<p dir="ltr">Hi,</p>
<p dir="ltr">You should probably check out TM docs - specifically failure route (<a href="http://kamailio.org/docs/modules/stable/modules/tm.html#tm.f.t_on_failure">http://kamailio.org/docs/modules/stable/modules/tm.html#tm.f.t_on_failure</a>) and t_is_expired (<a href="http://kamailio.org/docs/modules/stable/modules/tm.html#tm.f.t_is_expired">http://kamailio.org/docs/modules/stable/modules/tm.html#tm.f.t_is_expired</a>).</p>
<p dir="ltr">From there you can do what you like.</p>
<p dir="ltr">Cheers,</p>
<p dir="ltr">Charles</p>
<div class="gmail_quote">On 5 Apr 2016 1:22 p.m., "Marrold" <<a href="mailto:kamailio@marrold.co.uk">kamailio@marrold.co.uk</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I am interested in 'fingerprinting' various SIP scanner attacks and using them to intelligently block attacks, rather than just blindly black listing any SIP message to a honey pot. <div><br></div><div>Additionally I think it would be wise to detect these missing ACKs and/or incomplete transactions from a legitimately mis-configured or malfunctioning end point, to help protect the core network from needless re-transmissions.</div><div><br></div><div>Having checked the Asterisk logs, this is what I'm looking to block if a certain threshold is exceeded-</div><div><br></div><div>[2016-04-05 13:10:52] WARNING[2010] chan_sip.c: Retransmission timeout reached on transmission eff430b8c1b6d21c2058049f41a7ec57 for seqno 1 (Critical Response) <br><div><br></div><div>Thanks</div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 5, 2016 at 1:14 PM, Daniel Tryba <span dir="ltr"><<a href="mailto:d.tryba@pocos.nl" target="_blank">d.tryba@pocos.nl</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On Tue, Apr 05, 2016 at 12:09:29AM +0100, Marrold wrote:<br>
> I have been running a couple of Asterisk honey pots to get a better<br>
> understanding of the tools and methods potential hackers are using to<br>
> exploit SIP servers.<br>
><br>
> I have observed many attacks from the 'sipcli' user agent that don't send<br>
> ACKs.<br>
</span>[...]<br>
<span>> Please could anyone point me in the right direction to detect these non<br>
> completed calls with a missing ACK in Kamailio? I am unsure on the<br>
> terminology I should be using to search the online documentation.<br>
<br>
</span>Why do you care? The attacker doesn't care about receiving SIP messages,<br>
they are only interested in initiating a call to a target, if the target<br>
gets dialled you will be abused, by either an other source with a fully<br>
function SIP stack or just something that might be spoofed.<br>
<br>
What I do is blacklist addresses that send any SIP messages to my<br>
honeypots, might be dangerous since with UDP anything can be spoofed (so<br>
better make sure you have a whitelist and there is no connection between<br>
the honeypots and your client facing SIP platform)<br>
<div><div><br>
_______________________________________________<br>
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list<br>
<a href="mailto:sr-users@lists.sip-router.org" target="_blank">sr-users@lists.sip-router.org</a><br>
<a href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a><br>
</div></div></blockquote></div><br></div>
<br>_______________________________________________<br>
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list<br>
<a href="mailto:sr-users@lists.sip-router.org">sr-users@lists.sip-router.org</a><br>
<a href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a><br>
<br></blockquote></div>
<br>
<div><font color="gray" style="font-size:10pt;font-family:Helvetica,Arial,sans-serif">Sipcentric Ltd.
Company registered in England & Wales no. 7365592.</font><span style="font-size:10pt;font-family:Helvetica,Arial,sans-serif"> </span><font color="gray" style="font-size:10pt;font-family:Helvetica,Arial,sans-serif">Registered
office: Faraday Wharf, Innovation Birmingham Campus, Holt Street, Birmingham Science Park, Birmingham B7 4BB.</font></div>