From d8dab117d607b73c5b992bbf335ebb99c10dd65e Mon Sep 17 00:00:00 2001
From: lazedo
Date: Wed, 27 Feb 2019 18:17:17 +0000
Subject: [PATCH] move sanity to own cfg file

---
 kamailio/default.cfg | 39 +++-------------------------
 kamailio/sanity.cfg | 62 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+), 36 deletions(-)
 create mode 100644 kamailio/sanity.cfg

diff --git a/kamailio/default.cfg b/kamailio/default.cfg
index 5e7cd3b..ab64e90 100644
--- a/kamailio/default.cfg
+++ b/kamailio/default.cfg
@@ -148,12 +148,6 @@ modparam("maxfwd", "max_limit", 50)
 ######## SIP utilities [requires sl] ########
 loadmodule "siputils.so"
 
-######## SIP message formatting sanity checks [requires sl] ########
-loadmodule "sanity.so"
-modparam("sanity", "default_checks", 1511)
-modparam("sanity", "uri_checks", 7)
-modparam("sanity", "autodrop", 0)
-
 ######## Text operations module ########
 loadmodule "textops.so"
 loadmodule "textopsx.so"
@@ -243,6 +237,9 @@ modparam("kazoo", "amqp_connection", "MY_AMQP_DENARY_URL")
 ###### kazoo bindings ######
 include_file "kazoo-bindings.cfg"
 
+## sanity ##
+include_file "sanity.cfg"
+
 ####### Role Configurations ##########
 #!ifdef AUTHORIZATION_ROLE
 include_file "authorization-role.cfg"
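Review bot: The new `include_file "sanity.cfg"` after the kazoo bindings moves `loadmodule "sanity.so"` well below the module-load section the first hunk removes it from, and sanity.cfg additionally issues `modparam("debugger", "mod_level", "sanity=-3")`, which Kamailio only accepts once `debugger.so` is already loaded. No `loadmodule "debugger.so"` is visible in this hunk, so please confirm it precedes line 237 of default.cfg; otherwise the config is rejected at startup, as far as I know. A comment on the include stating the dependency would help, e.g. `## sanity checks: loads sanity.so, expects sl and debugger loaded above`.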
@@ -403,36 +400,6 @@ route[CHECK_RETRANS]
 }
 }
 
-route[SANITY_CHECK]
-{
- ## CVE-2018-14767
- if($(hdr(To)[1]) != $null) {
- xlog("second To header not null - dropping message");
- drop;
- }
-
- if (!sanity_check()) {
- xlog("L_WARN", "$ci|end|message from $si:$sp is insane ($var(insane))\n");
- drop;
- }
-
- if (!mf_process_maxfwd_header("10")) {
- xlog("L_WARN", "$ci|end|too much hops, not enough barley from $si:$sp\n");
- send_reply("483", "Too Many Hops");
- exit;
- }
-
- if ($ua == "friendly-scanner" ||
- $ua == "sundayddr" ||
- $ua == "pplsip" ||
- $ua =~ "NiceGuy" ||
- $ua =~ "PortSIP" ||
- $ua =~ "sipcli" ) {
- xlog("L_WARN", "$ci|end|dropping message with user-agent $ua from $si:$sp\n");
- drop;
- }
-}
-
 route[CLASSIFY_SOURCE]
 {
 #!ifdef DISPATCHER_ROLE
diff --git a/kamailio/sanity.cfg b/kamailio/sanity.cfg
new file mode 100644
index 0000000..287b0ec
--- /dev/null
+++ b/kamailio/sanity.cfg
@@ -0,0 +1,62 @@
+
+#!trydef SANITY_CHECK_USE_PORT 1
+#!trydef SANITY_DROPS_REQUEST 1
+#!trydef SANITY_DEFAULT_CHECK 17895
+#!trydef SANITY_URI_CHECKS 7
+
+#!substdef "!SANITY_SUBST_CACHE_PERIOD!$def(SANITY_CACHE_PERIOD)!g"
+
+######## SIP message formatting sanity checks [requires sl] ########
+loadmodule "sanity.so"
+modparam("sanity", "default_checks", SANITY_DEFAULT_CHECK)
+modparam("sanity", "uri_checks", SANITY_URI_CHECKS)
+modparam("sanity", "autodrop", 0)
+modparam("sanity", "noreply", 1)
+
+modparam("debugger", "mod_level", "sanity=-3")
+
+kazoo.sanity_check_use_port = SANITY_CHECK_USE_PORT descr "should we keep track of ip and port for sanity failures"
+kazoo.sanity_drops_request = SANITY_DROPS_REQUEST descr "should we drop the request or send error on sanity failure"
+
+route[SANITY_CHECK]
+{
+ ## CVE-2018-14767
+ if($(hdr(To)[1]) != $null) {
+ xlog("second To header not null - dropping message");
+ drop;
+ }
+
+ $var(sanity_key) = "";
+ if($sel(cfg_get.kazoo.sanity_check_use_port) == 1) {
+ $var(sanity_key) = $_s("$si::$sp");
+ } else {
+ $var(sanity_key) = $_s("$si");
+ }
+
+ if (!sanity_check()) {
+ if($sel(cfg_get.kazoo.sanity_drops_request) == 1) {
+ xlog("L_WARN", "$ci|end|dropping insane message from $si:$sp\n");
+ drop;
+ } else {
+ xlog("L_WARN", "$ci|end|insane message from $si:$sp\n");
+ send_reply("400", "Bad Request");
+ exit;
+ }
+ }
+
+ if (!mf_process_maxfwd_header("10")) {
+ xlog("L_WARN", "$ci|end|too much hops, not enough barley from $si:$sp\n");
+ send_reply("483", "Too Many Hops");
+ exit;
+ }
+
+ if ($ua == "friendly-scanner" ||
+ $ua == "sundayddr" ||
+ $ua == "pplsip" ||
+ $ua =~ "NiceGuy" ||
+ $ua =~ "PortSIP" ||
+ $ua =~ "sipcli" ) {
+ xlog("L_WARN", "$ci|end|dropping message with user-agent $ua from $si:$sp\n");
+ drop;
+ }
+}
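Review bot: `$var(sanity_key)` is assembled from `$si`/`$sp` according to `kazoo.sanity_check_use_port`, but nothing in `route[SANITY_CHECK]` reads it afterwards, so that runtime option currently has no effect; likewise the `#!substdef` for `SANITY_SUBST_CACHE_PERIOD` expands a `SANITY_CACHE_PERIOD` define this file never sets and the result is never referenced. Both look like groundwork for a per-source failure counter; until that is wired in, either drop them or mark the gap, e.g. `## TODO: $var(sanity_key) is not consumed yet; intended as the key for a per-source sanity-failure counter`. With `sanity_drops_request` set to 0 the route replies 400 to `$si:$sp` for a message that has just failed `sanity_check()`, i.e. to a source address nothing has verified, so on internet-facing UDP listeners the default of 1 (drop) is the safer setting and the `descr` string should say so. The new `default_checks` mask 17895 is the old 1511 plus bit 16384; a comment listing which sanity-module checks the mask enables would spare the next reader a trip to the module docs.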