
I scan using tcpdump for user-agents that hit my phone server.

I get interesting results. I add them to a list that protects a lot of my servers out there.

This works well. The problem is I get blank or empty user-agents. How do I block those?

Here is my tcpdump scan and the results with blank user-agents:

tcpdump -i eth0 port sip -l -A | egrep -i 'User-Agent'
Fri May 18 09:37:50 EDT 2018
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
User-Agent: friendly-scanner
User-Agent: UK Dialer
User-Agent: UK Dialer
User-Agent: friendly-scanner
User-Agent: friendly-scanner
User-Agent: friendly-scanner
User-Agent: friendly-scanner
User-Agent: friendly-scanner
User-Agent: friendly-scanner
User-Agent: Asterisk PBX 1.6.5
User-Agent: friendly-scanner
User-Agent: friendly-scanner
User-Agent: friendly-scanner
User-Agent:
User-Agent:
User-Agent:
User-Agent:
User-Agent: friendly-scanner
User-Agent: friendly-scanner

Here is what I use to block:

iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "friendly-scanner" --algo bm --to 65535 -j DROP

1 Answer


You can use a longer match, include the record delimiters, and use hexadecimal for the non-printable characters. Your rule can then become:

iptables -A INPUT -p udp -m udp --dport 5060 -m string --icase --hex-string '|a|User-Agent: |0d0a|' --algo bm --to 65535 -j DROP

which will print back (using iptables-save) as:

iptables -A INPUT -p udp -m udp --dport 5060 -m string --icase --hex-string '|0a557365722d4167656e743a200d0a|' --algo bm --to 65535 -j DROP

Now you should be aware of the whitespace syntax in SIP's Header Field Format. Since there's no regex match available, there are almost infinite possibilities (even if only one is encouraged), so you should regularly check your "spam" with Wireshark instead of tcpdump to see the exact content. Here's a Sample SIP call capture from Wireshark's sample captures.

Headers are also case-insensitive, but having tested it, --icase does work with the contents of --hex-string, so it would also match USER-AGENT: .

A.B
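The answer's rule is a fixed-byte substring match, and the caveat about SIP whitespace is the important part: "User-Agent:" followed by a tab, no space, or a space before the colon is an equally empty header that the pattern will not see. The script below is an added example (not code from the asker or from A.B) that emulates the iptables string match, renders the pattern the way iptables-save prints a --hex-string, and compares the match against an RFC 3261-style header parser over a handful of constructed INVITE payloads. The payloads, addresses and header values are made up for the demonstration; nothing here talks to a network.

```python
import re

# Constructed SIP INVITE payloads (not captured from the asker's server).
# Only the header block varies; SIP lines end in CRLF (RFC 3261).
def build_invite(user_agent_line: bytes) -> bytes:
    return (
        b"INVITE sip:100@203.0.113.10 SIP/2.0\r\n"
        b"Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-1\r\n"
        b"From: <sip:scanner@198.51.100.7>;tag=1\r\n"
        b"To: <sip:100@203.0.113.10>\r\n"
        b"Call-ID: abc@198.51.100.7\r\n"
        b"CSeq: 1 INVITE\r\n"
        + user_agent_line +
        b"Content-Length: 0\r\n"
        b"\r\n"
    )

SAMPLES = {
    "canonical_empty":    build_invite(b"User-Agent: \r\n"),   # what the asker saw in tcpdump
    "no_space":           build_invite(b"User-Agent:\r\n"),
    "tab":                build_invite(b"User-Agent:\t\r\n"),
    "upper":              build_invite(b"USER-AGENT: \r\n"),
    "space_before_colon": build_invite(b"User-Agent : \r\n"),
    "legit":              build_invite(b"User-Agent: Asterisk PBX 1.6.5\r\n"),
    "friendly":           build_invite(b"User-Agent: friendly-scanner\r\n"),
}

# The answer's --hex-string '|a|User-Agent: |0d0a|' as raw bytes: LF, header, CRLF.
RULE_PATTERN = b"\nUser-Agent: \r\n"


def to_hex_string(pattern: bytes) -> str:
    """Render a byte pattern the way iptables-save prints --hex-string."""
    return "|" + pattern.hex() + "|"


def string_match(payload: bytes, pattern: bytes, icase: bool = False) -> bool:
    """Emulate -m string --algo bm [--icase]: a fixed substring search, no regex."""
    if icase:
        return pattern.lower() in payload.lower()
    return pattern in payload


# header-name, optional whitespace, colon, optional whitespace, value
HEADER_RE = re.compile(rb"^([^:\s]+)\s*:\s*(.*)$")


def parse_headers(msg: bytes) -> dict:
    """Parse SIP headers the tolerant way: case-insensitive names, optional
    whitespace around the colon, and folded continuation lines (leading SP/HTAB).
    Values are kept as bytes and stripped."""
    head = msg.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]          # drop the request line
    unfolded = []
    for line in lines:
        if line[:1] in (b" ", b"\t") and unfolded:
            unfolded[-1] += b" " + line.strip()   # line folding
        else:
            unfolded.append(line)
    headers = {}
    for line in unfolded:
        m = HEADER_RE.match(line)
        if m:
            name = m.group(1).decode("ascii", "replace").lower()
            headers.setdefault(name, []).append(m.group(2).strip())
    return headers


def user_agent_is_empty(msg: bytes) -> bool:
    """True when a User-Agent header is present but carries no value."""
    ua = parse_headers(msg).get("user-agent")
    return ua is not None and all(v == b"" for v in ua)


def evaluate_rule(pattern: bytes = RULE_PATTERN, icase: bool = True) -> dict:
    """For every sample: (parser says the UA is empty, iptables-style match fires)."""
    return {name: (user_agent_is_empty(m), string_match(m, pattern, icase))
            for name, m in SAMPLES.items()}


if __name__ == "__main__":
    print("rule as iptables-save shows it:", to_hex_string(RULE_PATTERN))
    for name, (empty, fired) in evaluate_rule().items():
        print(f"{name:20s} empty={empty!s:5} rule_fires={fired}")
```

Running it shows the rule firing only on the canonical form (and, with --icase, the upper-case one) while the parser flags every empty variant, which is exactly why the answer tells you to keep checking the real packets in Wireshark and add a rule per byte-exact variant you actually see. The "legit" and "friendly-scanner" samples are there to confirm the longer pattern does not drop a populated header.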