11-26-2015 05:25 AM
We seem to have a new h.225/h.323 scanning campaign going on that disturbs meetings. The strings that seem to be the same throughout are "productId: MERA RTU" and "versionId: 4.4.0-06a".
So I've tried two different methods of catching this traffic. Custom threat signatures and custom apps with the same pattern matched, but neither works. Here's a sample custom threat signature:
<vulnerability-threat version="6.1.0">
  <entry name="42006">
    <signature>
      <standard>
        <entry name="H323 productId MERA RTU">
          <and-condition>
            <entry name="And Condition 1">
              <or-condition>
                <entry name="Or Condition 1">
                  <operator>
                    <pattern-match>
                      <pattern>\x4d45524120525455\x</pattern>
                      <context>unknown-req-tcp-payload</context>
                    </pattern-match>
                  </operator>
                </entry>
              </or-condition>
            </entry>
          </and-condition>
          <order-free>yes</order-free>
          <scope>protocol-data-unit</scope>
        </entry>
      </standard>
    </signature>
    <default-action>
      <alert/>
    </default-action>
    <threatname>H323 MERA Test 4</threatname>
    <severity>high</severity>
    <direction>client2server</direction>
    <affected-host>
      <server>yes</server>
    </affected-host>
  </entry>
</vulnerability-threat>
I've also tried matching with the versionId pattern (\x342e342e302d303661\x) or the word "MERA", both fail. Any idea how to catch this with a signature?
Here are the relevant parts of the pcap:
I've a case open with support, but our partner support can be slow...
11-26-2015 06:27 AM
The initial session setup is an h.225 connection on tcp/1720, which is where this value is found.
11-26-2015 08:25 AM
I've reviewed some of the documentation available, and I don't believe we have any exposed contexts to make signatures for h225/h323 traffic.
I don't believe attempting to match this as unknown-req-tcp-payload will work given that the traffic is likely being interpreted by the correct decoder and isn't technically "unknown."
A custom application may be possible; I have less experience here, but am willing to investigate when I return to the office on Monday. If you attach a full packet capture, I can toy around with it in my lab to see what is possible.
11-26-2015 09:54 AM
Thanks for the reply.
This sounds about right. The PAN totally sees it as an h.225 app, and so it makes sense that it's not "unknown".
I didn't see a place to attach a file, so here's a link to dropbox: h225-fw.pcap It's not sanitized, but there's nothing you can't find out from a scan...
I tried setting up a custom app, but the signature options I saw were the same. Hopefully, you'll have more success.
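As an added example (not code from any poster in this thread and not a PAN-OS tool), the following Python script does offline what the signature above is meant to do on the firewall: it checks that the two `\x..\x` hex patterns really encode "MERA RTU" and "4.4.0-06a", then walks a classic pcap and reports every client-to-server tcp/1720 payload that carries either string. It is useful for confirming that the strings are in the H.225 Setup payload (and in which direction) before blaming the pattern encoding. The pcap it scans is constructed inline: only the TPKT framing is real, the Q.931 bytes around the two strings are filler, and the hosts, ports and `PATTERNS` names are assumptions.

```python
"""Offline check for the H.225 (tcp/1720) productId/versionId strings from the thread."""
import struct

# Patterns from the thread, keyed by a descriptive name (names are my own).
PATTERNS = {
    "productId MERA RTU": b"MERA RTU",
    "versionId 4.4.0-06a": b"4.4.0-06a",
}
H225_PORT = 1720  # H.225 call signalling, where the poster saw the strings


def to_pan_hex(raw: bytes) -> str:
    """Render bytes the way a PAN-OS custom-signature <pattern> writes hex: \\x...\\x."""
    return "\\x" + raw.hex() + "\\x"


def from_pan_hex(pattern: str) -> bytes:
    """Inverse of to_pan_hex; raises on anything that is not a \\x...\\x hex pattern."""
    if not (pattern.startswith("\\x") and pattern.endswith("\\x")):
        raise ValueError("not a \\x..\\x hex pattern")
    return bytes.fromhex(pattern[2:-2])


def iter_tcp_payloads(pcap: bytes):
    """Yield (src_port, dst_port, payload) for each Ethernet/IPv4/TCP frame in a classic pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("expected Ethernet (LINKTYPE_ETHERNET)")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:  # not TCP
            continue
        total_len, = struct.unpack_from("!H", ip, 2)
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        yield sport, dport, tcp[doff:]


def scan_pcap(pcap: bytes):
    """Return (packet_index, pattern_name, offset) for client-to-server tcp/1720 hits."""
    hits = []
    for idx, (_sport, dport, payload) in enumerate(iter_tcp_payloads(pcap)):
        if dport != H225_PORT:  # mirrors the signature's client2server direction
            continue
        for name, needle in PATTERNS.items():
            pos = payload.find(needle)
            if pos >= 0:
                hits.append((idx, name, pos))
    return hits


def build_frame(sport: int, dport: int, payload: bytes) -> bytes:
    """One pcap record: Ethernet/IPv4/TCP with zeroed checksums (constructed test data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


def build_sample_pcap() -> bytes:
    """Constructed capture: an HTTP request, a client->1720 Setup, and the server's echo."""
    q931 = b"\x08\x02\x00\x01\x05"            # Q.931 discriminator + a SETUP-like header (filler)
    uui = b"\x7e\x00\x20" + b"\x00" * 4 + b"MERA RTU" + b"\x00" + b"4.4.0-06a"
    tpkt = b"\x03\x00" + struct.pack("!H", 4 + len(q931) + len(uui))  # real TPKT framing
    setup = tpkt + q931 + uui
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return (header
            + build_frame(40000, 80, b"GET / HTTP/1.1\r\n\r\n")   # unrelated, must not hit
            + build_frame(40001, H225_PORT, setup)                # client2server, must hit
            + build_frame(H225_PORT, 40001, setup))               # server2client, skipped


if __name__ == "__main__":
    for name, raw in PATTERNS.items():
        print(f"{name}: {to_pan_hex(raw)}")
    for hit in scan_pcap(build_sample_pcap()):
        print("hit:", hit)
```

Running it prints the two PAN-OS hex patterns (they match the ones quoted in the thread byte for byte) and two hits, both in the client-to-server Setup packet; the server-to-client copy is deliberately ignored, the same way the signature's `client2server` direction would ignore it. Point `scan_pcap` at the bytes of a real capture to see whether the strings sit in the tcp/1720 payload of the first packet or later in the session.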