{"id":11136,"date":"2020-09-04T11:24:22","date_gmt":"2020-09-04T09:24:22","guid":{"rendered":"https:\/\/www.boc.de\/watchguard-info-portal\/?p=11136"},"modified":"2020-09-18T12:59:35","modified_gmt":"2020-09-18T10:59:35","slug":"swyxit-ips-false-positive","status":"publish","type":"post","link":"https:\/\/wordpress.boc.de\/watchguard-info-portal\/2020\/09\/swyxit-ips-false-positive\/","title":{"rendered":"Swyxit! IPS false positive"},"content":{"rendered":"
Setup:<\/h6>\n

SwyxIt!-Softphone greift auf Swyx-TK-Anlage via BOVPN-Tunnel zu.<\/p>\n

Symptom:<\/h6>\n

Swyxit Softphone Client zeigt keinen Status nach Login.<\/p>\n

Beobachtung:<\/h6>\n

auf der Firewall sind folgende Log-Eintr\u00e4ge zu sehen:<\/p>\n

\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
2020-09-07 10:14:<\/span>43 Deny 10.xxx.xxx.xxx 10.xxx.yyy.zzz sip\/udp 5070 5060 [...] IPS detected<\/strong> [...] proc_id=\"firewall\" rc=\"301\" msg_id=\"3000-0150\" \r\nsrc_ip_nat=\"10.xxx.xxx.xxx\" signature_name=\"SIP Digium Asterisk SIP CSeq Heap Buffer Overflow (CVE-2017-937\" \r\n<\/strong>signature_cat=\"Buffer Over Flow\" signature_id=\"1133858\" severity=\"4\"<\/strong> [...]<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n
\n
\n
\n
\n
\n
Scheinbar triggert der Swyx-Client hier beim Verbindungsaufbau zur Swyx-TK-Anlage gelegentlich das IPS.<\/p>\n<\/div>\n
Abhilfe:<\/h6>\n<\/div>\n<\/div>\n<\/div>\n