CHAPTER 14 Security
Mediant 4000 SBC | User's Manual

Parameter | Description

[IDSRule_RuleID]

'Reason'
reason
[IDSRule_Reason]

Defines the type of intrusion attack (malicious event).
■ [0] Any = All events listed below are considered as attacks and are counted together.
■ [1] Connection abuse = (Default) Connection failures, which includes the following:
  ✔ Incoming TLS authentication (handshake) failure
  ✔ Incoming WebSocket connection establishment failure
■ [2] Malformed message = Malformed SIP messages, which includes the following:
  ✔ Message exceeds a user-defined maximum message length (50K)
  ✔ Any SIP parser error
  ✔ Message Policy match (see Configuring SIP Message Policy Rules)
  ✔ Basic headers not present
  ✔ Content length header not present (for TCP)
  ✔ Header overflow
■ [3] Authentication failure = SIP authentication failure, which includes the following:
  ✔ Local authentication ("Bad digest" errors)
  ✔ Remote authentication (SIP 401/407 is sent if original message includes authentication)
■ [4] Dialog establish failure = SIP dialog establishment (e.g., INVITE) failure, which includes the following:
  ✔ Classification failure (see Configuring Classification Rules).
  ✔ Call Admission Control (CAC) threshold exceeded (see Configuring Call Admission Control on page 530)
  ✔ Routing failure (i.e., no routing rule was matched)
  ✔ Local reject by device (prior to SIP 180 response): REGISTER not allowed due to IP Group's 'RegistrationMode' parameter, or SIP requests rejected based on a registered users policy (configured by the SRD_BlockUnRegUsers or SIPInterface_BlockUnRegUsers parameters).
  ✔ No user found when routing to a User-type IP Group (similar to a SIP 404)
  ✔ Remote rejects (prior to SIP 18x response). To specify SIP response codes to exclude from the IDS count, see Configuring SIP Response Codes to Exclude from IDS on page 154.
  ✔ Malicious signature pattern detected (see Configuring Malicious Signatures)
■ [5] Abnormal flow = SIP call flow that is abnormal, which includes the following: