Luis Perez
Resolved
This is more of an informative thread.

A few minutes ago, all inbound and outbound VoIP connections stopped for devices behind the ClearOS server. Having encountered this before, I was sure that ClearOS had detected an assumed security threat and that Intrusion Detection or Prevention had locked the VoIP server's IP out of the network.

To determine if this is true, you will need to:
1. Find out the IP address of the VoIP server.
2. Go to ClearOS > Gateway > Intrusion Protection > Intrusion Prevention and find the IP address from step 1.
3. Note the ID (probably 1394), then select "Exempt List" on the right.

This adds the server to the exempt list, and after a few moments you will be able to ping the server again; call flow will resume.

As for why the Intrusion Prevention service is blocking the IP address, here is what the 1394 code means to SNORT:

SID 1394

This event is generated when an attempt is made to possibly overflow a buffer. The NOOP warning occurs when a series of NOOPs (no operation) is found in a stream. Most buffer overflow exploits typically use NOOP sleds to pad the code.

Impact
This might indicate someone is trying to use a buffer overflow exploit. Full compromise of the system is possible if the exploit is successful.

Detailed Information
This rule detects a large number of consecutive NOOP instructions used in padding code. It's not specific to a particular service exploit, but rather used to try and detect buffer overflows in general. It is common for buffer overflow code to contain a large sequence of NOOP instructions as it increases the odds of successful execution of the useful shellcode.

False Positives
High. This event may be generated by applications such as ftp and http when binary data is being transferred. A false positive can be generated if the snort sensor detects text from an IRC client or any other application that passes data in plaintext. The event is generated if snort detects several (a) characters in a row, such as 'aaaaaaaaaa'. Netbios name service lookups may also generate false positive events.

Corrective Action
- Apply a non-executable user stack patch to your kernel.
- Secure programming/execution of a program.
- Check the destination host and service to verify if any buffer overflow vulnerability exists.

FYI: We use an Asterisk based system that is running the FreePBX 2.8 module on a Linux platform.

Hopefully, this will also give the ClearOS developer team something to run with, in an effort to stop this from occurring in the future.
Wednesday, January 11 2012, 01:52 AM
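The false-positive mechanism described in the SID 1394 text, and the exempt-list workaround from the post, as an added example (written for this thread, not ClearOS or Snort code). It assumes the rule keys on runs of 'a' (0x61) with a threshold of 10, uses RFC 5737 documentation addresses, and all payloads are constructed rather than captured.

```python
"""Added example for this thread (not ClearOS or Snort code): a toy version of the
SID 1394 NOOP-sled heuristic described above, plus the exempt-list check that
mirrors the ClearOS workaround. Payloads below are constructed, not captured."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple

# Assumption taken from the post: the rule keys on runs of 'a' (0x61) and fires
# after "several" of them; 10 is an assumed threshold. Real Snort rule content
# varies by rule revision.
NOOP_BYTES: FrozenSet[int] = frozenset({0x61})
MIN_RUN = 10

@dataclass
class Alert:
    sid: int
    src: str
    dst: str
    payload: bytes

def longest_noop_run(payload: bytes, noop_bytes=NOOP_BYTES) -> Tuple[Optional[int], int]:
    """Longest consecutive run of any byte in noop_bytes, as (byte, length)."""
    best, cur_byte, cur_len = (None, 0), None, 0
    for b in payload:
        cur_byte, cur_len = (b, cur_len + 1) if b == cur_byte else (b, 1)
        if b in noop_bytes and cur_len > best[1]:
            best = (b, cur_len)
    return best

def matches_sled_rule(payload: bytes, min_run: int = MIN_RUN) -> bool:
    """Content-agnostic match, which is exactly why binary transfers, chat text
    and NetBIOS lookups can trip it without any exploit being present."""
    return longest_noop_run(payload)[1] >= min_run

def triage(alert: Alert, exempt_hosts: Set[str]) -> str:
    """'exempt' for a listed VoIP host (never blocked), 'block' when the heuristic
    fires, otherwise 'pass'. Mirrors putting the PBX on the ClearOS exempt list."""
    if alert.src in exempt_hosts or alert.dst in exempt_hosts:
        return "exempt"
    return "block" if matches_sled_rule(alert.payload) else "pass"

# Constructed samples (RFC 5737 documentation addresses)
SIP_INVITE = b"INVITE sip:100@192.0.2.20 SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.5:5060\r\n\r\n"
IRC_TEXT = b"PRIVMSG #chan :aaaaaaaaaaaaaaaa\r\n"            # benign chat, 16 x 'a'
BINARY_CHUNK = bytes(range(256)) + b"a" * 12 + b"\x00\xff" * 8  # file transfer-like
PBX = "192.0.2.20"  # assumed VoIP server address
```

Calling `triage(Alert(1394, "203.0.113.7", PBX, IRC_TEXT), set())` returns "block", while the same alert with `{PBX}` as the exempt set returns "exempt", which is the effect of the Exempt List step in the post.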