[asterisk-dev] [Code Review]: Generate security events in chan_sip using new Security Events Framework
Kevin P. Fleming
kpfleming at digium.com
Fri Aug 12 17:45:08 CDT 2011
On 08/12/2011 05:38 PM, Mike Myhre wrote:
> It is helpful to know whether the invalid password is different from
> the previous invalid password from this peer (if possible). You
> don't need to know what that previous guess was, as a security
> watcher can be expected to keep history. This can be important, to
> distinguish a misconfigured phone with the wrong password (false
> positive) from a scan attack.
>
> That sounds more like a firewall/brute force detector job than generating the security events. I am already checking for changing user names and have a structure to track that and assess points based on 'guesses' more than repeating the same thing like a phone would do. The security event structure I have seen so far doesn't analyze the events; it just generates them. It seems like that should continue to be the case to give more flexibility to other modules that wish to analyze the events.
Absolutely correct; the security events framework is just a mechanism
for reporting potentially interesting/valuable pieces of information.
Interpretation of them falls outside its scope entirely. With that said,
though, if there are pieces of information that cannot be determined
after the fact (because they are temporary), it would be useful for them
to be included in the event... because the event generator, by
definition, cannot know for sure which pieces of information will be
'interesting' to the analyzer.
--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kfleming at digium.com | SIP: kpfleming at digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org
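As an added illustration of the split discussed above (example code written for this page, not Asterisk's chan_sip code and not the patch under review): a generator that can answer "did the password differ from the previous attempt?" without storing the guess itself, and a separate analyzer that uses only the emitted flag to tell a phone retrying a stale password from a scan. The class names, the `password_changed` field, and the sample peers and addresses are assumptions.

```python
import hashlib
import hmac
import os
from collections import namedtuple

# password_changed is True/False, or None for the first failure from this (peer, address) pair.
SecurityEvent = namedtuple("SecurityEvent", "event_type peer remote_addr password_changed")

class EventGenerator:
    # Reporting side: keeps only a keyed hash of the last failed password per
    # (peer, address), so it can report "changed?" without storing the guess.
    def __init__(self, sink):
        self._key = os.urandom(32)  # per-process HMAC key, never exported
        self._last = {}             # (peer, addr) -> HMAC of the last failed attempt
        self._sink = sink           # whoever consumes the events
    def report_invalid_password(self, peer, addr, attempt):
        fp = hmac.new(self._key, attempt.encode(), hashlib.sha256).digest()
        prev = self._last.get((peer, addr))
        changed = None if prev is None else not hmac.compare_digest(prev, fp)
        self._last[(peer, addr)] = fp
        ev = SecurityEvent("InvalidPassword", peer, addr, changed)
        self._sink(ev)
        return ev

class GuessAnalyzer:
    # Analysis side: a separate consumer that classifies a source from the event
    # stream alone; it never sees a password, only the password_changed flag.
    def __init__(self):
        self.counts = {}  # (peer, addr) -> [total failures, distinct guesses]
    def consume(self, ev):
        if ev.event_type != "InvalidPassword": return
        c = self.counts.setdefault((ev.peer, ev.remote_addr), [0, 0])
        c[0] += 1
        if ev.password_changed is not False:  # first attempt, or a new guess
            c[1] += 1
    def classify(self, peer, addr, threshold=3):
        total, distinct = self.counts.get((peer, addr), (0, 0))
        if total < threshold: return "undetermined"
        return "scan" if distinct >= threshold else "misconfigured phone"

def demo():
    # Constructed sample: a phone retrying one stale password vs. a source cycling through guesses.
    analyzer = GuessAnalyzer()
    gen = EventGenerator(analyzer.consume)
    for pw in ["old-secret"] * 4:
        gen.report_invalid_password("6001", "192.0.2.10", pw)
    for pw in ["guess-a", "guess-b", "guess-c", "guess-d"]:
        gen.report_invalid_password("6002", "198.51.100.7", pw)
    return analyzer.classify("6001", "192.0.2.10"), analyzer.classify("6002", "198.51.100.7")
```

The analyzer keeps the history, as the quoted message suggests; the generator only carries the piece of information that would otherwise be lost once the attempt is gone.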