    Odd log messages - Need a pair of eyes

      MikeX

      For a 10-minute span my firewall logged 200,000+ log entries that consisted of the following. 10.0.8.2 is the primary pfnode 'real IP'.

      X.X.X.40 is an internal DNS resolver which has a public IP, but is only set to answer recursive queries from internal/known networks. There are also firewall rules in place to block any traffic sourced from outside our networks.

      facility: local0
      level: Info [6.0]
      message: pf: From: "yn2mb7"<sip:yn2mb7@x.x.3p3\0xcbr\0x00\0x00\0x00\0x00\0xe40\0x0e\0x00\0x00\0x00\0x00\0x00\0x00\0x01\0x00\0x00\0xe6\0x01\0x00\0x00 \0x00\0x00\0x00\0x00\0x00\0x00\0x00="\0x02\0x01\0x00lagg0_vlan400\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00w\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xa0\0x86\0x01\0x00\0x00\0x00\0x00\0x00&\0x95\0x00\0x00\0x01\0x00\0x00\0x00E\0x00\0x01\0xa6\0xa1\0x9a@\0x005\0x11\0x1e\0xad\0xbc\0x8a~\0x0c&A#(\0x15v\0x13\0xc4\0x01\0x92/KREGISTER sip:yn9oir@X.X.X.40 SIP/2.0
      source: 10.0.8.2
      full_message: <134>Jan 6 17:50:57 pf: From: "yn2mb7"<sip:yn2mb7@x.x.3p3\0xcbr\0x00\0x00\0x00\0x00\0xe40\0x0e\0x00\0x00\0x00\0x00\0x00\0x00\0x01\0x00\0x00\0xe6\0x01\0x00\0x00 \0x00\0x00\0x00\0x00\0x00\0x00\0x00="\0x02\0x01\0x00lagg0_vlan400\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00w\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xa0\0x86\0x01\0x00\0x00\0x00\0x00\0x00&\0x95\0x00\0x00\0x01\0x00\0x00\0x00E\0x00\0x01\0xa6\0xa1\0x9a@\0x005\0x11\0x1e\0xad\0xbc\0x8a~\0x0c&A#(\0x15v\0x13\0xc4\0x01\0x92/KREGISTER sip:yn9oir@X.X.X.40 SIP/2.0

      facility: local0
      level: Info [6.0]
      message: pf: From: "yfxkhm"<sip:yfxkhm@x.x.3p3\0xcbr\0x00\0x00\0x00\0x00\0xb6\0xf2\0x0c\0x00\0x00\0x00\0x00\0x00\0x00\0x01\0x00\0x00\0xe6\0x01\0x00\0x00 \0x00\0x00\0x00\0x00\0x00\0x00\0x00="\0x02\0x01\0x00lagg0_vlan400\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00w\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xa0\0x86\0x01\0x00\0x00\0x00\0x00\0x00&\0x95\0x00\0x00\0x01\0x00\0x00\0x00E\0x00\0x01\0xa6\0x88\0x8b@\0x005\0x117\0xbc\0xbc\0x8a~\0x0c&A#(\0x15v\0x13\0xc4\0x01\0x92\0xd0\0x80REGISTER sip:yio4r1@X.X.X.40 SIP/2.0
      source: 10.0.8.2
      full_message: <134>Jan 6 17:50:57 pf: From: "yfxkhm"<sip:yfxkhm@x.x.3p3\0xcbr\0x00\0x00\0x00\0x00\0xb6\0xf2\0x0c\0x00\0x00\0x00\0x00\0x00\0x00\0x01\0x00\0x00\0xe6\0x01\0x00\0x00 \0x00\0x00\0x00\0x00\0x00\0x00\0x00="\0x02\0x01\0x00lagg0_vlan400\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00w\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xa0\0x86\0x01\0x00\0x00\0x00\0x00\0x00&\0x95\0x00\0x00\0x01\0x00\0x00\0x00E\0x00\0x01\0xa6\0x88\0x8b@\0x005\0x117\0xbc\0xbc\0x8a~\0x0c&A#(\0x15v\0x13\0xc4\0x01\0x92\0xd0\0x80REGISTER sip:yio4r1@X.X.X.40 SIP/2.0
      
        MikeX

        Also, many more like this:

        pf: REGISTER sip:yamoley who?@X.X.X.40 SIP/2.0
        
          jimp (Rebel Alliance Developer, Netgate)

          Someone was trying to run a SIP attack against you.

          The pf log parser gets enough data, which is parsed through tcpdump, that the actual body of the packets was getting decoded.

          If you have a SIP server, you might want to make sure it's adequately protected in terms of rules, passwords, access, etc.

          If you don't have a SIP server, this may have been a random scan/attack that just happened to hit you. It's very common for such things to be seen sweeping the Internet looking for SIP servers to exploit. When they find an open one they'll burst a ton of pay calls through it. We've heard of people getting 5- and 6-digit dollar bills from improperly protected SIP services.

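A detection-side example added here (not from the thread, pfSense or Netgate): it parses syslog-forwarded pf lines like the ones above, finds the SIP REGISTER request line hidden behind the escaped binary, and flags any target that receives a burst of REGISTERs within a 10-minute window. The sample log lines are constructed; 192.0.2.40 stands in for the post's X.X.X.40, and the PRI decode reproduces the local0 / Info fields shown in the log viewer.

```python
import re
from collections import Counter
from datetime import datetime

# pfSense ships pf log lines over syslog with a <PRI> header; payload bytes arrive escaped as \0xNN.
SYSLOG_RE = re.compile(r'^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) pf: (?P<msg>.*)$')
# The SIP request line may sit behind escaped binary ("...\0x92/KREGISTER sip:..."), so search, not match.
SIP_REQ_RE = re.compile(r'(?P<method>REGISTER|INVITE|OPTIONS)\s+sip:(?P<user>[^@]*)@(?P<host>\S+)\s+SIP/2\.0')


def decode_pri(pri):
    """Split a syslog PRI into (facility, severity): 134 -> (16, 6), i.e. local0 / Info as in the post."""
    return pri >> 3, pri & 7


def parse_line(line):
    """Return (timestamp, method, target_host) for a pf line carrying a SIP request, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    req = SIP_REQ_RE.search(m.group('msg'))
    if not req:
        return None
    ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S')  # syslog carries no year; fine for bucketing
    return ts, req.group('method'), req.group('host')


def register_bursts(lines, window_minutes=10, threshold=1000):
    """Count SIP REGISTER lines per target host in fixed windows; return {(host, 'HH:MM'): count}
    for windows at or above threshold (the thread saw 200,000+ entries in 10 minutes)."""
    buckets = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != 'REGISTER':
            continue
        ts, _, host = parsed
        minute = ts.hour * 60 + ts.minute
        start = minute - minute % window_minutes
        buckets[(host, f'{start // 60:02d}:{start % 60:02d}')] += 1
    return {k: v for k, v in buckets.items() if v >= threshold}


def sample_lines():
    """Constructed sample input (not real logs): 12 REGISTERs with escaped binary in one window, one
    'who?' variant, one unrelated pf block line, and one REGISTER in the next window."""
    junk = r'\0xcbr\0x00\0x00\0xe6\0x01\0x00\0x00 \0x00="\0x02\0x01\0x00lagg0_vlan400\0x00\0x92/K'
    lines = [f'<134>Jan  6 17:5{i % 10}:{10 + i:02d} pf: From: "u{i}"<sip:u{i}@x.x.3p3{junk}REGISTER sip:user{i}@192.0.2.40 SIP/2.0'
             for i in range(12)]
    lines.append('<134>Jan  6 17:55:01 pf: REGISTER sip:yamoley who?@192.0.2.40 SIP/2.0')
    lines.append('<134>Jan  6 17:55:02 pf: 00000000 block in on igb0: 203.0.113.5.40000 > 192.0.2.40.5060: UDP, length 512')
    lines.append('<134>Jan  6 18:03:00 pf: From: "z"<sip:z@x.x.3p3REGISTER sip:z@192.0.2.40 SIP/2.0')
    return lines


if __name__ == '__main__':
    for (host, window), count in register_bursts(sample_lines(), threshold=10).items():
        print(f'{count} SIP REGISTER attempts against {host} in the 10-minute window starting {window}')
```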
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.