sip.txt - Mentat - Homeproj: Redmine for CESNET

Feature #2903 » sip.txt

Radomír Orkáč, 10/17/2016 09:58 PM

       V databazi jiz udalosti nebyly...
       Spolecne: 'Attempt.Exploit_+++_Honeypot:Protocol'
       "filter": {"$and": [{"Category" : "Attempt.Exploit"}, {"Node.Type": {"$eq": "Honeypot"}}, {"Node.Type": {"$eq": "Protocol"}}]}
       Dale pak ale maji spolecny Target.Port, ktery ma spolecna i Dionaea, pokud vynechame Node.Type: Protocol:
       # grep -A6 Target  * | grep 5060
       Attempt.Exploit_+++_Honeypot:Protocol_+++_*__+++_SIP_attack_classification:_call_test.idea-                5060
       Attempt.Exploit_+++_Honeypot:Protocol_+++_*__+++_SIP_attack_classification:_opt_scan.idea-                5060
       Attempt.Exploit_+++_Honeypot:Protocol_+++_*__+++_SIP_attack_classification:_opt_test.idea-                5060
       Attempt.Exploit_+++_Honeypot:Protocol_+++_*__+++_SIP_attack_classification:_reg&call.idea-                5060
       Attempt.Exploit_+++_Honeypot:Protocol_+++_*__+++_SIP_attack_classification:_reg_attempt.idea-                5060
       Attempt.Exploit_+++_Honeypot:Protocol_+++_*__+++_SIP_attack_classification:_reg_test.idea-                5060
       Attempt.Exploit_+++_Honeypot:Protocol_+++_*__+++_SIP_attack_classification:_reg_test_high.idea-                5060
       Attempt.Exploit_+++_Honeypot:Protocol_+++_*__+++_SIP_attack_classification:_ukwSIP_noSIP.idea-                5060
       {   'Category': ['Attempt.Exploit'],
           'Node': [   {   'AggrWin': '00:05:00',
                           'Name': 'cz.nic.dionaea1',
                           'SW': ['Dionaea'],
                           'Type': ['Connection', 'Honeypot', 'Recon']}],
           'Source': [   {   'IP4': [   {   'ip': b'\xd5\xca\xfd ',
                                            'max': b'\xd5\xca\xfd ',
                                            'min': b'\xd5\xca\xfd '}],
                             'Port': [5081]}],
           'Target': [   {   'Anonymised': True,
                             'IP4': [   {   'ip': b'\xd9\x1f\xc0\x00',
                                            'max': b'\xd9\x1f\xcf\xff',
                                            'min': b'\xd9\x1f\xc0\x00'}],
                             'Port': [5060],
                             'Proto': ['udp']}],
       TEST: {"$and": [{"Category" : "Attempt.Exploit"}, {"Node.Type": {"$eq": "Honeypot"}}, {"Target.Port" : 5060 }, {"Node.SW": {"$ne": "Dionaea"}}]}
       Pokud chceme tedy do skatulky zaradit i Dionaea, pak je pravidlo pro SIP takto:
       FILTER1: "filter": {"$and": [{"Category" : "Attempt.Exploit"}, {"Node.Type": {"$eq": "Honeypot"}}, {"Target.Port" : 5060 }]}
       Chceme-li pouze vyse uvedene, pak je skatulka takto:
       FILTER2: "filter": {"$and": [{"Category" : "Attempt.Exploit"}, {"Node.Type": {"$eq": "Honeypot"}}, {"Node.Type": {"$eq": "Protocol"}}, {"Target.Port" : 5060 }]}
       'Attempt.Exploit_+++_Honeypot:Protocol_+++_*__+++_SIP_attack_classification:_call_test': 837,
       'Attempt.Exploit_+++_Honeypot:Protocol_+++_*__+++_SIP_attack_classification:_opt_scan': 3,
       'Attempt.Exploit_+++_Honeypot:Protocol_+++_*__+++_SIP_attack_classification:_opt_test': 464,
       'Attempt.Exploit_+++_Honeypot:Protocol_+++_*__+++_SIP_attack_classification:_reg&call': 1,
       'Attempt.Exploit_+++_Honeypot:Protocol_+++_*__+++_SIP_attack_classification:_reg_attempt': 9,
       'Attempt.Exploit_+++_Honeypot:Protocol_+++_*__+++_SIP_attack_classification:_reg_test': 1,
       'Attempt.Exploit_+++_Honeypot:Protocol_+++_*__+++_SIP_attack_classification:_reg_test_high': 4,
       'Attempt.Exploit_+++_Honeypot:Protocol_+++_*__+++_SIP_attack_classification:_ukwSIP_noSIP': 8,
       LABEL_CZ: Pokus o neoprávněné připojení k SIP serveru
       LABEL_EN: Unauthorized attempts to connect to the SIP server
       SEVERITY: 2 (Za středně nebezpečné považujeme (útoky na SSH a RDP))
       URL: https://csirt.cesnet.cz/cs/services

(6-6/7)

Project

General

Profile

Mentat

Feature #2903 » sip.txt