Hi
Can someone shed some light on the following (pfSense) PF log entries:
36. 281054 rule 80/0(match): block in on ng0: (tos 0x0, ttl 45, id 51305, offset 0, flags [DF], proto UDP (17), length 437) 124.92.251.2.5060 > 91.84.205.47.5060: SIP, length: 409
Sep 18 16:36:42 pf: From: "sipsscuser"<sip:1...@192.168.1.9>;
Sep 18 16:36:42 pf: Content-Length: 0
Sep 18 16:36:42 pf: Via: SIP/2.0/UDP
192.168.1.9:5060;branch=z9hG4bK-02932966;rport
Sep 18 16:36:42 pf: OPTIONS sip:1...@91.84.205.44 SIP/2.0
I've been experiencing a lot of problems when trying to log into online
banking and Googlemail and sometimes see private IP addresses between my
ADSL router and my ISP's gateway. Does anybody know if these log entries
may be associated with some malicious activities, as they were created
whilst I was unable to log into Googlemail earlier today?
I don't use VoIP and use a default deny firewall (i.e. both in and out)
policy. However, I'm using RST and DEST-UNR which may invite a botnet or
feeling-lucky-today script kid.
Resetting the PF state seems to alleviate the problem at least partially,
but even though PF logs that the packet was blocked it seems to be
causing problems. Is it some sort of ARP poisoning or UDP injection
which is stuffing the routing tables?
Can anyone offer any advice?
Thanks
Rhys
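As an added example (not part of the post), a small Python parser for the tcpdump-style pf log line quoted above; the sample is that entry re-joined onto one line. It pulls out the rule number, action, direction, interface, protocol, TTL, addresses and ports, and gives a plain-English reading: here an inbound UDP/5060 SIP request that pf dropped on ng0, which is what the default-deny policy is supposed to do with the SIP OPTIONS probes that scanners send to every reachable address.

```python
import re
from collections import namedtuple

# The pf log entry quoted in the post, re-joined onto one line (the mail
# client had wrapped it across three lines).
SAMPLE = ("rule 80/0(match): block in on ng0: (tos 0x0, ttl 45, id 51305, "
          "offset 0, flags [DF], proto UDP (17), length 437) "
          "124.92.251.2.5060 > 91.84.205.47.5060: SIP, length: 409")

# tcpdump-style pflog line: rule number, action, direction, interface, an
# IP-header summary in parentheses, then src.port > dst.port: payload summary.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<iface>\w+): "
    r"\((?P<iphdr>.*?)\) "          # non-greedy: the header itself contains "(17)"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<payload>.*)$")

PfLogEntry = namedtuple("PfLogEntry", "rule reason action direction iface "
                        "proto ttl src sport dst dport payload")

def parse_pflog(line: str) -> PfLogEntry:
    m = PFLOG_RE.search(line)
    if m is None:
        raise ValueError("not a tcpdump-style pflog line: %r" % line)
    hdr = m.group("iphdr")
    ttl = re.search(r"\bttl (\d+)", hdr)
    proto = re.search(r"\bproto (\w+)", hdr)
    return PfLogEntry(
        rule=int(m["rule"]), reason=m["reason"], action=m["action"],
        direction=m["direction"], iface=m["iface"],
        proto=proto.group(1) if proto else "?",
        ttl=int(ttl.group(1)) if ttl else -1,
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), payload=m["payload"])

def describe(e: PfLogEntry) -> str:
    # Plain-English reading: "block" means pf dropped the packet at the
    # interface, so nothing behind the firewall ever saw it.
    verdict = "dropped" if e.action == "block" else "passed"
    what = "SIP request" if e.payload.startswith("SIP") else e.proto + " packet"
    return "%s %s on %s from %s:%d to %s:%d, %s by rule %d" % (
        e.direction.upper(), what, e.iface, e.src, e.sport,
        e.dst, e.dport, verdict, e.rule)

if __name__ == "__main__":
    print(describe(parse_pflog(SAMPLE)))
```

The rule number can be matched against the ruleset listing from `pfctl -vvsr`, where each rule is printed with its `@N` index, to confirm which rule in the pfSense configuration produced the block.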