Scanning MSRP traffic
An MSRP (Message Session Relay Protocol) decoder in the IPS engine scans the application data carried in MSRP messages against IPS signatures, so a malicious payload in a text message can be blocked. Two things must be referenced in the firewall policy for this to work: a VoIP profile that uses flow inspection mode (set feature-set flow) with MSRP enabled, which turns on the decoder, and an IPS profile, which supplies the signatures the payload is inspected against. The VoIP profile alone only enforces the MSRP options below (such as the maximum message size).

```
config voip profile
    edit <name>
        set feature-set flow
        config msrp
            set status {enable | disable}
            set log-violations {enable | disable}
            set max-msg-size <integer>
            set max-msg-size-action {pass | block | reset | monitor}
        end
    next
end
```
| Option | Description |
| --- | --- |
| status {enable \| disable} | Enable/disable MSRP decoding. |
| log-violations {enable \| disable} | Enable/disable logging of MSRP violations. |
| max-msg-size <integer> | Maximum allowable MSRP message size, in bytes (0 - 65535, default = 0). |
| max-msg-size-action {pass \| block \| reset \| monitor} | Action to take when a message exceeds the maximum MSRP message size. |
Examples
In this first example, MSRP messages larger than 10 bytes are blocked. The client sends an oversized MSRP message to the server. GL's Message Automation & Protocol Simulation (MAPS™) is used, with a client-server model configured to send MSRP traffic from vlan843 (client) to vlan844 (server) and plain text in the message field. The software sends the content of the MsrpInputMessage.txt file in its default folder as the MSRP message body, so whatever that file contains goes out over MSRP. The following text is used:
GL's Message Automation & Protocol Simulation (MAPSTM) is a protocol simulation and conformance test tool that supports a variety of protocols such as SIP, MEGACO, MGCP, SS7, ISDN, GSM, MAP, CAS, LTE, UMTS, SS7 SIGTRAN, ISDN SIGTRAN, SIP I, GSM AoIP, Diameter and others. This message automation tool covers solutions for both protocol simulation and protocol analysis. The application includes various test plans and test cases to support the testing of real-time entities. Along with automation capability, the application gives users the unlimited ability to edit messages and control scenarios (message sequences).
To configure MSRP traffic scanning:
- Configure the VoIP profile:
```
config voip profile
    edit msrp_test
        set feature-set flow
        config msrp
            set status enable
            set log-violations enable
            set max-msg-size 10
            set max-msg-size-action block
        end
    next
end
```
- Configure the firewall policy:
```
config firewall policy
    edit 1
        set name "vdom3"
        set srcintf "vlan843"
        set dstintf "vlan844"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set voip-profile "msrp_test"
        set logtraffic all
    next
end
```
- Verify the log:
```
# execute log filter category 4
# execute log display
1 logs found.
1 logs returned.

1: date=2021-06-10 time=17:21:19 eventtime=1623370879840284165 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom3" severity="info" srcip=192.168.12.212 srccountry="Reserved" dstip=192.168.12.213 srcintf="vlan843" srcintfrole="lan" dstintf="vlan844" dstintfrole="lan" sessionid=27700 action="dropped" proto=6 service="MSRP" policyid=1 attack="MSRP.Max.Message.Size.Exceeded" srcport=20036 dstport=20036 direction="outgoing" attackid=1000000 profile="g-default" ref="http://www.fortinet.com/ids/VID1000000" incidentserialno=189792275 psrcport=0 pdstport=0 msg="msrp_decoder: MSRP.Max.Message.Size.Exceeded, msg_size=270 exceeds config maximum=10"
```

The attack name MSRP.Max.Message.Size.Exceeded and the msg field (msg_size=270 exceeds config maximum=10) confirm that the drop came from the MSRP decoder's size check in the VoIP profile, not from an IPS signature.

- In MAPS, verify that the call was terminated.
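The procedure above relies on MAPS to generate the oversized message. As an added example that is not FortiOS code and not part of the original page, the following Python builds a single-chunk MSRP SEND request in RFC 4975 framing, parses it back the way a decoder would, and applies the max-msg-size / max-msg-size-action semantics of the VoIP profile to the body. The To-Path/From-Path values reuse the addresses and port from the log above, and the transaction and message IDs are made up; how FortiOS counts msg_size is not stated on the page, so the check here uses the body length and treats max-msg-size 0 as "no limit" (both are assumptions).

```python
"""MSRP SEND framing (RFC 4975) and a max-msg-size check applied to the body.

Added example, not FortiOS code. Assumptions not stated on the page: the
decoder compares the body length with max-msg-size, and 0 means no limit.
Transaction/message IDs are made up.
"""
import re

CRLF = b"\r\n"

# The EICAR test string from the page's second example, used here as a test body.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_msrp_send(body: bytes, to_path: str, from_path: str,
                    transact_id: str, message_id: str,
                    content_type: str = "text/plain") -> bytes:
    """Return one complete MSRP SEND chunk carrying `body` (continuation flag '$')."""
    headers = [
        f"MSRP {transact_id} SEND",
        f"To-Path: {to_path}",
        f"From-Path: {from_path}",
        f"Message-ID: {message_id}",
        f"Byte-Range: 1-{len(body)}/{len(body)}",
        f"Content-Type: {content_type}",
    ]
    head = CRLF.join(h.encode() for h in headers) + CRLF
    end_line = b"-------" + transact_id.encode() + b"$" + CRLF
    # A blank line separates headers from body; the body is followed by CRLF and the end-line.
    return head + CRLF + body + CRLF + end_line


def parse_msrp_send(data: bytes) -> dict:
    """Split a SEND chunk into start line, headers, body and continuation flag."""
    head, sep, rest = data.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("missing blank line between headers and body")
    start, *header_lines = head.split(CRLF)
    m = re.fullmatch(rb"MSRP (\S+) (\S+)", start)
    if not m:
        raise ValueError("malformed request start line")
    transact_id, method = m.group(1).decode(), m.group(2).decode()
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b": ")
        headers[name.decode()] = value.decode()
    # The end-line repeats the transaction ID, so search for it from the back:
    # a body that merely contains "-------" cannot truncate the chunk.
    end_marker = CRLF + b"-------" + transact_id.encode()
    idx = rest.rfind(end_marker)
    if idx < 0:
        raise ValueError("missing end-line")
    flag = chr(rest[idx + len(end_marker)])
    return {"transact_id": transact_id, "method": method, "headers": headers,
            "body": rest[:idx], "continuation": flag}


def max_msg_size_verdict(body: bytes, max_msg_size: int, action: str) -> str:
    """'allow' when within the limit (0 disables the check), else the configured action."""
    if action not in ("pass", "block", "reset", "monitor"):
        raise ValueError(f"unknown max-msg-size-action {action!r}")
    if max_msg_size == 0 or len(body) <= max_msg_size:
        return "allow"
    return action


if __name__ == "__main__":
    # Addresses and port taken from the log on the page; session IDs are made up.
    chunk = build_msrp_send(EICAR, "msrp://192.168.12.213:20036/s1;tcp",
                            "msrp://192.168.12.212:20036/c1;tcp", "a786hjs2", "87652491")
    parsed = parse_msrp_send(chunk)
    print(f"body is {len(parsed['body'])} bytes, Byte-Range {parsed['headers']['Byte-Range']}")
    for limit, act in ((10, "block"), (0, "pass")):  # the two profiles used on this page
        print(f"max-msg-size {limit}, action {act}: "
              f"{max_msg_size_verdict(parsed['body'], limit, act)}")
```

Running the script shows why the second example on this page sets max-msg-size 0 with action pass: the 68-byte EICAR body is well over the first profile's 10-byte limit and would be stopped by the size check before any signature ran, whereas with the limit disabled only the IPS sensor decides.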
In this second example, malicious files are blocked. The client sends the EICAR test sample to the server in an MSRP message. GL's Message Automation & Protocol Simulation (MAPS™) is used, with a client-server model configured to send MSRP traffic from vlan843 (client) to vlan844 (server) and the plain-text EICAR anti-virus test string, which security engines treat as malware, in the message field. The following text is used:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
To configure MSRP traffic scanning:
- Configure the VoIP profile:
```
config voip profile
    edit msrp_test
        set feature-set flow
        config msrp
            set status enable
            set log-violations enable
            set max-msg-size 0
            set max-msg-size-action pass
        end
    next
end
```
- Configure the IPS profile:
```
config ips sensor
    edit "msrp"
        set extended-log enable
        config entries
            edit 1
                set rule 7470 29844
                set status enable
                set action block
            next
        end
    next
end
```
- Configure the firewall policy:
```
config firewall policy
    edit 1
        set name "vdom3"
        set srcintf "vlan843"
        set dstintf "vlan844"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "msrp"
        set voip-profile "msrp_test"
        set logtraffic all
    next
end
```
- Verify the log:
```
# execute log filter category 4
# execute log display
1 logs found.
1 logs returned.

1: date=2021-09-16 time=11:29:48 eventtime=1631816988947762597 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom3" severity="info" srcip=192.168.12.212 srccountry="Reserved" dstip=192.168.12.213 srcintf="vlan843" srcintfrole="lan" dstintf="vlan844" dstintfrole="lan" sessionid=41344 action="dropped" proto=6 service="MSRP" policyid=1 attack="Eicar.Virus.Test.File" srcport=20069 dstport=20069 direction="outgoing" attackid=29844 profile="msrp" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=123731970 psrcport=0 pdstport=0 msg="file_transfer: Eicar.Virus.Test.File,"
```

Here attackid=29844 and profile="msrp" show that the IPS sensor's signature, rather than the VoIP profile's size check, produced the drop.
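Both "Verify the log" steps above read the result off a FortiOS key=value record by eye. As an added example that is not FortiOS code and not part of the original page, the following Python parses such records (quoted values like msg="..." contain spaces, commas and '=' and must be kept whole), keeps only the IPS records for MSRP sessions, and pulls out the fields worth checking: attack name, attack ID, action, and, for the decoder's size violation, the msg_size and configured maximum. SAMPLE_LOGS holds the two records shown on this page plus one constructed non-MSRP record, marked as such, to show the filter discarding it.

```python
"""Parse FortiOS UTM/IPS log records and extract the MSRP verdicts.

Added example, not FortiOS code. The first two SAMPLE_LOGS entries are the
records shown on the page; the third is constructed to exercise the filter.
"""
import re

# FortiOS records are space-separated key=value pairs. Quoted values may hold
# spaces, commas and '=' (msg= does), so the quoted alternative is tried first.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The msrp_decoder message text: "... msg_size=270 exceeds config maximum=10"
_SIZE = re.compile(r"msg_size=(\d+) exceeds config maximum=(\d+)")

SAMPLE_LOGS = [
    # From the page: first example, blocked by the VoIP profile's max-msg-size check.
    '1: date=2021-06-10 time=17:21:19 eventtime=1623370879840284165 tz="-0700" logid="0419016384" '
    'type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom3" severity="info" '
    'srcip=192.168.12.212 srccountry="Reserved" dstip=192.168.12.213 srcintf="vlan843" srcintfrole="lan" '
    'dstintf="vlan844" dstintfrole="lan" sessionid=27700 action="dropped" proto=6 service="MSRP" policyid=1 '
    'attack="MSRP.Max.Message.Size.Exceeded" srcport=20036 dstport=20036 direction="outgoing" attackid=1000000 '
    'profile="g-default" ref="http://www.fortinet.com/ids/VID1000000" incidentserialno=189792275 psrcport=0 '
    'pdstport=0 msg="msrp_decoder: MSRP.Max.Message.Size.Exceeded, msg_size=270 exceeds config maximum=10"',
    # From the page: second example, blocked by IPS signature 29844 (EICAR).
    '1: date=2021-09-16 time=11:29:48 eventtime=1631816988947762597 tz="-0700" logid="0419016384" '
    'type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom3" severity="info" '
    'srcip=192.168.12.212 srccountry="Reserved" dstip=192.168.12.213 srcintf="vlan843" srcintfrole="lan" '
    'dstintf="vlan844" dstintfrole="lan" sessionid=41344 action="dropped" proto=6 service="MSRP" policyid=1 '
    'attack="Eicar.Virus.Test.File" srcport=20069 dstport=20069 direction="outgoing" attackid=29844 '
    'profile="msrp" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=123731970 psrcport=0 '
    'pdstport=0 msg="file_transfer: Eicar.Virus.Test.File,"',
    # Constructed (not from the page): same signature over HTTP, must be filtered out.
    '2: date=2021-09-16 time=11:30:02 eventtime=1631817002000000000 tz="-0700" logid="0419016384" '
    'type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom3" severity="info" '
    'srcip=192.168.12.212 dstip=192.168.12.213 sessionid=41350 action="detected" proto=6 service="HTTP" '
    'policyid=1 attack="Eicar.Virus.Test.File" srcport=51000 dstport=80 attackid=29844 profile="msrp" '
    'msg="file_transfer: Eicar.Virus.Test.File,"',
]


def parse_fortios_log(record: str) -> dict:
    """Turn one FortiOS log record into a dict, dropping the 'N: ' index prefix
    that 'execute log display' prepends and the quotes around quoted values."""
    record = re.sub(r"^\d+:\s*", "", record.strip())
    fields = {}
    for key, value in _KV.findall(record):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def msrp_verdicts(records) -> list:
    """Return the UTM/IPS records for MSRP sessions, reduced to the fields worth checking."""
    out = []
    for record in records:
        f = parse_fortios_log(record)
        if (f.get("type"), f.get("subtype"), f.get("service")) != ("utm", "ips", "MSRP"):
            continue
        hit = {
            "attack": f.get("attack"),
            "attackid": f.get("attackid"),
            "action": f.get("action"),
            "policyid": f.get("policyid"),
            "profile": f.get("profile"),
            "session": f"{f.get('srcip')}:{f.get('srcport')}->{f.get('dstip')}:{f.get('dstport')}",
            "msg_size": None,
            "max_size": None,
        }
        m = _SIZE.search(f.get("msg", ""))
        if m:  # only the decoder's size violation carries these two numbers
            hit["msg_size"], hit["max_size"] = int(m.group(1)), int(m.group(2))
        out.append(hit)
    return out


if __name__ == "__main__":
    for hit in msrp_verdicts(SAMPLE_LOGS):
        print(hit)
```

The size-violation record and the signature record share logid, type and subtype, so the attack name and the msg prefix (msrp_decoder versus file_transfer) are the fields to key on when deciding which of the two controls acted on a session.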