[SR-Users] bad cseq attack

Sergey Okhapkin sos at sokhapkin.dyndns.org
Thu Aug 22 00:18:27 CEST 2013


Actually nothing needs to be done in Kamailio core. It's a simple scripting 
logic.

        if(!sanity_check("whatever_you wan't_check")) {
                xlog("L_INFO","Malformed message from $proto:$si:$sp\n$mb\n");
                break;
        }

On Thursday 22 August 2013 00:07:56 Daniel-Constantin Mierla wrote:
> On 8/21/13 12:53 PM, Juha Heinanen wrote:
> > i have noticed lots of these kind of attacks in my syslog:
> > 
> > /var/log/syslog.1:Aug 21 04:23:46 host /usr/sbin/sip-proxy[13490]: ERROR: <core> [parser/parse_cseq.c:95]: parse_cseq(): ERROR: CSeq EoL expected
> > /var/log/syslog.1:Aug 21 04:23:46 host /usr/sbin/sip-proxy[13490]: ERROR: <core> [parser/parse_cseq.c:98]: parse_cseq(): ERROR: parse_cseq: bad cseq
> > /var/log/syslog.1:Aug 21 04:23:46 host /usr/sbin/sip-proxy[13490]: ERROR: <core> [parser/msg_parser.c:161]: get_hdr_field(): ERROR: get_hdr_field: bad cseq
> > 
> > in order to be able to fail2ban the attacker, source ip address should
> > appear in syslog message.
> > 
> > is there a way to catch sip request syntax errors in config file so that
> > appropriate syslog message could be generated?
> 
> We can add an event_route for it as well as print the src ip in the log
> message for a quick fix (this one can be backported easily).
> 
> Cheers,
> Daniel
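
For the fail2ban goal raised in the thread, the line written by the xlog() call above can be reduced to per-source counts inside a time window. This is an added Python example, not code from the thread or from the Kamailio project; the syslog prefix, the `<script>` tag, the `#012` newline escaping, the thresholds and the function name are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the "$proto:$si:$sp" text produced by the xlog() call in the message above.
# The port is taken as the digits after the LAST colon of the address run, so an
# unbracketed IPv6 source splits correctly; $mb may follow on the same line.
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) .*?"
    r"Malformed message from (?P<proto>\w+):(?P<ip>[0-9A-Fa-f:.]+):(?P<port>\d+)"
)

# Constructed sample input (documentation address ranges), not real traffic.
SAMPLE = """\
Aug 21 04:23:46 host /usr/sbin/sip-proxy[13490]: INFO: <script>: Malformed message from udp:192.0.2.10:5060
Aug 21 04:23:47 host /usr/sbin/sip-proxy[13490]: INFO: <script>: Malformed message from udp:192.0.2.10:5060
Aug 21 04:23:50 host /usr/sbin/sip-proxy[13491]: INFO: <script>: Malformed message from udp:2001:db8::7:5071
Aug 21 04:24:02 host /usr/sbin/sip-proxy[13490]: INFO: <script>: Malformed message from udp:192.0.2.10:5060#012INVITE sip:x
Aug 21 09:00:00 host /usr/sbin/sip-proxy[13490]: INFO: <script>: Malformed message from tcp:198.51.100.4:40112
""".splitlines()


def ban_candidates(lines, max_hits=3, window=timedelta(minutes=10), year=2013):
    """Return source IPs that sent at least max_hits malformed messages within window."""
    recent = defaultdict(deque)   # source IP -> timestamps still inside the window
    flagged = []                  # kept as a list to preserve first-seen order
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue              # core parser errors without a source IP land here
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:   # drop hits that aged out of the window
            hits.popleft()
        if len(hits) >= max_hits and m["ip"] not in flagged:
            flagged.append(m["ip"])
    return flagged


if __name__ == "__main__":
    print(ban_candidates(SAMPLE))
```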


