[SR-Users] bad cseq attack
Daniel-Constantin Mierla
miconda at gmail.com
Thu Aug 22 00:07:56 CEST 2013
On 8/21/13 12:53 PM, Juha Heinanen wrote:
> i have noticed lots of these kind of attacks in my syslog:
>
> /var/log/syslog.1:Aug 21 04:23:46 host /usr/sbin/sip-proxy[13490]: ERROR: <core> [parser/parse_cseq.c:95]: parse_cseq(): ERROR: CSeq EoL expected
> /var/log/syslog.1:Aug 21 04:23:46 host /usr/sbin/sip-proxy[13490]: ERROR: <core> [parser/parse_cseq.c:98]: parse_cseq(): ERROR: parse_cseq: bad cseq
> /var/log/syslog.1:Aug 21 04:23:46 host /usr/sbin/sip-proxy[13490]: ERROR: <core> [parser/msg_parser.c:161]: get_hdr_field(): ERROR: get_hdr_field: bad cseq
>
> in order to be able to fail2ban the attacker, source ip address should
> appear in syslog message.
>
> is there a way to catch sip request syntax errors in config file so that
> appropriate syslog message could be generated?
We can add an event_route for it as well as print the src ip in the log
message for quick fix (this one can be backported easy).
Cheers,
Daniel
--
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
More information about the sr-users
mailing list