Snort mailing list archives

Re: Snort with SS7/Sigtran


From: "Al Lewis \(allewi\) via Snort-devel" <snort-devel () lists snort org>
Date: Tue, 13 Feb 2018 18:59:46 +0000

Hello,

A good place to start with this would be with Snort++.

It’s a lot more flexible and you should be able to create a plugin pretty quickly.

https://github.com/snortadmin/snort3 or on https://snort.org/downloads



Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com
From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of "Joel Esler (jesler) via Snort-devel" 
<snort-devel () lists snort org>
Reply-To: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tuesday, February 13, 2018 at 1:52 PM
To: ALEJANDRO CORLETTI ESTRADA <alejandro.corlettiestrada.ext () telefonica com>
Cc: "roesch () snort org" <roesch () snort org>, "snort-devel () lists snort org" <snort-devel () lists snort org>, 
"snort-team(mailer list)" <snort-team () cisco com>
Subject: Re: [Snort-devel] Snort with SS7/Sigtran

Adding the snort-team on this one.

--
Joel Esler | Talos: Manager | jesler () cisco com






On Feb 13, 2018, at 8:27 AM, ALEJANDRO CORLETTI ESTRADA <alejandro.corlettiestrada.ext () telefonica com> wrote:

Hello,

My name is Alejandro Corletti Estrada. I am an Engineering Doctor, and I have been working in networks and security for 
many years (I have written 3 books in Spanish: "Seguridad por Niveles", "Seguridad en Redes" and "Ciberseguridad, una 
Estrategia Informático/Militar" - "Security by Levels", "Security in Networks" and "Cybersecurity, a Computer / 
Military Strategy"). With Snort I have been working for almost 20 years; in 2001 I published an article called 
"Nessus Methodology - Snort" and another one, "Level of Immaturity of the NIDS" (both in Spanish), which were very successful 
in the Hispanic world.

Currently I am in the "Corporate Audit of Security in Networks and Systems" of the Telefónica Group.

I am writing to you, because there is a critical safety problem with the Signaling System 7 (SS7), more particularly in 
the "Sigtran" stack, which is responsible for transporting SS7 over IP. I have been studying the subject for months and 
now (with my team) we are analyzing traffic patterns of this family of protocols and looking for anomalous traffic in 
them. We are using, as we did before, Wireshark in combination with Snort.

Within the known vulnerabilities (which are several), to work with Snort there are two fundamental problems:

1. The SCTP protocol (Stream Control Transmission Protocol) that replaces TCP in Sigtran.
2. Absence of rules for SS7 (this includes several protocols: MAP, TCAP, ISUP, CAMEL, etc ...)

I would like to open with you a new "work team" or committee that is responsible for this issue, because I believe that 
Snort could be the solution to this International problem. Currently, all the telephone operators in the world are 
suffering, and we at this moment (with my team) can do much about it, if we count on your support, because we have 
access to all the nodes and network elements that operate ss7 / Sigtran and access to this traffic.

Within this line of action there would be two aspects on which I would like to join efforts with the entire Snort 
community:

1. Create the necessary library to be able to call rules with the "SCTP" protocol (instead of ip, tcp, icmp, etc.); this 
would be very important.
2. Begin to develop SS7 rules for detecting anomalous traffic patterns.

Please tell me what steps or actions I should take to move forward on this topic.

With all sincerity, I can assure you that I am one of the few people who know this topic in depth (for in the 90's I 
was teaching the SS7 courses, before its integration with Sigtran), I have studied it in detail and I have access to 
all the traffic that is needed.

This project can be an international initiative to which undoubtedly, as it becomes public, all the telephone operators 
in the world will be added.

Regards, and I am waiting for your response,
Alejandro Corletti Estrada.

PS: my English level is not very good (sorry)




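The first of the two work items above (letting rules key on SCTP rather than TCP) needs a decoder that walks the SCTP common header and chunk list and identifies which Sigtran adaptation layer a DATA chunk carries. This is an added illustration, not code from the Snort project or from the thread; the sample packet is constructed inline, and the PPID and port values are the IANA-registered ones for M3UA.

```python
"""Added example: decode one SCTP packet and name the Sigtran layer in each DATA chunk."""
import struct

# IANA SCTP payload protocol identifiers for the Sigtran adaptation layers.
SIGTRAN_PPID = {1: "IUA", 2: "M2UA", 3: "M3UA", 4: "SUA", 5: "M2PA"}
DATA_CHUNK = 0


def parse_sctp(packet: bytes) -> dict:
    """Return the common header fields and chunk list; ValueError on malformed input."""
    if len(packet) < 12:
        raise ValueError("short SCTP common header")
    src, dst, vtag, cksum = struct.unpack("!HHII", packet[:12])
    chunks, off = [], 12
    while off < len(packet):
        if len(packet) - off < 4:
            raise ValueError("truncated chunk header")
        ctype, flags, clen = struct.unpack("!BBH", packet[off:off + 4])
        if clen < 4 or off + clen > len(packet):
            raise ValueError("bad chunk length %d at offset %d" % (clen, off))
        chunk = {"type": ctype, "flags": flags, "len": clen}
        if ctype == DATA_CHUNK:
            if clen < 17:  # 4-byte chunk header + 12-byte DATA header + >= 1 byte payload
                raise ValueError("DATA chunk without payload")
            tsn, sid, ssn, ppid = struct.unpack("!IHHI", packet[off + 4:off + 16])
            chunk.update(tsn=tsn, stream=sid, ssn=ssn, ppid=ppid,
                         proto=SIGTRAN_PPID.get(ppid, "other"),
                         payload=packet[off + 16:off + clen])
        chunks.append(chunk)
        off += (clen + 3) & ~3  # chunks are padded to a 4-byte boundary
    return {"src": src, "dst": dst, "vtag": vtag, "checksum": cksum, "chunks": chunks}


def build_data_chunk(ppid: int, payload: bytes, tsn=1, stream=0, ssn=0, flags=0x03) -> bytes:
    """Build a DATA chunk (flags 0x03 = B|E, unfragmented) with padding, for the sample."""
    body = struct.pack("!IHHI", tsn, stream, ssn, ppid) + payload
    chunk = struct.pack("!BBH", DATA_CHUNK, flags, 4 + len(body)) + body
    return chunk + b"\x00" * (-len(chunk) % 4)


# Constructed sample: an M3UA message (version 1, class 1 = Transfer, type 1 = Payload
# Data, length 12) in one DATA chunk on the M3UA port 2905. Checksum left zero.
M3UA_HDR = bytes([1, 0, 1, 1]) + struct.pack("!I", 12) + b"\xab\xcd\xef\x01"
SAMPLE = struct.pack("!HHII", 2905, 2905, 0xDEADBEEF, 0) + build_data_chunk(3, M3UA_HDR)


def sigtran_protocols(packet: bytes) -> list:
    """Names of the Sigtran layers seen in DATA chunks (what an 'sctp' rule would key on)."""
    return [c["proto"] for c in parse_sctp(packet)["chunks"] if c["type"] == DATA_CHUNK]


def is_malformed(packet: bytes) -> bool:
    """True when the chunk lengths do not fit the packet (a candidate anomaly signal)."""
    try:
        parse_sctp(packet)
        return False
    except ValueError:
        return True
```

A Snort++ plugin would do this decode once per packet and expose the PPID, stream id and payload to the rule engine, which is where the SS7-level rules from item 2 would attach.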

