In this paper, we propose a novel online monitoring approach able to distinguish between attacks and normal activity in SIP based Voice over IP environments. We demonstrate the efficiency of the approach even in presence of very limited data sets for the learning phase. The solution builds on the monitoring of a set of 38 features in VoIP flows and on Support Vector Machines for the classification part. We validate our proposal through large offline experiments performed over a mix of real world traces from a large VoIP provider and attacks locally generated on our own testbed. Results show high accuracy to detect SPIT and flooding attacks and promising performance for an online deployment are measured.