
SRX custom attack SIP header analysis

11-19-2018 02:05 AM

Hello community,

We are trying to implement an IDP custom configuration to check our environment.

We want to inspect SIP traffic to permit only certain phone numbers, but all the traffic is flowing regardless of our config.

This is some relevant information from config file:

set security idp idp-policy IPS_SIP rulebase-ips rule "SIP header from contains 600001" description "SIP header from contains 600001"
set security idp idp-policy IPS_SIP rulebase-ips rule "SIP header from contains 600001" match application default
set security idp idp-policy IPS_SIP rulebase-ips rule "SIP header from contains 600001" match attacks custom-attacks VOIP:SIP:AUDIT:HEADER-ATS-CODE-600001
set security idp idp-policy IPS_SIP rulebase-ips rule "SIP header from contains 600001" then action drop-connection
set security idp idp-policy IPS_SIP rulebase-ips rule "SIP header from contains 600001" then notification log-attacks
set security idp idp-policy IPS_SIP rulebase-ips rule "SIP header from contains 600001" then severity info

set security idp custom-attack VOIP:SIP:AUDIT:HEADER-DDATMCS severity info
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-DDATMCS attack-type signature context sip-header-from
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-DDATMCS attack-type signature pattern ddatmcs
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-DDATMCS attack-type signature direction client-to-server
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-100001 severity info
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-100001 attack-type signature context sip-header-from
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-100001 attack-type signature pattern 100001
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-100001 attack-type signature direction client-to-server
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-100002 severity info
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-100002 attack-type signature context sip-header-from
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-100002 attack-type signature pattern 100002
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-100002 attack-type signature direction client-to-server
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-600001 severity info
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-600001 attack-type signature context sip-header-from
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-600001 attack-type signature pattern *600001*
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-600001 attack-type signature direction client-to-server
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-600002 severity info
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-600002 attack-type signature context sip-header-from
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-600002 attack-type signature pattern 600002
set security idp custom-attack VOIP:SIP:AUDIT:HEADER-ATS-CODE-600002 attack-type signature direction client-to-server

set security policies global policy SIP_OUT description VoiP
set security policies global policy SIP_OUT match source-address VCS_Vlan21
set security policies global policy SIP_OUT match destination-address VCS_Vlan21_site1
set security policies global policy SIP_OUT match destination-address Wan_Router
set security policies global policy SIP_OUT match destination-address VCS_Vlan21_Site2
set security policies global policy SIP_OUT match application junos-sip
set security policies global policy SIP_OUT then permit application-services idp-policy IPS_SIP
set security policies global policy SIP_OUT then log session-init
set security policies global policy SIP_OUT then log session-close
set security policies global policy SIP_OUT then count


As I said, the calls are working.

I am not sure if I wrote the pattern wrong or if it's another problem.

I tried with some different patterns, like .*600001.* but the call always progresses.

Besides L4 filtering, we want to inspect the telephone number and to be able to filter by a range of numbers.


Could somebody help me?

Thanks
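As an added example (not from the original post and not Juniper's code), the following Python extracts the user part of a SIP From header from a constructed INVITE, tests a candidate pattern against it as a standard regular expression (which is how a leading `*` with nothing to repeat fails to compile), and generates an anchored regex for a numeric range such as 600001 to 600010. Whether the SRX IDP signature engine accepts a given expression is not something this thread settles, so a generated range regex is only a starting point to verify against the device's documented pattern syntax and a lab call.

```python
import re

# Constructed sample INVITE (not from the post); From user 600001 is the number the post filters on.
SAMPLE_INVITE = (
    "INVITE sip:600010@pbx.example.invalid SIP/2.0\r\n"
    "From: \"Alice\" <sip:600001@pbx.example.invalid>;tag=1928301774\r\n"
    "To: <sip:600010@pbx.example.invalid>\r\n"
    "Call-ID: a84b4c76e66710@10.0.21.5\r\n"
    "Content-Length: 0\r\n\r\n"
)

def from_user(msg):
    """User part (calling number) of the From header URI, or None."""
    hdr = re.search(r"^From:\s*(.*?)\r\n", msg, re.M | re.I)
    m = re.search(r"sip:([^@>;]+)@", hdr.group(1)) if hdr else None
    return m.group(1) if m else None

def pattern_matches(pattern, text):
    """True/False if `pattern` matches as a regex; None if it does not compile."""
    try:
        return re.search(pattern, text) is not None
    except re.error:            # e.g. a leading '*' has nothing to repeat
        return None

def range_regex(lo, hi):
    """Anchored regex matching exactly the integers lo..hi (same digit count)."""
    a, b = str(lo), str(hi)
    if len(a) != len(b) or lo > hi:
        raise ValueError("need lo <= hi with the same digit count")
    cls = lambda x, y: x if x == y else "[%s-%s]" % (x, y)
    def rec(a, b):
        if a == b:
            return [a]
        i = 0
        while a[i] == b[i]:
            i += 1
        p, ra, rb, n = a[:i], a[i:], b[i:], len(a) - i - 1
        if n == 0:
            return [p + cls(ra, rb)]
        if ra[1:] == "0" * n and rb[1:] == "9" * n:    # whole block, e.g. 1000..5999
            return [p + cls(ra[0], rb[0]) + "[0-9]{%d}" % n]
        parts = rec(a, p + ra[0] + "9" * n)             # lower piece, up to x99..9
        if int(rb[0]) - int(ra[0]) >= 2:                # full blocks in between
            parts.append(p + cls(str(int(ra[0]) + 1), str(int(rb[0]) - 1)) + "[0-9]{%d}" % n)
        return parts + rec(p + rb[0] + "0" * n, b)      # upper piece, from y00..0
    return "^(?:" + "|".join(rec(a, b)) + ")$"

def caller_in_range(msg, lo, hi):
    """True if the From user is a number inside lo..hi."""
    user = from_user(msg)
    return bool(user and re.match(range_regex(lo, hi), user))
```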
