[SR-Users] bad cseq attack

Juha Heinanen jh at tutpro.com
Thu Aug 22 14:39:38 CEST 2013


Daniel-Constantin Mierla writes:

> I backported the patch for the log message and now I pushed a patch that 
> executes event_route[core:receive-parse-error] in such case as well, 
> allowing for config interaction. Can you give it a test, I had no time 
> to do it so far and have to go for a while. Otherwise I will do it 
> sometime soon.

daniel,

i tried with sipp by leaving out the linefeed from the request line:

INVITE sip:[service]@test.tutpro.com:[remote_port] SIP/2.0      Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch]

and event_route:

event_route[core:receive-parse-error] { # Handle message with core syntax error

    xlog("L_NOTICE", "Request from <$var(src_ip)> has invalid core syntax\n");
}

was NOT executed:

Aug 22 15:32:40 siika /usr/sbin/sip-proxy[3428]: INFO: <core> [parser/parse_fline.c:229]: parse_first_line(): ERROR:parse_first_line: bad request first line
Aug 22 15:32:40 siika /usr/sbin/sip-proxy[3428]: INFO: <core> [parser/parse_fline.c:231]: parse_first_line(): ERROR: at line 0 char 42: 
Aug 22 15:32:40 siika /usr/sbin/sip-proxy[3428]: INFO: <core> [parser/parse_fline.c:237]: parse_first_line(): ERROR: parsed so far: INVITE sip:jh at test.tutpro.com:5060 SIP/2.0
Aug 22 15:32:40 siika /usr/sbin/sip-proxy[3428]: INFO: <core> [parser/parse_fline.c:242]: parse_first_line(): ERROR:parse_first_line: bad message
Aug 22 15:32:40 siika /usr/sbin/sip-proxy[3428]: ERROR: <core> [parser/msg_parser.c:705]: parse_msg(): ERROR: parse_msg: message=<INVITE sip:jh at test.tutpro.com:5060 SIP/2.0      Via: SIP/2.0/UDP 192.98.102.10:5062;branch=z9hG4bK-3799-1-0#015#012From: sipp <sip:sipp at 192.98.102.10:5062>;tag=3799SIPpTag001#015#012To: sut <sip:jh at test.tutpro.com>#015#012Call-ID: 1-3799 at 192.98.102.10#015#012CSeq: 1 INVITE#015#012Contact: sip:sipp at 192.98.102.10:5062#015#012Max-Forwards: 70#015#012Subject: Performance Test#015#012Content-Type: application/sdp#015#012Content-Length:   137#015#012#015#012v=0#015#012o=user1 53655765 2353687637 IN IP4 192.98.102.10#015#012s=-#015#012c=IN IP4 192.98.102.10#015#012t=0 0#015#012m=audio 6000 RTP/AVP 0#015#012a=rtpmap:0 PCMU/8000#015#012>
Aug 22 15:32:40 siika /usr/sbin/sip-proxy[3428]: ERROR: <core> [receive.c:148]: receive_msg(): core parsing of SIP message failed (192.98.102.10:5062/1)

after the last line, i would expect that the event route is executed:

	if (parse_msg(buf,len, msg)!=0){
		LOG(cfg_get(core, core_cfg, corelog),
				"core parsing of SIP message failed (%s:%d/%d)\n",
				ip_addr2a(&msg->rcv.src_ip), (int)msg->rcv.src_port,
				(int)msg->rcv.proto);
		sr_core_ert_run(msg, SR_CORE_ERT_RECEIVE_PARSE_ERROR);
		goto error02;
	}

but it is not.

also, as you see above, a syntax error produced an awful lot of
messages to syslog, which is good for an attacker.  is it possible to turn
some of them into debugs (e.g. the one that prints the whole message)?

-- juha
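
Added example, not part of the original post and not Kamailio code: a log summarizer that measures, per source address, how many rejected messages arrived and how many syslog lines and bytes each one cost, using the line format shown above. The sample lines are constructed, and the grouping assumes each worker process (pid) logs a message's parser lines contiguously, ending with the receive_msg() line.

```python
import re
from collections import defaultdict

# Syslog header + Kamailio core prefix, anchored at line start so that text
# echoed from the network (the message=<...> dump) is never parsed as a prefix.
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ \S+\[(?P<pid>\d+)\]: \w+: <core> "
    r"\[(?P<file>[^\]:]+):\d+\]: (?P<func>\w+)\(\): (?P<text>.*)$")
# Closing line written by receive_msg(); the source may be IPv4 or IPv6.
SRC_RE = re.compile(
    r"core parsing of SIP message failed \((?P<ip>.+):\d+/\d+\)$")

def summarize(lines):
    """Map source IP -> rejected messages and the syslog volume they caused."""
    pending = defaultdict(lambda: [0, 0])   # pid -> [lines, bytes] so far
    stats = defaultdict(lambda: {"messages": 0, "log_lines": 0, "log_bytes": 0})
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m or not m["file"].startswith(("parser/", "receive.c")):
            continue
        acc = pending[m["pid"]]
        acc[0] += 1
        acc[1] += len(line)
        if m["func"] != "receive_msg":
            continue
        src = SRC_RE.match(m["text"])
        if src:   # attribute everything this worker logged for the message
            s = stats[src["ip"]]
            s["messages"] += 1
            s["log_lines"] += acc[0]
            s["log_bytes"] += acc[1]
        del pending[m["pid"]]
    return dict(stats)

def offenders(stats, max_messages):
    """Sources with more rejected messages than max_messages (assumed policy)."""
    return sorted(ip for ip, s in stats.items() if s["messages"] > max_messages)

def sample_event(pid, ip, payload):
    """Constructed log lines in the format shown in the post."""
    hdr = f"Aug 22 15:32:40 host /usr/sbin/sip-proxy[{pid}]: "
    return [
        hdr + "INFO: <core> [parser/parse_fline.c:242]: parse_first_line(): ERROR:parse_first_line: bad message",
        hdr + f"ERROR: <core> [parser/msg_parser.c:705]: parse_msg(): ERROR: parse_msg: message=<{payload}>",
        hdr + f"ERROR: <core> [receive.c:148]: receive_msg(): core parsing of SIP message failed ({ip}:5062/1)",
    ]

# Constructed payload that imitates a receive_msg() line inside the dumped message.
FORGED = "x [receive.c:148]: receive_msg(): core parsing of SIP message failed (203.0.113.5:5060/1)"
SAMPLE = (sample_event(3428, "192.0.2.10", "INVITE sip:a@example.test SIP/2.0      Via: SIP/2.0/UDP 192.0.2.10:5062") * 2
          + sample_event(3429, "192.0.2.77", FORGED))
```

The source address is taken only from the prefix the logger itself wrote, so text copied into the message= dump cannot shift the count onto another address.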


