:24 	snort[4034]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} YYY.YYY.YYY.YYY -> XXX.XXX.XXX.XXX
    Aug 28 23:04:21 	snort[23348]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} XXX.XXX.XXX.XXX:5060 -> YYY.YYY.YYY.YYY:5060
    Aug 28 23:04:21 	snort[23348]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} XXX.XXX.XXX.XXX:5060 -> YYY.YYY.YYY.YYY:5060
    Aug 28 23:03:48 	snort[23348]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} XXX.XXX.XXX.XXX:5060 -> YYY.YYY.YYY.YYY:5060
    Aug 28 23:03:48 	snort[23348]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} XXX.XXX.XXX.XXX:5060 -> YYY.YYY.YYY.YYY:5060
    Aug 28 23:03:12 	snort[4034]: [1:2008578:6] ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} 173.255.118.235:5068 -> XXX.XXX.XXX.XXX:5060
    Aug 28 23:03:12 	snort[4034]: [1:2008578:6] ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} 173.255.118.235:5068 -> XXX.XXX.XXX.XXX:5060
    Aug 28 23:03:12 	snort[4034]: [1:2011716:4] ET SCAN Sipvicious User-Agent Detected (friendly-scanner) [Classification: Attempted Information Leak] [Priority: 2] {UDP} 173.255.118.235:5068 -> XXX.XXX.XXX.XXX:5060
    Aug 28 23:03:12 	snort[4034]: [1:2011716:4] ET SCAN Sipvicious User-Agent Detected (friendly-scanner) [Classification: Attempted Information Leak] [Priority: 2] {UDP} 173.255.118.235:5068 -> XXX.XXX.XXX.XXX:5060
    

    Where XXX.XXX.XXX.XXX = My public IP, and YYY.YYY.YYY.YYY What I assume to be my service provider's VOIP server.

    Now two questions:

    • How can I reliably prevent snort from blocking the VOIP service??

    • I did a quick Google search for the other IP that caught my attention:  173.255.118.235.  According to http://www.ip-adress.com/ip_tracer/173.255.118.235, this would be a Google IP!  What is Google doing on their port 5068 trying to communicate with MY port 5060 !?!?

    While I really want to put the first question to rest, I am concerned about the second question.

    Can someone shed light on these questions!?

    Thanks!!



  • Not sure if this is related, but I've been using snort for many months pretty much without issue. However, since a week or so ago a snort rule update has been playing havoc with VoIP.



  • Not sure if this is related, but I've been using snort for many months pretty much without issue. However, since a week or so ago a snort rule update has been playing havoc with VoIP.

    Have you looked under your system logs to see if that "google" IP is being detected as a threat by Snort?  I have informed my service provider but they are rather technically incompetent and they will probably not be able to follow up …  Too bad.

    I will continue to investigate this strange situation.



  • OK, I've done another round of tests. This time, starting snort while in a phone conversation immediately cut off the call.  In snort's alert list, I see two identical alerts such as:

    Date:  09/03/13 23:08:21    PRI:  2    Attempted Information Leak    Source:  198.199.100.18    Destination:  XXX.XXX.XXX.XXX    SID:  122:21    Description: (portscan) UDP Filtered Portscan

    Strange though, these alerts always come in a pair of 2:  one from my ISP's VOIP server, the other from a random unknown server somewhere else. Last time it was a Google server, this time it's a server (198.199.100.18) belonging to "akamai.skafari.com"…

    Could it be for some DNS lookup or similar?  What would it have to do with my VOIP service!?


  • Banned

    There's nothing like self-induced borkage, huh?

    I ask for a little more respect toward other forum members.
    Thank you for your understanding.



  • @doktornotor:

    There's nothing like self-induced borkage, huh?

    doktornotor,

    1.  Your answers (if you consider them to be answers) are extremely rude and are not bringing any significant contributions to this community.  Complaining and insulting other members is not what I would consider participating in open-source projects and helping others.

    2.  How are we gonna learn how things work if we don't test, try and ask questions?  How will the packages get better if we don't try them and report issues?

    3.  If you take the time to post such answers, don't you have more significant things in your life to do?  I do, that's why I don't go around insulting people.  How old are you!?

    4.  I am extremely glad for you if you are an absolute pfsense blackbelt expert and semi-God at it, you see, we don't all have 24 hours a day to post on this forum, play with pfsense and routers, we don't all do that for a living and at the same time play with these things for a hobby…  So when normal people like me are trying stuff to test, we at least expect some positive feedback from other more experienced members.

    5.  You just insulted both me (in this thread and my other threads) and member drewy who also reported some issues with Snort.  With the rude things you said about Snort, HAVP, Squid, and Squidguard, I wonder what the developers of these packages would think if they were hearing you?

    6.  General rule:  If you think these technologies are so bad, why don't you start your own IPS/IDS project and replace snort?  Why don't you fix Squid and HAVP?  We are ALL waiting to see your genius pop up and lighten up the world buddy!!

    7.  I had to report your reply as offensive,  I also invite other members to do the same.  Your reply made me feel I just walked in a daycare.  Not acceptable.  Plain simple, if this is the way I am now to be answered on this forum, I am gone.  I don't have time for this sh**.  I am NOT interested in being insulted by people who pretend to be a lot smarter than others.  This has never happened on any other forums ever, why here?!

    To wrap up, I am sad that I had to post this.  I would have never thought that I would have to post such reply in my life.



  • A couple of points:

    • Instead of a Whitelist, just Suppress the offending Snort rule.  I've had to suppress several SIP rules to prevent Snort interference.

    • If you are seeing two "hits" when you start a call,  that tells me that the RTP stream is not being proxied by a Session Border Controller.  The RTP stream is being initiated to a voice gateway that is a different IP address than the SIP signaling is going to.

    • Don't worry about the sipvicious and similar scans.  I get dozens of them every day from various sources.  That's just life on the net.
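    To make the advice in this post concrete against the alerts quoted at the top of the thread, here is an added example (not code from the thread, from pfSense or from the Snort project). It parses the syslog alert format the pfSense Snort package writes, sorts the alerts into those whose peer is a known provider address (signaling server or voice gateway) and those coming from unrelated Internet hosts, and emits Snort `suppress` directives (the `gen_id` / `sig_id` / `track by_src|by_dst` / `ip` syntax from Snort's threshold.conf) only for the former. The sample log lines are constructed, modelled on the ones above, with documentation-range addresses standing in for the masked XXX/YYY ones; the provider addresses are an assumption you would replace with your own.

```python
import re

# Constructed sample input, modelled on the syslog alert lines quoted earlier in this thread.
# Documentation-range addresses stand in for the masked ones (assumption): 203.0.113.7 plays the
# poster's public IP (XXX.XXX.XXX.XXX), 192.0.2.10 the provider's SIP server (YYY.YYY.YYY.YYY),
# 192.0.2.20 a separate voice gateway that carries the RTP stream (the "second hit").
MY_WAN_IP = "203.0.113.7"
VOIP_SIGNALING = "192.0.2.10"
VOIP_MEDIA = "192.0.2.20"
SCANNER = "198.51.100.99"  # an unrelated Internet host running a SIP scanner (constructed)

SAMPLE_LOG = f"""\
Aug 28 23:04:24 snort[4034]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {{PROTO:255}} {VOIP_SIGNALING} -> {MY_WAN_IP}
Aug 28 23:04:24 snort[4034]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {{PROTO:255}} {VOIP_MEDIA} -> {MY_WAN_IP}
Aug 28 23:04:21 snort[23348]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {{UDP}} {MY_WAN_IP}:5060 -> {VOIP_SIGNALING}:5060
Aug 28 23:04:21 snort[23348]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {{UDP}} {MY_WAN_IP}:5060 -> {VOIP_SIGNALING}:5060
Aug 28 23:03:12 snort[4034]: [1:2008578:6] ET SCAN Sipvicious Scan [Classification: Attempted Information Leak] [Priority: 2] {{UDP}} {SCANNER}:5068 -> {MY_WAN_IP}:5060
Aug 28 23:03:12 snort[4034]: [1:2011716:4] ET SCAN Sipvicious User-Agent Detected (friendly-scanner) [Classification: Attempted Information Leak] [Priority: 2] {{UDP}} {SCANNER}:5068 -> {MY_WAN_IP}:5060
"""

# One syslog alert line:
# "<ts> snort[<pid>]: [gid:sid:rev] <msg> [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]"
# Preprocessor alerts (portscan) carry {PROTO:255} and no ports; rule alerts carry {UDP} and ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>[^}]+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        alert[key] = int(alert[key])
    return alert


def parse_log(text):
    """Parse every alert line in a block of syslog text, skipping non-alert lines."""
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a]


def classify_alerts(text, trusted_ips, my_ip):
    """Split alerts by peer: known provider addresses get a per-address suppress
    directive (so the rule stays active for everyone else); other peers are
    reported as external sources whose alerts should be left alone."""
    suppress = []
    external = set()
    for a in parse_log(text):
        if a["src"] in trusted_ips:
            directive = f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track by_src, ip {a['src']}"
        elif a["dst"] in trusted_ips:
            directive = f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track by_dst, ip {a['dst']}"
        else:
            # Scanner traffic aimed at our WAN address: keep the rule firing.
            external.add(a["src"] if a["src"] != my_ip else a["dst"])
            continue
        if directive not in suppress:  # alerts arrive in identical pairs; emit each directive once
            suppress.append(directive)
    return {"suppress": suppress, "external_sources": external}


if __name__ == "__main__":
    result = classify_alerts(SAMPLE_LOG, {VOIP_SIGNALING, VOIP_MEDIA}, MY_WAN_IP)
    print("# add to the Snort suppress list for this interface:")
    print("\n".join(result["suppress"]))
    print("# left active (external sources):", sorted(result["external_sources"]))
```

    Run against the sample, the two portscan hits from two different provider addresses show why whitelisting only the SIP server was not enough: the RTP stream comes from a second host, so both addresses need an entry. Tracking the suppression by address keeps the portscan and SIP-preprocessor checks working for the rest of the Internet, and the ET SCAN alerts from the unrelated scanner are deliberately not suppressed.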


  • Banned

    Sigh. Apologies to anyone insulted. You have obviously broken snort rules wreaking havoc on things. What's the debate about really? Suppress the broken rules or stop using snort. If my opinion about snort being the ultimate source of absolutely pointless borkage insults someone, sorry, but that's just the way it is. The package has been kicked out of multiple firewall distros for a reason.



  • I didn't have any hits from the Google IP you mentioned. Snort was blocking my VoIP provider's SIP proxy, so I added that to my whitelist. Seems to be working for now. I currently have other issues that are causing very frequent WAN failovers, which is also playing havoc with VoIP, so I can't be absolutely sure that snort is fixed just yet.



  • I ask for a little more respect toward other forum members.
    Thank you for your understanding.

    Thanks for moderating!

    I am myself quite fast at pulling the trigger sometimes, but usually I am also fast enough to hit the backspace button before I press "Post"…  I understand what you're saying doktornotor, I absolutely get your point.  Snort is a PITA, no doubt about that.  I am only playing with it for now.  When I'm tired of it, I will eradicate it.  Plain simple.  Until then, please understand that I'm NOT complaining (although it may sound like that) but I'm WONDERING!  Quite different.

    Instead of a Whitelist, just Suppress the offending Snort rule.

    Good point, I'll try that!

    If you are seeing two "hits" when you start a call,  that tells me that the RTP stream is not being proxied by a Session Border Controller.  The RTP stream is being initiated to a voice gateway that is a different IP address than the SIP signaling is going to.

    Thanks a million times for explaining that! That's what I've been trying to get for a while now! I will look into that and post back my findings.


  • Banned

    @lpallard:

    but I'm WONDERING!  Quite different.

    I am wondering as well… if all the people wondering about all the borkage started nagging upstream directly about their obviously untested uberparanoid rules, would that fix something or is this just a completely lost cause.  ??? :-\ I wouldn't bet a dime on the commercial rulesets being any better.

