[Snort-sigs] Voip attack

PAURON, GUILLAUME (GUILLAUME) guillaume.pauron at ...3570...
Wed Mar 9 19:13:38 EST 2011

Thank you for your response :)

I know how to enable it, but I was only wondering why it was deactivated. But after reflexion it is logic not enabling voip rules in a standard snort installation ;)

I am still searching for my other interrogations.

Mr Guillaume Pauron
Alcatel-Lucent France
Security Engineer 
Service: Threat Management Center (TMC) 
Office: NEW0.D22 Route de Villejust 91620 NOZAY (FRANCE)
Email: guillaume.pauron at ...3570...
Phone: +33 (0)1 3077 7167
-----Message d'origine-----
De : Nigel Houghton [mailto:nhoughton at ...435...] 
Envoyé : mercredi 9 mars 2011 00:36
Cc : snort-sigs at lists.sourceforge.net
Objet : Re: [Snort-sigs] Voip attack

On Wed, 9 Mar 2011 00:13:30 +0100, PAURON, GUILLAUME (GUILLAUME) wrote:
> Hello All,
> Iʼm pretty new with snort and Iʼm installing a snort device in Voip 
> environment.
> I downloaded VRT rules but most of the voip rules are disabled by 
> default. Is it deprecated rules?
> I also see that most of my traffic is UDP data on high ports; did 
> someone ever implement attack detection on such traffic? I saw some 
> things on articles like 
> but Iʼm afraid it will be too complex for my snort (Iʼm already 
> dropping a lot of traffic currently).
> Iʼm also aware of all return of experience or whatever with snort and 
> voip :)
> Regards,
> Pauron Guillaume

No, they are not deprecated. To enable them, make sure to include the 
rules file from your snort.conf and then enable the rules you want by 
uncommenting them in that file.

Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/

More information about the Snort-sigs mailing list