Cisco Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
898
Using Application Layer Preprocessors
Chapter 23
7. Optionally, click Configure Rules for Sun RPC Configuration at the top of the page
to display rules associated with individual options.
Click Back to return to the Sun RPC Configuration page.
8. Save your policy, continue editing, discard your changes, revert to the default
configuration settings in the base policy, or exit while leaving your changes in
the system cache. See the
page 722 for more information.
Decoding the Session Initiation Protocol
LICENSE: Protection
The Session Initiation Protocol (SIP) provides call setup, modification, and
teardown of one or more sessions for one or more users of such client
applications as Internet telephony, multimedia conferencing, instant messaging,
online gaming, and file transfer. A method field in each SIP request identifies the
purpose of the request, and a Request-URI specifies where to send the request.
A status code in each SIP response indicates the outcome of the requested
action.
After calls are set up using SIP, the Real-time Transport Protocol (RTP) is
responsible for subsequent audio and video communication; this part of the
session is sometimes referred to as the call channel, the data channel, or the
audio/video data channel. RTP uses the Session Description Protocol (SDP) within
the SIP message body for data-channel parameter negotiation, session
announcement, and session invitation.
The SIP preprocessor is responsible for:
• decoding and analyzing SIP 2.0 traffic
• extracting the SIP header and message body, including SDP data when
  present, and passing the extracted data to the rules engine for further
  inspection
• generating events when the following conditions are detected and the
  corresponding preprocessor rules are enabled: anomalies and known
  vulnerabilities in SIP packets; out-of-order and invalid call sequences
• optionally ignoring the call channel
The preprocessor identifies the RTP channel based on the port identified in the
SDP message, which is embedded in the SIP message body, but the
preprocessor does not provide RTP protocol inspection.
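The decoding steps described above (method and Request-URI or status code from the start line, then the media ports from the SDP body that identify the RTP channel) can be sketched as follows. This is an added example, not Sourcefire or Cisco code; the function name `parse_sip`, the regular expressions, and the sample message are assumptions constructed for illustration.

```python
import re

# Constructed sample INVITE; addresses, tags and ports are made up.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.org>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)

REQUEST = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")       # method, Request-URI
STATUS = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")          # status code, reason
MEDIA = re.compile(r"^m=(\w+) (\d+)(?:/\d+)? (\S+)")     # SDP media line

def parse_sip(raw):
    """Split a SIP 2.0 message into start line, headers and SDP media ports."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    msg = {"headers": {}, "media": []}
    req, resp = REQUEST.match(lines[0]), STATUS.match(lines[0])
    if req:
        msg.update(kind="request", method=req.group(1), request_uri=req.group(2))
    elif resp:
        msg.update(kind="response", status=int(resp.group(1)), reason=resp.group(2))
    else:
        raise ValueError("not a SIP 2.0 start line: %r" % lines[0])
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header: %r" % line)
        msg["headers"][name.strip().lower()] = value.strip()
    # Only treat the body as SDP when the Content-Type header says so.
    if msg["headers"].get("content-type", "").lower().startswith("application/sdp"):
        for line in body.split("\r\n"):
            m = MEDIA.match(line)
            if m:  # (media type, RTP port, transport) identifies the call channel
                msg["media"].append((m.group(1), int(m.group(2)), m.group(3)))
    return msg
```

The sketch does not handle folded (multi-line) headers or compact header names; a start line or header that does not parse raises `ValueError`, which is the kind of anomaly the preprocessor rules are meant to flag.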