OpenBSD as SIP trap
Jump to navigation
Jump to search
Below is a small python script that allows you to host a VOIP RBL on your own system.
#!/usr/bin/python # Created by: anexit @ 9/17/2019:1047 import binascii import sys import time import struct import socket import random import thread import unicodedata import logging from logging.handlers import TimedRotatingFileHandler from twisted.internet.protocol import Protocol, Factory, DatagramProtocol from twisted.internet import reactor #You need to specify your interface and name id. interface = '1.1.1.1' myid = 'sip' lastSIPPER = '' def logprint(x): now = time.time() t = time.strftime("%Y-%m-%d %H:%M:%S") + ("%1.4f" % (now - int(now)))[1:] + ": " logger.info(t + x) def logprint2(x): try: logger.info(x) except TypeError: pass class uFakeSIP(DatagramProtocol): def datagramReceived(self, data, (host, port)): global lastSIPPER global gi logprint('The attacking host at %s (%d/UDP) is trying to initiate a SIP connection...' % (host, port)) if(lastSIPPER != host): lastSIPPER = host #If you want to log SIP Data #logprint('SIP Data from: %s (%d/UDP):\n%s' % (host, port, data)) random.seed() logger = logging.getLogger('Rotating Log') logger.setLevel(logging.INFO) handler = TimedRotatingFileHandler('anexitsip.log', when='midnight', interval=1) logger.addHandler(handler) logprint('Starting up...') reactor.listenUDP(5060, uFakeSIP(), interface = interface) reactor.run() logprint('Shutting down...')
It will create a log file called anexitsip.log which will show you something like the following;
2019-09-17 13:27:47.1120: The attacking host at 80.211.251.174 (5075/UDP) is trying to initiate a SIP connection... 2019-09-17 13:34:20.1345: The attacking host at 77.247.110.99 (5088/UDP) is trying to initiate a SIP connection... 2019-09-17 13:43:12.0315: The attacking host at 77.247.108.218 (5076/UDP) is trying to initiate a SIP connection... 2019-09-17 13:52:26.3259: The attacking host at 183.2.202.41 (5071/UDP) is trying to initiate a SIP connection... 2019-09-17 14:05:31.0667: The attacking host at 77.247.108.204 (5356/UDP) is trying to initiate a SIP connection... 2019-09-17 14:34:48.1639: The attacking host at 77.247.110.214 (5062/UDP) is trying to initiate a SIP connection...
Since I use OpenBSD all I needed was the twisted python package (pkg_add py-twisted) From there you can parse the file and load it into PF.
Something like
grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" anexitsip.log | sort -u
should do the trick!