[Spce-user] Upgrade from 5.5.5 to 6.5.3 - Block Useragent Edit

qabane me qabaneitsolutions at gmail.com
Wed Mar 20 07:19:44 EDT 2019 

Thanks Matthias,

There are a few that I did not have in my list so will add them.

Sadly I have found that more and more they use user agents that look legit.
Freepbx, cisco, etc.

On Wed, Mar 20, 2019 at 1:14 PM Hohl Matthias <matthias.hohl at telematica.at>
wrote:

> Thanks for the info:
>
>
>
> Btw, if anybody need it, here is a list of malicious UA for copy&paste:
>
>
>
>       ua_patterns: []
>
>       - friendly-scanner
>
>       - friendly-request
>
>       - sipvicious
>
>       - ^sipcli.+
>
>       - sip-scan
>
>       - sipsak
>
>       - sundayddr
>
>       - iWar
>
>       - CSipSimple
>
>       - SIVuS
>
>       - Gulp
>
>       - sipv
>
>       - smap
>
>       - VaxIPUserAgent
>
>       - VaxSIPUserAgent
>
>       - siparmyknife
>
>       - Test Agent
>
>
>
> *Von:* Spce-user <spce-user-bounces at lists.sipwise.com> *Im Auftrag von *Alex
> Lutay
> *Gesendet:* Mittwoch, 20. März 2019 11:47
> *An:* spce-user at lists.sipwise.com
> *Betreff:* Re: [Spce-user] Upgrade from 5.5.5 to 6.5.3 - Block Useragent
> Edit
>
>
>
> Hi,
> On 3/20/19 11:40 AM, Hohl Matthias wrote:
> > Oh okay thank you. In version 6.5.3 I didn’t found this information in
> > the handbook 😊
>
> Correct, it is new documentation and has been backported to mr6.5 LTS
> already. It will be the part of the next mr6.5 build: mr6.5.4
>
> > Thanks again. BTW: the xlog entry is also there then if something got
> > blocked?
>
> You can check it in kamailio tt2 config yourself ;-)
>
> > if([% IF kamailio.proxy.block_useragents.mode == "whitelist" %]![% END
> %]([% FOREACH item IN kamailio.proxy.block_useragents.ua_patterns
> -%]$x_hdr(User-Agent) =~ "[% item %]"[% IF
> kamailio.proxy.block_useragents.ua_patterns.last != item %] || [% END %][%
> END -%]))
> > {
> > xlog("L_INFO", "Request rejected, bad UA='$x_hdr(User-Agent)' - [%
> logreq_init -%]\n");
>
> --
> Alex Lutay
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> https://lists.sipwise.com/listinfo/spce-user
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> https://lists.sipwise.com/listinfo/spce-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20190320/502d6029/attachment-0001.html>

More information about the Spce-user mailing list