Configuring SIP Message Policy Rules

The Message Policies table lets you configure up to 20 SIP Message Policy rules. SIP Message Policy rules are used to block (blacklist) unwanted incoming SIP messages or permit (whitelist) receipt of desired SIP messages. You can configure legal and illegal characteristics of SIP messages. This feature is helpful against VoIP fuzzing (also known as robustness testing), which sends different types of packets to its "victims" for finding bugs and vulnerabilities. For example, the attacker might try sending a SIP message containing either an oversized parameter or too many occurrences of a parameter.

You can also enable the Message Policy to protect the device against incoming SIP messages with malicious signature patterns, which identify specific scanning tools used by attackers to search for SIP servers in a network. To configure Malicious Signatures, see Configuring Malicious Signatures.

Each Message Policy rule can be configured with the following:

Maximum message length
Maximum header length
Maximum message body length
Maximum number of headers
Maximum number of bodies
Option to send 400 "Bad Request" response if message request is rejected
Blacklist and whitelist for defined methods (e.g., INVITE)
Blacklist and whitelist for defined bodies
Malicious Signatures

The Message Policies table provides a default Message Policy called "Malicious Signature DB Protection" (Index 0), which is based only on Malicious Signatures and discards SIP messages identified with any of the signature patterns configured in the Malicious Signature table.

To apply a SIP Message Policy rule to calls, you need to assign it to the SIP Interface associated with the relevant IP Group (see Configuring SIP Interfaces).

The following procedure describes how to configure Message Policy rules through the Web interface. You can also configure it through ini file [MessagePolicy] or CLI (configure voip > message message-policy).

To configure SIP Message Policy rules:
1. Open the Message Policies table (Setup menu > Signaling & Media tab > Message Manipulation folder > Message Policies).
2. Click New; the following dialog box appears:

3. Configure a Message Policy rule according to the parameters described in the table below.
4. Click Apply.

Message Policies Table Parameter Descriptions

Parameter

Description
General

'Index'

[MessagePolicy_Index]

Defines an index number for the new table row.

Note: Each row must be configured with a unique index.

'Name'

name

[MessagePolicy_Name]

Defines a descriptive name, which is used when associating the row in other tables.

The valid value is a string of up to 40 characters.

Note:

Each row must be configured with a unique name.
The parameter value cannot contain a forward slash (/).

Limits

 

'Max Message Length'

max-message-length

[MessagePolicy_MaxMessageLength]

Defines the maximum SIP message length.

The valid value is up to 32,768 characters. The default is 32,768.

'Max Header Length'

max-header-length

[MessagePolicy_MaxHeaderLength]

Defines the maximum SIP header length.

The valid value is up to 512 characters. The default is 512.

'Max Body Length'

max-body-length

[MessagePolicy_MaxBodyLength]

Defines the maximum SIP message body length. This is the value of the Content-Length header.

The valid value is up to 1,024 characters. The default is 1,024.

'Max Num Headers'

max-num-headers

[MessagePolicy_MaxNumHeaders]

Defines the maximum number of SIP headers.

The valid value is any number up to 32. The default is 32.

Note: The device supports up to 20 SIP Record-Route headers that can be received in a SIP INVITE request or a 200 OK response. If it receives more than this, it responds with a SIP 513 'Message Too Large' response.

'Max Num Bodies'

max-num-bodies

[MessagePolicy_MaxNumBodies]

Defines the maximum number of bodies (e.g., SDP) in the SIP message.

The valid value is any number up to 8. The default is 8.

Policies

 

'Send Rejection'

send-rejection

[MessagePolicy_SendRejection]

Defines whether the device sends a SIP response if it rejects a message request due to the Message Policy. The default response code is SIP 400 "Bad Request". To configure a different response code, use the MessagePolicyRejectResponseType parameter.

[0] Policy Reject = (Default) The device discards the message and sends a SIP response to reject the request.
[1] Policy Drop = The device discards the message without sending any response.

SIP Method Blacklist-Whitelist Policy

'Method List'

method-list

[MessagePolicy_MethodList]

Defines SIP methods (e.g., INVITE\BYE) to blacklist or whitelist.

Multiple methods are separated by a backslash (\). The method values are case-insensitive.

'Method List Type'

method-list-type

[MessagePolicy_MethodListType]

Defines the policy (blacklist or whitelist) for the SIP methods specified in the 'Method List' parameter (above).

[0] Policy Blacklist = The specified methods are rejected.
[1] Policy Whitelist = (Default) Only the specified methods are allowed; the others are rejected.

SIP Body Blacklist-Whitelist Policy

'Body List'

body-list

[MessagePolicy_BodyList]

Defines the SIP body type (i.e., value of the Content-Type header) to blacklist or whitelist. For example, application/sdp.

The values of the parameter are case-sensitive.

'Body List Type'

body-list-type

[MessagePolicy_BodyListType]

Defines the policy (blacklist or whitelist) for the SIP body specified in the 'Body List' parameter (above).

[0] Policy Blacklist =The specified SIP body is rejected.
[1] Policy Whitelist = (Default) Only the specified SIP body is allowed; the others are rejected.

Malicious Signature

'Malicious Signature Database'

signature-db-enable

[MessagePolicy_UseMaliciousSignatureDB]

Enables the use of the Malicious Signature database (signature-based detection).

[0] Disable (default)
[1] Enable

To configure Malicious Signatures, see Configuring Malicious Signatures.

Note: The parameter is applicable only to the SBC application.