Sipvicious.Gen User-Agent Traffic

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Sipvicious.Gen User-Agent Traffic

Not applicable

Hello everyone,

This is my first post here. So i started a new job couple months ago and we have a PA 3050 . The daily reports is showing Sipvicious.Gen User-Agent Traffic coming from IP's all over the world.

Any ideas?

Thanks

10 REPLIES 10

L5 Sessionator

Hi martinriveran

Welcome to forums !

I think you are talking about threat 13272 Sipvicious.Gen User-Agent traffic, this threat detects SipVicious User-Agent traffic in SIP request headers : https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13272

You might have SIP packets coming in with SipVicious user-agent traffic in the headers.

Hope it helps !

L7 Applicator

Hello martinriveran ,

Could you please provide some more detail information regarding this threat.

You can go to Web-UI of the PAN firewall and open Monitor > Logs > Threat. Open the threat and take a snapshot.

Thanks

L6 Presenter

Hi martinriveran,

Do you trust source and destination of VOIP traffic. If yes, this might be a potential false positive and you can ingore it.

Regards,

Hardik Shah

It is the 13272 indeed.
sip.jpg

Is the victim and attacker address is trusted IP addresses on your network...? If so, then it might be a false positive and you can add an "exception" to your vulnerability profile to  avoid such logs in future. But, if those addresses are unknown, then you may open a support ticket to verify the traffic/signature.

Hope this helps.

Thanks

Since, this is SIP traffic, please check address with Call-manager and EPBX address.

Thanks

The attacker IP's are unknown...
Also this a DC. There should be no SIP traffic at all....

Thanks for all the help!

martinriveran

The above threat just checks for the User-Agent "friendly-scanner" in the SIP headers. For more information about SipVicious: The Less Than Friendly-scanner, Sipvicious

Again if you do not trust the source of this traffic you can create an exception and change the action from alert to block:To create an exception follow this document:https://live.paloaltonetworks.com/docs/DOC-3699

Hope it helps !

Hi Martin,

Is Victim a Domain Controller? If you dont expect a SIP traffic on Domain controller than do further investigation.

Regards,

Hardik Shah

Not applicable

This is a DC environment where they should be no SIP traffic at all...that is the weird thing....
The way our PA is setup is only a tab...so not inline.

Agan, i really appreciate everyones help

  • 7093 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!