Parsing and extracting VOIP/SIP using SO


Brant Hale

Apr 8, 2015, 6:53:22 AM
to securit...@googlegroups.com
I have been running Security Onion at home testing it out and everything is running well.

One type of traffic is eluding me: VOIP traffic, esp. SIP.

I would like to query ELSA to show all SIP conversations and then pull them via CapMe into Xplico.

Am I missing something easy?

I can pull all the day's pcaps into Xplico and see the traffic carved out, but I would prefer to pull the SIP traffic together into a session. I know SIP is fairly aggravating due to the RTP streams, so I was hoping someone else has tackled this.

If no one has anything, I will try and do something with Bro.

Why do I care about SIP traffic? Right now it is self-training (I am trying to play back my Vonage connection for fun). In the future, I want to catch unallowed SIP on the production network.

Thanks for any help or pointers!

Doug Burks

Apr 10, 2015, 12:07:28 AM
to securit...@googlegroups.com
Hi Brant,

Is your SIP traffic using a standard port like 5060 and/or 5061?

Depending on your needs, you may want to carve that particular port
from the full pcaps on disk to an output pcap using tcpdump like this:

tcpdump -r /nsm/sensor_data/HOSTNAME-INTERFACE/dailylogs/2015-04-10/snort.log.EPOCH -w /tmp/sip.pcap 'port 5060'

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
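The tcpdump line above gets the SIP packets into one file, but Brant's original ask was to see them grouped into sessions. The following is an added example for this thread, not code from Security Onion, Bro, Xplico or any poster: it walks a pcap with only the Python standard library, keeps IPv4/UDP records on 5060/5061, parses the SIP start line and headers, groups messages by Call-ID, and records the RTP ports advertised in any SDP body (the part that makes SIP "aggravating"), so you know which UDP ports to carve next. The sample pcap is constructed in memory so the example runs offline; for real traffic, read the carved /tmp/sip.pcap and pass its bytes to sessions_from_pcap(). It assumes Ethernet framing, no VLAN tags, and plaintext SIP (5061 is normally SIP over TLS, which a passive parser cannot read).

```python
"""Group SIP-over-UDP messages in a pcap into sessions keyed by Call-ID.

Added example, not code from Security Onion, Bro or any poster in the
thread. Standard library only; the pcap below is constructed in memory.
"""
import re
import struct
from collections import defaultdict

SIP_PORTS = {5060, 5061}   # standard ports from the thread; 5061 is usually TLS (unreadable here)
MEDIA_RE = re.compile(r"^m=\w+ (\d+) ", re.M)   # SDP media line, e.g. "m=audio 49170 RTP/AVP 0"


def iter_udp(pcap_bytes):
    """Yield (src_ip, dst_ip, sport, dport, payload) for every IPv4/UDP record."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"   # classic / nanosecond magic
    linktype, = struct.unpack(endian + "I", pcap_bytes[20:24])
    if linktype != 1:
        raise ValueError("example handles Ethernet (linktype 1) only")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                        # not plain IPv4 (VLAN-tagged frames are skipped)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17:
            continue                        # not UDP
        udp = ip[ihl:]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        yield src, dst, sport, dport, udp[8:ulen]


def parse_sip(payload):
    """Return (start_line, headers, body) or None if the payload is not a SIP message."""
    text = payload.decode("utf-8", errors="replace")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = lines[0]
    if not (start.startswith("SIP/2.0 ") or start.endswith(" SIP/2.0")):
        return None                         # neither a response nor a request start line
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:            # folded continuation line
            headers[last] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()
            headers.setdefault(last, value.strip())     # keep first of repeated headers (Via)
    return start, headers, body


def sessions_from_pcap(pcap_bytes):
    """Map Call-ID -> {"messages": [(src, dst, start_line), ...], "media_ports": {int, ...}}."""
    sessions = defaultdict(lambda: {"messages": [], "media_ports": set()})
    for src, dst, sport, dport, payload in iter_udp(pcap_bytes):
        if sport not in SIP_PORTS and dport not in SIP_PORTS:
            continue
        parsed = parse_sip(payload)
        if parsed is None:
            continue                        # binary noise on the SIP port, not a SIP message
        start, headers, body = parsed
        call_id = headers.get("call-id") or headers.get("i")    # "i" is the compact form
        if not call_id:
            continue
        sess = sessions[call_id]
        sess["messages"].append((src, dst, start))
        sess["media_ports"].update(int(p) for p in MEDIA_RE.findall(body))
    return dict(sessions)


# --- constructed sample traffic so the example runs offline (not a real capture) ---
def _frame(src, dst, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp     # checksums left zero; fine for parsing


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, f in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out


def _sip(start, call_id, body=""):
    return (f"{start}\r\nVia: SIP/2.0/UDP 10.0.0.10:5060\r\nCall-ID: {call_id}\r\n"
            f"CSeq: 1 INVITE\r\nContent-Length: {len(body)}\r\n\r\n{body}").encode()


A, B = "10.0.0.10", "10.0.0.20"
SAMPLE_PCAP = _pcap([
    _frame(A, B, 5060, 5060, _sip("INVITE sip:bob@10.0.0.20 SIP/2.0", "c1@10.0.0.10",
                                  "v=0\r\nm=audio 49170 RTP/AVP 0\r\n")),
    _frame(B, A, 5060, 5060, _sip("SIP/2.0 200 OK", "c1@10.0.0.10", "v=0\r\nm=audio 6000 RTP/AVP 0\r\n")),
    _frame(A, B, 5060, 5060, _sip("REGISTER sip:10.0.0.20 SIP/2.0", "c2@10.0.0.10")),
    _frame(A, B, 5060, 5060, _sip("BYE sip:bob@10.0.0.20 SIP/2.0", "c1@10.0.0.10")),
    _frame(A, B, 40000, 5060, b"\x80\x00\x00\x01garbage"),    # non-SIP bytes on the SIP port
    _frame(A, "10.0.0.30", 40001, 53, b"not sip"),             # UDP on a non-SIP port
])

if __name__ == "__main__":
    for cid, s in sessions_from_pcap(SAMPLE_PCAP).items():
        print(cid, [m[2] for m in s["messages"]], sorted(s["media_ports"]))
```

The media ports collected per Call-ID are what you would feed back into a second tcpdump carve (for example 'udp port 49170 or udp port 6000') to pull the RTP legs that belong to that call; the SIP signalling alone never carries the audio.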

Seth Hall

Apr 10, 2015, 1:10:14 AM
to securit...@googlegroups.com

> On Apr 7, 2015, at 11:46 PM, Brant Hale <bran...@gmail.com> wrote:
>
> One type of traffic is eluding me - VOIP traffic esp SIP.
>
> If no one has anything I will try and do something with BRO.

There is a *nearly done* (so many things in this state) parser for SIP in the Bro repository actually, so this is something that will be coming to Bro eventually. Unfortunately it’s not quite there yet though. :)

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
