The problem is that in some cases, it doesn't get to execute the config file at all. The core does some basic parsing to detect the type of message (request or reply) and looks for mandatory headers (CSeq is one of them). When there is a failure in this process, the config file is not executed, because the message is invalid and the afferent internal structure cannot be filled properly.

Cheers,
Daniel

On 8/22/13 12:18 AM, Sergey Okhapkin wrote:
Actually nothing needs to be done in kamailio core. It's a simple scripting
logic.

         if(!sanity_check("whatever_you_want_to_check")) {
                 xlog("L_INFO","Malformed message from $proto:$si:$sp\n$mb\n");
                 break;
         }

On Thursday 22 August 2013 00:07:56 Daniel-Constantin Mierla wrote:
On 8/21/13 12:53 PM, Juha Heinanen wrote:
i have noticed lots of these kind of attacks in my syslog:

/var/log/syslog.1:Aug 21 04:23:46 host /usr/sbin/sip-proxy[13490]: ERROR: <core> [parser/parse_cseq.c:95]: parse_cseq(): ERROR: CSeq EoL expected
/var/log/syslog.1:Aug 21 04:23:46 host /usr/sbin/sip-proxy[13490]: ERROR: <core> [parser/parse_cseq.c:98]: parse_cseq(): ERROR: parse_cseq: bad cseq
/var/log/syslog.1:Aug 21 04:23:46 host /usr/sbin/sip-proxy[13490]: ERROR: <core> [parser/msg_parser.c:161]: get_hdr_field(): ERROR: get_hdr_field: bad cseq

in order to be able to fail2ban the attacker, source ip address should
appear in syslog message.

is there a way to catch sip request syntax errors in config file so that
appropriate syslog message could be generated?
We can add an event_route for it as well as print the src ip in the log
message for quick fix (this one can be backported easy).

Cheers,
Daniel

--
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
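The thread's practical goal is a syslog line that fail2ban can key on. The core parser errors quoted above carry no source address, while the xlog() line Sergey suggests puts $proto:$si:$sp in the message. The following is an added example (not code from the thread or from the Kamailio project) of the consuming side: a fail2ban-style failregex for that xlog() line, applied to constructed sample syslog lines, with a per-source counter that mirrors fail2ban's maxretry threshold. The exact prefix Kamailio prints before the script message ("INFO: <script>: ") and the lowercase protocol names are assumptions; the sample log is constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape the xlog() call from the thread
# would produce. The "INFO: <script>:" prefix is an assumption about Kamailio's
# log format; the core parser ERROR line is included because it carries no
# source IP and must NOT match the filter.
SAMPLE_LOG = """\
Aug 22 00:20:01 host /usr/sbin/sip-proxy[13490]: INFO: <script>: Malformed message from udp:203.0.113.5:5060
Aug 22 00:20:02 host /usr/sbin/sip-proxy[13490]: INFO: <script>: Malformed message from udp:203.0.113.5:5060
Aug 22 00:20:03 host /usr/sbin/sip-proxy[13490]: INFO: <script>: Malformed message from udp:203.0.113.5:5061
Aug 22 00:20:04 host /usr/sbin/sip-proxy[13490]: INFO: <script>: Malformed message from tcp:198.51.100.7:40001
Aug 22 00:20:05 host /usr/sbin/sip-proxy[13490]: ERROR: <core> [parser/parse_cseq.c:95]: parse_cseq(): ERROR: CSeq EoL expected
"""

# The failregex as it would be written in a fail2ban filter.d file. <HOST> is
# fail2ban's placeholder for the address capture that the ban action uses.
FAILREGEX = r"Malformed message from (?:udp|tcp|tls|sctp|ws|wss):<HOST>:\d+\s*$"


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> into an IPv4 capture group so the fail2ban pattern can be
    exercised here. Simplified on purpose: fail2ban's real expansion also
    accepts IPv6 literals and hostnames."""
    host = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
    return re.compile(failregex.replace("<HOST>", host))


def parse_malformed(log_text: str, failregex: str = FAILREGEX):
    """Return (host, port) for every syslog line that the failregex matches.
    Lines such as the core's parse_cseq() errors yield nothing, which is
    exactly the gap the thread is about."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hits.append((m.group("host"), int(line.rsplit(":", 1)[1])))
    return hits


def offenders(log_text: str, maxretry: int = 3) -> set:
    """Count matches per source address and return those that reach the
    fail2ban-style maxretry threshold within the supplied log window."""
    counts = Counter(host for host, _ in parse_malformed(log_text))
    return {host for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    for host, port in parse_malformed(SAMPLE_LOG):
        print(f"malformed SIP from {host}:{port}")
    print("would ban:", sorted(offenders(SAMPLE_LOG)))
```

The regex anchors on the xlog() text rather than on the core's "bad cseq" errors precisely because, as Daniel notes, those errors are emitted before the config file runs and carry no $si; the script-level line is the only one with an address to capture. A lower maxretry or a dedicated jail with a short findtime is a reasonable tuning for a public SIP proxy, since a legitimate client rarely sends even one message that fails the sanity checks.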


_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
