List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] Inbound H.323 Scanning
From:       Will Metcalf <wmetcalf () emergingthreatspro ! com>
Date:       2015-04-07 16:09:02
Message-ID: CAKrkXrMxeYjWX-jnKXAeq2wUB=E9EPVV6AVoM3RYRfh8OKgUaA () mail ! gmail ! com

Awesome! Thanks Andre!

On Tue, Apr 7, 2015 at 10:59 AM, Andre DiMino <adimino@sempersecurus.org>
wrote:

> In most cases, they seem to scan an entire netblock for open tcp/1720,
> then follow up with the H.323 scans to that subset.
> We're using a threshold of 1 alert over 30 seconds, which seems to work
> well.
>
>
>
> On Tue, Apr 7, 2015 at 11:46 AM, Will Metcalf <
> wmetcalf@emergingthreatspro.com> wrote:
>
>> Nice, thanks! Scanning across an entire netblock? Maybe we should add a
>> threshold of 1 alert per 60 seconds or something tracking by src.
>>
>> Regards,
>>
>> Will
>>
>> On Tue, Apr 7, 2015 at 10:42 AM, Andre DiMino <adimino@sempersecurus.org>
>> wrote:
>>
>>> I've been seeing a huge amount of inbound scans and spam calls for H.323
>>> protocol devices.
>>> The following post describes it well.
>>>
>>> http://www.videonationsltd.co.uk/2014/11/h-323-cisco-spam-calls/
>>>
>>> Most of the inbound scanners are set to a source system ID of ‘Cisco’.
>>>
>>> I wrote the following rule to detect such scan events.
>>>
>>> alert tcp any any -> $HOME_NET 1720 (sid:1000224; gid:1; content:"|40 04 00 63 00 69 00 73 00 63 00 6f|"; fast_pattern; offset:55; depth:12; msg:"H.323 Scanning by \"Cisco\" device"; classtype:network-scan; rev:2; )
>>>
>>> --
>>>
>>> Andre' M. DiMino
>>> DeepEnd Research
>>> http://deependresearch.org
>>> http://sempersecurus.org
>>>
>>> "Make sure that nobody pays back wrong for wrong, but always try to be
>>> kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs@lists.emergingthreats.net
>>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>> http://www.emergingthreats.net
>>>
>>>
>>>
>>
>
>
> --
>
> Andre' M. DiMino
> DeepEnd Research
> http://deependresearch.org
> http://sempersecurus.org
>
> "Make sure that nobody pays back wrong for wrong, but always try to be
> kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
>
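The content match and the per-source threshold discussed in the thread, as an added example that is not part of the original posts or of any Emerging Threats signature. It re-implements the rule's content/offset/depth test and the `threshold:type limit, track by_src` behaviour in Python over constructed packets so the effect of the 30- versus 60-second window can be checked offline. Offset 55, depth 12 and the 12-byte content are taken from Andre's rule; the packets, the documentation-range addresses, the simplified TPKT/Q.931 framing before offset 55, and the reading of the second pattern byte (0x04) as "length minus one" are assumptions made for the example.

```python
"""Emulation of the H.323 "Cisco" scan rule from the thread, plus a per-source limit threshold.

Added example, not the original poster's rule or an Emerging Threats signature.  The packets
are constructed; everything before payload offset 55 is simplified framing, not a faithful
H.225 Setup PER encoding.  Offset 55, depth 12 and the 12-byte content come from the rule in
the thread; the threshold models `threshold:type limit, track by_src, count 1, seconds N`.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

RULE_PORT = 1720
# content:"|40 04 00 63 00 69 00 73 00 63 00 6f|": two leading bytes, then "cisco" as UTF-16BE
PATTERN = bytes.fromhex("40 04 00 63 00 69 00 73 00 63 00 6f")
OFFSET = 55   # offset:55 -> start searching at payload byte 55
DEPTH = 12    # depth:12  -> search window is 12 bytes, i.e. exactly len(PATTERN)


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since start of the (constructed) trace
    src: str
    dst: str
    dport: int
    payload: bytes


def content_match(payload: bytes) -> bool:
    """Snort/Suricata semantics: the pattern must lie entirely inside payload[OFFSET:OFFSET+DEPTH]."""
    return PATTERN in payload[OFFSET:OFFSET + DEPTH]


def rule_fires(pkt: Packet) -> bool:
    """alert tcp any any -> $HOME_NET 1720 (content:"|40 04 ...|"; offset:55; depth:12;)"""
    return pkt.dport == RULE_PORT and content_match(pkt.payload)


class LimitThreshold:
    """threshold:type limit, track by_src, count N, seconds S.

    Alert on the first N matching events from a source inside an S-second window that
    opens at that source's first event, then suppress until the window has expired.
    """

    def __init__(self, count: int = 1, seconds: int = 60) -> None:
        self.count = count
        self.seconds = seconds
        self._state: Dict[str, Tuple[float, int]] = {}   # src -> (window_start, events_seen)

    def allow(self, src: str, ts: float) -> bool:
        start, n = self._state.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0                              # open a fresh window for this source
        n += 1
        self._state[src] = (start, n)
        return n <= self.count


def build_setup(h323_id: str, id_offset: int = OFFSET) -> bytes:
    """Constructed H.225 Setup look-alike: TPKT header, Q.931 Setup header, zero filler, then
    0x40 and a length byte followed by the UTF-16BE (BMPString) ID at id_offset.  The second
    byte of the observed pattern (0x04) is taken to be len("cisco") - 1; that is an assumption.
    """
    q931 = bytes.fromhex("08 02 00 01 05")   # protocol discriminator, CRV length 2, CRV 1, SETUP
    body = q931 + b"\x00" * (id_offset - 4 - len(q931))
    body += b"\x40" + bytes([len(h323_id) - 1]) + h323_id.encode("utf-16-be") + b"\x00" * 16
    return b"\x03\x00" + (len(body) + 4).to_bytes(2, "big") + body   # TPKT v3, total length


def scan_trace() -> List[Packet]:
    """Constructed traffic (documentation address ranges): one scanner sweeping five hosts over
    16 s and coming back twice, a second scanner, a legitimate endpoint, and one Setup whose ID
    sits two bytes later than the rule expects."""
    scanner, scanner2, endpoint = "203.0.113.5", "198.51.100.7", "192.0.2.200"
    pkts = [Packet(10.0 + 4 * i, scanner, f"192.0.2.{10 + i}", 1720, build_setup("cisco"))
            for i in range(5)]
    pkts += [
        Packet(40.0, scanner2, "192.0.2.20", 1720, build_setup("cisco")),
        Packet(45.0, scanner, "192.0.2.21", 1720, build_setup("cisco")),
        Packet(47.0, endpoint, "192.0.2.22", 1720, build_setup("polycom")),             # no match
        Packet(50.0, scanner, "192.0.2.23", 1720, build_setup("cisco", id_offset=57)),  # outside depth:12
        Packet(100.0, scanner, "192.0.2.24", 1720, build_setup("cisco")),
    ]
    return pkts


def run(packets: List[Packet], seconds: int = 60) -> Tuple[int, List[Tuple[float, str]]]:
    """Return (raw rule matches, alerts that survive a count-1 per-source limit of `seconds`)."""
    thr = LimitThreshold(count=1, seconds=seconds)
    raw, alerts = 0, []
    for pkt in sorted(packets, key=lambda p: p.ts):
        if not rule_fires(pkt):
            continue
        raw += 1
        if thr.allow(pkt.src, pkt.ts):
            alerts.append((pkt.ts, pkt.src))
    return raw, alerts


if __name__ == "__main__":
    for window in (30, 60):
        raw, alerts = run(scan_trace(), seconds=window)
        print(f"seconds={window}: {raw} raw matches -> {len(alerts)} alerts {alerts}")
```

In rule syntax the window emulated above is `threshold:type limit, track by_src, count 1, seconds 60;` (or `seconds 30` for the setting Andre reports). On the constructed trace the five-host sweep from one source collapses to a single alert per window; the 30-second window re-alerts when that scanner comes back at 45 s, where the 60-second window stays quiet until 100 s. The shifted packet also shows that `depth:12` leaves no slack: the search window is exactly the pattern length, so any change in the Q.931 information elements preceding the ID moves the bytes out of the window and the rule no longer matches.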
