2.4.4 Origin Host and Origin Realm Consistency Check (OhOrCstChk)
This countermeasure screens each ingress Diameter request message to check whether the FQDN string of Origin-Host ends with the Origin-Realm string.
An exception list of Realms can optionally be provisioned. Any ingress Diameter request message whose Origin-Realm matches an entry in the exception list is exempted from this countermeasure’s screening.
This countermeasure considers the ingress Diameter request message as vulnerable if the following condition is true:
- The Origin-Realm is not configured in the exception list of Realms and the Origin-Host’s FQDN string does not end with the Origin-Realm’s string.
In addition to the mandatory configuration described in DSA Mandatory Configuration, configure the System_Config_Options Table with the exception list of Realms that are exempted from this countermeasure’s screening.
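The screening condition above, written out as an added Python example (not DSA code; the function names, verdict strings and sample values are constructed for illustration). It assumes identities are compared case-insensitively with any trailing dot ignored, and the `label_boundary` option is a stricter reading that this page does not describe.

```python
# Added illustration of the OhOrCstChk condition; all names here are hypothetical.

def _norm(name: str) -> str:
    # Assumption: compare case-insensitively and ignore a trailing root dot.
    return name.strip().rstrip(".").lower()


def oh_or_consistent(origin_host, origin_realm, exempt_realms=(), label_boundary=False):
    """Return (passed, reason) for one request's Origin-Host / Origin-Realm pair."""
    host, realm = _norm(origin_host), _norm(origin_realm)
    # Realms on the exception list skip the screening entirely.
    if realm in {_norm(r) for r in exempt_realms}:
        return True, "realm-exempt"
    # Core condition: the Origin-Host FQDN must end with the Origin-Realm string.
    if not realm or not host.endswith(realm):
        return False, "host-not-in-realm"
    # Optional stricter test (assumption, beyond the page's wording): the realm
    # must begin at a DNS label boundary, i.e. be preceded by a dot in the host.
    if label_boundary and host != realm and host[-len(realm) - 1] != ".":
        return False, "suffix-not-on-label-boundary"
    return True, "consistent"


# Constructed sample requests: (Origin-Host, Origin-Realm)
SAMPLES = [
    ("mme01.epc.mnc001.mcc001.3gppnetwork.org", "epc.mnc001.mcc001.3gppnetwork.org"),
    ("hss1.operator-a.example", "operator-b.example"),
    ("HSS1.Operator-A.Example.", "operator-a.example"),
    ("node.legacy.example", "partner.example"),
    ("xoperator-a.example", "operator-a.example"),
]
EXEMPT = ["Partner.Example"]  # constructed exception list of Realms


def screen(samples=SAMPLES, exempt=EXEMPT, label_boundary=False):
    """Return the verdict string for each sample, in order."""
    return [oh_or_consistent(h, r, exempt, label_boundary)[1] for h, r in samples]


if __name__ == "__main__":
    for (h, r), verdict in zip(SAMPLES, screen()):
        print(f"{h:42} {r:36} {verdict}")
```

Only the last sample changes verdict between the two modes: a plain string suffix test accepts it, while the label-boundary test does not.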