The brief overview is we have someone attempting to, I assume,
compromise phones in our VOIP system from an IP originating in the
Russian Federation. I have attempted to block their IP, the /24 range of
IPs, and the ports used, and I'm still seeing packets on...
It is both incoming and outgoing; I'm more concerned with the incoming,
as the outgoing are just unauthorized registration responses, so once
that is dealt with the outgoing will stop. In regard to match-vip, I
looked it up and none of my rules had it...
I was looking at the expectation sessions and found this one, which is
referencing the internal phone that they keep communicating with. In it
I noticed it was referring to traffic shapers, specifically the shaper
for our VOIP provider. Assuming that...
I think I already have rules set up like that, if I'm understanding
correctly. I made a couple because I was trying to test out how I needed
to create it; I realize in theory they should be redundant. I have run
rule set for inbound traffic, WAN1 -> ...
First off, I discovered that I can just use diag debug flow filter addr
46.17.42.136 rather than daddr and saddr, along with neglecting the line
"diag debug disable". Second, I was lucky enough to catch a fair amount
of traffic today, which will hopeful...
Well, it's back, or something similar at least; they use a different SIP
agent and it's from a different IP block, although from the same host
baxet.ru. They are still attempting to register a phone within our
network, the same one as before oddly enough, a...