[SR-Users] bad cseq attack

Daniel-Constantin Mierla miconda at gmail.com
Thu Aug 22 15:48:41 CEST 2013


Hope I caught it and fixed it now in master.

Regarding the verbosity, debug can be lowered, as one option that can be 
done now.

The second is to update the code so these log messages are printed to 
corelog level and change this value in config to be higher than debug:

http://www.kamailio.org/wiki/cookbooks/devel/core#corelog

Cheers,
Daniel

On 8/22/13 2:39 PM, Juha Heinanen wrote:
> Daniel-Constantin Mierla writes:
>
>> I backported the patch for the log message and now I pushed a patch that
>> executes event_route[core:receive-parse-error] in such case as well,
>> allowing for config interaction. Can you give it a test, I had no time
>> to do it so far and have to go for a while. Otherwise I will do it
>> sometime soon.
> daniel,
>
> i tried with sipp by leaving out linefeed from request line:
>
> INVITE sip:[service]@test.tutpro.com:[remote_port] SIP/2.0      Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch]
>
> and event_route:
>
> event_route[core:receive-parse-error] { # Handle message with core syntax error
>
>      xlog("L_NOTICE", "Request from <$var(src_ip)> has invalid core syntax\n");
> }
>
> was NOT executed:
>
> Aug 22 15:32:40 siika /usr/sbin/sip-proxy[3428]: INFO: <core> [parser/parse_fline.c:229]: parse_first_line(): ERROR:parse_first_line: bad request first line
> Aug 22 15:32:40 siika /usr/sbin/sip-proxy[3428]: INFO: <core> [parser/parse_fline.c:231]: parse_first_line(): ERROR: at line 0 char 42:
> Aug 22 15:32:40 siika /usr/sbin/sip-proxy[3428]: INFO: <core> [parser/parse_fline.c:237]: parse_first_line(): ERROR: parsed so far: INVITE sip:jh at test.tutpro.com:5060 SIP/2.0
> Aug 22 15:32:40 siika /usr/sbin/sip-proxy[3428]: INFO: <core> [parser/parse_fline.c:242]: parse_first_line(): ERROR:parse_first_line: bad message
> Aug 22 15:32:40 siika /usr/sbin/sip-proxy[3428]: ERROR: <core> [parser/msg_parser.c:705]: parse_msg(): ERROR: parse_msg: message=<INVITE sip:jh at test.tutpro.com:5060 SIP/2.0      Via: SIP/2.0/UDP 192.98.102.10:5062;branch=z9hG4bK-3799-1-0#015#012From: sipp <sip:sipp at 192.98.102.10:5062>;tag=3799SIPpTag001#015#012To: sut <sip:jh at test.tutpro.com>#015#012Call-ID: 1-3799 at 192.98.102.10#015#012CSeq: 1 INVITE#015#012Contact: sip:sipp at 192.98.102.10:5062#015#012Max-Forwards: 70#015#012Subject: Performance Test#015#012Content-Type: application/sdp#015#012Content-Length:   137#015#012#015#012v=0#015#012o=user1 53655765 2353687637 IN IP4 192.98.102.10#015#012s=-#015#012c=IN IP4 192.98.102.10#015#012t=0 0#015#012m=audio 6000 RTP/AVP 0#015#012a=rtpmap:0 PCMU/8000#015#012>
> Aug 22 15:32:40 siika /usr/sbin/sip-proxy[3428]: ERROR: <core> [receive.c:148]: receive_msg(): core parsing of SIP message failed (192.98.102.10:5062/1)
>
> after the last line, i would expect that event route is executed:
>
> 	if (parse_msg(buf,len, msg)!=0){
> 		LOG(cfg_get(core, core_cfg, corelog),
> 				"core parsing of SIP message failed (%s:%d/%d)\n",
> 				ip_addr2a(&msg->rcv.src_ip), (int)msg->rcv.src_port,
> 				(int)msg->rcv.proto);
> 		sr_core_ert_run(msg, SR_CORE_ERT_RECEIVE_PARSE_ERROR);
> 		goto error02;
> 	}
>
> but it is not.
>
> also, as you see above, a syntax error produced an awful lot of
> messages to syslog, which is good for an attacker.  is it possible to turn
> some of them to debugs (e.g. the one that prints the whole message)?
>
> -- juha

-- 
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
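
Added example, not part of the original thread and not Kamailio code: a small detector that tallies, per source address, the `receive_msg()` parse-failure lines shown in the log excerpt above, so a flood of malformed requests stands out. The sample lines, the threshold and the unbracketed IPv6 form are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches the receive_msg() line logged when core parsing fails:
#   core parsing of SIP message failed (<src_ip>:<src_port>/<proto>)
# The greedy (.+) takes everything up to the last colon as the address, so an
# IPv6 source printed without brackets still parses (assumed format).
# The end anchor matters: the parse_msg() dump line ends in ">", so the same
# text embedded by a sender inside message=<...> is not counted.
FAILED_RE = re.compile(
    r"receive_msg\(\): core parsing of SIP message failed "
    r"\((?P<ip>.+):(?P<port>\d+)/(?P<proto>\d+)\)\s*$"
)

def parse_failures(lines):
    """Yield (src_ip, src_port, proto) for each parse-failure log line."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m["ip"].strip("[]"), int(m["port"]), int(m["proto"])

def noisy_sources(lines, threshold=3):
    """Return {src_ip: count} for sources with at least `threshold` failures."""
    counts = Counter(ip for ip, _port, _proto in parse_failures(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample input in the format of the log excerpt in this thread.
PREFIX = "Aug 22 15:32:40 siika /usr/sbin/sip-proxy[3428]: ERROR: <core> "
FAIL = PREFIX + "[receive.c:148]: receive_msg(): core parsing of SIP message failed "
SAMPLE_LOG = [
    FAIL + "(192.0.2.10:5062/1)",
    FAIL + "(192.0.2.10:5063/1)",
    PREFIX + "[parser/msg_parser.c:705]: parse_msg(): ERROR: parse_msg: message=<...>",
    FAIL + "(192.0.2.10:5062/1)",
    FAIL + "(198.51.100.7:5060/2)",
    FAIL + "(2001:db8::1:5060/1)",
]

if __name__ == "__main__":
    for ip, count in noisy_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} unparseable SIP messages")
```

The pattern does not depend on the log level prefix or the source line number, so it keeps matching if the message is moved to a different `corelog` level.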



