[ 
https://bro-tracker.atlassian.net/browse/BIT-1458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21700#comment-21700
 ] 

Michal Purzynski commented on BIT-1458:
---------------------------------------

1439957552.911479       ChGboH2ZriUae63ufg      23.92.80.45     5089    
10.252.40.4     5060    0       INVITE  sip:[email protected]  -       
1999<sip:[email protected]>    972597843739<sip:[email protected]>    
1999<sip:[email protected]>    
972597843739<sip:[email protected]>;tag=as48ce1fbf     -       
cf292d314f99f06d120345b1305ed920        1 INVITE        -       SIP/2.0/UDP 
23.92.80.45:5089,SIP/2.0/UDP 23.92.80.45:5089       SIP/2.0/UDP 
23.92.80.45:5089    sipcli/v1.8     401     Unauthorized    -278    0       -

Looks like a scan

> Lots of binpac exceptions in SIP
> --------------------------------
>
>                 Key: BIT-1458
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1458
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BinPAC
>    Affects Versions: 2.4
>         Environment: Linux 3.19, Ubuntu 14.04 LTS, Asterisk for VOIP, plain 
> SIP plus RDP no encryption
>            Reporter: Michal Purzynski
>
> There are quite a few binpac exceptions in dpd.log on office sensors that 
> can see SIP traffic. The log message is always the same (I think).
> 1439957552.911869     ChGboH2ZriUae63ufg      23.92.80.45     5089    
> 10.252.40.4     5060    udp     SIP     Binpac exception: binpac exception: 
> string mismatch at 
> /home/mpurzynski/src/bro/bro-2.4-pfring/src/analyzer/protocol/sip/sip-protocol.pac:70:
>  \x0aexpected pattern: ":"\x0aactual data: " 496704993 2096249773 IN IP4 
> 23.92.80.45\x0d\x0as=sipcli\x0d\x0ac=IN IP4 23.92.80.45\x0d\x0at=0 
> 0\x0d\x0am=audio 5097 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101 
> 0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0 
> PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101 
> telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"
> What kind of data do you want me to attach, to help debugging the issue?



--
This message was sent by Atlassian JIRA
(v7.0.0-OD-01-193#70101)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
