Install ngrep and run: ngrep -q -t -P "" -W byline -d ng0 SIP
That should show the SIP packets in a more friendly format.

On Sat, Sep 18, 2010 at 10:29 PM, packetfilte...@gmail.com <packetfilte...@gmail.com> wrote:
> Hi
>
> Can someone shed some light on the following (pfSense) PF log entries;
>
>
> 36. 281054 rule 80/0(match): block in on ng0: (tos 0x0, ttl 45, id 51305,
> offset 0, flags [DF], proto UDP (17), length 437) 124.92.251.2.5060 >
> 91.84.205.47.5060: SIP, length: 409
>
>
> OPTI\200\242\224LL\223\006\000`\000\000\000p\000\000\000\024\000\000\000=\002\001\000ng0\000\000\000\000\000\000\000\000\000\000\000\
>
> 000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000P\377\377\377\377\377\377\377\377\240\206\001\000\000\000\
> 000\000\306\320\000\000\001\000\000\000E\000\0000\330i@
> \000q\006\201\271\274\201\312\242[T\315,\012\360\001\275e\267\010\177\000\000\000\000{
>
> \242\224Lfv\002\000`\000\000\000t\000\000\000\024\000\000\000=\002\000\000fxp0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\00
>
> 0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000h\377\377\377\377\377\377\377\377\240\206\001\000\000\000\000\000\306\320\000\00
> 0\001\000\000\000E\000\0004\342;@
> \000?\006=\314\012\261\301RBf\015S9,\001\273\327\020\370\272\000\000\000\000{\242\224L>\202\002\000`\000\000
>
> \000t\000\000\000\024\000\000\000=\002\000\000fxp0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\00
>
> 0\000\000\000\000\000\000\000\000h\377\377\377\377\377\377\377\377\240\206\001\000\000\000\000\000\306\320\000\000\001\000\000\000E\000\0004\
> 031q@
> \000?\006\006\227\012\261\301RBf\015S9-\001\273\327\024;\305\000\000\000\000{\242\224L\343\323\003\000`\000\000\000t\000\000\000\024\000
>
> \000\000=\002\000\000fxp0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000
> 0x0000: 4f50 5449
>
>
>
> Sep 18 16:36:42 pf: From:
> "sipsscuser"<sip:1...@192.168.1.9>;
> t\000\000\000\000\200\002\301\350\006\226\000\000\002\004\005\254\001\00
>
> 3\003\000\001\001\004\002t\000\000\000\024\000\000\000=\002\000\000fxp0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\0
>
> 00\000\000\000\000\000\000\000\000\000\000\000\000\000h\377\377\377\377\377\377\377\377\240\206\001\000\000\000\000\000}\025\000\000\001\000\
> 000\000E\000\0004\031\023@
> \000?\006\204\207\012\261\301R\255\302$d5\214\000P\013SL\352\000\000\000\000\200\002\301\350\200\364\000\000\002\00
>
> 4\005\254\001\003\003\000\001\001\004\002\024\000\005\000=\002\000\000fxp0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\00
>
> 0\000\000\000\000\000\000\000\000\000\000\000\000\000\000m\377\377\377\377\377\377\377\377\240\206\001\000\000\000\000\000}\025\000\000\001\0
> 00\000\000e\000\0004\304\...@\000?\006
> \276\012\261\301R\331\222\260\3515\207\003\343\012\005h\275\000
> Sep 18 16:36:42 pf: Content-Length: 0
> Sep 18 16:36:42 pf: Via: SIP/2.0/UDP 192.168.1.9:5060
> ;branch=z9hG4bK-02932966;rport
> Sep 18 16:36:42 pf: OPTIONS
> sip:1...@91.84.205.44 SIP/2.0
>
>
>
> I've been experiencing a lot of problems when trying to log into online
> banking and Googlemail and sometimes see private IP addresses between my ADSL
> router and my ISP's gateway. Does anybody know if these log entries may be
> associated with some malicious activities, as they were created whilst I was
> unable to log into Googlemail earlier today?
>
> I don't use VoIP and use a default deny firewall (i.e. both in and out)
> policy. However I'm using RST and DEST-UNR which may invite a botnet or
> feeling lucky today script kid.
>
> Resetting the PF state seems to alleviate the problem at least partially,
> but even though PF logs that the packet was blocked it seems to be causing
> problems. Is it some sort of ARP poisoning or UDP injection which is
> stuffing the routing tables?
>
> Can anyone offer any advice?
>
> Thanks
>
> Rhys
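As an added example (not code from this thread, from pfSense or from ngrep), the following Python does for the quoted log what the ngrep suggestion aims at: it turns the pf verbose line and a SIP OPTIONS request into named fields and lists what a firewall admin would want to know about the packet. The pf line is the one quoted above; the SIP message is constructed from the headers visible in the log, with a placeholder user part in the URIs because the log elides it, and constructed To/Call-ID/CSeq headers that SIP requires but the log does not show.

```python
"""Decode a pf (pfSense) block-log line and a SIP request into fields.
Added example with constructed sample input; not code from the thread."""
import ipaddress
import re
from dataclasses import dataclass, field

# Textual part of a pf verbose log line, e.g.
# "rule 80/0(match): block in on ng0: (tos 0x0, ttl 45, ..., proto UDP (17),
#  length 437) 124.92.251.2.5060 > 91.84.205.47.5060: SIP, length: 409"
PF_LINE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<kind>\w+)\): (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<iface>\w+): \(.*?ttl (?P<ttl>\d+).*?"
    r"proto (?P<proto>\w+) \(\d+\), length (?P<len>\d+)\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<app>\w+)"
)

def parse_pf_line(line: str) -> dict:
    """Return the rule, action, interface, addresses and ports of a pf line."""
    m = PF_LINE.search(line)
    if not m:
        raise ValueError("not a pf verbose log line")
    d = m.groupdict()
    for k in ("rule", "ttl", "len", "sport", "dport"):
        d[k] = int(d[k])
    return d

@dataclass
class SipRequest:
    method: str
    uri: str
    version: str
    headers: dict = field(default_factory=dict)  # lowercase name -> value

# RFC 3261 compact header forms, expanded so lookups use one name.
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "l": "content-length"}

def parse_sip_request(raw: bytes) -> SipRequest:
    """Parse the request line and headers of a SIP request; the body is ignored."""
    head = raw.decode("ascii", errors="replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        raise ValueError("not a SIP request line")
    req = SipRequest(*parts)
    for h in lines[1:]:
        name, _, value = h.partition(":")
        name = name.strip().lower()
        req.headers[COMPACT.get(name, name)] = value.strip()
    return req

def via_host(via: str) -> str:
    """Return the sent-by host from a Via value such as 'SIP/2.0/UDP 10.0.0.1:5060;branch=...'."""
    sent_by = via.split(None, 1)[1].split(";", 1)[0]
    return sent_by.rsplit(":", 1)[0] if ":" in sent_by else sent_by

def describe(pf: dict, sip: SipRequest) -> str:
    """One-line summary in the spirit of ngrep's byline output."""
    return (f"{pf['action']} {pf['dir']} on {pf['iface']}: "
            f"{pf['src']}:{pf['sport']} -> {pf['dst']}:{pf['dport']} "
            f"SIP {sip.method} {sip.uri} from={sip.headers.get('from', '')}")

def assess(pf: dict, sip: SipRequest) -> list:
    """Observations about the packet from the firewall's point of view."""
    notes = []
    if sip.method == "OPTIONS":
        notes.append("OPTIONS request: a liveness/capability probe, not a call setup")
    src = ipaddress.ip_address(pf["src"])
    try:
        via_ip = ipaddress.ip_address(via_host(sip.headers.get("via", "")))
    except (ValueError, IndexError):
        via_ip = None
    if via_ip is not None and via_ip.is_private and not src.is_private:
        notes.append(f"Via advertises private host {via_ip} but the packet came from "
                     f"public {src}: the sender sits behind NAT, so the Via address "
                     "says nothing about your own LAN")
    if pf["action"] == "block":
        notes.append(f"blocked by rule {pf['rule']} on {pf['iface']}: no state was "
                     "created and the packet never reached the inside")
    return notes

# Sample pf line as quoted in the thread (joined onto one line).
SAMPLE_PF_LINE = (
    "rule 80/0(match): block in on ng0: (tos 0x0, ttl 45, id 51305, offset 0, "
    "flags [DF], proto UDP (17), length 437) 124.92.251.2.5060 > "
    "91.84.205.47.5060: SIP, length: 409"
)
# Constructed SIP payload modelled on the headers visible in the log; the user
# part of the URIs and the To/Call-ID/CSeq values are placeholders.
SAMPLE_SIP = (
    b"OPTIONS sip:user@91.84.205.44 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.168.1.9:5060;branch=z9hG4bK-02932966;rport\r\n"
    b"From: \"sipsscuser\"<sip:user@192.168.1.9>\r\n"
    b"To: <sip:user@91.84.205.44>\r\n"
    b"Call-ID: constructed-call-id\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    pf = parse_pf_line(SAMPLE_PF_LINE)
    sip = parse_sip_request(SAMPLE_SIP)
    print(describe(pf, sip))
    for note in assess(pf, sip):
        print(" -", note)
```

The parser only reads the textual head of the datagram; the octal-escaped bytes in the quoted log are pf's hex/ASCII dump of the whole packet, which ngrep with -W byline would already have rendered as the header lines shown near the end of the log.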