[Spce-user] catch null useragent in register or invite.

Daniel Grotti dgrotti at sipwise.com
Mon Feb 15 08:15:28 EST 2016


Hi Gerry,
please try this in kamailio/proxy/kamailio.cfg; it works for me.
For the null, try to check $ua == $null:


# only initial REGISTER/INVITE requests (no To-tag) not coming from source port 5080
if( is_method("REGISTER|INVITE") && $sp != "5080" && !has_totag() )
         {
                 # known scanner User-Agents, or no User-Agent header at all
                 if($ua =~ "^friendly.+" || $ua =~ "^sipvici.+" ||
                    $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUser.+" ||
                    $ua == "MizuPhone" || $ua == "voip" || $ua == $null )
                 {
                         xlog("L_NOTICE", "UA='$ua' rejected - S=$rs SS='$rr' M=$rm R=$ru F=$fu T=$tu IP=$pr:$si:$sp UAIP=$si UA='$ua' ID=$ci \n");
                         # stop processing this request
                         exit;
                 }
         }
         ##end



I would be careful with the $null, because you may reject good messages
that are just without a User-Agent header.




*Daniel Grotti *
Head of Customer Support


On 02/15/2016 02:06 PM, gerry kernan wrote:
>
> Hi
>
> I’m using the line below in kamailio-loadbalancer to catch any 
> malicious registers or invites from known malicious UA types. I’ve 
> noticed recently that we are getting invites and registers without any 
> UA; I’m trying to catch these attempts with
>
> $ua == "<null>"  but I’m not catching them. Is the syntax correct? 
> All other regexes are catching correctly, so maybe <null> is incorrect.
>
> if(is_method("REGISTER|INVITE") && ($ua =~ "^friendly.+" || $ua =~ "^sipvici.+" || $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUser.+" || $ua == "MizuPhone" || $ua == "voip" || $ua == "<null>"))
>         {
>                 xlog("L_WARN", "Request rejected, malicious UA='$ua' IP='$si' - [% logreq_init -%]\n");
>                 exit;
>         }
>
> *Gerry Kernan*
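
An added example, not part of the original thread and not Sipwise code: a Python audit that applies the same User-Agent rule to captured SIP requests offline and counts requests with no User-Agent header separately, so the share of traffic the `$ua == $null` test would reject can be measured before it is enabled. The source-port test is left out because the port is not in the message itself; the case handling, the helper names and the sample requests are assumptions of this example.

```python
import re
from collections import Counter

# Patterns and exact names copied from the rule in the thread. Case handling
# (regex case-insensitive, exact names case-sensitive) is this example's assumption.
SCANNER_RE = re.compile(r"^(friendly|sipvici|sipcli|VaxSIPUser).+", re.IGNORECASE)
SCANNER_EXACT = {"MizuPhone", "voip"}

def parse_request(raw):
    """Return (method, headers) of one SIP request; header names lowercased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    head = re.sub(r"\n[ \t]+", " ", head)          # unfold continuation lines
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return lines[0].split(" ", 1)[0], headers

def classify(raw):
    """'skip' (rule not applicable), 'scanner', 'no-ua' or 'pass'."""
    method, headers = parse_request(raw)
    to = headers.get("to", headers.get("t", ""))   # "t" is the compact form of To
    if method not in ("REGISTER", "INVITE") or re.search(r";\s*tag=", to, re.I):
        return "skip"                               # other method, or in-dialog
    ua = headers.get("user-agent")
    if ua is None:
        return "no-ua"                              # header absent: the $null case
    if SCANNER_RE.match(ua) or ua in SCANNER_EXACT:
        return "scanner"
    return "pass"

def audit(messages):
    """Count verdicts so the 'no-ua' share is known before it is rejected."""
    return Counter(classify(m) for m in messages)

def make_req(method, to_tag="", ua=None):
    """Build a constructed sample request (hypothetical helper, not real traffic)."""
    lines = [f"{method} sip:example.invalid SIP/2.0",
             "From: <sip:a@example.invalid>;tag=1",
             f"To: <sip:b@example.invalid>{to_tag}"]
    if ua is not None:
        lines.append(f"User-Agent: {ua}")
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed samples: scanner, no UA, ordinary phone, in-dialog, OPTIONS, exact name.
SAMPLES = [make_req("REGISTER", ua="friendly-scanner"), make_req("INVITE"),
           make_req("REGISTER", ua="ExamplePhone 1.0"), make_req("INVITE", ";tag=9"),
           make_req("OPTIONS", ua="sipcli/test"), make_req("INVITE", ua="voip")]

if __name__ == "__main__":
    print(dict(audit(SAMPLES)))
```

Requests counted as `no-ua` are the ones to review by source before rejecting them outright.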
