
Flowmon ADS User Guide

SIPSCAN - SIP Scans

  • Last Updated: April 5, 2026

Method description

This detection method detects devices that are scanning the SIP stations in the monitored network segment. The typical purpose of this attack is to find available VoIP services that can be used for malicious outbound phone calls. The Threshold parameter sets the minimum number of accesses with the relevant SIP message types (Register, Options, Invite).

This method consists of the following submethods:

  • Register: Reports scanning of the devices used for VoIP. The detection uses the Register messages of the SIP protocol.

  • Options: Reports scanning of the devices used for VoIP. The detection uses the Options messages of the SIP protocol.

  • Invite: Reports scanning of the devices used for VoIP. The detection uses the Invite messages of the SIP protocol.

Method configuration

It is recommended to apply this method to all IP addresses of SIP devices in the monitored network segment. The right place for traffic monitoring is the Internet connection line. This detection method must be activated in combination with a Data feed that has SIP processing activated.

Method parameters

  • Threshold: The minimum number of accesses.

Assigned filter

The filter restricts the destination IP addresses.

Interpretation of results

The scanning attacker is trying to detect either SIP PBXs and gateways or active SIP addresses. Detecting PBXs and gateways is a horizontal scan, seen especially with Register and Options scans; the information can be misused, for example, for eavesdropping. Detecting active SIP addresses is a vertical scan, seen especially with Invite scans; the information can be misused for telephone spam.
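
The per-source counting that the Threshold parameter, the assigned filter and the horizontal/vertical interpretation describe, as an added Python example that is not Flowmon's implementation. The record layout, the sample flows, the function name and the rule used to tell horizontal from vertical are all assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

SUBMETHODS = {"REGISTER", "OPTIONS", "INVITE"}

# Constructed sample records: (source IP, destination IP, SIP method, called SIP address).
FLOWS = (
    # One source sends OPTIONS to six different hosts in the monitored segment.
    [("198.51.100.7", f"192.0.2.{n}", "OPTIONS", f"sip:100@192.0.2.{n}") for n in range(1, 7)]
    # The same source also touches a host outside the assigned filter.
    + [("198.51.100.7", "10.0.0.1", "OPTIONS", "sip:100@10.0.0.1")]
    # Another source sends INVITE to six extensions on a single PBX.
    + [("198.51.100.9", "192.0.2.10", "INVITE", f"sip:{ext}@192.0.2.10") for ext in range(1000, 1006)]
    # A phone registering twice stays below the threshold.
    + [("203.0.113.5", "192.0.2.10", "REGISTER", "sip:2001@192.0.2.10")] * 2
)


def detect_sip_scans(flows, threshold, dst_filter):
    """Return (source, submethod, accesses, orientation) for each source at or above threshold."""
    monitored = ip_network(dst_filter)
    seen = defaultdict(lambda: {"count": 0, "hosts": set(), "addresses": set()})
    for src, dst, method, called in flows:
        method = method.upper()
        # The assigned filter restricts destination addresses; other SIP methods are ignored.
        if method not in SUBMETHODS or ip_address(dst) not in monitored:
            continue
        stats = seen[(src, method)]
        stats["count"] += 1
        stats["hosts"].add(dst)
        stats["addresses"].add(called)
    events = []
    for (src, method), stats in sorted(seen.items()):
        if stats["count"] < threshold:
            continue
        # Assumption: more called addresses than hosts means probing addresses on
        # few hosts (vertical); otherwise the scan spreads across hosts (horizontal).
        vertical = len(stats["addresses"]) > len(stats["hosts"])
        events.append((src, method, stats["count"], "vertical" if vertical else "horizontal"))
    return events


if __name__ == "__main__":
    for event in detect_sip_scans(FLOWS, threshold=5, dst_filter="192.0.2.0/24"):
        print(event)
```

Lowering the threshold makes ordinary repeated registrations appear as events, which is why the value should sit above the normal per-device access count on the monitored line.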
