Indeed, core:receive-parse-error combined with sanity_check is what I needed. Thank you.
On Sat, Oct 26, 2024 at 12:56 PM Fred Posner via sr-users <[email protected]> wrote:

> Thanks for mentioning APIBAN. You may also want to consider the core
> receive parse error route. I wrote about it here:
>
> Handling Non-SIP Attacks With Kamailio
> <https://www.fredposner.com/handling-non-sip-kamailio/>
>
> —fred
>
> Fred Posner
> Contact info via https://fredoso.com
>
> On Oct 24, 2024, at 6:21 AM, Who AmI via sr-users <[email protected]> wrote:
>
> +1 for APIBAN - it's so good for this exact use case.
>
> In the short term you can use something like pike module with some logic
> to look for any special characters and block them in a htable and just drop
> the traffic whilst you figure APIBAN out though.
>
> Thanks,
>
> John.
>
> On Thu, 24 Oct 2024 at 10:44, Sergio Charrua via sr-users <[email protected]> wrote:
>
>> Hi!
>>
>> you might want to check this APIBAN - Block Bad SIP Traffic
>> <https://apiban.org/>
>>
>> Fred Posner is the one to blame for this fantastic tool :)
>>
>> Atenciosamente / Kind Regards / Cordialement / Un saludo,
>>
>> *Sérgio Charrua*
>>
>> On Thu, Oct 24, 2024 at 3:49 AM mayamatakeshi via sr-users <[email protected]> wrote:
>>
>>> Hi,
>>> I was going through some old company tickets that I am assigned to and
>>> found a case when possibly an attacker flooded our kamailio server with
>>> invalid sip messages like this:
>>>
>>> 2019-04-27T20:14:05.533554+09:00 IPX051
>>> /usr/local/src/git/sip-router/kamailio[1732]: ERROR: <core>
>>> [parser/msg_parser.c:714]: ERROR: parse_msg:
>>> message=<[F#016sD#026Z<8D>97<F8><B5>;<A9><E7>-<D2>(<E2><F6>
>>>
>>> v;/#021k\<CC>8<B1>λ<F4>#004M<B6><BE><EC>#035#003<94><E1>=<A0><FF><E3><AF>Kwzr<8B>A#036B<D7>#027#023cu<82>Y<D4>#037<FB><AC>S_<C4>Qg<AB><DE>F<88>I#006<8C><FA><F4>~#y3G<C7>H<80>b<BC><AD>#035<89>#002<DB><C8>#001U<9E>#007<CB><F9>nT<E5><EE><8E><F1>#0144>
>>>
>>> At that time we manually banned the IP.
>>> But it would be helpful to have this done automatically by fail2ban.
>>> So I was thinking this log should include the src IP address.
>>> I looked at the latest kamailio commit and core/parser/msg_parser.c does
>>> this log the same way so I was thinking in opening an issue for this.
>>> But maybe this should be dealt with differently.
>>> Any ideas?
>>>
>>> __________________________________________________________
>>> Kamailio - Users Mailing List - Non Commercial Discussions
>>> To unsubscribe send an email to [email protected]
>>> Important: keep the mailing list in the recipients, do not reply only to
>>> the sender!
>>> Edit mailing list options or unsubscribe:
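The combination discussed in this thread (the `core:receive-parse-error` event route plus `sanity_check`), sketched as a kamailio.cfg fragment. This is an added example, not part of the original messages or of the linked article; the table name `ipban`, the 300-second expiry and the log prefixes are illustrative assumptions.

```kamailio
# Added example: fragment to merge into an existing kamailio.cfg.
# "ipban", the expiry time and the log prefixes are assumptions.
loadmodule "xlog.so"
loadmodule "htable.so"
loadmodule "sanity.so"

# Temporary ban table keyed by source IP; entries expire after 300 s.
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")

# Executed when the core parser cannot parse a received buffer at all,
# i.e. the parse_msg error case from the log in the original question.
event_route[core:receive-parse-error] {
    # Unlike the core parser error, this line carries the source address,
    # so an external tool such as fail2ban has something to match on.
    xlog("L_WARN", "parse-error src=$si:$sp\n");
    $sht(ipban=>$si) = 1;
}

request_route {
    # Drop silently while the source is still in the ban table.
    if ($sht(ipban=>$si) != $null) {
        exit;
    }

    # Messages that parse but are still malformed (bad or missing
    # mandatory headers, broken URIs, ...) are caught here instead.
    if (!sanity_check("17895", "7")) {
        xlog("L_WARN", "sanity-fail src=$si:$sp\n");
        $sht(ipban=>$si) = 1;
        exit;
    }

    # ... existing routing logic continues here
}
```

A fail2ban filter can then key on the new log line, for example with `failregex = parse-error src=<HOST>:`. Over UDP the source address can be spoofed, so a short auto-expiring ban as above is safer than a permanent one.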
