https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24856#M18132 <HTML><HEAD></HEAD><BODY><P>Hi <A href="https://live.paloaltonetworks.com/u1/30719">martinriveran</A></P><P></P><P>Welcome to forums !</P><P></P><P>I think you are talking about threat 13272 Sipvicious.Gen User-Agent traffic, this threat detects SipVicious User-Agent traffic in SIP request headers : <A href="https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13272" title="https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13272">https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13272</A></P><P></P><P>You might have SIP packets coming in with SipVicious user-agent traffic in the headers.</P><P></P><P>Hope it helps !</P></BODY></HTML> Fri, 14 Nov 2014 01:18:29 GMT bat 2014-11-14T01:18:29Z https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24855#M18131 <HTML><HEAD></HEAD><BODY><P>Hello everyone,</P><P></P><P>This is my first post here. So i started a new job couple months ago and we have a PA 3050 . The daily reports is showing Sipvicious.Gen User-Agent Traffic coming from IP's all over the world. </P><P>Any ideas?</P><P></P><P>Thanks</P></BODY></HTML> Fri, 14 Nov 2014 01:14:04 GMT https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24855#M18131 martinriveran 2014-11-14T01:14:04Z https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24856#M18132 <HTML><HEAD></HEAD><BODY><P>Hi <A href="https://live.paloaltonetworks.com/u1/30719">martinriveran</A></P><P></P><P>Welcome to forums !</P><P></P><P>I think you are talking about threat 13272 Sipvicious.Gen User-Agent traffic, this threat detects SipVicious User-Agent traffic in SIP request headers : <A href="https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13272" title="https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13272">https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13272</A></P><P></P><P>You might have SIP packets coming in with SipVicious user-agent traffic in the headers.</P><P></P><P>Hope it helps !</P></BODY></HTML> Fri, 14 Nov 2014 01:18:29 GMT https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24856#M18132 bat 2014-11-14T01:18:29Z https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24857#M18133 <HTML><HEAD></HEAD><BODY><P>Hello <STRONG style="font-size: 11.8181819915771px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><A _jive_internal="true" class="jiveTT-hover-user jive-username-link" data-avatarid="-1" data-externalid="" data-presence="null" data-userid="30719" data-username="martinriveran" href="https://live.paloaltonetworks.com/people/martinriveran" style="padding: 0 3px 0 0; font-weight: inherit; font-style: inherit; font-size: 1.1em; font-family: inherit; color: #006595;"><SPAN class="GINGER_SOFTWARE_mark">martinriveran</SPAN></A></STRONG><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 11.8181819915771px;"><SPAN class="GINGER_SOFTWARE_mark"> ,</SPAN></SPAN></P><P></P><P>Could you please provide some more detail information regarding this threat.</P><P></P><P>You can go to Web-UI of the PAN firewall and open Monitor &gt; Logs &gt; Threat. Open the threat and take a snapshot.</P><P></P><P>Thanks</P></BODY></HTML> Fri, 14 Nov 2014 01:18:35 GMT https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24857#M18133 HULK 2014-11-14T01:18:35Z https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24858#M18134 <HTML><HEAD></HEAD><BODY><P>Hi <A href="https://live.paloaltonetworks.com/u1/30719">martinriveran</A>,</P><P></P><P>Do you trust source and destination of VOIP traffic. If yes, this might be a potential false positive and you can ingore it.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Fri, 14 Nov 2014 01:22:32 GMT https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24858#M18134 hshah 2014-11-14T01:22:32Z https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24859#M18135 <HTML><HEAD></HEAD><BODY><P>It is the 13272 indeed.<BR /><IMG alt="sip.jpg" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/16870_sip.jpg" style="height: 275px; width: 620px;" /></P></BODY></HTML> Fri, 14 Nov 2014 01:24:26 GMT https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24859#M18135 martinriveran 2014-11-14T01:24:26Z https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24860#M18136 <HTML><HEAD></HEAD><BODY><P>Is the victim and attacker address is trusted IP addresses on your network...? If so, then it might be a false positive and you can add an "exception" to your vulnerability profile to&nbsp; avoid such logs in future. But, if those addresses are unknown, then you may open a support ticket to verify the traffic/signature.</P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Fri, 14 Nov 2014 01:28:01 GMT https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24860#M18136 HULK 2014-11-14T01:28:01Z https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24861#M18137 <HTML><HEAD></HEAD><BODY><P>Since, this is SIP traffic, please check address with Call-manager and EPBX address.</P><P></P><P>Thanks</P></BODY></HTML> Fri, 14 Nov 2014 01:30:28 GMT https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24861#M18137 HULK 2014-11-14T01:30:28Z https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24862#M18138 <HTML><HEAD></HEAD><BODY><P>The attacker IP's are unknown...<BR />Also this a DC. There should be no SIP traffic at all....</P><P></P><P>Thanks for all the help!</P></BODY></HTML> Fri, 14 Nov 2014 01:34:18 GMT https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24862#M18138 martinriveran 2014-11-14T01:34:18Z https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24863#M18139 <HTML><HEAD></HEAD><BODY><P><A href="https://live.paloaltonetworks.com/u1/30719">martinriveran</A></P><P></P><P>The above threat just checks for the User-Agent "friendly-scanner" in the SIP headers. For more information about SipVicious: <A href="http://advantia.ca/weblog/less-than-friendly-scanner--sipvicious" title="http://advantia.ca/weblog/less-than-friendly-scanner--sipvicious">The Less Than Friendly-scanner, Sipvicious</A></P><P></P><P>Again if you do not trust the source of this traffic you can create an exception and change the action from alert to block:<SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px;"><SPAN>To create an exception follow this document:</SPAN><A class="jive-link-wiki-small" data-containerid="2027" data-containertype="14" data-objectid="3699" data-objecttype="102" href="https://live.paloaltonetworks.com/docs/DOC-3699">https://live.paloaltonetworks.com/docs/DOC-3699</A><SPAN> </SPAN></SPAN></P><P></P><P>Hope it helps !</P></BODY></HTML> Fri, 14 Nov 2014 01:35:23 GMT https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24863#M18139 bat 2014-11-14T01:35:23Z https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24864#M18140 <HTML><HEAD></HEAD><BODY><P>Hi Martin,</P><P></P><P>Is Victim a Domain Controller? If you dont expect a SIP traffic on Domain controller than do further investigation.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Fri, 14 Nov 2014 01:55:27 GMT https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24864#M18140 hshah 2014-11-14T01:55:27Z https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24865#M18141 <HTML><HEAD></HEAD><BODY><P>This is a DC environment where they should be no SIP traffic at all...that is the weird thing....<BR />The way our PA is setup is only a tab...so not inline.</P><P></P><P>Agan, i really appreciate everyones help</P></BODY></HTML> Fri, 14 Nov 2014 02:29:38 GMT https://live.paloaltonetworks.com/t5/general-topics/sipvicious-gen-user-agent-traffic/m-p/24865#M18141 martinriveran 2014-11-14T02:29:38Z