[Bro-Dev] [JIRA] (BIT-1458) Lots of binpac exceptions in SIP

Gary Faulkner (JIRA) jira at bro-tracker.atlassian.net
Wed Aug 19 11:52:00 PDT 2015

    [ https://bro-tracker.atlassian.net/browse/BIT-1458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21704#comment-21704 ] 

Gary Faulkner commented on BIT-1458:

PCAP of SIP scanning activity that seems to be triggering these is attached.

> Lots of binpac exceptions in SIP
> --------------------------------
>                 Key: BIT-1458
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1458
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BinPAC
>    Affects Versions: 2.4
>         Environment: Linux 3.19, Ubuntu 14.04 LTS, Asterisk for VOIP, plain SIP plus RDP no encryption
>            Reporter: Michal Purzynski
>         Attachments: badsip-19AUG2015_anon.pcapng
> There are quite a few binpac exceptions in dpd.log on office sensors that can see SIP traffic. The log message is always the same (I think).
> 1439957552.911869	ChGboH2ZriUae63ufg	5089	5060	udp	SIP	Binpac exception: binpac exception: string mismatch at /home/mpurzynski/src/bro/bro-2.4-pfring/src/analyzer/protocol/sip/sip-protocol.pac:70: \x0aexpected pattern: ":"\x0aactual data: " 496704993 2096249773 IN IP4\x0d\x0as=sipcli\x0d\x0ac=IN IP4\x0d\x0at=0 0\x0d\x0am=audio 5097 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101 0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0 PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101 telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"
> What kind of data do you want me to attach, to help debugging the issue?

This message was sent by Atlassian JIRA
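
One way to triage dpd.log entries like the one quoted above, as an added example that is not part of the original message or of the Bro code base: it groups binpac string-mismatch exceptions by analyzer, .pac source location and expected pattern, and pulls the SDP `s=` session name out of the unparsed data. The sample line is constructed from the quoted log line (actual data shortened), and the function names are hypothetical.

```python
import os
import re
from collections import Counter

# Constructed sample: the dpd.log line quoted in the report, with the
# "actual data" shortened. Fields are tab-separated; the reason is last.
SAMPLE = (
    "1439957552.911869\tChGboH2ZriUae63ufg\t5089\t5060\tudp\tSIP\t"
    "Binpac exception: binpac exception: string mismatch at "
    "/home/mpurzynski/src/bro/bro-2.4-pfring/src/analyzer/protocol/sip/sip-protocol.pac:70: "
    r'\x0aexpected pattern: ":"\x0aactual data: " 496704993 2096249773 IN IP4'
    r'\x0d\x0as=sipcli\x0d\x0ac=IN IP4\x0d\x0at=0 0\x0d\x0a"'
)

REASON = re.compile(
    r'string mismatch at (?P<src>\S+?):(?P<line>\d+): '
    r'\\x0aexpected pattern: "(?P<expected>.*?)"\\x0aactual data: "(?P<actual>.*)"$'
)

def unescape(text):
    """Turn the log's literal \\xNN escapes back into characters."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def parse_dpd_line(line):
    """Return analyzer, .pac location, expected pattern and SDP s= name."""
    fields = line.rstrip("\n").split("\t")
    if line.startswith("#") or len(fields) < 3:
        return None  # header line or not a log record
    m = REASON.search(fields[-1])
    if m is None:
        return None  # some other failure reason
    # Lines of the form "x=value" in the unparsed data are SDP fields.
    sdp = dict(l.split("=", 1) for l in unescape(m["actual"]).splitlines()
               if re.match(r"[a-z]=", l))
    return {
        "analyzer": fields[-2],
        "location": f"{os.path.basename(m['src'])}:{m['line']}",
        "expected": m["expected"],
        "sdp_session": sdp.get("s"),
    }

def summarize(lines):
    """Count exceptions per (analyzer, location, expected, sdp_session)."""
    counts = Counter()
    for rec in filter(None, map(parse_dpd_line, lines)):
        counts[(rec["analyzer"], rec["location"], rec["expected"], rec["sdp_session"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize([SAMPLE]).most_common():
        print(n, *key)
```

A single dominant key in the summary matches the reporter's impression that the message is always the same, and the `s=` value helps tie the failures to one client.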
