Skip to main content
Sandro Gauci

Sandro Gauci, Enable Security

Using OSSEC to detect attacks on an Asterisk box

Published on Mar 15, 2008 in , ,

This post is an echo on the previous post which describes how to configure snort to detect SIP attacks. This time we look at detecting attacks at the PBX’s end rather than by monitoring network traffic. OSSEC allows us to do just this - it is a host intrusion detection system that can do matching on log files and actively react to attack.

By default OSSEC does not have support for Asterisk. To add this functionality place a new xml file called asterisk.xml in the OSSEC rules directory (typically at /var/ossec/rules/). This file contains rules for the following violations:

  • User/Extension enumeration
  • Password cracking attacks

The actual rules file can be downloaded here.

This rules file needs to be referenced from the main configuration usually found in /var/ossec/etc/ossec.conf. This can be done by adding the following line to this file:

<include>asterisk.xml</include>

Then we need to add a decoder entry so that OSSEC can extract the offending IP address. This is done by including the below section to the decoder definition file usually found at /var/ossec/etc/decoder.conf:

<decoder name="asterisk">
<program_name>^asterisk</program_name>
</decoder>

<decoder name="asterisk-denied">
<parent>asterisk</parent>
<prematch>Registration from </prematch>
<regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
<order>srcip</order>
</decoder>

Do not forget to restart OSSEC. Typically done by executing the following command:

/etc/init.d/ossec restart

Finally - it is important to make sure that Asterisk is configured to log to syslog and restarted. The next commands to execute are:

echo "syslog.local0 => notice,warning,error" >> /etc/asterisk/logger.conf

/etc/init.d/asterisk restart

Note: Check out Laureano’s post on how to just reload the logger configuration.

That’s it. Note that this has been tested on a Trixbox VM and your Asterisk configuration might require some modifications since it appears that Asterisk log files are not so standard.

Oh, and to test these rules you can obviously use SIPVicious tool suite ;-)


Sandro Gauci

Sandro Gauci

CEO, Chief Mischief Officer at Enable Security

Sandro Gauci leads the operations and research at Enable Security. He is the original developer of SIPVicious OSS, the SIP security testing toolset. His role is to focus on the vision of the company, design offensive security tools and engage in security research and testing. Therefore, he is the proud owner of the title of Chief Mischief Officer at Enable Security.

He offers public office hours and is reachable here.