Published on February 20th, 2011 | by NJ Ouchn
Artemisa VoIP/SIP Honeypot v1.0.90 released!
What is Artemisa?
Artemisa is a VoIP/SIP-specific honeypot designed to connect to a VoIP enterprise domain as a user-agent back-end in order to detect malicious activity at an early stage. It registers multiple SIP accounts, which do not represent real human subscribers, at one or more VoIP service providers and waits for incoming attacks. In addition, Artemisa can play a role in the real-time adjustment of the security policies of the enterprise domain where it is deployed (e.g. setting rules in a firewall to ban IPs, or in the VoIP PBX to ban caller IDs).
How does it work?
Artemisa works as a conventional user-agent of a VoIP/SIP domain. To achieve this, we provide modular configuration files where the administrator can set up the connection parameters as well as Artemisa’s behavior. The SIP registrar server of the domain should also be configured to let Artemisa register a set of extensions (e.g. 5 extensions, from 401 to 405). Once Artemisa is configured and launched (preferably on a separate machine or virtual machine), it keeps listening and waiting for SIP activity. Normally, NO SIP activity, such as a call, is expected on the honeypot, since the honeypot’s extensions don’t represent human beings. Thus, any call or message that reaches the honeypot is suspicious and is analyzed.
The analysis involves the use of different techniques and third-party tools to determine and classify the nature of the message. When the message is classified and a conclusion is reached, Artemisa reports this in several ways, such as sending an e-mail report, and also takes actions such as running user-configurable scripts. These scripts give the administrator enough power to adjust the domain policies in real time.
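The detection flow described above (a message aimed at an extension that no human uses is suspicious, the sender's User-Agent is matched against fingerprint rules for known SIP scanning tools, and a per-source counter provides flood self-protection), as an added Python example that is not Artemisa's own code. The extension range 401-405 follows the text; the fingerprint rules, the flood threshold, the sample INVITE and the source addresses are constructed for this example.

```python
import re
from collections import defaultdict

# Honeypot extensions registered at the SIP registrar (401-405 as in the text);
# no human subscriber uses them, so any request addressed to one is suspicious.
HONEYPOT_EXTENSIONS = {str(n) for n in range(401, 406)}

# Assumed fingerprint rules: User-Agent patterns for known SIP scanning tools.
# Constructed for this example, not Artemisa's own rule set.
FINGERPRINT_RULES = {
    "sipvicious": re.compile(r"friendly-scanner", re.I),
    "sipcli": re.compile(r"^sipcli", re.I),
}

# Self-protection: more than this many messages from one source counts as a flood
# (a real deployment would count per time window; kept simple here).
FLOOD_THRESHOLD = 3
MESSAGES_FROM = defaultdict(int)

# Constructed sample: an INVITE from a scanner to honeypot extension 403.
SAMPLE_INVITE = ("INVITE sip:403@voip.example.test SIP/2.0\r\n"
                 "Via: SIP/2.0/UDP 198.51.100.7:5060\r\n"
                 "From: <sip:100@198.51.100.7>\r\n"
                 "To: <sip:403@voip.example.test>\r\n"
                 "User-Agent: friendly-scanner\r\n"
                 "Content-Length: 0\r\n\r\n")

def parse_sip(raw):
    """Split a SIP request into its method, Request-URI and a header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers

def classify(raw, src_ip):
    """Return the list of verdicts for one message that reached the honeypot."""
    method, uri, headers = parse_sip(raw)
    verdicts = []
    user = re.match(r"sips?:([^@;]+)", uri)  # user part of the Request-URI
    if user and user.group(1) in HONEYPOT_EXTENSIONS:
        verdicts.append("suspicious:%s to honeypot ext %s" % (method, user.group(1)))
    ua = headers.get("user-agent", "")
    for tool, pattern in FINGERPRINT_RULES.items():
        if pattern.search(ua):
            verdicts.append("fingerprint:" + tool)
    MESSAGES_FROM[src_ip] += 1
    if MESSAGES_FROM[src_ip] > FLOOD_THRESHOLD:
        verdicts.append("flood:" + src_ip)
    return verdicts
```

Each verdict is where a response script or e-mail report would be triggered; running `classify(SAMPLE_INVITE, "198.51.100.7")` repeatedly shows the flood verdict appearing once the threshold is exceeded.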
- Open source
- Conversation recording
- Self-protection against message flooding
- Administrator’s E-mail notification
- Information gathering capabilities
- Correlation rules to infer sequential and stateful attacks
- Rule-based fingerprinting of known SIP attack tools
- Response scripts to automate an immediate reaction to the detected incidents
- Plain-Text/HTML logging and reporting