sipShield Plug-in

The sipShield SPL Plug-in enables the Oracle Communications Session Border Controller to drop SIP messages containing the identifying characteristics of known malicious tools. Common attack types include information collection, denial-of-service, and toll fraud.

This version of the sipShield SPL Plug-in, 1.9, may be run on an SBC that supports SPL Engine C2.0.1. A list of supported SPL Engines may be found in the SBC Release Notes.

Tools identified include:
  • SIPVicious
  • SIPScan
  • SMap
  • Sipsak
  • Sipcli
  • Sivus
  • Protos
  • Gulp
  • Sipv
  • Sundayddr Worm
  • Spoofed eyeBeam Client
  • VaxIPUserAgent
  • sipArmyKnife
  • Viproy

How It Works


The plug-in scans SIP message fields (User-Agent, From, To, Subject, etc.) for identifying characteristics of known attack tools. Once a SIP message is flagged as a threat, the message is dropped and all processing of the message ceases.

The administrator can also specify a regex to match an expected User-Agent value to aid in identifying potentially fraudulent traffic quickly. This strategy is called “whitelisting”. If the whitelist passes, sipShield will continue processing, looking for other indicators of abuse.

The system creates a log entry for each drop event that includes the source IP address and the flagged portion of the message.

You must still configure proper SBC security settings such as registration policies, ACL, and signaling thresholds for attacks that may randomize their identifying fields.
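The following is an added example, not code from Oracle or from the sipShield plug-in itself, that models the inspection flow described above: the SIP header block is parsed, the User-Agent is checked against an optional whitelist regex (the page's `Linphone|Vendorname release 2\.2\.3` example is reused), and, if the whitelist passes, the scanned fields are still compared against tool fingerprints before a drop entry is produced in the format of the page's log samples. The signature table is constructed for illustration: only `friendly-scanner` and `sipvicious` appear on this page; the other substrings are assumed, as are the sample requests.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed signature table keyed by the tool names the page lists. The
# plug-in's real patterns are not published; "friendly-scanner" and "sipvicious"
# come from the page's log sample, the remaining substrings are illustrative.
ATTACK_TOOL_SIGNATURES: Tuple[Tuple[str, Tuple[str, ...]], ...] = (
    ("SIPVicious", ("friendly-scanner", "sipvicious")),
    ("SIPScan", ("sipscan",)),
    ("SMap", ("smap",)),
    ("Sipsak", ("sipsak",)),
    ("Sipcli", ("sipcli",)),
    ("Sivus", ("sivus",)),
    ("Protos", ("protos",)),
    ("Gulp", ("gulp",)),
    ("Sipv", ("sipv",)),
    ("Sundayddr Worm", ("sundayddr",)),
    ("VaxIPUserAgent", ("vaxipuseragent",)),
    ("sipArmyKnife", ("siparmyknife",)),
    ("Viproy", ("viproy",)),
)

# Header fields the page says are scanned; compact header names are expanded on parse.
SCANNED_FIELDS = ("user-agent", "from", "to", "subject")
COMPACT = {"f": "from", "t": "to", "s": "subject"}
CANONICAL = {"user-agent": "User-Agent", "from": "From", "to": "To", "subject": "Subject"}


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the SIP header block as {lowercase name: value}. Header folding is not handled."""
    headers: Dict[str, str] = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # element 0 is the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        headers[COMPACT.get(name, name)] = value.strip()
    return headers


@dataclass
class DropEvent:
    src_ip: str
    field: str   # header that caused the drop
    value: str   # flagged portion of the message
    reason: str  # matched tool name, or "whitelist" when the User-Agent failed the regex

    def log_line(self, local_addr: str, realm: str) -> str:
        """Mirror the drop entry format shown in the page's log samples."""
        return (f"[sipShield] Scanner or attack field detected! Src IP: {self.src_ip}, "
                f"{self.field}: {self.value}, received on {local_addr} realm: {realm}")


def inspect_message(raw: str, src_ip: str, whitelist: Optional[str] = None) -> Optional[DropEvent]:
    """Return a DropEvent if the message should be dropped, else None (processing continues)."""
    headers = parse_headers(raw)
    user_agent = headers.get("user-agent", "")
    # Whitelist first: a User-Agent that does not match the expected regex is dropped outright.
    if whitelist is not None and not re.search(whitelist, user_agent):
        return DropEvent(src_ip, "User-Agent", user_agent or "<nil>", "whitelist")
    # Whitelist passed or not configured: still look for known-tool fingerprints.
    for field in SCANNED_FIELDS:
        value = headers.get(field)
        if value is None:
            continue
        lowered = value.lower()
        for tool, signatures in ATTACK_TOOL_SIGNATURES:
            if any(sig in lowered for sig in signatures):
                return DropEvent(src_ip, CANONICAL[field], value, tool)
    return None


def sample_request(user_agent: str, from_header: str) -> str:
    """Constructed OPTIONS request used as test input; not captured traffic."""
    return ("OPTIONS sip:100@192.168.69.57 SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.168.69.44:5060;branch=z9hG4bK-1\r\n"
            f"From: {from_header}\r\n"
            "To: <sip:100@192.168.69.57>\r\n"
            "Call-ID: 1@192.168.69.44\r\nCSeq: 1 OPTIONS\r\n"
            f"User-Agent: {user_agent}\r\nContent-Length: 0\r\n\r\n")


SCAN_PROBE = sample_request("friendly-scanner", '"sipvicious"<sip:100@1.1.1.1>;tag=3432')
GOOD_CALL = sample_request("Linphone/3.6.1", '"Alice" <sip:alice@example.com>;tag=ab1')
DISGUISED_PROBE = sample_request("Linphone/3.6.1", '"sipvicious"<sip:100@1.1.1.1>;tag=77')
UNKNOWN_UA = sample_request("X-Lite release 1104o", '"Bob" <sip:bob@example.com>;tag=cd2')
EXPECTED_UA = r"Linphone|Vendorname release 2\.2\.3"  # the whitelist regex from the page

if __name__ == "__main__":
    for name, msg in (("scan", SCAN_PROBE), ("good", GOOD_CALL),
                      ("disguised", DISGUISED_PROBE), ("unknown", UNKNOWN_UA)):
        event = inspect_message(msg, "192.168.69.44", EXPECTED_UA)
        print(name, "->", event.log_line("192.168.69.57:5060", "access") if event else "forwarded")
```

The `DISGUISED_PROBE` case is the one worth noting: its User-Agent satisfies the whitelist, so the whitelist alone would forward it, but the From header still carries a known fingerprint and the message is dropped on that field. This is why the page says processing continues after a whitelist pass rather than stopping there.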

Enabling the Plug-in

  1. Obtain the plug-in from My Oracle Support.
  2. Upload the SPL plug-in to an SBC.
  3. Add the SPL plug-in to the SBC configuration.
  4. Execute the SPL plug-in on the SBC.
  5. Synchronize the plug-in across HA pairs.

Uploading the Plug-in

Upload the plug-in to the SBC’s /code/spl directory, either from the Web GUI or over SFTP using any CLI- or GUI-based SFTP client. The SBC’s SFTP server may be reached from the system’s wancom or eth0 management physical interface.

Adding the Plug-in to Your Configuration

The plug-in must be configured in the spl-config configuration element. If multiple plug-ins are configured on the SBC, the plug-ins are executed in the order of configuration.
  1. In Superuser mode, type configure terminal and press <Enter>.
    ACMEPACKET# configure terminal
  2. Type system and press <Enter> to access the system-level configuration elements.
    ACMEPACKET(configure)# system
    ACMEPACKET(system)#
  3. Type spl-config and press <Enter>.
    ACMEPACKET(system)# spl-config
    ACMEPACKET(spl-config)#
  4. To start editing the spl-config, type select and press <Enter>.
    ACMEPACKET(spl-config)# select
  5. Type plugins and press <Enter>. The system prompt changes to let you know that you can begin configuring individual parameters.
    ACMESYSTEM(spl-config)# plugins
    ACMESYSTEM(spl-plugins)#
  6. Type name, a <space>, and the name of the SPL plug-in file.
    ACMESYSTEM(spl-plugins)# name sipShield.1.9.spl
  7. Type done to save your work.
  8. Type exit.
  9. Type done.

Messages Dropped Counter

The sipShield plug-in comes with a counter to track the number of SIP attack messages dropped. The counter is enabled automatically when using the block-attack-tools spl option.

Show Counter

  1. Type spl show sip attacks all and press <Enter> to access the number of attacks detected.

Reset Counter

  1. Type spl reset sip attacks and press <Enter> to reset the sipShield counters.

Executing SPL Files

To execute an SPL file:
  1. Perform a save-config and activate-config after exiting the configuration menu.

Note:

Oracle recommends that scripts are only refreshed during planned maintenance windows.

If an SPL file exists in the /code/spl directory, but is not configured in the spl-files parameter, it will be ignored when the ACLI User Interface is booting.

Synchronizing SPL Files Across HA Pairs

When running in an HA configuration, both the active and the standby systems must have the same version of the SPL plug-in installed. To facilitate configuring the standby system, execute the synchronize spl command (with no arguments) to copy all files in the /code/spl directory from the active system to the same directory on the standby, overwriting any existing files with the same name.

By adding the specific filename as an argument to the synchronize spl command, only the specified scripts are copied between the systems. For example:
ACMEPACKET#synchronize spl /code/spl/sipShield.1.9.spl
Waiting for request to finish
Request to 'SYNCHRONIZE' has Finished,
Synchronization Complete

Note:

For the synchronize spl command to work properly, you must include the full path of the plug-in.
The synchronize spl command can only be executed from the active system in an HA pair. There is no means to synchronize SPL files automatically during a save and activate of the SBC.
To synchronize all SPL Plug-ins to the configuration:
  1. In Superuser mode, type synchronize spl and press <Enter>.
    ACMEPACKET# synchronize spl

Configuring the Plug-in Options

The SPL options must be configured on either the sip-interface or the ingress realm-config. There is no global option for this plug-in.

Note:

When the plug-in is enabled on both the sip-interface and realm-config, the sip-interface takes precedence.
  1. In Superuser mode, type configure terminal and press <Enter>.
    ACMEPACKET# configure terminal
  2. Access either the sip-interface or the realm-config object.
    • To access the sip-interface, type session-router and press <Enter>, then type sip-interface and press <Enter>.
      ACMEPACKET(configure)# session-router
      ACMEPACKET(session-router)# sip-interface
      ACMEPACKET(sip-interface)#
    • To access the realm-config, type media-manager and press <Enter>, then type realm-config and press <Enter>.
      ACMEPACKET(configure)# media-manager
      ACMEPACKET(media-manager)# realm-config
      ACMEPACKET(realm-config)#
  3. Select the sip-interface or realm-config to which you want to apply this feature.
  4. Enter one of the following options to enable the plug-in:
    • Type spl-options +block-attack-tools and press <Enter>.
      ACMESYSTEM(sip-interface)# spl-options +block-attack-tools
    • Type spl-options +whitelist="regex" and press <Enter>.
      ACMESYSTEM(sip-interface)# spl-options +whitelist="Linphone|Vendorname release 2\.2\.3"

      Note:

      When whitelist is enabled, you do not need to enable block-attack-tools.
  5. Type done to save your work.
  6. Save and activate your changes.

Maintenance and Troubleshooting

This section provides information about how to troubleshoot and collect information about your SPL plug-in. You must save and activate your configuration changes to display SPL show command output.

show SPL

The ACLI show spl command displays:

  • The version of the SPL engine
  • The filenames and version of the SPL plug-ins currently loaded on the SBC
  • The signature state of each plug-in
  • The system tasks that each loaded plug-in interacts with, enclosed in brackets.
ACMEPACKET# show spl
SPL Version: C3.1.10

[sipd] File: sipShield.1.9.spl (plugin) version: 1.9 timestamp: release signature: signed and valid

ACMEPACKET# show spl sipd

SPL Version: C3.1.10

[sipd] File: sipShield.1.9.spl (plugin), version: 1.9, timestamp: release, signature: signed and valid

SPL Signature State

All SPL Plug-ins must be signed by Oracle for authenticity.

show running-config spl-config

The ACLI show running-config spl-config command displays the SPL-specific configuration information on the system.
spl-config
    spl-options
    plug-ins
        name                sipShield.1.1.spl
    last-modified-by        admin@10.0.221.127
    last-modified-date      2013-03-01 08:36:29

show directory /code/spl

The ACLI show directory /code/spl command displays SPL plug-ins stored in the /code/spl directory.
ACMEPACKET# show directory /code/spl
Listing Directory /code/spl:
drwxrwxrwx 1 0 0 4096 Aug 13 10:07 ./
drwxrwxrwx 1 0 0 4096 Aug 19 22:25 ../
-rwxrwxrwx 1 0 0 3163 Aug 13 10:07 sipShield.1.1.spl

show spl-options

The ACLI show spl-options command displays SPL-specific options registered by a plug-in.
ACMEPACKET# show spl-options
1. block-attack-tools: Directs the sip-interface or realm to drop common SIP attacks [config,sipShield.1.3.spl,sipShield.1.4.spl]
2. whitelist: Directs the sip-interface or realm to drop user agents that do not match the whitelist regex value [config,sipShield.1.4.spl]

Deleting SPL Plug-ins

Deleting files from /code/spl must be performed via FTP/SFTP; there is no means to delete files from the ACLI.

SPL Log Types

SPL log messages can often be found in the log file for the system task to which the SPL applies when that task is set to DEBUG level. You can find the output specific to SPL by the identifying prefix [SPL].

sysmand.log

sysmand.log:11:[sipShield] Scanner or attack field detected! Src IP: 192.168.69.44, User-Agent: friendly-scanner, received on 192.168.69.57:5060 realm: access
sysmand.log:23:[sipShield] Scanner or attack field detected! Src IP: 192.168.69.44, User-Agent: friendly-scanner, received on 192.168.69.57:5060 realm: access

log.sipd

Jun 11 11:48:47.223 [SIP] (1) INVITE 1 parse_via: reply=192.168.69.44:5060 from-Realm=access
Jun 11 11:48:47.223 [SIP] (1)   from-SA=192.168.69.44
Jun 11 11:48:47.223 [SIP] (1)   gwcon=<none>
Jun 11 11:48:47.223 [SPC] (1) Executing 1 callbacks at CL_SIP_MSG_RECV
Jun 11 11:48:47.223 [SPC] (1) Executing SPL callback from file: sipShield.1.9.spl
Jun 11 11:48:47.223 [SPL] (1) SIP <false> regex <nil>  Realm <false> regex <nil>
Jun 11 11:48:47.223 [SPL] (1) ** sipShield data **
Jun 11 11:48:47.223 [SPL] (1) Agent: User-Agent: friendly-scanner
Jun 11 11:48:47.223 [SPL] (1) From: From: "sipvicious"<sip:100@1.1.1.1>;tag=34323432343230323133633401363536393938313331
Jun 11 11:48:47.223 [SPL] (1) Subject: <nil>
Jun 11 11:48:47.223 [WARNING] (1) [sipShield] Scanner or attack field detected! Src IP: 192.168.69.44, User-Agent: friendly-scanner, received on 192.168.69.57:5060 realm: access
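Because each drop entry carries the source IP and the flagged field, the sysmand.log and log.sipd lines above can be parsed to see which sources are being blocked and how often, which is useful input for the ACL and signaling-threshold configuration the page says you must still maintain. The following is an added example, not part of the plug-in or of Oracle's documentation; the regex is derived from the entry format shown on this page, and the sample log is constructed: three lines are copied from the page's samples, the rest (including the 203.0.113.9 source) are made up.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple

# Matches the drop entry format shown in the page's sysmand.log and log.sipd samples.
# search() is used so the "sysmand.log:11:" or timestamp/[WARNING] prefixes do not matter.
DROP_EVENT = re.compile(
    r"\[sipShield\] Scanner or attack field detected! "
    r"Src IP: (?P<src_ip>[\d.]+), (?P<field>[A-Za-z-]+): (?P<value>.+?), "
    r"received on (?P<local>[\d.]+:\d+) realm: (?P<realm>\S+)"
)


class DropEvent(NamedTuple):
    src_ip: str
    field: str
    value: str
    local: str
    realm: str


def parse_drop_events(lines: Iterable[str]) -> List[DropEvent]:
    """Extract sipShield drop entries; every other log line is ignored."""
    events: List[DropEvent] = []
    for line in lines:
        match = DROP_EVENT.search(line)
        if match:
            events.append(DropEvent(**match.groupdict()))
    return events


def drops_per_source(events: Iterable[DropEvent]) -> Dict[str, int]:
    """Count drop events by source IP address."""
    return dict(Counter(e.src_ip for e in events))


def flagged_values_per_source(events: Iterable[DropEvent]) -> Dict[str, List[str]]:
    """Distinct flagged field values seen from each source, in first-seen order."""
    seen: Dict[str, List[str]] = {}
    for e in events:
        values = seen.setdefault(e.src_ip, [])
        label = f"{e.field}: {e.value}"
        if label not in values:
            values.append(label)
    return seen


def sources_over_threshold(events: Iterable[DropEvent], threshold: int) -> List[str]:
    """Sources with more than `threshold` drops, most active first; candidates for
    the ACL or signaling-threshold review the page recommends."""
    counts = drops_per_source(events)
    return sorted((ip for ip, n in counts.items() if n > threshold),
                  key=lambda ip: (-counts[ip], ip))


# Sample input: the three drop lines are copied from the page's log samples, the
# remaining lines are constructed (203.0.113.9 is a documentation address).
SAMPLE_LOG = [
    "sysmand.log:11:[sipShield] Scanner or attack field detected! Src IP: 192.168.69.44, "
    "User-Agent: friendly-scanner, received on 192.168.69.57:5060 realm: access",
    "sysmand.log:23:[sipShield] Scanner or attack field detected! Src IP: 192.168.69.44, "
    "User-Agent: friendly-scanner, received on 192.168.69.57:5060 realm: access",
    "Jun 11 11:48:47.223 [SPC] (1) Executing SPL callback from file: sipShield.1.9.spl",
    "Jun 11 11:48:47.223 [WARNING] (1) [sipShield] Scanner or attack field detected! "
    "Src IP: 192.168.69.44, User-Agent: friendly-scanner, received on 192.168.69.57:5060 realm: access",
    "Jun 11 11:52:03.001 [WARNING] (1) [sipShield] Scanner or attack field detected! "
    "Src IP: 203.0.113.9, User-Agent: sipsak, received on 192.168.69.57:5060 realm: access",
]

if __name__ == "__main__":
    events = parse_drop_events(SAMPLE_LOG)
    for ip, n in drops_per_source(events).items():
        print(f"{ip}: {n} drop(s), flagged {flagged_values_per_source(events)[ip]}")
    print("over threshold:", sources_over_threshold(events, 2))
```

Note that the same event can appear both in sysmand.log and in log.sipd (the page's samples show the identical entry in both files), so when feeding both files to this parser you should deduplicate by timestamp or parse only one of them, otherwise counts per source are inflated.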