Brekeke Forum Index » Brekeke SIP Server Forum

A security scanner tripped on Brekeke (page 2 of 2)
ajlindy
Brekeke Talented


Joined: 12 Sep 2017
Posts: 53

Posted: Mon Oct 12, 2020 10:44 am

Hello!
Sorry to take so long to get back to this.
I wanted to let you know we did a Wireshark capture where our live filter was to check for ip.addr == 10.22.38.223

So the whole thing captures a lot more but we could see exactly when (or if) the scanning server hit our contact platform where Brekeke SIP Proxy is at.

It definitely hits the server and the scanner knows Brekeke is there because the vulnerability shows that is where the problem is.

We definitely have the right rule listed first and yet we have no logs anywhere from Brekeke that show the IP 10.22.38.223 hit it. Or that sip:test@10.23.38.17 hit it.

I don't know where to go from here. I know they are not on the absolute latest version of Brekeke but we're really close (3.9.4.3 vs 3.9.5.8).

I'm sorry to give a stream of thought here, but I just looked and I do see this:

^REGISTER (from scanner)
401 Unauthorized (from our server)
^OPTIONS (scanner)
404 Not Found (us)
^INVITE (scanner)
100 Trying (us)
481 Call Leg/Transaction Does Not Exist (us)


So we're still in the boat where nothing is logged (no rule trip, no error) but... this looks like it's answering the ^INVITE with something.

Thoughts?
Niloc
Brekeke Talented


Joined: 19 Sep 2017
Posts: 70
Location: NL

Posted: Mon Oct 12, 2020 4:12 pm

If you want to block REGISTER and OPTIONS too, remove "$request = ^INVITE" from the DialPlan rule for blocking the scanner.

Matching Patterns
$addr = 10.22.38.223
Deploy Patterns
$accept = false

Note the above rule should be in [Dial Plan] -> [Preliminary].
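To see why the original rule let REGISTER and OPTIONS through while rejecting only INVITE, here is an added example (not Brekeke's code and not from either poster) that replays the message sequence from the capture against two versions of the Preliminary rule. It assumes the rule semantics implied by the thread: each Matching Pattern is a regular expression tested against the named variable ($addr is the source IP, $request is the request line), every pattern must match, rules are tried in listed order and the first match wins, and $accept = false rejects the request. The server address 192.0.2.10 and the legitimate phone 192.0.2.50 are made up for the trace; the scanner address is the one from the thread. The address pattern is anchored and dot-escaped here, which the rule in the post does not do.

```python
"""Replay of the scanner's SIP requests against two Preliminary dial-plan rules.

Added example; models the rule behaviour described in the thread, not Brekeke's
own implementation.
"""
import re
from dataclasses import dataclass

# Constructed sample trace (not a real capture): one message per line, in the
# order reported in the post. 192.0.2.10 (server) and 192.0.2.50 (a legitimate
# phone) are assumptions; 10.22.38.223 is the scanner from the thread.
SAMPLE_TRACE = """\
10.22.38.223 -> 192.0.2.10 REGISTER sip:192.0.2.10 SIP/2.0
192.0.2.10 -> 10.22.38.223 SIP/2.0 401 Unauthorized
10.22.38.223 -> 192.0.2.10 OPTIONS sip:test@192.0.2.10 SIP/2.0
192.0.2.10 -> 10.22.38.223 SIP/2.0 404 Not Found
10.22.38.223 -> 192.0.2.10 INVITE sip:test@192.0.2.10 SIP/2.0
192.0.2.10 -> 10.22.38.223 SIP/2.0 100 Trying
192.0.2.10 -> 10.22.38.223 SIP/2.0 481 Call Leg/Transaction Does Not Exist
192.0.2.50 -> 192.0.2.10 REGISTER sip:192.0.2.10 SIP/2.0
192.0.2.10 -> 192.0.2.50 SIP/2.0 200 OK
"""

LINE_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) (?P<msg>.+)$")


@dataclass(frozen=True)
class SipRequest:
    src: str
    request_line: str  # e.g. "INVITE sip:test@192.0.2.10 SIP/2.0"

    @property
    def method(self) -> str:
        return self.request_line.split(" ", 1)[0]


def parse_requests(trace: str) -> list:
    """Keep only requests; responses (message starts with SIP/2.0) are skipped."""
    reqs = []
    for raw in trace.splitlines():
        m = LINE_RE.match(raw)
        if not m or m["msg"].startswith("SIP/2.0"):
            continue
        reqs.append(SipRequest(m["src"], m["msg"]))
    return reqs


@dataclass(frozen=True)
class Rule:
    name: str
    patterns: dict      # variable name -> regex; all must match (assumed semantics)
    accept: bool = True

    def matches(self, req: SipRequest) -> bool:
        values = {"$addr": req.src, "$request": req.request_line}
        return all(re.search(pat, values[var]) for var, pat in self.patterns.items())


def evaluate(trace: str, rules: list) -> list:
    """Return (src, method, decision) per request; first matching rule wins."""
    results = []
    for req in parse_requests(trace):
        hit = next((r for r in rules if r.matches(req)), None)
        decision = "rejected" if hit is not None and not hit.accept else "passed"
        results.append((req.src, req.method, decision))
    return results


# The rule as originally written in the thread (INVITE only) and the broadened one.
INVITE_ONLY_RULE = Rule("block-scanner-invite",
                        {"$addr": r"^10\.22\.38\.223$", "$request": "^INVITE"},
                        accept=False)
BLOCK_SCANNER_RULE = Rule("block-scanner",
                          {"$addr": r"^10\.22\.38\.223$"},
                          accept=False)


def scanner_decisions(rules: list, src: str = "10.22.38.223") -> list:
    """Decisions for one source address only, in request order."""
    return [d for s, _m, d in evaluate(SAMPLE_TRACE, rules) if s == src]


if __name__ == "__main__":
    for src, method, decision in evaluate(SAMPLE_TRACE, [INVITE_ONLY_RULE]):
        print(f"INVITE-only rule: {src:13} {method:8} {decision}")
    for src, method, decision in evaluate(SAMPLE_TRACE, [BLOCK_SCANNER_RULE]):
        print(f"address-only rule: {src:13} {method:8} {decision}")
```

With the INVITE-only rule the scanner's REGISTER and OPTIONS are passed on to normal processing (and answered 401 and 404, as in the capture); dropping the $request pattern rejects all three. Note that `10.22.38.223` as a bare regex also matches strings such as `10x22x38x223`; anchoring it as above keeps the rule from being looser than intended.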
ajlindy
Brekeke Talented


Joined: 12 Sep 2017
Posts: 53

Posted: Thu Oct 22, 2020 6:22 am    Subject: That worked!

Good day!
Putting that rule in the Preliminary Dial Plan rule worked like a charm!

We blocked the scanner, finally!

Now I have a different angle on this same thing.

We noticed that there is a Filtering Policy tab in the same general vicinity of "Blocked IP Address"

In the Filtering Policy is the ability to Block / Allow the IP address as an Exact Match / Regular Expression / IP Address Range.

If we were to tell Brekeke to ALLOW address from two or three specific IP addresses, would it by default BLOCK everything else?

If not, would I set Policy 1 (priority 1) to allow the first IP, Policy 2 (priority 2) to allow the second IP and then Policy 3 (priority 3) to Block some IP range that is EVERYTHING else?

Thank you!
Niloc
Brekeke Talented


Joined: 19 Sep 2017
Posts: 70
Location: NL

Posted: Thu Oct 22, 2020 8:37 am

> If we were to tell Brekeke to ALLOW address from two or three specific IP addresses, would it by default BLOCK everything else?

No. An IP address marked "Allow" should not be blocked even if the BlockList detects malicious activities from the IP address.

If an IP address is marked "Block", the BlockList always blocks packets sent from the IP address.

For other IP addresses which are not listed in Filtering Policy, the BlockList accepts their packets but blocks automatically if a malicious activity is detected.
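The three cases in the reply above (explicit Allow, explicit Block, unlisted) can be checked against a small model. This is an added example, not Brekeke's code, and it only encodes what the reply states: an allowed address is accepted even after the BlockList flags it, a blocked address is always blocked, and anything else is accepted until malicious activity is detected. Two things are assumptions of the model and not confirmed by the thread: policies are tried in priority order with the first match deciding, and the "malicious activity" trigger is represented by a plain `report_malicious()` call. The addresses 192.0.2.50 and 192.0.2.51 are made-up phones; the 10.22.38.0-10.22.38.255 range is a made-up scanner subnet.

```python
"""Model of the Filtering Policy / BlockList interaction described in the reply.

Added example; not Brekeke's implementation. Policy match types mirror the UI
names quoted in the thread: Exact Match, Regular Expression, IP Address Range.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    action: str  # "allow" or "block"
    kind: str    # "exact", "regex" or "range"
    value: str   # an IP, a regex matched against the whole address, or "start-end"

    def matches(self, ip: str) -> bool:
        if self.kind == "exact":
            return ip == self.value
        if self.kind == "regex":
            return re.fullmatch(self.value, ip) is not None
        if self.kind == "range":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.value.split("-"))
            return lo <= ipaddress.ip_address(ip) <= hi
        raise ValueError(f"unknown policy kind: {self.kind}")


class BlockList:
    def __init__(self, policies):
        self.policies = list(policies)   # assumed: priority order, first match wins
        self.auto_blocked = set()

    def report_malicious(self, ip: str) -> None:
        """Stand-in for the BlockList's own detector flagging an address (assumption)."""
        self.auto_blocked.add(ip)

    def decision(self, ip: str) -> str:
        for policy in self.policies:
            if policy.matches(ip):
                # Explicit Allow wins even if the address was auto-flagged;
                # explicit Block always blocks.
                return "accept" if policy.action == "allow" else "block"
        # Unlisted: accepted unless malicious activity has been detected.
        return "block" if ip in self.auto_blocked else "accept"


def allow_only_scenario() -> dict:
    """Two Allow entries and nothing else: does everything else get blocked? (No.)"""
    bl = BlockList([Policy("allow", "exact", "192.0.2.50"),
                    Policy("allow", "exact", "192.0.2.51")])
    before = bl.decision("10.22.38.223")          # unlisted scanner, nothing detected yet
    bl.report_malicious("10.22.38.223")
    after = bl.decision("10.22.38.223")           # now auto-blocked
    bl.report_malicious("192.0.2.50")
    allowed_phone = bl.decision("192.0.2.50")     # Allow overrides the auto-block
    return {"scanner_before": before, "scanner_after": after, "allowed_phone": allowed_phone}


def explicit_block_scenario() -> dict:
    """An Allow entry plus a Block range covering the scanner's subnet."""
    bl = BlockList([Policy("allow", "exact", "192.0.2.50"),
                    Policy("block", "range", "10.22.38.0-10.22.38.255"),
                    Policy("block", "regex", r"10\.23\.38\.\d+")])
    return {
        "scanner": bl.decision("10.22.38.223"),   # in the blocked range
        "regex_hit": bl.decision("10.23.38.17"),  # matched by the regex policy
        "neighbour": bl.decision("10.22.39.1"),   # outside both, unlisted -> accepted
        "phone": bl.decision("192.0.2.50"),
    }


if __name__ == "__main__":
    print(allow_only_scenario())
    print(explicit_block_scenario())
```

The first scenario is the direct answer to the question in the post: with only Allow entries, the scanner is still accepted until the BlockList itself flags it. The second shows the explicit Block forms; whether a catch-all "block everything else" range behind the Allow entries behaves as ajlindy proposed depends on Brekeke evaluating policies strictly by priority, which this model assumes and the thread does not confirm.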
All times are GMT - 7 Hours