Custom App for SIP

markibr — Wed, 30 Aug 2017 17:36:36 GMT

As a SIP provider, looking for to create a custom signature that matches a SUBSCRIBE message from the packet payload w/ 10 or 11 digits. We first tried this w/ Data Patterns under the Custom Objects but that didn't solve/address our issues.

We then created a custom app (SIP-SUBSCRIBE) to match the sip application already available in the DB, and then created a new signature called 'Subscribe' with a 'Session' Scope type. Furthermore, we selected the "Ordered Condition Match" in order to actually be able to match a regex string against the packet.

The regex in question was written as follows: .*(SUBSCRIBE sip:[0-9]\{10-11}@) and is to match any sip packet w/ a Subscribe message containing a string of 10 or 11 digits. (At least, that was our intention)

We then created a security rule where we matched the custom application called SIP_SUBSCRIBE and set it to Allow at first so we could see that it was actually matching what we were looking for but unfortunately didn't see any matches. (Even though the attack was still ongoing)

Re: Custom App for SIP

Lucky — Thu, 31 Aug 2017 12:18:29 GMT

Hi Markibr,

How was the attack logged, as which application? Do you have any pcaps from that, a session or two? Did you already open a case with support?

Best regards,
Luciano

Re: Custom App for SIP

markibr — Thu, 31 Aug 2017 18:22:54 GMT

Logged as SIP which is what is supposed to be since they are an VoIP provider. I have no pcap files currently.

topic Re: Custom App for SIP in Custom Signatures

Custom App for SIP

Re: Custom App for SIP

Re: Custom App for SIP