Custom App for SIP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Custom App for SIP

L0 Member

As a SIP provider, looking for to create a custom signature that matches a SUBSCRIBE message from the packet payload w/ 10 or 11 digits. We first tried this w/ Data Patterns under the Custom Objects but that didn't solve/address our issues.

We then created a custom app (SIP-SUBSCRIBE) to match the sip application already available in the DB, and then created a new signature called 'Subscribe' with a 'Session' Scope type. Furthermore, we selected the "Ordered Condition Match" in order to actually be able to match a regex string against the packet.

 

The regex in question was written as follows: .*(SUBSCRIBE sip:[0-9]\{10-11}@) and is to match any sip packet w/ a Subscribe message containing a string of 10 or 11 digits. (At least, that was our intention)

 

We then created a security rule where we matched the custom application called SIP_SUBSCRIBE and set it to Allow at first so we could see that it was actually matching what we were looking for but unfortunately didn't see any matches. (Even though the attack was still ongoing)

2 REPLIES 2

L5 Sessionator

Hi Markibr,

 

How was the attack logged, as which application? Do you have any pcaps from that, a session or two? Did you already open a case with support?


Best regards,
Luciano

Logged as SIP which is what is supposed to be since they are an VoIP provider. I have no pcap files currently.

  • 3036 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!