
SentryPeer: A distributed peer to peer list of bad IP addresses and phone numbers collected via a SIP Honeypot
Hi all,

I hope you don't mind the post, but thought this might be of use and
in the spirit of release early, release often I've done an alpha
release:

https://github.com/SentryPeer/SentryPeer

There's a presentation too if you'd like to watch/read where I hope to
go with this:

https://blog.tadsummit.com/2021/11/17/sentrypeer/

Working on the API and web UI next, then the p2p part of it. Feel free
to submit any feature requests or have a play :-)

Thanks for reading and any feedback is welcome!

--
Kind Regards,
Gavin Henry.
Re: SentryPeer: A distributed peer to peer list of bad IP addresses and phone numbers collected via a SIP Honeypot
Anecdotally, anyone that's had reason to manually go through logs for port
5060 SIP for any public facing ipv4 /32 will see the vast amounts of random
"things" out there on the internet trying common extension password combos
to register.

It's been a large amount of background noise on the internet for a very long
time now.



On Wed, Nov 24, 2021 at 5:20 PM Gavin Henry <ghenry@suretec.co.uk> wrote:

> Hi all,
>
> I hope you don't mind the post, but thought this might be of use and
> in the spirit of release early, release often I've done an alpha
> release:
>
> https://github.com/SentryPeer/SentryPeer
>
> There's a presentation too if you'd like to watch/read where I hope to
> go with this:
>
> https://blog.tadsummit.com/2021/11/17/sentrypeer/
>
> Working on the API and web UI next, then the p2p part of it. Feel free
> to submit any feature requests or have a play :-)
>
> Thanks for reading and any feedback is welcome!
>
> --
> Kind Regards,
> Gavin Henry.
>
Re: SentryPeer: A distributed peer to peer list of bad IP addresses and phone numbers collected via a SIP Honeypot
On Thu, 25 Nov 2021 at 00:53, Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
>
> Anecdotally, anyone that's had reason to manually go through logs for port 5060 SIP for any public facing ipv4 /32 will see the vast amounts of random "things" out there on the internet trying common extension password combos to register.
>
> It's been a large amount of background noise on the internet for a very long time now.

Hi Eric,

Have you done anything with this data before?

Thanks.
Re: SentryPeer: A distributed peer to peer list of bad IP addresses and phone numbers collected via a SIP Honeypot
Hi Gavin,

I thought to do something similar ;)

As I can see in the code, you count somebody as a bad actor just because
one UDP packet is received. It is a bad idea, because it is easy to
spoof that packet and make a DoS against some good actor.

Right way: you have to simulate a SIP dialog with this actor, i.e. reply
to them with something and wait for the reaction. If the reaction is like
in normal SIP call processing - congratulations, you found a hacker!
If not, as if you sent them a packet they did not expect - it is a DoS and
a spoofed packet.

24.11.21 23:19, Gavin Henry wrote:
> Hi all,
>
> I hope you don't mind the post, but thought this might be of use and
> in the spirit of release early, release often I've done an alpha
> release:
>
> https://github.com/SentryPeer/SentryPeer
>
> There's a presentation too if you'd like to watch/read where I hope to
> go with this:
>
> https://blog.tadsummit.com/2021/11/17/sentrypeer/
>
> Working on the API and web UI next, then the p2p part of it. Feel free
> to submit any feature requests or have a play :-)
>
> Thanks for reading and any feedback is welcome!
>
Re: SentryPeer: A distributed peer to peer list of bad IP addresses and phone numbers collected via a SIP Honeypot
On Fri, 26 Nov 2021, 18:59 Max Tulyev, <maxtul@netassist.ua> wrote:

> Hi Gavin,
>

Hi Max,


> I thought to do something similar ;)
>

What stopped you creating something? Or did you? Interested :)



> As I can see in the code, you count somebody as a bad actor just because
> one UDP packet is received. It is a bad idea, because it is easy to
> spoof that packet and make a DoS against some good actor.
>

The next stage is to tag these probes as passive, then reply in SIP, like
you say, and allow registrations and calls etc., then mark them as aggressive.

I'm not actually replying to the packets, so no reflection attacks.


> Right way: you have to simulate a SIP dialog with this actor, i.e. reply
> to them with something and wait for the reaction. If the reaction is like
> in normal SIP call processing - congratulations, you found a hacker!
> If not, as if you sent them a packet they did not expect - it is a DoS and
> a spoofed packet.
>

Agreed!

Thank you for reading and your reply.

>
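The passive/aggressive split Max and Gavin discuss above, as an added illustration that is not SentryPeer's own code: a source is only recorded as "passive" on its first unanswered REGISTER, and is promoted to "aggressive" only after it echoes back the nonce from our 401 challenge, which a sender using a spoofed source address never receives. The SIP messages and IP addresses are constructed for the example, and the parser handles only the request line and headers.

```python
import re
import secrets


def parse_sip(raw: str):
    """Parse the request line and headers of a minimal SIP message (no body)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method = lines[0].split(" ", 1)[0].strip()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers


class ProbeClassifier:
    """Two-stage bad-actor classification for a SIP honeypot.

    First REGISTER from a source -> "passive" (could be spoofed, so never
    more than that on its own).  A later REGISTER carrying the nonce we
    challenged *that* source with -> "aggressive": the sender really
    received our reply, so the address was not spoofed.
    """

    def __init__(self):
        self.state = {}   # src_ip -> "passive" | "aggressive"
        self.nonces = {}  # src_ip -> nonce issued in our last 401 challenge

    def handle(self, src_ip: str, raw: str) -> str:
        method, headers = parse_sip(raw)
        if method != "REGISTER":
            return self.state.get(src_ip, "unknown")
        auth = headers.get("authorization", "")
        m = re.search(r'nonce="([^"]+)"', auth)
        if m and self.nonces.get(src_ip) == m.group(1):
            self.state[src_ip] = "aggressive"
            return "aggressive"
        # First contact, or a nonce we never issued to this source:
        # record as passive (never upgrade) and issue a fresh challenge.
        self.state.setdefault(src_ip, "passive")
        self.nonces[src_ip] = secrets.token_hex(8)
        return self.state[src_ip]

    def challenge(self, src_ip: str) -> str:
        """401 reply to send back to src_ip after handle() returned 'passive'."""
        return ('SIP/2.0 401 Unauthorized\r\nWWW-Authenticate: Digest '
                f'realm="honeypot", nonce="{self.nonces[src_ip]}"\r\n\r\n')
```

Because the honeypot replies with a single small 401 per REGISTER, it is not usable as an amplifier against the (possibly spoofed) source, while the nonce check keeps spoofed probes out of the aggressive list.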
Re: SentryPeer: A distributed peer to peer list of bad IP addresses and phone numbers collected via a SIP Honeypot
Hi all,

Come a long way since Nov:

https://github.com/SentryPeer/SentryPeer/releases/tag/v1.4.0

Peer to peer bad_actor replication is now released. Deutsche Telekom
"T-Pot - The All In One Honeypot Platform" included SentryPeer
(https://github.com/telekom-security/tpotce/tree/22.x) and Kali Linux
is coming - https://bugs.kali.org/view.php?id=7523#c15939

Would love to have some testers onboard!

Thanks,
Gavin.
Re: SentryPeer: A distributed peer to peer list of bad IP addresses and phone numbers collected via a SIP Honeypot
Hi,

I've just released https://sentrypeer.com

About SentryPeerHQ -> https://sentrypeer.com/about
Fully Open Source -> https://github.com/SentryPeer/SentryPeerHQ
Always free -> https://sentrypeer.com/pricing (for those that contribute
data by running an official SentryPeer node or their own honeypot)

Thanks,
Gavin.

On Tue, 29 Mar 2022 at 20:39, Gavin Henry <ghenry@suretec.co.uk> wrote:

> Hi all,
>
> Come a long way since Nov:
>
> https://github.com/SentryPeer/SentryPeer/releases/tag/v1.4.0
>
> Peer to peer bad_actor replication is now released. Deutsche Telekom
> "T-Pot - The All In One Honeypot Platform" included SentryPeer
> (https://github.com/telekom-security/tpotce/tree/22.x) and Kali Linux
> is coming - https://bugs.kali.org/view.php?id=7523#c15939
>
> Would love to have some testers onboard!
>
> Thanks,
> Gavin.
>


--
Kind Regards,

Gavin Henry.
Managing Director.