A security scanner tripped on Brekeke

Discuss any topic about Brekeke SIP Server.

Moderator: Brekeke Support Team

ajlindy
Posts: 53
Joined: Tue Sep 12, 2017 1:47 pm

Post by ajlindy »

Hello!
Sorry to take so long to get back to this.
I wanted to let you know we did a Wireshark capture where our live filter was to check for ip.addr == 10.22.38.223

So the whole thing captures a lot more but we could see exactly when (or if) the scanning server hit our contact platform where Brekeke SIP Proxy is at.

It definitely hits the server and the scanner knows Brekeke is there because the vulnerability shows that is where the problem is.

We definitely have the right rule listed first and yet we have no logs anywhere from Brekeke that show the IP 10.22.38.223 hit it. Or that sip:test@10.23.38.17 hit it.

I don't know where to go from here. I know they are not on the absolute latest version of Brekeke but we're really close (3.9.4.3 vs 3.9.5.8).

I'm sorry to give a stream of thought here, but I just looked and I do see this:

^REGISTER (from scanner)
401 Unauthorized (from our server)
^OPTIONS (scanner)
404 Not Found (us)
^INVITE (scanner)
100 Trying (us)
481 Call Leg/Transaction Does Not Exist (us)

So we're still in the boat where nothing is logged (no rule trip, no error) but... this looks like it's answering the ^INVITE with something.

Thoughts?
Niloc
Posts: 70
Joined: Tue Sep 19, 2017 9:49 pm
Location: NL

Post by Niloc »

If you want to block REGISTER and OPTIONS too, remove "$request = ^INVITE" from the DialPlan rule for blocking the scanner.

Matching Patterns
$addr = 10.22.38.223

Deploy Patterns
$accept = false

Note the above rule should be in [Dial Plan] -> [Preliminary].
ajlindy
Posts: 53
Joined: Tue Sep 12, 2017 1:47 pm

That worked!

Post by ajlindy »

Good day!
Putting that rule in the Preliminary Dial Plan rule worked like a charm!

We blocked the scanner, finally!

Now I have a different angle on this same thing.

We noticed that there is a Filtering Policy tab in the same general vicinity of "Blocked IP Address".

In the Filtering Policy is the ability to Block / Allow the IP address as an Exact Match / Regular Expression / IP Address Range.

If we were to tell Brekeke to ALLOW addresses from two or three specific IP addresses, would it by default BLOCK everything else?

If not, would I set Policy 1 (priority 1) to allow the first IP, Policy 2 (priority 2) to allow the second IP and then Policy 3 (priority 3) to Block some IP range that is EVERYTHING else?

Thank you!
Niloc
Posts: 70
Joined: Tue Sep 19, 2017 9:49 pm
Location: NL

Post by Niloc »

> If we were to tell Brekeke to ALLOW addresses from two or three specific IP addresses, would it by default BLOCK everything else?

No. An IP address marked "Allow" should not be blocked even if the BlockList detects malicious activities from the IP address.

If an IP address is marked "Block", the BlockList always blocks packets sent from the IP address.

For other IP addresses which are not listed in Filtering Policy, the BlockList accepts their packets but blocks automatically if a malicious activity is detected.
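The three rules in this answer, modelled as an added example (my code, not Brekeke's; that lower numbers mean higher priority, and the CIDR form of a range, are my assumptions), including what ajlindy's proposed lowest-priority catch-all Block range would do under those rules:

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Policy:
    """One Filtering Policy entry: priority, Allow/Block, and one of the three match types."""
    priority: int
    action: str   # "allow" or "block"
    kind: str     # "exact", "regex" or "range" (the three match types named in the thread)
    pattern: str

    def matches(self, ip: str) -> bool:
        if self.kind == "exact":
            return ip == self.pattern
        if self.kind == "regex":
            return re.fullmatch(self.pattern, ip) is not None
        # "range": either "low-high" or CIDR notation (the CIDR form is my assumption)
        addr = ipaddress.ip_address(ip)
        if "-" in self.pattern:
            low, high = (ipaddress.ip_address(p.strip()) for p in self.pattern.split("-", 1))
            return low <= addr <= high
        return addr in ipaddress.ip_network(self.pattern, strict=False)


def decide(ip: str, policies: list, flagged_by_blocklist: set) -> str:
    """Return 'accept' or 'block' for a source IP under the semantics Niloc describes."""
    for policy in sorted(policies, key=lambda p: p.priority):  # assumption: 1 = highest priority
        if policy.matches(ip):
            # Allow wins even if the BlockList flagged the IP; Block always blocks.
            return "accept" if policy.action == "allow" else "block"
    # Unlisted IPs are accepted unless the BlockList has detected malicious activity.
    return "block" if ip in flagged_by_blocklist else "accept"


def with_catch_all_block(policies: list) -> list:
    """ajlindy's 'Policy 3' idea: a lowest-priority Block range covering everything else."""
    return policies + [Policy(99, "block", "range", "0.0.0.0-255.255.255.255")]


# Constructed sample: two allowed addresses (RFC 5737 test space) and the scanner IP from the thread.
ALLOWED = [Policy(1, "allow", "exact", "192.0.2.10"), Policy(2, "allow", "exact", "192.0.2.11")]
SCANNER = "10.22.38.223"

if __name__ == "__main__":
    print(decide("198.51.100.5", ALLOWED, set()))        # allow-list alone blocks nothing else
    print(decide(SCANNER, ALLOWED, {SCANNER}))           # blocked once the BlockList flags it
    print(decide("198.51.100.5", with_catch_all_block(ALLOWED), set()))  # catch-all range blocks
```

Whether Brekeke actually accepts a catch-all range entry as the last policy is not confirmed in this thread; the model only shows how the stated Allow/Block/unlisted rules would treat it.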