[prelude-cvslog] r10078 - prelude-lml/trunk/plugins/pcre/ruleset
noreply at prelude-ids.org
noreply at prelude-ids.org
Mon Dec 3 12:20:33 CET 2007
Author: toady
Date: 2007-12-03 12:20:31 +0100 (Mon, 03 Dec 2007)
New Revision: 10078
Modified:
prelude-lml/trunk/plugins/pcre/ruleset/asterisk.rules
Log:
(ruleset): new ruleset for asterisk
Modified: prelude-lml/trunk/plugins/pcre/ruleset/asterisk.rules
===================================================================
--- prelude-lml/trunk/plugins/pcre/ruleset/asterisk.rules 2007-11-29 15:09:59 UTC (rev 10077)
+++ prelude-lml/trunk/plugins/pcre/ruleset/asterisk.rules 2007-12-03 11:20:31 UTC (rev 10078)
@@ -38,3 +38,22 @@
target(0).user.user_id(0).type=original-user; \
target(0).user.user_id(0).name=$1; \
last;
+
+#Dec 3 10:32:10 NOTICE[23701] chan_sip.c: Invalid to address: '' from 192.168.33.180 (missing sip:) trying to use anyway...
+regex=chan_sip.c: ([[:print:]]+): '(\S*)' from (\S+) \(([[:print:]]+)\) trying to use anyway...; \
+ classification.text=$1; \
+ id=6001; \
+ revision=1; \
+ analyzer(0).name=Asterisk; \
+ analyzer(0).manufacturer=Digium; \
+ analyzer(0).class=Private Branch Exchange; \
+ assessment.impact.severity=low; \
+ assessment.impact.completion=succeeded; \
+ assessment.impact.type=recon; \
+ assessment.impact.description=The SIP message is invalid: '$4'. This is probably due to a crafted SIP message; \
+ source(0).node.address(0).address=$3; \
+ target(0).service.name=sip; \
+ target(0).user.user_id(0).type=original-user; \
+ target(0).user.user_id(0).name=$2; \
+ last;
+
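Review bot: The trailing `...` in the new `regex=` line are unescaped, so each dot matches any character instead of a literal period, and the dot in `chan_sip.c` has the same looseness; the rule still fires on the sample line, but the pattern is wider than intended. Escaping them gives `regex=chan_sip\.c: ([[:print:]]+): '(\S*)' from (\S+) \(([[:print:]]+)\) trying to use anyway\.\.\.; \`. Note also that `$2` is captured with `\S*`, so for the very message quoted in the comment (`''`) `target(0).user.user_id(0).name` is set to an empty string, and both `$2` and `$4` are copied from peer-supplied SIP content, so alert consumers should treat those fields as untrusted text rather than trusted identifiers. The rule that the hunk's three context lines close begins outside the hunk.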