2.4.4 Origin Host and Origin Realm Consistency Check (OhOrCstChk)

This countermeasure screens each ingress Diameter request message to check whether the FQDN string of Origin-Host ends with the Origin-Realm string.

An exception list of Realms can optionally be provisioned. Any ingress Diameter request message whose Origin-Realm matches an entry in the exception list is exempted from this countermeasure’s screening.

This countermeasure considers the ingress Diameter request message as vulnerable if the following condition is true:

  • The Origin-Realm is not configured in the exception list of Realms and the Origin-Host’s FQDN string does not end with the Origin-Realm’s string.

In addition to the mandatory configuration described in DSA Mandatory Configuration, configure the System_Config_Options Table with the exception list of Realms that are exempted from this countermeasure’s screening.
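
The screening decision described above, sketched as an added example; this is not the product's code. The function names, the sample realms and hosts, the case-insensitive comparison and the optional `strict` label-boundary test are assumptions of this example and go beyond the plain suffix check the section states.

```python
from dataclasses import dataclass

# Constructed exception list (assumption: the page does not show how
# System_Config_Options stores it).
EXCEPTION_REALMS = {"hub.partner.example"}

@dataclass
class Verdict:
    vulnerable: bool
    reason: str

def _norm(name: str) -> str:
    # Assumption of this example: compare case-insensitively and ignore
    # a trailing root dot, as is usual for DNS-style names.
    return name.strip().rstrip(".").lower()

def oh_or_cst_chk(origin_host, origin_realm,
                  exceptions=EXCEPTION_REALMS, strict=False) -> Verdict:
    host, realm = _norm(origin_host), _norm(origin_realm)
    # Step 1: realms on the exception list are exempt from screening.
    if realm in {_norm(r) for r in exceptions}:
        return Verdict(False, "realm exempted")
    # Step 2: the check as the page states it, a string suffix test.
    if not realm or not host.endswith(realm):
        return Verdict(True, "Origin-Host does not end with Origin-Realm")
    # Step 3 (added here, not from the page): the suffix must start at a
    # label boundary, so "xepc.a.example" is not accepted for "epc.a.example".
    if strict and host != realm and not host.endswith("." + realm):
        return Verdict(True, "suffix not aligned to a label boundary")
    return Verdict(False, "consistent")

# Constructed (Origin-Host, Origin-Realm) pairs from ingress requests.
SAMPLES = [
    ("mme01.epc.operator-a.example", "epc.operator-a.example"),
    ("MME01.EPC.Operator-A.example.", "epc.operator-a.example"),
    ("hss1.operator-b.example", "epc.operator-a.example"),
    ("dra7.other.example", "hub.partner.example"),
    ("mme01-epc.operator-a.example", "epc.operator-a.example"),
]

def screen(samples=SAMPLES, strict=False):
    return [oh_or_cst_chk(h, r, strict=strict).vulnerable for h, r in samples]

if __name__ == "__main__":
    for (h, r), v in zip(SAMPLES, screen(strict=True)):
        print(f"{'VULNERABLE' if v else 'ok':10} host={h} realm={r}")
```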