Cisco Firepower Management Center 2000

25-50
FireSIGHT System User Guide
 
Chapter 25 Using Application Layer Preprocessors
Decoding the Session Initiation Protocol
Step 7
Save your policy, continue editing, discard your changes, revert to the default configuration settings in 
the base policy, or exit while leaving your changes in the system cache. See the 
 table for more information.
Enabling Additional SIP Preprocessor Rules
License: Protection
The SIP preprocessor rules in the following table are not associated with specific configuration options. 
As with other SIP preprocessor rules, you must enable these rules if you want them to generate events. 
See 
 for information on enabling rules.
Table 25-8 Additional SIP Preprocessor Rules

| Preprocessor Rule GID:SID | Description |
|---|---|
| 140:1 | Generates an event when the preprocessor is monitoring the maximum number of SIP sessions allowed by the system. |
| 140:2 | Generates an event when the required Request_URI field is empty in a SIP request. |
| 140:4 | Generates an event when the Call-ID header field is empty in a SIP request or response. |
| 140:6 | Generates an event when the value for the sequence number in the SIP request or response CSeq field is not a 32-bit unsigned integer less than 2^31. |
| 140:8 | Generates an event when the From header field is empty in a SIP request or response. |
| 140:10 | Generates an event when the To header field is empty in a SIP request or response. |
| 140:12 | Generates an event when the Via header field is empty in a SIP request or response. |
| 140:14 | Generates an event when the required Contact header field is empty in a SIP request or response. |
| 140:17 | Generates an event when a single SIP request or response packet in UDP traffic contains multiple messages. Note that older SIP versions supported multiple messages, but SIP 2.0 supports only one message per packet. |
| 140:18 | Generates an event when the actual length of the message body in a SIP request or response in UDP traffic does not match the value specified in the Content-Length header field in a SIP request or response. |
| 140:19 | Generates an event when the preprocessor does not recognize a method name in the CSeq field of a SIP response. |
| 140:20 | Generates an event when the SIP server does not challenge an authenticated invite message. Note that this occurs in the case of the InviteReplay billing attack. |
| 140:21 | Generates an event when session information changes before the call is set up. Note that this occurs in the case of the FakeBusy billing attack. |
| 140:22 | Generates an event when the response status code is not a three-digit number. |
| 140:23 | Generates an event when the Content-Type header field does not specify a content type and the message body contains data. |
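
The per-message conditions in Table 25-8 can be checked offline against test traffic to predict which rules should fire once they are enabled. The following Python is an added example, not code from this guide or from the SIP preprocessor. The function name `check_sip`, the reading of "empty" as "header present with a blank value", the compact-header normalization, and the sample messages are all assumptions made for illustration.

```python
import re

# Rules from Table 25-8 that fire on an empty header field (header name -> GID:SID).
EMPTY_HEADER_RULES = {"call-id": "140:4", "from": "140:8", "to": "140:10",
                      "via": "140:12", "contact": "140:14"}
# SIP compact header forms (RFC 3261), normalized to the long names used above.
COMPACT = {"i": "call-id", "f": "from", "t": "to", "v": "via",
           "m": "contact", "l": "content-length", "c": "content-type"}

def check_sip(payload: bytes) -> list[str]:
    """Return GID:SIDs from Table 25-8 whose condition holds for one UDP payload."""
    head, _, body = payload.partition(b"\r\n\r\n")
    start, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[COMPACT.get(name, name)] = value.strip()
    hits = []
    if start.startswith("SIP/"):
        # Response start line: SIP/2.0 <status> <reason>
        fields = start.split()
        if len(fields) < 2 or not re.fullmatch(r"[0-9]{3}", fields[1]):
            hits.append("140:22")
    elif len(start.split()) < 3:
        # Request start line: <method> <Request-URI> SIP/2.0, with the URI missing
        hits.append("140:2")
    hits += [sid for name, sid in EMPTY_HEADER_RULES.items() if headers.get(name) == ""]
    if "cseq" in headers:
        # The sequence number must be a decimal integer below 2**31.
        m = re.match(r"[0-9]{1,10}(?![0-9])", headers["cseq"])
        if m is None or int(m.group()) >= 2**31:
            hits.append("140:6")
    declared = headers.get("content-length", "")
    if re.fullmatch(r"[0-9]{1,10}", declared) and int(declared) != len(body):
        hits.append("140:18")
    if body and not headers.get("content-type"):
        hits.append("140:23")
    return hits

# Constructed sample messages (not captured traffic).
BAD_REQUEST = (b"INVITE  SIP/2.0\r\nVia: SIP/2.0/UDP pc1.example.com\r\n"
               b"From: <sip:alice@example.com>\r\nTo: <sip:bob@example.com>\r\n"
               b"i:\r\nCSeq: 4294967296 INVITE\r\nContent-Length: 10\r\n\r\nv=0\r\n")
BAD_RESPONSE = (b"SIP/2.0 20 OK\r\nVia: SIP/2.0/UDP pc1.example.com\r\n"
                b"Call-ID: a84b4c76e66710\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")
GOOD_REQUEST = (b"OPTIONS sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP pc1.example.com\r\n"
                b"Call-ID: a84b4c76e66710\r\nCSeq: 1 OPTIONS\r\nContent-Length: 0\r\n\r\n")
```

For the constructed samples, `check_sip(BAD_REQUEST)` returns 140:2, 140:4, 140:6, 140:18 and 140:23, `check_sip(BAD_RESPONSE)` returns 140:22, and `check_sip(GOOD_REQUEST)` returns an empty list. Rules that depend on session state or packet framing (140:1, 140:17, 140:20, 140:21) are outside what a single-message check can model.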