topic Re: SIPVicious Scanner Detection in General Topics

SIPVicious Scanner Detection

SThatipelly — Fri, 09 Aug 2019 00:32:10 GMT

is it just me or anyone seeing SIPVicious Scanner Detection alerts a lot recently?

Re: SIPVicious Scanner Detection

OtakarKlier — Fri, 09 Aug 2019 19:52:01 GMT

Hello,

Join the club. I have seen them for over 7 years now. I created a special modified policy to drop the traffic. Yes it common and so are a bunch of others such as shodan, etc.

Regards,

Re: SIPVicious Scanner Detection

SThatipelly — Mon, 14 Oct 2019 13:37:40 GMT

@OtakarKlier can you please let me know the policy details. I'll try to create it on my end. these are creating a lot of noise on my firewalls.

Re: SIPVicious Scanner Detection

Cliff_Lai — Wed, 30 Oct 2019 02:03:35 GMT

Same problem! Could you please share with me the policy details?

Re: SIPVicious Scanner Detection

Cliff_Lai — Thu, 31 Oct 2019 00:26:39 GMT

@OtakarKlier Same problem! Could you please share with me the policy details?

Re: SIPVicious Scanner Detection

Craig_Nackerud — Wed, 04 Nov 2020 14:17:19 GMT

Any chance I could get the details on the rule you created or is it posted somewhere?

Re: SIPVicious Scanner Detection

OtakarKlier — Wed, 04 Nov 2020 22:40:35 GMT

Hello,

In your Vulnerability profile, set it to block anything medium and higher. SipVicious used to be low but since I block anything medium and higher, a custom policy is not longer required for me. But you can still block/unblock is with an exception.

Just change the action to like drop.

Regards,

Re: SIPVicious Scanner Detection

Bridget_Nee — Tue, 22 Nov 2022 18:40:09 GMT

I am a new user of a Palo Alto firewall. Where would I set up this policy? we are running version 9.1.12. Sorry, just a newbie here. I have tried finding it and am having problems.

Thank you,

Bridget

Re: SIPVicious Scanner Detection

OtakarKlier — Tue, 22 Nov 2022 20:40:14 GMT

Hello,

Welcome. Here is how you would perform this.

Click on 'Objects' at the top

Then 'Vulnerability Protection' on the left.

Click on the name of the policy you wish to add the exclusion to (you cannot change the strict or default policies that are there by default, you will need to 'Clone' (at the bottom) one and edit that.

Once the profile is opened, click 'Exceptions tab.

At the bottom click 'Show All Signatures', in the search/filter bar type SIPVicious

This will display the policy that is alerting.

Click the 'Enable' checkbox on the left.

Click OK

Click 'Commit' in the upper right to send the changes to the configuration (running and start)

Hope this helps.

Re: SIPVicious Scanner Detection

Bridget_Nee — Tue, 22 Nov 2022 21:02:13 GMT

So first I have to set up a policy to check for these alerts?

Re: SIPVicious Scanner Detection

OtakarKlier — Tue, 22 Nov 2022 21:16:16 GMT

Hello,

That is correct. The Security Policy is the one that actually does the enforcement on the configuration set on it. Say you have a security policy and no profiles set, then this policy will not be looking for such things as the SIPVicious scanner, etc. I would recommend setting up your Security Profiles first then add those to the Security Policies.

Hope that makes sense.