topic Custom App for unknown SIP traffic in Custom Signatures https://live.paloaltonetworks.com/t5/custom-signatures/custom-app-for-unknown-sip-traffic/m-p/462772#M422 <P>Hi.</P><P>&nbsp;</P><P>I need to create a Custom App for SIP traffic that is not identified by the firewall. I see that you can match on the sip headers but not sure how to write the pattern.&nbsp;</P><P>&nbsp;</P><P>Have done capture of the traffic and this is what I got...</P><P>What can be used here and how do I write the pattern?</P><P>&nbsp;</P><P><SPAN>INVITE sip:2574@10.100.118.40 SIP/2.0</SPAN></P><P><SPAN>Min-SE: 300</SPAN></P><P><SPAN>Date: Wed, 02 Feb 2022 11:11:28 GMT</SPAN></P><P><SPAN>CSeq: 1 INVITE</SPAN></P><P><SPAN>Via: SIP/2.0/UDP 10.100.254.103:5060;branch=z9hG4bK1b1aeaa5-f022-1910-8d14-00d8614b2eed;rport</SPAN></P><P><SPAN>Session-Expires: 3600;refresher=uas</SPAN></P><P><SPAN>User-Agent: NVTVoIP/8.3.0.1765</SPAN></P><P><SPAN>From: "Seng 2128" &lt;sip:nvm@10.100.254.103&gt;;tag=1b1aeaa5-f022-1910-8d11-00d8614b2eed</SPAN></P><P><SPAN>Call-ID: 1b1aeaa5-f022-1910-8d12-00d8614b2eed@FANTOFTMBB</SPAN></P><P><SPAN>Supported: timer, x-siemens-sipqv2</SPAN></P><P><SPAN>Organization: New Voice</SPAN></P><P><SPAN>To: &lt;sip:2574@10.100.118.40&gt;</SPAN></P><P><SPAN>P-Asserted-Identity: "Seng 2128" &lt;sip:nvm@10.100.254.103&gt;</SPAN></P><P><SPAN>Contact: &lt;sip:nvm@10.100.254.103&gt;</SPAN></P><P><SPAN>Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,SUBSCRIBE,NOTIFY,REFER,MESSAGE,INFO,PING</SPAN></P><P><SPAN>Content-Type: application/sdp</SPAN></P><P><SPAN>Content-Length: 308</SPAN></P><P><SPAN>Max-Forwards: 70</SPAN></P><P>&nbsp;</P><P><SPAN>v=0</SPAN></P><P><SPAN>o=- 1643800288 1 IN IP4 10.100.254.103</SPAN></P><P><SPAN>s=Opal SIP Session</SPAN></P><P><SPAN>c=IN IP4 10.100.254.103</SPAN></P><P><SPAN>t=0 0</SPAN></P><P><SPAN>m=audio 5144 RTP/AVP 8 0 101 100</SPAN></P><P><SPAN>a=sendrecv</SPAN></P><P><SPAN>a=rtpmap:8 PCMA/8000/1</SPAN></P><P><SPAN>a=rtpmap:0 PCMU/8000/1</SPAN></P><P><SPAN>a=rtpmap:101 telephone-event/8000</SPAN></P><P><SPAN>a=fmtp:101 0-16,32,36</SPAN></P><P><SPAN>a=rtpmap:100 NSE/8000</SPAN></P><P><SPAN>a=fmtp:100 192-193</SPAN></P><P><SPAN>a=maxptime:240</SPAN></P><P><SPAN>SIP/2.0 100 Trying</SPAN></P><P><SPAN>To: &lt;sip:2574@10.100.118.40&gt;</SPAN></P><P><SPAN>From: "Seng 2128" &lt;sip:nvm@10.100.254.103&gt;;tag=1b1aeaa5-f022-1910-8d11-00d8614b2eed</SPAN></P><P><SPAN>Call-ID: 1b1aeaa5-f022-1910-8d12-00d8614b2eed@FANTOFTMBB</SPAN></P><P><SPAN>CSeq: 1 INVITE</SPAN></P><P><SPAN>Via: SIP/2.0/UDP 10.100.254.103:5060;received=10.100.254.103;branch=z9hG4bK1b1aeaa5-f022-1910-8d14-00d8614b2eed;rport=5060</SPAN></P><P><SPAN>Content-Length: 0</SPAN></P><P>&nbsp;</P><P><SPAN>SIP/2.0 180 Ringing</SPAN></P><P><SPAN>Allow: INVITE, ACK, CANCEL, BYE, PRACK, NOTIFY, REFER, SUBSCRIBE, OPTIONS, UPDATE</SPAN></P><P><SPAN>Contact: sip:10.100.118.40</SPAN></P><P><SPAN>User-Agent: OmniPCX Enterprise R11.2.2 l2.300.31.b</SPAN></P><P><SPAN>P-Asserted-Identity: "Gruppe 7-1 Oster" &lt;sip:2574@nordhord;user=phone&gt;</SPAN></P><P><SPAN>To: &lt;sip:2574@10.100.118.40&gt;;tag=b2de9e36b543975d4ff88de7dec5e216</SPAN></P><P><SPAN>From: "Seng 2128" &lt;sip:nvm@10.100.254.103&gt;;tag=1b1aeaa5-f022-1910-8d11-00d8614b2eed</SPAN></P><P><SPAN>Call-ID: 1b1aeaa5-f022-1910-8d12-00d8614b2eed@FANTOFTMBB</SPAN></P><P><SPAN>CSeq: 1 INVITE</SPAN></P><P><SPAN>Via: SIP/2.0/UDP 10.100.254.103:5060;received=10.100.254.103;branch=z9hG4bK1b1aeaa5-f022-1910-8d14-00d8614b2eed;rport=5060</SPAN></P><P><SPAN>Content-Length: 0</SPAN></P> Wed, 02 Feb 2022 11:51:59 GMT OyvindM 2022-02-02T11:51:59Z Custom App for unknown SIP traffic https://live.paloaltonetworks.com/t5/custom-signatures/custom-app-for-unknown-sip-traffic/m-p/462772#M422 <P>Hi.</P><P>&nbsp;</P><P>I need to create a Custom App for SIP traffic that is not identified by the firewall. I see that you can match on the sip headers but not sure how to write the pattern.&nbsp;</P><P>&nbsp;</P><P>Have done capture of the traffic and this is what I got...</P><P>What can be used here and how do I write the pattern?</P><P>&nbsp;</P><P><SPAN>INVITE sip:2574@10.100.118.40 SIP/2.0</SPAN></P><P><SPAN>Min-SE: 300</SPAN></P><P><SPAN>Date: Wed, 02 Feb 2022 11:11:28 GMT</SPAN></P><P><SPAN>CSeq: 1 INVITE</SPAN></P><P><SPAN>Via: SIP/2.0/UDP 10.100.254.103:5060;branch=z9hG4bK1b1aeaa5-f022-1910-8d14-00d8614b2eed;rport</SPAN></P><P><SPAN>Session-Expires: 3600;refresher=uas</SPAN></P><P><SPAN>User-Agent: NVTVoIP/8.3.0.1765</SPAN></P><P><SPAN>From: "Seng 2128" &lt;sip:nvm@10.100.254.103&gt;;tag=1b1aeaa5-f022-1910-8d11-00d8614b2eed</SPAN></P><P><SPAN>Call-ID: 1b1aeaa5-f022-1910-8d12-00d8614b2eed@FANTOFTMBB</SPAN></P><P><SPAN>Supported: timer, x-siemens-sipqv2</SPAN></P><P><SPAN>Organization: New Voice</SPAN></P><P><SPAN>To: &lt;sip:2574@10.100.118.40&gt;</SPAN></P><P><SPAN>P-Asserted-Identity: "Seng 2128" &lt;sip:nvm@10.100.254.103&gt;</SPAN></P><P><SPAN>Contact: &lt;sip:nvm@10.100.254.103&gt;</SPAN></P><P><SPAN>Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,SUBSCRIBE,NOTIFY,REFER,MESSAGE,INFO,PING</SPAN></P><P><SPAN>Content-Type: application/sdp</SPAN></P><P><SPAN>Content-Length: 308</SPAN></P><P><SPAN>Max-Forwards: 70</SPAN></P><P>&nbsp;</P><P><SPAN>v=0</SPAN></P><P><SPAN>o=- 1643800288 1 IN IP4 10.100.254.103</SPAN></P><P><SPAN>s=Opal SIP Session</SPAN></P><P><SPAN>c=IN IP4 10.100.254.103</SPAN></P><P><SPAN>t=0 0</SPAN></P><P><SPAN>m=audio 5144 RTP/AVP 8 0 101 100</SPAN></P><P><SPAN>a=sendrecv</SPAN></P><P><SPAN>a=rtpmap:8 PCMA/8000/1</SPAN></P><P><SPAN>a=rtpmap:0 PCMU/8000/1</SPAN></P><P><SPAN>a=rtpmap:101 telephone-event/8000</SPAN></P><P><SPAN>a=fmtp:101 0-16,32,36</SPAN></P><P><SPAN>a=rtpmap:100 NSE/8000</SPAN></P><P><SPAN>a=fmtp:100 192-193</SPAN></P><P><SPAN>a=maxptime:240</SPAN></P><P><SPAN>SIP/2.0 100 Trying</SPAN></P><P><SPAN>To: &lt;sip:2574@10.100.118.40&gt;</SPAN></P><P><SPAN>From: "Seng 2128" &lt;sip:nvm@10.100.254.103&gt;;tag=1b1aeaa5-f022-1910-8d11-00d8614b2eed</SPAN></P><P><SPAN>Call-ID: 1b1aeaa5-f022-1910-8d12-00d8614b2eed@FANTOFTMBB</SPAN></P><P><SPAN>CSeq: 1 INVITE</SPAN></P><P><SPAN>Via: SIP/2.0/UDP 10.100.254.103:5060;received=10.100.254.103;branch=z9hG4bK1b1aeaa5-f022-1910-8d14-00d8614b2eed;rport=5060</SPAN></P><P><SPAN>Content-Length: 0</SPAN></P><P>&nbsp;</P><P><SPAN>SIP/2.0 180 Ringing</SPAN></P><P><SPAN>Allow: INVITE, ACK, CANCEL, BYE, PRACK, NOTIFY, REFER, SUBSCRIBE, OPTIONS, UPDATE</SPAN></P><P><SPAN>Contact: sip:10.100.118.40</SPAN></P><P><SPAN>User-Agent: OmniPCX Enterprise R11.2.2 l2.300.31.b</SPAN></P><P><SPAN>P-Asserted-Identity: "Gruppe 7-1 Oster" &lt;sip:2574@nordhord;user=phone&gt;</SPAN></P><P><SPAN>To: &lt;sip:2574@10.100.118.40&gt;;tag=b2de9e36b543975d4ff88de7dec5e216</SPAN></P><P><SPAN>From: "Seng 2128" &lt;sip:nvm@10.100.254.103&gt;;tag=1b1aeaa5-f022-1910-8d11-00d8614b2eed</SPAN></P><P><SPAN>Call-ID: 1b1aeaa5-f022-1910-8d12-00d8614b2eed@FANTOFTMBB</SPAN></P><P><SPAN>CSeq: 1 INVITE</SPAN></P><P><SPAN>Via: SIP/2.0/UDP 10.100.254.103:5060;received=10.100.254.103;branch=z9hG4bK1b1aeaa5-f022-1910-8d14-00d8614b2eed;rport=5060</SPAN></P><P><SPAN>Content-Length: 0</SPAN></P> Wed, 02 Feb 2022 11:51:59 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-app-for-unknown-sip-traffic/m-p/462772#M422 OyvindM 2022-02-02T11:51:59Z