On 5/18/2011 4:42 PM, anorexicpoodle wrote:
The biggest gripe I have with Asterisk and other open source based PBXs, is the symmetry in logs. Its not fluid. One of the reasons I never built an "all out" honeypot. I have to modify so much across different versions. However, this is also the beauty of Asterisk and similar open source type PBXs, there is so much you can do but it almost always needs to be custom. I also have an insane expect to .bashrc script back to expect + ssh key script which runs on an SBC, parses some of the SBC logs, pushes the output to a Linux machine, gets re-parsed on the Linux box, triggers alert (right now to my SIP Blackberry client & Snom) based on predefined params (volume of calls, destination of calls) and has the capability of doing trigger based blocking (expect). Right now though, its only running on our nCite SBCs and once I become more comfortable with our Acme's logging capabilities, I may do the same type of scripting: From syslog based machine, parse elsewhere, sort out, pick out a trigger, create a rule, send it via expect to some defense mechanism. Depends on how REALLY bored I get and whether or not I actually even start looking at our Acmes. (Personally, I'd rather leave this to my colleague ;))
Interesting you should bring this up as it is something I have been fiddling with now for a little while. I have all our Acmes feeding a syslog server in SQL, and parsing those logs to generate lists of particularly bad offenders, then using that process to seed a blacklist BGP feed that all my edge routers draw from and then null route those offenders at the edge of my network, or for particularly bad attacks using BGP communities to signal our bandwidth provider to null them.
This has the benefit of providing a measure of intelligent protection network wide, even when the attack is focused on a single element and can guard against both SIP based attacks and more traditional DDOS attacks as well.
Un cc'd you guys to stop the dupes ;) The logic you have sounds cool however, I would have to be cautious blacklisting an entire ASNs as we do have some clients abroad with interconnected trunks to their offices here. I like running phorensix since it gives me an indication of "which country is hot" for fraud right now. I called "Romania" back in Sept of 2010 and lo and behold arrests hit that country for fraud. In Oct I called "Egypt" which is a hotspot (ASN 8452). Soon I'll tinker around with Acme via syslog and maybe I'll revise something for phorensix soon and make it public. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett 42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF