Odd log messages - Need a pair of eyes
-
For a 10 minute span my firewall logged 200,000+ log entries that consisted of the following. 10.0.8.2 is the primary pfnode 'real IP'.
X.X.X.40 is an internal DNS resolver which has a public IP, but is only set to answer recursive queries from internal/known networks. There are also firewall rules in place to block any traffic sourced from outside our networks.
facility local0 level Info [6.0]
message pf: From: "yn2mb7"<sip:yn2mb7@x.x.3p3\0xcbr\0x00\0x00\0x00\0x00\0xe40\0x0e\0x00\0x00\0x00\0x00\0x00\0x00\0x01\0x00\0x00\0xe6\0x01\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00="\0x02\0x01\0x00lagg0_vlan400\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00w\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xa0\0x86\0x01\0x00\0x00\0x00\0x00\0x00&\0x95\0x00\0x00\0x01\0x00\0x00\0x00E\0x00\0x01\0xa6\0xa1\0x9a@\0x005\0x11\0x1e\0xad\0xbc\0x8a~\0x0c&A#(\0x15v\0x13\0xc4\0x01\0x92/KREGISTER sip:yn9oir@X.X.X.40 SIP/2.0
source 10.0.8.2
full_message <134>Jan 6 17:50:57 pf: From: "yn2mb7"<sip:yn2mb7@x.x.3p3\0xcbr\0x00\0x00\0x00\0x00\0xe40\0x0e\0x00\0x00\0x00\0x00\0x00\0x00\0x01\0x00\0x00\0xe6\0x01\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00="\0x02\0x01\0x00lagg0_vlan400\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00w\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xa0\0x86\0x01\0x00\0x00\0x00\0x00\0x00&\0x95\0x00\0x00\0x01\0x00\0x00\0x00E\0x00\0x01\0xa6\0xa1\0x9a@\0x005\0x11\0x1e\0xad\0xbc\0x8a~\0x0c&A#(\0x15v\0x13\0xc4\0x01\0x92/KREGISTER sip:yn9oir@X.X.X.40 SIP/2.0

facility local0 level Info [6.0]
message pf: From: "yfxkhm"<sip:yfxkhm@x.x.3p3\0xcbr\0x00\0x00\0x00\0x00\0xb6\0xf2\0x0c\0x00\0x00\0x00\0x00\0x00\0x00\0x01\0x00\0x00\0xe6\0x01\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00="\0x02\0x01\0x00lagg0_vlan400\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00w\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xa0\0x86\0x01\0x00\0x00\0x00\0x00\0x00&\0x95\0x00\0x00\0x01\0x00\0x00\0x00E\0x00\0x01\0xa6\0x88\0x8b@\0x005\0x117\0xbc\0xbc\0x8a~\0x0c&A#(\0x15v\0x13\0xc4\0x01\0x92\0xd0\0x80REGISTER sip:yio4r1@X.X.X.40 SIP/2.0
source 10.0.8.2
full_message <134>Jan 6 17:50:57 pf: From: "yfxkhm"<sip:yfxkhm@x.x.3p3\0xcbr\0x00\0x00\0x00\0x00\0xb6\0xf2\0x0c\0x00\0x00\0x00\0x00\0x00\0x00\0x01\0x00\0x00\0xe6\0x01\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00="\0x02\0x01\0x00lagg0_vlan400\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00w\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xa0\0x86\0x01\0x00\0x00\0x00\0x00\0x00&\0x95\0x00\0x00\0x01\0x00\0x00\0x00E\0x00\0x01\0xa6\0x88\0x8b@\0x005\0x117\0xbc\0xbc\0x8a~\0x0c&A#(\0x15v\0x13\0xc4\0x01\0x92\0xd0\0x80REGISTER sip:yio4r1@X.X.X.40 SIP/2.0
-
Also, many more like this:
pf: REGISTER sip:yamoley who?@X.X.X.40 SIP/2.0
-
Someone was trying to run a SIP attack against you.
The pf log parser gets enough data that can be parsed through tcpdump that the actual body of the packets was getting decoded.
If you have a SIP server, you might want to make sure it's adequately protected in terms of rules, passwords, access, etc.
If you don't have a SIP server, this may have been a random scan/attack that just happened to hit you. It's very common for such things to be seen sweeping the Internet looking for SIP servers to exploit. When they find an open one they'll burst a ton of pay calls through it. We've heard of people getting five- and six-digit dollar bills from improperly protected SIP services.
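An added example, not code from either post: a small Python script that pulls the SIP request line out of pf log lines in the escaped form shown above (raw packet bytes rendered as \0xNN with the REGISTER line buried in the noise) and flags a REGISTER burst per target host. It assumes that log format and the syslog "<PRI>Jan 6 17:50:57 pf: ..." prefix; the sample lines, the usernames, the 500-in-10-minutes threshold and the year are constructed placeholders, not data from the thread.

```python
"""Spot a SIP REGISTER scan in pf log lines (added example, not from the thread).

Assumes the format seen in the thread: a syslog line "<PRI>Jan 6 17:50:57 pf: ..."
whose payload renders raw packet bytes as \\0xNN escapes with the SIP request
line ("REGISTER sip:user@host SIP/2.0") somewhere inside.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

_ESCAPE = re.compile(r"\\0x([0-9a-fA-F]{2})")
_SYSLOG = re.compile(r"^<\d+>(\w{3})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s+pf:\s*(.*)$", re.S)
# Request line as it appears in the dumps: METHOD sip:user@host SIP/2.0
_REQUEST = re.compile(rb"(REGISTER|INVITE|OPTIONS)\s+sip:([^@\s]+)@([^\s>]+)\s+SIP/2\.0")
_FROM = re.compile(rb'From:\s*"([^"]*)"')


def unescape(text):
    """Turn the \\0xNN rendering back into raw bytes; everything else is literal."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text).encode("latin-1", "replace")


def parse_line(line, year):
    """Return the SIP request embedded in one pf log line, or None.

    Syslog timestamps carry no year, so the caller supplies it (assumption).
    """
    m = _SYSLOG.match(line)
    if not m:
        return None
    mon, day, clock, payload = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    raw = unescape(payload)  # NUL bytes and binary noise are fine in a bytes regex
    req = _REQUEST.search(raw)
    if not req:
        return None
    frm = _FROM.search(raw)
    return {
        "ts": ts,
        "method": req.group(1).decode(),
        "user": req.group(2).decode("latin-1"),
        "target": req.group(3).decode("latin-1"),
        "from_user": frm.group(1).decode("latin-1") if frm else None,
    }


def register_bursts(events, window=timedelta(minutes=10), threshold=500):
    """Per target host: peak REGISTER count inside any `window`, plus distinct usernames.

    Only targets reaching `threshold` are returned. The threshold is an assumption;
    set it above the registration rate your own SIP server normally sees. A scan
    shows up as a high count with roughly as many distinct usernames as requests.
    """
    regs = sorted((e for e in events if e["method"] == "REGISTER"), key=lambda e: e["ts"])
    recent, peak, users = defaultdict(deque), defaultdict(int), defaultdict(set)
    for e in regs:
        q = recent[e["target"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        peak[e["target"]] = max(peak[e["target"]], len(q))
        users[e["target"]].add(e["user"])
    return {t: (c, len(users[t])) for t, c in peak.items() if c >= threshold}


def scan_log(lines, year):
    """Parse every line and report REGISTER bursts as {target: (count, distinct_users)}."""
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    return register_bursts(events)


# Constructed sample log modelled on the thread's dump (usernames, bytes and
# X.X.X.40 are placeholders): 600 probes in ten minutes plus one normal registration.
_NOISE = "\\0xcb\\0x00\\0x00\\0x00lagg0_vlan400\\0x00\\0x00E\\0x00\\0x01\\0xa6\\0x11"
CONSTRUCTED_LINES = [
    f'<134>Jan 6 17:{50 + i // 60:02d}:{i % 60:02d} pf: From: "u{i:04x}"<sip:u{i:04x}@x.x.3p3{_NOISE}'
    f'REGISTER sip:p{i:04x}@X.X.X.40 SIP/2.0'
    for i in range(600)
] + ['<134>Jan 6 17:55:00 pf: REGISTER sip:alice@pbx.internal SIP/2.0']

if __name__ == "__main__":
    for target, (count, distinct) in scan_log(CONSTRUCTED_LINES, 2019).items():
        print(f"{target}: {count} REGISTERs in 10 min using {distinct} distinct usernames")
```

Run against a real export, replace CONSTRUCTED_LINES with the lines from the log viewer's full_message field; the one normal registration to pbx.internal stays below the threshold, while the 600 probes against X.X.X.40 with 600 different usernames are reported, which is the signature of an enumeration scan rather than a misbehaving phone.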