Asterisk & OSSEC Part.II

In this post I'm going to explain how to define decoders, rules and active responses on the OSSEC server to prevent attacks against our Asterisk.

This is a schema of how OSSEC handles every event it receives.

More information on OSSEC:

http://www.ossec.net/wiki/OSSEC

DECODERS

First I'm going to configure the decoders. By default there are some Asterisk decoders for the SIP protocol, and I've added decoders for the IAX protocol. At the moment I'm working on adding more decoders for SIP, IAX, etc.

/var/ossec/etc# vim decoder.xml (the IAX decoders are my additions)

<!-- Asterisk logs -->
<decoder name="asterisk">
  <program_name>^asterisk</program_name>
</decoder>

<decoder name="asterisk-hijacking">
  <parent>asterisk</parent>
  <prematch>^WARNING[\d+]: \S+ in \S+: Don't know </prematch>
  <regex offset="after_prematch">^\S+ how to respond via '(\w+/\d.\d/\w+)'</regex>
  <order>user</order>
</decoder>

<decoder name="asterisk-denied">
  <parent>asterisk</parent>
  <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
  <regex offset="after_prematch">^(\S+) failed for '(\d+.\d+.\d+.\d+)'</regex>
  <order>srcip</order>
</decoder>

<decoder name="asterisk-denied2">
  <parent>asterisk</parent>
  <prematch>Registration from </prematch>
  <regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
  <order>srcip</order>
</decoder>

<decoder name="asterisk-iax-enumeration">
  <parent>asterisk</parent>
  <prematch>^NOTICE[\d+]: \S+ in \S+: No registration for peer </prematch>
  <regex offset="after_prematch">^'(\S+)' \(\S+ (\d+.\d+.\d+.\d+)\)</regex>
  <order>user, srcip</order>
</decoder>

<decoder name="asterisk-iax-authentication-denied">
  <parent>asterisk</parent>
  <prematch>^NOTICE[\d+]: \S+ in \S+: Host </prematch>
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) failed MD5 authentication for (\S+)</regex>
  <order>srcip, user</order>
</decoder>

RULES

Secondly, we have to set the rules:

/var/ossec/rules# vim asterisk_rules.xml (the rules with ids 100007 and above are my additions)

<!-- Asterisk Log messages -->
<group name="syslog,asterisk,">
  <rule id="6200" level="0">
    <decoded_as>asterisk</decoded_as>
    <description>Asterisk messages grouped.</description>
  </rule>

  <rule id="6201" level="1">
    <if_sid>6200</if_sid>
    <match>^NOTICE</match>
    <description>Asterisk notice messages grouped.</description>
  </rule>

  <rule id="6202" level="3">
    <if_sid>6200</if_sid>
    <match>^WARNING</match>
    <description>Asterisk warning message.</description>
  </rule>

  <rule id="6203" level="3">
    <if_sid>6200</if_sid>
    <match>^ERROR</match>
    <description>Asterisk error message.</description>
  </rule>

  <rule id="6210" level="5">
    <if_sid>6201</if_sid>
    <match>Wrong password</match>
    <description>Login session failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <rule id="6211" level="5">
    <if_sid>6201</if_sid>
    <match>Username/auth name mismatch</match>
    <description>Login session failed (invalid user).</description>
    <group>invalid_login,</group>
  </rule>

  <rule id="6212" level="5">
    <if_sid>6201</if_sid>
    <match>No matching peer found</match>
    <description>Login session failed (invalid extension).</description>
    <group>invalid_login,</group>
  </rule>

  <rule id="6250" level="10" frequency="6" timeframe="300">
    <if_matched_sid>6211</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed logins (user enumeration in process).</description>
  </rule>

  <rule id="6251" level="10" frequency="6" timeframe="300">
    <if_matched_sid>6210</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed logins.</description>
  </rule>

  <rule id="6252" level="10" frequency="6" timeframe="300">
    <if_matched_sid>6212</if_matched_sid>
    <same_source_ip />
    <description>Extension enumeration.</description>
  </rule>

  <rule id="100007" level="5">
    <if_sid>6201</if_sid>
    <match>No registration for peer</match>
    <description>Login session failed (invalid IAX user).</description>
    <group>invalid_login,</group>
  </rule>

  <rule id="100008" level="10" frequency="3" timeframe="300">
    <if_matched_sid>100007</if_matched_sid>
    <same_source_ip />
    <description>Extension IAX enumeration.</description>
  </rule>

  <rule id="100009" level="5">
    <if_sid>6202</if_sid>
    <match>Don't know how to respond via</match>
    <description>Possible registration hijacking.</description>
    <group>invalid_login,</group>
  </rule>

  <rule id="100010" level="5">
    <if_sid>6201</if_sid>
    <match>failed MD5 authentication</match>
    <description>IAX peer wrong password.</description>
    <group>invalid_login,</group>
  </rule>

  <rule id="100011" level="10" frequency="3" timeframe="300">
    <if_matched_sid>100010</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed logins.</description>
  </rule>

</group> <!-- ASTERISK -->

More information about rules: http://www.ossec.net/wiki/FAQ

ACTIVE-RESPONSE

Now we are going to define an active response to protect our Asterisk.

vim /var/ossec/ossec.conf

<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
<disabled>no</disabled>
<command>firewall-drop</command>
<location>local</location>
<agent_id>007</agent_id>
<level>10</level>
<rules_id>6252</rules_id>
<timeout>600</timeout>
</active-response>

We have defined an active response against extension enumeration attacks. When OSSEC detects this attack it tells the Asterisk agent to run the firewall-drop.sh script, which adds an iptables rule dropping traffic from the source IP.

You can see the different active responses in the /var/ossec/active-response/bin/ directory.

TESTING

We've already configured our system and now we are going to test it with SIPVicious:

http://code.google.com/p/sipvicious/downloads/list

1.- Search for servers with the SIP port open: python svmap.py 192.168.1.1-254

| 192.168.1.60:5060 | Asterisk PBX |

2.- We've discovered one server with the SIP port open. Now we are going to search for the available extensions.

python svwar.py -e0000-9999 192.168.1.60

Without OSSEC protection, the available extensions in our Asterisk can be enumerated:

| Extension | Authentication |
------------------------------
| 4999      | reqauth        |

If we configure our Asterisk following this tutorial, this is the result of the extension scan:

sudo python svwar.py -e0000-9999 192.168.1.60
WARNING:root:found nothing
ERROR:TakeASip:socket error: timed out

Logs on our OSSEC server, /var/ossec/alerts/logs/alerts.log:

** Alert 1274262205.108674992: mail  - syslog,asterisk,
2010 May 19 11:43:25 (asterisk) 192.168.1.60->/var/log/messages
Rule: 6252 (level 10) -> 'Extension enumeration.'
Src IP: 192.168.210.48
User: (none)
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from '"361"<sip:361@192.168.1.60>' failed for '192.168.210.48' - No matching peer found
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from '"360"<sip:360@192.168.1.60>' failed for '192.168.210.48' - No matching peer found
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from '"359"<sip:359@192.168.1.60>' failed for '192.168.210.48' - No matching peer found
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from '"358"<sip:358@192.168.1.60>' failed for '192.168.210.48' - No matching peer found
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from '"357"<sip:357@192.168.1.60>' failed for '192.168.210.48' - No matching peer found
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from '"356"<sip:356@192.168.1.60>' failed for '192.168.210.48' - No matching peer found
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from '"355"<sip:355@192.168.1.60>' failed for '192.168.210.48' - No matching peer found
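To check how the decoders and the frequency rule behave before loading them into OSSEC, here is an added Python example (not part of the original post and not OSSEC code) that translates the post's OSSEC regex syntax into Python regexes, runs the asterisk-denied2 decoder over constructed log lines modelled on the alert above, and applies a simplified version of rule 6252's frequency/timeframe/same_source_ip logic on top of rule 6212's match. The syslog header parsing, the year assumed for the timestamps and the counting rule are my simplifications, not OSSEC's implementation.

```python
import re
from datetime import datetime
# OSSEC regex is not PCRE: '.' is a literal dot, '\.' means "any character", '[' ']' are literals.
_CLASSES = {'d': '[0-9]', 'w': '[A-Za-z0-9_@-]', 's': ' ', 'S': '[^ ]', '.': '.'}

def ossec_to_python(pattern):
    """Translate the subset of OSSEC regex syntax used by the Asterisk decoders."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\':
            i += 1
            out.append(_CLASSES[pattern[i]])   # KeyError: escape outside the subset handled here
        else:
            out.append(c if c in '^$+*()|' else re.escape(c))   # only these are metacharacters
        i += 1
    return ''.join(out)

# asterisk-denied2 from the post: prematch, regex run after the prematch, <order> fields.
DENIED2 = (r'Registration from ', r"failed for '(\d+.\d+.\d+.\d+)'", ('srcip',))
# syslog header; the literal program name stands in for the parent decoder <program_name>^asterisk
SYSLOG = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ asterisk\[\d+\]: (.*)$')

def decode(line, decoder=DENIED2):
    """Return (timestamp, fields) for one syslog line, or None when the decoder does not match."""
    m = SYSLOG.match(line)
    pre = m and re.search(ossec_to_python(decoder[0]), m.group(2))
    body = pre and re.search(ossec_to_python(decoder[1]), m.group(2)[pre.end():])  # after_prematch
    if not body:
        return None
    ts = datetime.strptime(m.group(1) + ' 2010', '%b %d %H:%M:%S %Y')  # syslog has no year: assume 2010
    return ts, dict(zip(decoder[2], body.groups()))

def correlate(lines, frequency=6, timeframe=300, needle='No matching peer found'):
    """Simplified rule 6252 over 6212: 'frequency' hits from one srcip within 'timeframe' seconds."""
    recent, fired = {}, []
    for ts, fields in filter(None, (decode(l) for l in lines if needle in l)):  # 6212's <match>
        window = recent.setdefault(fields['srcip'], [])      # <same_source_ip />
        window.append(ts)
        while (ts - window[0]).total_seconds() > timeframe:  # expire events outside the timeframe
            del window[0]
        if len(window) >= frequency:                         # OSSEC's own counter is not modelled exactly
            fired.append(fields['srcip'])
            window.clear()
    return fired
# Constructed sample input, modelled on the log lines quoted in the alert above (six probes).
LOG = ("May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in "
       "handle_request_register: Registration from '\"%d\"<sip:%d@192.168.1.60>' "
       "failed for '192.168.210.48' - No matching peer found")
SCAN = [LOG % (ext, ext) for ext in range(361, 355, -1)]
```

Running correlate(SCAN) returns ['192.168.210.48'], while five probes, or six spread over more than 300 seconds, return nothing.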

To check that OSSEC has sent the command to our Asterisk, look at the active-response log (/var/ossec/logs/active-responses.log) or check the iptables rules on the Asterisk host.

iptables on our Asterisk:

root@asterisk:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       0    --  192.168.210.48       anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       0    --  192.168.210.48       anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If you have any questions or need help, post here.
