- # Review notes: this is grep output over the suricata-update output file (ET/Emerging Threats "ET ..." and
- # "GPL ..." rules). Only lines containing "voip" (case-insensitive) are shown, so SIP/H.323 rules whose text
- # lacks that token are NOT listed here -- do not read this as the full VoIP coverage of the ruleset.
- # Rules below that begin with "# " are commented out in the ruleset (disabled) and will not fire.
- root@debian:~# grep -i voip /var/lib/suricata/rules/suricata.rules
- # Informational policy rule: Skype client update check; not an attack indicator.
- alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Skype VOIP Checking Version (Startup)"; flow: to_server,established; http.uri; content:"/ui/"; nocase; content:"/getlatestversion?ver="; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; sid:2001595; rev:12; metadata:created_at 2010_07_30, signature_severity Informational, updated_at 2020_09_02;)
- # CVE-2022-29499 (Mitel MiVoice Connect, tagged CISA_KEV). Literal match on the documented exploit URI
- # plus an absent Referer header. Metadata says deployment SSLDecrypt: the http.* buffers only match if the
- # appliance traffic is decrypted before it reaches Suricata; over plain TLS this rule is blind.
- alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Attempted Mitel MiVoice Connect Data Validation RCE Inbound (CVE-2022-29499)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/scripts/vtest.php?get_url=http://127.0.0.1/ucbsync.php?cmd=syncfile:db_files/"; http.header_names; content:!"Referer"; reference:url,www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/; reference:cve,2022-29499; classtype:attempted-admin; sid:2037121; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_06_24, cve CVE_2022_29499, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_06_24, reviewed_at 2024_09_17;)
- # tradevoip.co.uk is a free dynamic-DNS registry domain (see the freedns.afraid.org reference), hence
- # classtype bad-unknown / severity Informational: a lookup or HTTP request to it is not malicious by itself.
- # Use these as a pivot (MITRE T1568 Dynamic Resolution) and correlate with other C2 indicators before acting.
- alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.tradevoip .co .uk Domain"; dns.query; content:".tradevoip.co.uk"; fast_pattern; nocase; endswith; reference:url,freedns.afraid.org/domain/registry/page-9.html; classtype:bad-unknown; sid:2053104; rev:2; metadata:attack_target Client_and_Server, created_at 2024_05_30, deployment Perimeter, performance_impact Low, confidence High, signature_severity Informational, updated_at 2024_06_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1568, mitre_technique_name Dynamic_Resolution;)
- alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.tradevoip .co .uk Domain"; flow:established,to_server; http.host; content:".tradevoip.co.uk"; endswith; reference:url,freedns.afraid.org/domain/registry/page-9.html; classtype:bad-unknown; sid:2053105; rev:2; metadata:attack_target Client_and_Server, created_at 2024_05_30, deployment Perimeter, performance_impact Low, confidence High, signature_severity Informational, updated_at 2024_06_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1568, mitre_technique_name Dynamic_Resolution;)
- # Disabled (commented out). Written with the legacy http_method/http_uri content modifiers rather than the
- # http.method/http.uri sticky buffers used by the rules above.
- # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"c=voip&ord="; nocase; http_uri; content:"=&SCRNSZ"; http_uri; content:"&BRSRSZ="; http_uri; content:"&TIMEZONE="; http_uri; classtype:command-and-control; sid:2010266; rev:6; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;)
- # Marked "ET RETIRED" in the msg but NOT commented out, so it is still loaded and evaluated here.
- alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET RETIRED Win32/VoipRaider Data Collection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/latestversion.aspx?requestversion="; content:"&ip="; distance:0; content:"&mac="; distance:0; pcre:"/^[A-F0-9]{12}/R"; content:"&ir="; distance:0; content:"&MAJORV="; distance:0; content:"&MINORV="; distance:0; content:"&BUILDV="; distance:0; content:"&OS="; distance:0; content:"&BV="; distance:0; content:"&UT="; distance:0; http.user_agent; content:"WebRequestSession"; fast_pattern; bsize:17; reference:md5,1fe3f8dffd016b3fefce8d62fb60309a; classtype:pup-activity; sid:2044035; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_01_31, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, confidence High, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_09_30, reviewed_at 2024_09_30;)
- # SIP scanner signatures (SiVuS, smap, Voiper, hackingvoip tools, SipCLI): each is a literal match on a
- # tool-specific string (From/To user part, User-Agent). A scanner with those identifiers changed will not
- # match, so treat these as detections of default-configured tools, not of SIP scanning in general.
- alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan"; content:"SIVuS_VoIP_Scanner <sip|3a|SIVuS"; offset:130; threshold:type threshold, track by_src, count 3, seconds 10; reference:url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html; reference:url,www.vopsecurity.org/; classtype:attempted-recon; sid:2008609; rev:4; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- # NOTE(review): the "[email protected]" token below is an email-address obfuscation artifact of the paste,
- # not the real content match of sid 2008610. Take the actual value from the ruleset file before reusing this line.
- alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sivus VOIP Vulnerability Scanner SIP Components Scan"; content:"sip|3a|[email protected]"; offset:110; reference:url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html; reference:url,www.vopsecurity.org/; classtype:attempted-recon; sid:2008610; rev:3; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Smap VOIP Device Scan"; content:"<sip|3a|smap@"; offset:80; depth:40; reference:url,www.go2linux.org/smap-find-voip-enabled-devices; classtype:attempted-recon; sid:2008526; rev:5; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Toolkit Torturer Scan"; content:"interesting-Method"; content:"sip|3a|1_unusual.URI"; content:"to-be!sure"; offset:20; depth:60; reference:url,sourceforge.net/projects/voiper; classtype:attempted-recon; sid:2008568; rev:3; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
- alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"; content:"sip|3a|tester@"; content:"Via|3a| SIP/2.0"; offset:20; depth:60; threshold: type threshold, track by_dst, count 5, seconds 15; reference:url,sourceforge.net/projects/voiper; classtype:attempted-recon; sid:2008577; rev:3; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
- alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SIP erase_registrations/add registrations attempt"; content:"REGISTER "; depth:9; content:"User-Agent|3a| Hacker"; reference:url,www.hackingvoip.com/sec_tools.html; classtype:attempted-recon; sid:2008640; rev:5; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN sipscan probe"; content:"sip|3a|thisisthecanary@"; content:"sip|3a|test@"; offset:30; depth:70; reference:url,www.hackingvoip.com/sec_tools.html; classtype:attempted-recon; sid:2008641; rev:4; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- # SipCLI over TCP and UDP: "threshold: type limit, count 1, seconds 60, track by_src" = at most one alert per
- # scanning source per minute, regardless of how many probes it sends.
- alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan - TCP"; flow:established,to_server; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017161; rev:2; metadata:created_at 2013_07_17, confidence Medium, signature_severity Informational, updated_at 2019_10_08;)
- alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan"; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017162; rev:3; metadata:created_at 2013_07_17, confidence Medium, signature_severity Informational, updated_at 2019_10_08;)
- # Inbound INVITE/REGISTER flood rules: "threshold: type both, count 100, seconds 60, track by_src" alerts once
- # per source per 60 s window after 100 requests. The count is a fixed guess; a busy legitimate SIP peer or trunk
- # may exceed 100 INVITE or REGISTER per minute, so tune count/seconds (or suppress known peers) for your volume.
- alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP INVITE Message Flood TCP"; flow:established,to_server; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; classtype:attempted-dos; sid:2003192; rev:4; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP INVITE Message Flood UDP"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; classtype:attempted-dos; sid:2009698; rev:1; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP REGISTER Message Flood TCP"; flow:established,to_server; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; classtype:attempted-dos; sid:2003193; rev:5; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP REGISTER Message Flood UDP"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; classtype:attempted-dos; sid:2009699; rev:1; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- # Disabled overflow rules (CVE-2006-0189 softphone INVITE/SDP overflow, CVE-2005-4050 MultiTech). CVE-2006-0189
- # is still covered by the enabled GPL rule sid 2100223 further down.
- # alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP SIP UDP Softphone INVITE overflow"; dsize:>1000; content:"INVITE"; depth:6; nocase; pcre:"/\r?\n\r?\n/R"; isdataat:1000,relative; reference:bugtraq,16213; reference:cve,2006-0189; classtype:attempted-user; sid:2002848; rev:7; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- # alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP MultiTech SIP UDP Overflow"; content:"INVITE"; nocase; depth:6; isdataat:65,relative; content:!"|0a|"; within:61; reference:cve,2005-4050; classtype:attempted-user; sid:2003237; rev:8; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- # Direction is $HOME_NET 5060 -> $EXTERNAL_NET (from_server): these watch the PBX's own "401 Unauthorized"
- # challenges, i.e. the response side of password guessing / extension enumeration. Caveats: the source of
- # every response is the PBX itself, so "track by_src" pools all remote clients into one counter, and 5
- # challenges in 360 s is low -- a single legitimate client with a stale password will trip it. Tracking by
- # destination (as GPL sid 2100162 below does) attributes the count to the guessing client instead.
- alert tcp $HOME_NET 5060 -> $EXTERNAL_NET any (msg:"ET VOIP Multiple Unauthorized SIP Responses TCP"; flow:established,from_server; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 5, seconds 360; classtype:attempted-dos; sid:2003194; rev:6; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- alert udp $HOME_NET 5060 -> $EXTERNAL_NET any (msg:"ET VOIP Multiple Unauthorized SIP Responses UDP"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 5, seconds 360; classtype:attempted-dos; sid:2009700; rev:1; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- # Disabled: Asterisk DoS via a REGISTER request line with no URI/version (MU-200703-01).
- # alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Asterisk Register with no URI or Version DOS Attempt"; content:"REGISTER|0d 0a|"; nocase; depth:10; content:!"SIP/"; distance:0; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; reference:url,tools.ietf.org/html/rfc3261; classtype:attempted-dos; sid:2003474; rev:6; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- # "User-Agent: Asterisk PBX" is also the default User-Agent of genuine Asterisk installations; the rule exists
- # because scanners spoof it (see the sipvicious reference). Any legitimate Asterisk peer in $EXTERNAL_NET will
- # match -- suppress known trunk/peer addresses rather than disabling the rule.
- alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Modified Sipvicious Asterisk PBX User-Agent"; content:"|0d 0a|User-Agent|3A| Asterisk PBX"; nocase; threshold: type limit, count 1, seconds 60, track by_src; reference:url,blog.sipvicious.org/2010/11/distributed-sip-scanning-during.html; classtype:attempted-recon; sid:2012296; rev:2; metadata:created_at 2011_02_07, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- # Zoiper is a widely used legitimate softphone; this is a "possible misuse" indicator tied to the VoIP-fraud
- # case referenced, not an exploit signature. Expect alerts if remote/roaming users register from $EXTERNAL_NET.
- alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Possible Inbound VOIP Scan/Misuse With User-Agent Zoiper"; content:"|0d 0a|User-Agent|3A| Zoiper"; nocase; threshold: type limit, count 1, seconds 60, track by_src; reference:url,blog.sipvicious.org/2010/12/11-million-euro-loss-in-voip-fraud-and.html; classtype:attempted-recon; sid:2012297; rev:2; metadata:created_at 2011_02_07, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Possible Modified Sipvicious OPTIONS Scan"; content:"OPTIONS "; depth:8; content:"ccxllrlflgig|22|<sip|3A|100"; nocase; distance:0; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; classtype:attempted-recon; sid:2011422; rev:2; metadata:created_at 2010_09_28, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- # GPL flood rules (sid 2100158/2100163/2100162): "alert ip any any -> any 5060" is NOT scoped to
- # $HOME_NET/$EXTERNAL_NET, so they count traffic in every direction, including internal-to-internal.
- # sid 2100158 duplicates the ET INVITE flood rules above (same content, depth, and 100/60 s threshold);
- # keep one set or expect double alerts for the same event.
- alert ip any any -> any 5060 (msg:"GPL VOIP SIP INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:2100158; rev:4; metadata:created_at 2010_09_23, signature_severity Informational, updated_at 2019_07_26;)
- alert ip any any -> any 5060 (msg:"GPL VOIP SIP 407 Proxy Authentication Required Flood"; content:"SIP/2.0 407 Proxy Authentication Required"; depth:42; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:2100163; rev:4; metadata:created_at 2010_09_23, signature_severity Informational, updated_at 2019_07_26;)
- # Enabled CVE-2006-0189 check: an SDP "a=" attribute line of 1000+ characters after a Via branch parameter.
- # No dsize/flow constraint here; the two content matches act as the prefilter before the pcre runs.
- alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"GPL VOIP EXPLOIT SIP UDP Softphone overflow attempt"; content:"|3B|branch|3D|"; content:"a|3D|"; pcre:"/^a\x3D[^\n]{1000,}/smi"; reference:bugtraq,16213; reference:cve,2006-0189; classtype:misc-attack; sid:2100223; rev:2; metadata:created_at 2010_09_23, cve CVE_2006_0189, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- # Same 401 indicator as ET sid 2003194/2009700 above, but tracked by destination (the client receiving the
- # challenges) with a 100-in-60 s threshold, and unscoped ("any 5060 -> any any").
- alert ip any 5060 -> any any (msg:"GPL VOIP SIP 401 Unauthorized Flood"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_dst, count 100, seconds 60; classtype:attempted-dos; sid:2100162; rev:5; metadata:created_at 2010_09_23, signature_severity Informational, updated_at 2019_07_26;)
- # H.323/Q.931 (tcp/1720) rules: literal matches on the vendor/product identifiers ("MERA RTU", "cisco"/"ooh323")
- # carried in the Setup message, as seen in the unsolicited-call campaigns referenced. Legitimate calls from
- # those products will also match; classtype misc-attack, severity Informational.
- alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Possible Misuse Call from MERA RTU"; flow:to_server,established; content:"|22 c0 09 00 7a b7 07|MERA RTU|08|"; classtype:misc-attack; sid:2022022; rev:1; metadata:created_at 2015_11_03, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- # Disabled generic Q.931 Setup detector; sid 2022024 below is the enabled, stricter variant that walks the
- # message with byte_jump and additionally requires a 0x7E element (presumably the Q.931 User-user IE that
- # carries H.225 -- confirm against the spec before relying on that reading).
- # alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Q.931 Call Setup - Inbound"; flow:to_server,established; content:"|08|"; offset:4; depth:1; content:"|05 04|"; distance:3; within:2; classtype:misc-activity; sid:2022023; rev:1; metadata:created_at 2015_11_03, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP H.323 in Q.931 Call Setup - Inbound"; flow:to_server,established; content:"|08|"; offset:4; depth:1; byte_jump:1,0,relative; content:"|05 04|"; within:2; byte_jump:1,0,relative; content:"|70|"; byte_jump:1,0,relative; content:"|7E|"; within:1; byte_test:1,!&,0x0F,3,relative; isdataat:31; classtype:misc-activity; sid:2022024; rev:1; metadata:created_at 2015_11_03, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- # Disabled: CVE-2007-0528 Centrality IP phone session hijack (legacy http_uri modifier, $HTTP_PORTS variable).
- # alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET VOIP Centrality IP Phone (PA-168 Chipset) Session Hijacking"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"/g"; http_uri; nocase; content:"back=++Back++"; nocase; pcre:"/^\/g($|[?#])/Ui"; reference:url,www.milw0rm.com/exploits/3189; reference:cve,2007-0528; classtype:attempted-user; sid:2003329; rev:7; metadata:created_at 2010_07_30, confidence Medium, signature_severity Unknown, updated_at 2019_08_22;)
- alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Possible Misuse Call from Cisco ooh323"; flow:to_server,established; content:"|28 06|cisco|00|"; offset:14; depth:8; content:"|b8 00 00 27 05|ooh323|06|"; within:60; reference:url,videonationsltd.co.uk/2015/04/h-323-cisco-spam-calls/; classtype:misc-attack; sid:2021066; rev:2; metadata:created_at 2015_05_07, confidence Medium, signature_severity Informational, updated_at 2020_08_19;)