Fortinet black logo

Administration Guide

Scanning MSRP traffic

Scanning MSRP traffic

An MSRP (Message Session Relay Protocol) decoder in the IPS engine scans for IPS signatures against the application data. Malicious payload in the text message can be blocked. A VoIP profile using flow inspection mode must be configured in the firewall policy. An IPS profile must be configured in the firewall policy to inspect the payload.

config voip profile
    edit <name>
        set feature-set flow
        config msrp
            set status {enable | disable}
            set log-violations {enable | disable}
            set max-msg-size <integer>
            set max-msg-size-action {pass | block | reset | monitor}
        end
    next
end

status {enable | disable}

Enable/disable MSRP.

log-violations {enable | disable}

Enable/disable logging of MSRP violations.

max-msg-size <integer>

Maximum allowable MSRP message size, in bytes (0 - 65535, default = 0).

max-msg-size-action {pass | block | reset | monitor}

Action for violating maximum MSRP message size:

  • pass: pass or allow matching traffic (default)
  • block: block or drop matching traffic
  • reset: reset sessions for matching traffic
  • monitor: pass and log matching traffic

Examples

In this first example, MSRP messages larger than 10 bytes will be blocked. The client sends an oversized MSRP message to the server. Message Automation & Protocol Simulation (MAPSTM) is used, and a client-server model was configured to use the software to send MSRP traffic from vlan843 (client) to vlan844 (server) with plain text placed in the message field. The software uses the content of the MsrpInputMessage.txt file located in the default folder, where anything in that file will be sent by MSRP. The following text is used:

GL's Message Automation & Protocol Simulation (MAPSTM) is a protocol simulation and conformance test tool that supports a variety of protocols such as SIP, MEGACO, MGCP, SS7, ISDN, GSM, MAP, CAS, LTE, UMTS, SS7 SIGTRAN, ISDN SIGTRAN, SIP I, GSM AoIP, Diameter and others. This message automation tool covers solutions for both protocol simulation and protocol analysis. The application includes various test plans and test cases to support the testing of real-time entities. Along with automation capability, the application gives users the unlimited ability to edit messages and control scenarios (message sequences).

To configure MSRP traffic scanning:
  1. Configure the VoIP profile:
    config voip profile
        edit msrp_test
            set feature-set flow
            config msrp
                set status enable
                set log-violations enable
                set max-msg-size 10
                set max-msg-size-action block
            end
        next
    end
  2. Configure the firewall policy:
    config firewall policy
        edit 1
            set name "vdom3"
            set srcintf "vlan843"
            set dstintf "vlan844"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set voip-profile "msrp_test"
            set logtraffic all
        next
    end
  3. Verify the log:
    # execute log filter category 4
    # execute log display 
    1 logs found.
    1 logs returned.
    
    1: date=2021-06-10 time=17:21:19 eventtime=1623370879840284165 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom3" severity="info" srcip=192.168.12.212 srccountry="Reserved" dstip=192.168.12.213 srcintf="vlan843" srcintfrole="lan" dstintf="vlan844" dstintfrole="lan" sessionid=27700 action="dropped" proto=6 service="MSRP" policyid=1 attack="MSRP.Max.Message.Size.Exceeded" srcport=20036 dstport=20036 direction="outgoing" attackid=1000000 profile="g-default" ref="http://www.fortinet.com/ids/VID1000000" incidentserialno=189792275 psrcport=0 pdstport=0 msg="msrp_decoder: MSRP.Max.Message.Size.Exceeded, msg_size=270 exceeds config maximum=10"
  4. In MAPS, verify that the call was terminated:

In this second example, malicious files will be blocked. The client sends an EICAR test sample to the server in an MSRP message. Message Automation & Protocol Simulation (MAPSTM) is used, and a client-server model was configured to use the software to send MSRP traffic from vlan843 (client) to vlan844 (server) with a plain text EICAR file containing a virus in the message field. The following text is used:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

To configure MSRP traffic scanning:
  1. Configure the VoIP profile:
    config voip profile
        edit msrp_test
            set feature-set flow
            config msrp
                set status enable
                set log-violations enable
                set max-msg-size 0
                set max-msg-size-action pass
            end
        next
    end
  2. Configure the IPS profile:
    config ips sensor
        edit "msrp"
            set extended-log enable
            config entries
                edit 1
                    set rule 7470 29844
                    set status enable
                    set action block
                next
            end
        next
    end
  3. Configure the firewall policy:
    config firewall policy
        edit 1
            set name "vdom3"
            set srcintf "vlan843"
            set dstintf "vlan844"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set ips-sensor "msrp"
            set voip-profile "msrp_test"
            set logtraffic all
        next
    end
  4. Verify the log:
    # execute log filter category 4
    # execute log display 
    1 logs found.
    1 logs returned.
    
    1: date=2021-09-16 time=11:29:48 eventtime=1631816988947762597 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom3" severity="info" srcip=192.168.12.212 srccountry="Reserved" dstip=192.168.12.213 srcintf="vlan843" srcintfrole="lan" dstintf="vlan844" dstintfrole="lan" sessionid=41344 action="dropped" proto=6 service="MSRP" policyid=1 attack="Eicar.Virus.Test.File" srcport=20069 dstport=20069 direction="outgoing" attackid=29844 profile="msrp" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=123731970 psrcport=0 pdstport=0 msg="file_transfer: Eicar.Virus.Test.File,"

Scanning MSRP traffic

An MSRP (Message Session Relay Protocol) decoder in the IPS engine scans for IPS signatures against the application data. Malicious payload in the text message can be blocked. A VoIP profile using flow inspection mode must be configured in the firewall policy. An IPS profile must be configured in the firewall policy to inspect the payload.

config voip profile
    edit <name>
        set feature-set flow
        config msrp
            set status {enable | disable}
            set log-violations {enable | disable}
            set max-msg-size <integer>
            set max-msg-size-action {pass | block | reset | monitor}
        end
    next
end

status {enable | disable}

Enable/disable MSRP.

log-violations {enable | disable}

Enable/disable logging of MSRP violations.

max-msg-size <integer>

Maximum allowable MSRP message size, in bytes (0 - 65535, default = 0).

max-msg-size-action {pass | block | reset | monitor}

Action for violating maximum MSRP message size:

  • pass: pass or allow matching traffic (default)
  • block: block or drop matching traffic
  • reset: reset sessions for matching traffic
  • monitor: pass and log matching traffic

Examples

In this first example, MSRP messages larger than 10 bytes will be blocked. The client sends an oversized MSRP message to the server. Message Automation & Protocol Simulation (MAPSTM) is used, and a client-server model was configured to use the software to send MSRP traffic from vlan843 (client) to vlan844 (server) with plain text placed in the message field. The software uses the content of the MsrpInputMessage.txt file located in the default folder, where anything in that file will be sent by MSRP. The following text is used:

GL's Message Automation & Protocol Simulation (MAPSTM) is a protocol simulation and conformance test tool that supports a variety of protocols such as SIP, MEGACO, MGCP, SS7, ISDN, GSM, MAP, CAS, LTE, UMTS, SS7 SIGTRAN, ISDN SIGTRAN, SIP I, GSM AoIP, Diameter and others. This message automation tool covers solutions for both protocol simulation and protocol analysis. The application includes various test plans and test cases to support the testing of real-time entities. Along with automation capability, the application gives users the unlimited ability to edit messages and control scenarios (message sequences).

To configure MSRP traffic scanning:
  1. Configure the VoIP profile:
    config voip profile
        edit msrp_test
            set feature-set flow
            config msrp
                set status enable
                set log-violations enable
                set max-msg-size 10
                set max-msg-size-action block
            end
        next
    end
  2. Configure the firewall policy:
    config firewall policy
        edit 1
            set name "vdom3"
            set srcintf "vlan843"
            set dstintf "vlan844"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set voip-profile "msrp_test"
            set logtraffic all
        next
    end
  3. Verify the log:
    # execute log filter category 4
    # execute log display 
    1 logs found.
    1 logs returned.
    
    1: date=2021-06-10 time=17:21:19 eventtime=1623370879840284165 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom3" severity="info" srcip=192.168.12.212 srccountry="Reserved" dstip=192.168.12.213 srcintf="vlan843" srcintfrole="lan" dstintf="vlan844" dstintfrole="lan" sessionid=27700 action="dropped" proto=6 service="MSRP" policyid=1 attack="MSRP.Max.Message.Size.Exceeded" srcport=20036 dstport=20036 direction="outgoing" attackid=1000000 profile="g-default" ref="http://www.fortinet.com/ids/VID1000000" incidentserialno=189792275 psrcport=0 pdstport=0 msg="msrp_decoder: MSRP.Max.Message.Size.Exceeded, msg_size=270 exceeds config maximum=10"
  4. In MAPS, verify that the call was terminated:

In this second example, malicious files will be blocked. The client sends an EICAR test sample to the server in an MSRP message. Message Automation & Protocol Simulation (MAPSTM) is used, and a client-server model was configured to use the software to send MSRP traffic from vlan843 (client) to vlan844 (server) with a plain text EICAR file containing a virus in the message field. The following text is used:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

To configure MSRP traffic scanning:
  1. Configure the VoIP profile:
    config voip profile
        edit msrp_test
            set feature-set flow
            config msrp
                set status enable
                set log-violations enable
                set max-msg-size 0
                set max-msg-size-action pass
            end
        next
    end
  2. Configure the IPS profile:
    config ips sensor
        edit "msrp"
            set extended-log enable
            config entries
                edit 1
                    set rule 7470 29844
                    set status enable
                    set action block
                next
            end
        next
    end
  3. Configure the firewall policy:
    config firewall policy
        edit 1
            set name "vdom3"
            set srcintf "vlan843"
            set dstintf "vlan844"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set ips-sensor "msrp"
            set voip-profile "msrp_test"
            set logtraffic all
        next
    end
  4. Verify the log:
    # execute log filter category 4
    # execute log display 
    1 logs found.
    1 logs returned.
    
    1: date=2021-09-16 time=11:29:48 eventtime=1631816988947762597 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom3" severity="info" srcip=192.168.12.212 srccountry="Reserved" dstip=192.168.12.213 srcintf="vlan843" srcintfrole="lan" dstintf="vlan844" dstintfrole="lan" sessionid=41344 action="dropped" proto=6 service="MSRP" policyid=1 attack="Eicar.Virus.Test.File" srcport=20069 dstport=20069 direction="outgoing" attackid=29844 profile="msrp" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=123731970 psrcport=0 pdstport=0 msg="file_transfer: Eicar.Virus.Test.File,"