11-13-2014 05:14 PM
Hello everyone,
This is my first post here. So I started a new job a couple of months ago and we have a PA 3050. The daily reports are showing Sipvicious.Gen User-Agent Traffic coming from IPs all over the world.
Any ideas?
Thanks
11-13-2014 05:18 PM
Welcome to the forums!
I think you are talking about threat 13272 Sipvicious.Gen User-Agent traffic. This threat detects SipVicious User-Agent traffic in SIP request headers: https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13272
You might have SIP packets coming in with the SipVicious user-agent in the headers.
Hope it helps!
11-13-2014 05:18 PM
Hello martinriveran,
Could you please provide some more detailed information regarding this threat?
You can go to Web-UI of the PAN firewall and open Monitor > Logs > Threat. Open the threat and take a snapshot.
Thanks
11-13-2014 05:22 PM
Hi martinriveran,
Do you trust the source and destination of the VoIP traffic? If yes, this might be a potential false positive and you can ignore it.
Regards,
Hardik Shah
11-13-2014 05:24 PM
It is the 13272 indeed.
11-13-2014 05:28 PM
Are the victim and attacker addresses trusted IP addresses on your network? If so, then it might be a false positive and you can add an "exception" to your vulnerability profile to avoid such logs in future. But if those addresses are unknown, then you may open a support ticket to verify the traffic/signature.
Hope this helps.
Thanks
11-13-2014 05:30 PM
Since this is SIP traffic, please check the addresses against your Call Manager and EPBX addresses.
Thanks
11-13-2014 05:34 PM
The attacker IPs are unknown...
Also, this is a DC. There should be no SIP traffic at all....
Thanks for all the help!
11-13-2014 05:35 PM
The above threat just checks for the User-Agent "friendly-scanner" in the SIP headers. For more information about SipVicious, see: The Less Than Friendly-scanner, Sipvicious
Again, if you do not trust the source of this traffic you can create an exception and change the action from alert to block. To create an exception, follow this document: https://live.paloaltonetworks.com/docs/DOC-3699
Hope it helps!
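The two replies above describe what signature 13272 actually matches: the string "friendly-scanner" in the User-Agent header of a SIP request. The following is an added example (not Palo Alto code and not from any poster) that performs the same check over captured SIP payloads, so an analyst can verify an alert against the raw packet text before deciding whether to add an exception or block. All sample messages, addresses and the `ExamplePhone/1.0` agent string are constructed for the example.

```python
"""Flag SIP requests whose User-Agent identifies the SipVicious 'friendly-scanner'.

Added example: reproduces the header check described in the thread so that
threat-log hits can be confirmed against the raw SIP payload.
"""
import re
from typing import Dict, List, Optional, Tuple

# Marker string the thread says the signature looks for.
SCANNER_UA = "friendly-scanner"

# RFC 3261 request line: METHOD SP Request-URI SP SIP/2.0
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ SIP/2\.0$")


def parse_sip_request(raw: str) -> Optional[Tuple[str, Dict[str, List[str]]]]:
    """Return (request_line, headers) for a SIP request, or None if it is not one.

    Header names are lower-cased; repeated headers are kept in order; folded
    continuation lines (leading SP/HTAB) are joined onto the previous header.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not REQUEST_LINE.match(lines[0]):
        return None
    headers: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and current is not None:
            headers[current][-1] = (headers[current][-1] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            return None  # header without a colon: treat payload as malformed
        current = name.strip().lower()
        headers.setdefault(current, []).append(value.strip())
    return lines[0], headers


def user_agent(raw: str) -> Optional[str]:
    """Extract the first User-Agent value from a SIP request, if present."""
    parsed = parse_sip_request(raw)
    if parsed is None:
        return None
    values = parsed[1].get("user-agent")
    return values[0] if values else None


def is_sipvicious(raw: str) -> bool:
    """True when the request's User-Agent contains the scanner marker."""
    ua = user_agent(raw)
    return ua is not None and SCANNER_UA in ua.lower()


def scan(captured: List[Tuple[str, str]]) -> List[dict]:
    """Run the check over (source_ip, payload) pairs and report matches."""
    findings = []
    for src, payload in captured:
        parsed = parse_sip_request(payload)
        if parsed is None:
            continue  # not a SIP request (e.g. HTTP or a SIP response)
        request_line, headers = parsed
        ua = (headers.get("user-agent") or [""])[0]
        if SCANNER_UA in ua.lower():
            findings.append({"src": src, "method": request_line.split()[0], "user_agent": ua})
    return findings


# Constructed sample payloads (documentation/example addresses only).
SCANNER_REQUEST = (
    "OPTIONS sip:100@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-1234;rport\r\n"
    "Content-Length: 0\r\n"
    "From: \"sipvicious\"<sip:100@1.1.1.1>;tag=abc\r\n"
    "User-Agent: friendly-scanner\r\n"
    "To: \"sipvicious\"<sip:100@1.1.1.1>\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Call-ID: 1234567890\r\n"
    "\r\n"
)
# Same scanner, but with the User-Agent value folded onto a continuation line.
FOLDED_SCANNER_REQUEST = (
    "REGISTER sip:203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.9:5060;branch=z9hG4bK-5678\r\n"
    "User-Agent:\r\n friendly-scanner\r\n"
    "CSeq: 1 REGISTER\r\n"
    "\r\n"
)
PHONE_REGISTER = (
    "REGISTER sip:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK-9\r\n"
    "User-Agent: ExamplePhone/1.0\r\n"
    "CSeq: 2 REGISTER\r\n"
    "\r\n"
)
NOT_SIP = "GET / HTTP/1.1\r\nHost: example.net\r\n\r\n"

SAMPLE_CAPTURE = [
    ("198.51.100.7", SCANNER_REQUEST),
    ("192.0.2.20", PHONE_REGISTER),
    ("198.51.100.9", FOLDED_SCANNER_REQUEST),
    ("192.0.2.30", NOT_SIP),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_CAPTURE):
        print(f"{hit['src']} sent {hit['method']} with User-Agent {hit['user_agent']!r}")
```

The source addresses used for matching come from the capture metadata, not from the Via header, because the Via value is supplied by the sender and cannot be trusted. Note also that the original poster's firewall sits on a tap rather than inline, so a matched request can only be alerted on there; any blocking has to happen at a device that is actually in the traffic path.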
11-13-2014 05:55 PM
Hi Martin,
Is the victim a Domain Controller? If you don't expect SIP traffic on a Domain Controller, then do further investigation.
Regards,
Hardik Shah
11-13-2014 06:29 PM
This is a DC environment where there should be no SIP traffic at all... that is the weird thing....
The way our PA is set up is only a tap... so not inline.
Again, I really appreciate everyone's help.