[Snort-devel] Snort whit SS7/Sigtran

Joel Esler (jesler) jesler at cisco.com
Tue Feb 13 13:49:51 EST 2018

Adding the snort-team on this one.

Joel Esler | Talos: Manager | jesler at cisco.com<mailto:jesler at cisco.com>

On Feb 13, 2018, at 8:27 AM, ALEJANDRO CORLETTI ESTRADA <alejandro.corlettiestrada.ext at telefonica.com<mailto:alejandro.corlettiestrada.ext at telefonica.com>> wrote:


My name is Alejandro Corletti Estrada, I am a  Engineering Doctor, I have been working in networks and security for many years (I have written 3 books in Spanish:  "Seguridad por Niveles",  "Seguridad en Redes" y "Ciberseguridad, una Estrategia Informático/Militar  - "Security by Levels", "Security in Networks" and "Cybersecurity, a Computer / Military Strategy").    With Snort I have been working for almost 20 years, in 2001 I published an article called "Nessus Methodology - Snort" and another one " Level of immaturity of the NIDS "(both in Spanish), were very successful in the Hispanic world.

Currently I am in the "Corporate Audit of Security in Networks and Systems" of the Telefónica Group.

I am writing to you, because there is a critical safety problem with the Signaling System 7 (SS7), more particularly in the "Sigtran" stack, which is responsible for transporting SS7 over IP. I have been studying the subject for months and now (with my team) we are analyzing traffic patterns of this family of protocols and looking for anomalous traffic in them. We are using, as we did before, Wireshark in combination with Snort.

Within the known vulnerabilities (which are several), to work with Snort there are two fundamental problems:

1. The SCTP protocol (Stream Control Transmission Protocol) that replaces TCP in Sigtran.
2. Absence of rules for SS7 (this includes several protocols: MAP, TCAP, ISUP, CAMEL, etc ...)

I would like to open with you a new "work team" or committee that is responsible for this issue, because I believe that Snort could be the solution to this International problem. Currently, all the telephone operators in the world are suffering, and we at this moment (with my team) can do much about it, if we count on your support, because we have access to all the nodes and network elements that operate ss7 / Sigtran and access to this traffic.

Within this line of action there would be two aspects on which I would like to join efforts with the entire Snort community:

1. Create the necessary library to be able to call rules with "SCTP" protocol (instead of ip, tcp, icmp .... etc) this would be very important.
2. Begin to SS7 develop rules for detecting anomalous traffic patterns.

Please tell me what steps or actions I should take to move forward on this topic.

With all sincerity, I can assure you that I am one of the few people who know this topic in depth (for in the 90's I was teaching the SS7 courses, before its integration with Sigtran), I have studied it in detail and I have access to all the traffic that is needed.

This project can be an international initiative to which undoubtedly, as it becomes public, all the telephone operators in the world will be added.

Regards and I am waiting for your response
Alejandro Corletti Estrada.

PS: my English level is not very good (sorry)


Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.

The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.

Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20180213/c714ea8d/attachment-0001.html>

More information about the Snort-devel mailing list