Configuring Malicious Signatures - AudioCodes Mediant 4000 SBC User Manual

User's Manual
28

Configuring Malicious Signatures

The Malicious Signature table lets you configure up to 30 Malicious Signature patterns.
Malicious Signatures are signature patterns that identify SIP user agents (UA) who perform
malicious attacks on SIP servers by SIP scanning. Malicious Signatures allow you to
protect SBC calls handled by the device from such malicious activities, thereby increasing
your SIP security. The Malicious Signature patterns identify specific scanning tools used by
attackers to search for SIP servers in the network. The feature identifies and protects
against SIP (Layer 5) threats by examining new inbound SIP dialog messages. Once the
device identifies an attack based on the configured malicious signature pattern, it marks
the SIP message as invalid and discards it or alternatively, rejects it with a SIP response
(by default, 400), configured in the Message Policies table. Protection applies only to new
dialogs (e.g., INVITE and REGISTER messages) and unauthenticated dialogs.
Malicious signatures can also be used with the Intrusion Detection System (IDS) feature
(see ''Configuring IDS Policies'' on page 172). You can configure an IDS Policy that is
activated if the device detects a malicious signature (when the 'Reason' parameter is
configured to Dialog establishment failure).
Malicious signature patterns are typically based on the value of SIP User-Agent headers,
which attackers use as their identification string (e.g., "User-Agent: VaxSIPUserAgent").
However, you can configure signature patterns based on any SIP header. To configure
signature patterns, use the same syntax as that used for configuring Conditions in the
Message Manipulations table (see ''Configuring SIP Message Manipulation'' on page 395).
Below are configured signature patterns based on the User-Agent header:

Malicious signature for the VaxSIPUserAgent malicious UA:
header.user-agent.content prefix 'VaxSIPUserAgent'

Malicious signature for the scanning tool "sip-scan":
Header.User-Agent.content prefix 'sip-scan'
By default, the table provides preconfigured malicious signatures of known, common
attackers.
Note:
•
Malicious Signatures do not apply to the following:
√
√
√
•
If you delete all the entries in the table, when you next reset the device, the table
is populated again with all the default signatures.
You can export / import Malicious Signatures in CSV file format to / from a remote server
through HTTP, HTTPS, or TFTP. To do this, use the following CLI commands:
(config-voip)# sbc malicious-signature-database <export-csv-to |
import-csv-from> <URL>
To apply malicious signatures to calls, you need to enable the use of malicious signatures
for a Message Policy and then assign the Message Policy to the SIP Interface associated
with the calls (i.e., IP Group). To configure Message Policies, see ''Configuring SIP
Message Policy Rules''.
The following procedure describes how to configure Malicious Signatures through the Web
interface. You can also configure it through ini file (MaliciousSignatureDB) or CLI (configure
voip > sbc malicious-signature-database).
Version 7.2
Calls from IP Groups where Classification is by Proxy Set.
In-dialog SIP sessions (e.g., refresh REGISTER requests and re-INVITEs).
Calls from users that are registered with the device.
28. Configuring Malicious Signatures
559 Mediant 4000 SBC