[Spce-user] catch null useragent in register or invite.

gerry kernan gerry.kernan at infinityit.ie
Mon Feb 15 08:17:50 EST 2016 

Hi Barry and Daniel
 
Thanks for your quick responses .
 
 
Gerry Kernan
 
 
Infinity IT   |   17 The Mall   |   Beacon Court   |   Sandyford   |   Dublin D18 E3C8   |   Ireland
Tel:  +353 - (0)1 - 293 0090   |   E-Mail:  gerry.kernan at infinityit.ie
 
Managed IT Services       Infinity IT - www.infinityit.ie
IP Telephony                    Asterisk Consulting - www.asteriskconsulting.com
Contact Centre                Total Interact - www.totalinteract.com
 
From: Spce-user [mailto:spce-user-bounces at lists.sipwise.com] On Behalf Of Daniel Grotti
Sent: Monday 15 February 2016 13:15
To: spce-user at lists.sipwise.com
Subject: Re: [Spce-user] catch null useragent in register or invite.
 
Hi Gerry,
please try this in kamilio/proxy/kamailio.cfg it works for me.
For the null, try to check $ua == $null:


if( is_method("REGISTER|INVITE") && $sp != "5080" && !has_totag() )
        {
                if($ua =~ "^friendly.+" || $ua =~ "^sipvici.+" || $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUser.+" || $ua == "MizuPhone" || $ua == "voip" || $ua == $null )
                {
                        xlog("L_NOTICE", "UA='$ua' rejected - S=$rs SS='$rr' M=$rm R=$ru F=$fu T=$tu IP=$pr:$si:$sp UAIP=$si UA='$ua' ID=$ci \n");
                        exit;
                }
        }
        ##end



I would be careful for the $null, cause you may reject good messages, just without User-Agent header.



Daniel Grotti 
Head of Customer Support 
Sipwise GmbH , Campus 21/Europaring F15
AT-2345 Brunn am Gebirge 
Phone:  +43(0)1 301 2032 
Email:  dgrotti at sipwise.com 
Website:  www.sipwise.com 
Particulars according Austrian Companies Code paragraph 14
"Sipwise GmbH" - Europaring F15 - 2345 Brunn am Gebirge
FN:305595f, Commercial Court Vienna, ATU64002206 
On 02/15/2016 02:06 PM, gerry kernan wrote:
Hi 
 
I'm using the line in below kamailio-loadbalancer to catch any malicious registers or invites from known malicious UA types. I've noticed recently that we are getting invites and registers without any UA, I'm trying to catch these attempts with 
 
$ua == "<null>"  but I'm not catching them, is the syntax correct ?. all other regex are catching correctly so maybe <null> is incorrect.
 
 
if(is_method("REGISTER|INVITE") && ($ua =~ "^friendly.+" || $ua =~ "^sipvici.+" || $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUser.+" || $ua == "MizuPhone" || $ua == "voip" || $ua == "<null>"))
        {
                xlog("L_WARN", "Request rejected, malicious UA='$ua' IP='$si' - [% logreq_init -%]\n");
                exit;
 
 
 
 
Gerry Kernan
 
 
Infinity IT   |   17 The Mall   |   Beacon Court   |   Sandyford   |   Dublin D18 E3C8   |   Ireland
Tel:  +353 - (0)1 - 293 0090   |   E-Mail:  gerry.kernan at infinityit.ie
 
Managed IT Services       Infinity IT - www.infinityit.ie
IP Telephony                    Asterisk Consulting - www.asteriskconsulting.com
Contact Centre                Total Interact - www.totalinteract.com
 



_______________________________________________Spce-user mailing listSpce-user at lists.sipwise.comhttps://lists.sipwise.com/listinfo/spce-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20160215/8478ea29/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 2681 bytes
Desc: not available
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20160215/8478ea29/attachment-0001.jpg>

More information about the Spce-user mailing list