SIPPROXY - SIP Proxy
- Last Updated: May 1, 2026
- Flowmon Products
- Flowmon Anomaly Detection System
- Documentation
Method description
This method uses knowledge of individual SIP URIs to detect SIP proxy servers (IP addresses used for SIP communication from distinct SIP URIs). You can set a training period for the method (ClosedSeason parameter); no events are generated by this detection method during the training period. The second option is the time period for which inactive devices are stored in the classifier (TimeToDeath parameter). If a new proxy server appears in the monitored network after this time period, an event is generated.
If the filter is assigned, only the devices outside the range of these IP addresses are detected.
This method consists of the following submethod:
- General: Reports possible Man-in-the-middle attacks affecting the devices used for VoIP.
Method configuration
It is recommended to apply this method for all IP addresses of SIP devices in the monitored network segment. The right place for traffic monitoring is the Internet connection line. This detection method also requires a SIP data feed with specific flow fields (see the Data Feeds page for more information).
Method parameters
- ClosedSeason: Number of days intended for training the classifier on the monitored network. No events are reported during this time.
- TimeToDeath: Number of days for which an inactive SIP gateway (or proxy) is stored in the classifier.
Assigned filter
The method processes all SIP traffic. If both the source and destination IP addresses are in the filter, then the communication is excluded from detection. The remaining flows are processed.
Interpretation of results
The device indicated as the SIP proxy (the event source) transmits SIP traffic for callers with distinct SIP URIs. This device can be used to wiretap the forwarded communication (a man-in-the-middle attack) or to steal login credentials.
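To make the interaction of ClosedSeason, TimeToDeath and the assigned filter concrete, here is a small model of the logic described on this page; it is an added example, not Flowmon's implementation. The flow tuple layout, the two-URI threshold (`min_uris`), treating the flow source as the candidate proxy, and all sample addresses and URIs are assumptions.

```python
from datetime import datetime, timedelta

class SipProxyClassifier:
    """Sketch of the described logic; an assumption, not Flowmon's code."""
    def __init__(self, start, closed_season, time_to_death, filter_ips=(), min_uris=2):
        self.training_end = start + timedelta(days=closed_season)
        self.ttl = timedelta(days=time_to_death)
        self.filter_ips = set(filter_ips)
        self.min_uris = min_uris  # assumed threshold for "distinct SIP URIs"
        self.devices = {}         # ip -> {"uris": set, "last": ts, "proxy": bool}

    def process(self, ts, src_ip, dst_ip, from_uri):
        # Assigned filter: a flow is excluded only if both ends are in the filter.
        if src_ip in self.filter_ips and dst_ip in self.filter_ips:
            return None
        # TimeToDeath: forget devices that have been inactive for too long.
        for ip in [i for i, d in self.devices.items() if ts - d["last"] > self.ttl]:
            del self.devices[ip]
        dev = self.devices.setdefault(src_ip, {"uris": set(), "proxy": False})
        dev["last"] = ts
        dev["uris"].add(from_uri)
        if dev["proxy"] or len(dev["uris"]) < self.min_uris:
            return None
        dev["proxy"] = True
        # ClosedSeason: proxies seen during training are learned without an event.
        if ts < self.training_end:
            return None
        return {"time": ts, "source": src_ip, "uris": sorted(dev["uris"])}

START = datetime(2026, 1, 1)
def day(n): return START + timedelta(days=n)
# Constructed sample flows: (time, source IP, destination IP, caller SIP URI)
SAMPLE_FLOWS = [
    (day(1), "10.0.0.5", "198.51.100.10", "sip:alice@example.com"),
    (day(1), "10.0.0.5", "198.51.100.10", "sip:bob@example.com"),
    (day(10), "10.0.0.9", "198.51.100.10", "sip:alice@example.com"),
    (day(10), "10.0.0.9", "198.51.100.10", "sip:bob@example.com"),
    (day(11), "10.0.0.20", "10.0.0.21", "sip:dave@example.com"),
    (day(11), "10.0.0.20", "10.0.0.21", "sip:erin@example.com"),
    (day(30), "10.0.0.5", "198.51.100.10", "sip:alice@example.com"),
    (day(30), "10.0.0.5", "198.51.100.10", "sip:bob@example.com"),
]

def detect(flows):
    clf = SipProxyClassifier(START, closed_season=7, time_to_death=14,
                             filter_ips={"10.0.0.20", "10.0.0.21"})
    return [e for f in flows if (e := clf.process(*f))]

if __name__ == "__main__":
    print([(e["time"].date().isoformat(), e["source"]) for e in detect(SAMPLE_FLOWS)])
```

In this model, 10.0.0.5 is learned silently during training, 10.0.0.9 raises an event on day 10, and 10.0.0.5 raises one on day 30 because it was dropped from the classifier after more than 14 inactive days.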