Help trace source of error: unknown URI param list excedeed

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

Help trace source of error: unknown URI param list excedeed

Adam Raszynski
Hi

Recently I have discovered increasing amount of the following errors in my logs:

Feb 13 09:36:59 node1 /usr/sbin/opensips[10458]: ERROR:core:parse_uri: unknown URI param list exceeded

I see this error is repeated many thousands of times in my log

Questions:
- What does this error mean?
- How to add source IP address of SIP request that caused error to log? Or how to add full SIP request body causing that error to log?
- Is it a sign of any type of DOS attack?

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Help trace source of error: unknown URI param list excedeed

shaheryarkh
When reporting issues please make sure to add opensips version you are using including operating system details. This helps in diagnosing problem better.

Anyways here are the answers for your question,

1. This error means an invalid SIP packet is received which opensips was unable to parse.
2. Yes you can inspect the packet in detail and do appropriate actions, have a look at below URL to learn more


3. Yes, these could be symptom of possible DOS / DDOS attack OR may be some valid user / trunk has really buggy device which creating bad SIP packets. Take appropriate measures.

Thank you.


On Wed, Feb 13, 2013 at 11:05 PM, Adam Raszynski <[hidden email]> wrote:
Hi

Recently I have discovered increasing amount of the following errors in my logs:

Feb 13 09:36:59 node1 /usr/sbin/opensips[10458]: ERROR:core:parse_uri: unknown URI param list exceeded

I see this error is repeated many thousands of times in my log

Questions:
- What does this error mean?
- How to add source IP address of SIP request that caused error to log? Or how to add full SIP request body causing that error to log?
- Is it a sign of any type of DOS attack?

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users




--
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)
Cell: +49 176 99 83 10 85
MSN: [hidden email]
Email: [hidden email]

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Help trace source of error: unknown URI param list excedeed

Ovidiu Sas
In reply to this post by Adam Raszynski
It seems that you are having more then 5 unknown URI params.
One thing that you can do is to recompile with an increased number of
URI_MAX_U_PARAMS.
See parser/msg_parser.h and increase the URI_MAX_U_PARAMS from 5 to 10.
#define URI_MAX_U_PARAMS 10

If you enable debug logs, you should be able to see the URI that is
causing issues.
you can temporarily increase the debug log and the restore it via fifo:
opensipsctl fifo debug 9
opensipsctl fifo debug 3

Regards,
Ovidiu Sas

On Wed, Feb 13, 2013 at 5:05 PM, Adam Raszynski <[hidden email]> wrote:

> Hi
>
> Recently I have discovered increasing amount of the following errors in my
> logs:
>
> Feb 13 09:36:59 node1 /usr/sbin/opensips[10458]: ERROR:core:parse_uri:
> unknown URI param list exceeded
>
> I see this error is repeated many thousands of times in my log
>
> Questions:
> - What does this error mean?
> - How to add source IP address of SIP request that caused error to log? Or
> how to add full SIP request body causing that error to log?
> - Is it a sign of any type of DOS attack?

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Help trace source of error: unknown URI param list excedeed

Bogdan-Andrei Iancu-2
Hi Ovidiu,

It might be wiser to have a default value of 10 to avoid such issues in
the future. What do you think ?

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com


On 02/14/2013 01:08 AM, Ovidiu Sas wrote:

> It seems that you are having more then 5 unknown URI params.
> One thing that you can do is to recompile with an increased number of
> URI_MAX_U_PARAMS.
> See parser/msg_parser.h and increase the URI_MAX_U_PARAMS from 5 to 10.
> #define URI_MAX_U_PARAMS 10
>
> If you enable debug logs, you should be able to see the URI that is
> causing issues.
> you can temporarily increase the debug log and the restore it via fifo:
> opensipsctl fifo debug 9
> opensipsctl fifo debug 3
>
> Regards,
> Ovidiu Sas
>
> On Wed, Feb 13, 2013 at 5:05 PM, Adam Raszynski<[hidden email]>  wrote:
>> Hi
>>
>> Recently I have discovered increasing amount of the following errors in my
>> logs:
>>
>> Feb 13 09:36:59 node1 /usr/sbin/opensips[10458]: ERROR:core:parse_uri:
>> unknown URI param list exceeded
>>
>> I see this error is repeated many thousands of times in my log
>>
>> Questions:
>> - What does this error mean?
>> - How to add source IP address of SIP request that caused error to log? Or
>> how to add full SIP request body causing that error to log?
>> - Is it a sign of any type of DOS attack?
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Help trace source of error: unknown URI param list excedeed

Ovidiu Sas
Hello Bogdan,

Bumping the default value from 5 to 10 shouldn't be a problem,
although I've never seen URIs with more than 5 unknown params.  Before
bumping the default value, we should investigate to see if those
unknown params are really 'unknown'.  Maybe some of those params
aren't really unknown and should be parsed.

@Adam
Did you had a chance to enable debug logs and collect such a URI?
All you need is to do is to enable the debug logs for a short period
of time and check syslogs.

-ovidiu

On Thu, Feb 14, 2013 at 3:33 AM, Bogdan-Andrei Iancu
<[hidden email]> wrote:

> Hi Ovidiu,
>
> It might be wiser to have a default value of 10 to avoid such issues in the
> future. What do you think ?
>
> Regards,
>
> Bogdan-Andrei Iancu
> OpenSIPS Founder and Developer
> http://www.opensips-solutions.com
>
>
>
> On 02/14/2013 01:08 AM, Ovidiu Sas wrote:
>>
>> It seems that you are having more then 5 unknown URI params.
>> One thing that you can do is to recompile with an increased number of
>> URI_MAX_U_PARAMS.
>> See parser/msg_parser.h and increase the URI_MAX_U_PARAMS from 5 to 10.
>> #define URI_MAX_U_PARAMS 10
>>
>> If you enable debug logs, you should be able to see the URI that is
>> causing issues.
>> you can temporarily increase the debug log and the restore it via fifo:
>> opensipsctl fifo debug 9
>> opensipsctl fifo debug 3
>>
>> Regards,
>> Ovidiu Sas
>>
>> On Wed, Feb 13, 2013 at 5:05 PM, Adam Raszynski<[hidden email]>
>> wrote:
>>>
>>> Hi
>>>
>>> Recently I have discovered increasing amount of the following errors in
>>> my
>>> logs:
>>>
>>> Feb 13 09:36:59 node1 /usr/sbin/opensips[10458]: ERROR:core:parse_uri:
>>> unknown URI param list exceeded
>>>
>>> I see this error is repeated many thousands of times in my log
>>>
>>> Questions:
>>> - What does this error mean?
>>> - How to add source IP address of SIP request that caused error to log?
>>> Or
>>> how to add full SIP request body causing that error to log?
>>> - Is it a sign of any type of DOS attack?

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Help trace source of error: unknown URI param list excedeed

Bogdan-Andrei Iancu-2
Hi Ovidiu,

Indeed, investigating a bit around would make sense :)

Let;s see if Adam has some info for us.

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com


On 02/14/2013 04:24 PM, Ovidiu Sas wrote:

> Hello Bogdan,
>
> Bumping the default value from 5 to 10 shouldn't be a problem,
> although I've never seen URIs with more than 5 unknown params.  Before
> bumping the default value, we should investigate to see if those
> unknown params are really 'unknown'.  Maybe some of those params
> aren't really unknown and should be parsed.
>
> @Adam
> Did you had a chance to enable debug logs and collect such a URI?
> All you need is to do is to enable the debug logs for a short period
> of time and check syslogs.
>
> -ovidiu
>
> On Thu, Feb 14, 2013 at 3:33 AM, Bogdan-Andrei Iancu
> <[hidden email]>  wrote:
>> Hi Ovidiu,
>>
>> It might be wiser to have a default value of 10 to avoid such issues in the
>> future. What do you think ?
>>
>> Regards,
>>
>> Bogdan-Andrei Iancu
>> OpenSIPS Founder and Developer
>> http://www.opensips-solutions.com
>>
>>
>>
>> On 02/14/2013 01:08 AM, Ovidiu Sas wrote:
>>> It seems that you are having more then 5 unknown URI params.
>>> One thing that you can do is to recompile with an increased number of
>>> URI_MAX_U_PARAMS.
>>> See parser/msg_parser.h and increase the URI_MAX_U_PARAMS from 5 to 10.
>>> #define URI_MAX_U_PARAMS 10
>>>
>>> If you enable debug logs, you should be able to see the URI that is
>>> causing issues.
>>> you can temporarily increase the debug log and the restore it via fifo:
>>> opensipsctl fifo debug 9
>>> opensipsctl fifo debug 3
>>>
>>> Regards,
>>> Ovidiu Sas
>>>
>>> On Wed, Feb 13, 2013 at 5:05 PM, Adam Raszynski<[hidden email]>
>>> wrote:
>>>> Hi
>>>>
>>>> Recently I have discovered increasing amount of the following errors in
>>>> my
>>>> logs:
>>>>
>>>> Feb 13 09:36:59 node1 /usr/sbin/opensips[10458]: ERROR:core:parse_uri:
>>>> unknown URI param list exceeded
>>>>
>>>> I see this error is repeated many thousands of times in my log
>>>>
>>>> Questions:
>>>> - What does this error mean?
>>>> - How to add source IP address of SIP request that caused error to log?
>>>> Or
>>>> how to add full SIP request body causing that error to log?
>>>> - Is it a sign of any type of DOS attack?

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Help trace source of error: unknown URI param list excedeed

Adam Raszynski
As suggested I enabled error logging via error_route to put in log full SIP message bodies

Unfortunetly it doesn't seem to work with this type of error:
ERROR:core:parse_uri: unknown URI param list excedeed

For other parse errors I see message dumps, but not for this

So for some reason I'm unable to catch this errors using error_route

Any hints?


2013/2/15 Bogdan-Andrei Iancu <[hidden email]>
Hi Ovidiu,

Indeed, investigating a bit around would make sense :)

Let;s see if Adam has some info for us.


Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com


On 02/14/2013 04:24 PM, Ovidiu Sas wrote:
Hello Bogdan,

Bumping the default value from 5 to 10 shouldn't be a problem,
although I've never seen URIs with more than 5 unknown params.  Before
bumping the default value, we should investigate to see if those
unknown params are really 'unknown'.  Maybe some of those params
aren't really unknown and should be parsed.

@Adam
Did you had a chance to enable debug logs and collect such a URI?
All you need is to do is to enable the debug logs for a short period
of time and check syslogs.

-ovidiu

On Thu, Feb 14, 2013 at 3:33 AM, Bogdan-Andrei Iancu
<[hidden email]>  wrote:
Hi Ovidiu,

It might be wiser to have a default value of 10 to avoid such issues in the
future. What do you think ?

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com



On 02/14/2013 01:08 AM, Ovidiu Sas wrote:
It seems that you are having more then 5 unknown URI params.
One thing that you can do is to recompile with an increased number of
URI_MAX_U_PARAMS.
See parser/msg_parser.h and increase the URI_MAX_U_PARAMS from 5 to 10.
#define URI_MAX_U_PARAMS 10

If you enable debug logs, you should be able to see the URI that is
causing issues.
you can temporarily increase the debug log and the restore it via fifo:
opensipsctl fifo debug 9
opensipsctl fifo debug 3

Regards,
Ovidiu Sas

On Wed, Feb 13, 2013 at 5:05 PM, Adam Raszynski<[hidden email]>
wrote:
Hi

Recently I have discovered increasing amount of the following errors in
my
logs:

Feb 13 09:36:59 node1 /usr/sbin/opensips[10458]: ERROR:core:parse_uri:
unknown URI param list exceeded

I see this error is repeated many thousands of times in my log

Questions:
- What does this error mean?
- How to add source IP address of SIP request that caused error to log?
Or
how to add full SIP request body causing that error to log?
- Is it a sign of any type of DOS attack?


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Help trace source of error: unknown URI param list excedeed

Bogdan-Andrei Iancu-2
Hi Adam,

It does not jump into error_route as currently this capture only "sip parsing" errors, and it your case it is not a parsing error, but rather an internal error.

So,
1) were you able to get the actual URI so see all the params ?
2) managed to extend the size of the array of unknown params as Ovidiu suggested ?

Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com

On 02/20/2013 12:12 PM, Adam Raszynski wrote:
As suggested I enabled error logging via error_route to put in log full SIP message bodies

Unfortunetly it doesn't seem to work with this type of error:
ERROR:core:parse_uri: unknown URI param list excedeed

For other parse errors I see message dumps, but not for this

So for some reason I'm unable to catch this errors using error_route

Any hints?


2013/2/15 Bogdan-Andrei Iancu <[hidden email]>
Hi Ovidiu,

Indeed, investigating a bit around would make sense :)

Let;s see if Adam has some info for us.


Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com


On 02/14/2013 04:24 PM, Ovidiu Sas wrote:
Hello Bogdan,

Bumping the default value from 5 to 10 shouldn't be a problem,
although I've never seen URIs with more than 5 unknown params.  Before
bumping the default value, we should investigate to see if those
unknown params are really 'unknown'.  Maybe some of those params
aren't really unknown and should be parsed.

@Adam
Did you had a chance to enable debug logs and collect such a URI?
All you need is to do is to enable the debug logs for a short period
of time and check syslogs.

-ovidiu

On Thu, Feb 14, 2013 at 3:33 AM, Bogdan-Andrei Iancu
<[hidden email]>  wrote:
Hi Ovidiu,

It might be wiser to have a default value of 10 to avoid such issues in the
future. What do you think ?

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com



On 02/14/2013 01:08 AM, Ovidiu Sas wrote:
It seems that you are having more then 5 unknown URI params.
One thing that you can do is to recompile with an increased number of
URI_MAX_U_PARAMS.
See parser/msg_parser.h and increase the URI_MAX_U_PARAMS from 5 to 10.
#define URI_MAX_U_PARAMS 10

If you enable debug logs, you should be able to see the URI that is
causing issues.
you can temporarily increase the debug log and the restore it via fifo:
opensipsctl fifo debug 9
opensipsctl fifo debug 3

Regards,
Ovidiu Sas

On Wed, Feb 13, 2013 at 5:05 PM, Adam Raszynski<[hidden email]>
wrote:
Hi

Recently I have discovered increasing amount of the following errors in
my
logs:

Feb 13 09:36:59 node1 /usr/sbin/opensips[10458]: ERROR:core:parse_uri:
unknown URI param list exceeded

I see this error is repeated many thousands of times in my log

Questions:
- What does this error mean?
- How to add source IP address of SIP request that caused error to log?
Or
how to add full SIP request body causing that error to log?
- Is it a sign of any type of DOS attack?

_______________________________________________ Users mailing list [hidden email] http://lists.opensips.org/cgi-bin/mailman/listinfo/users

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Help trace source of error: unknown URI param list excedeed

Ovidiu Sas
In reply to this post by Adam Raszynski
Nobody suggested to investigate this via error_route.
The suggestion was to increase the opensips logging verbosity.
Once you do that, you should be able to catch the bad URI.

Regards,
Ovidiu Sas

On Wed, Feb 20, 2013 at 5:12 AM, Adam Raszynski <[hidden email]> wrote:

> As suggested I enabled error logging via error_route to put in log full SIP
> message bodies
>
> Unfortunetly it doesn't seem to work with this type of error:
> ERROR:core:parse_uri: unknown URI param list excedeed
>
> For other parse errors I see message dumps, but not for this
>
> So for some reason I'm unable to catch this errors using error_route
>
> Any hints?
>
>
> 2013/2/15 Bogdan-Andrei Iancu <[hidden email]>
>>
>> Hi Ovidiu,
>>
>> Indeed, investigating a bit around would make sense :)
>>
>> Let;s see if Adam has some info for us.
>>
>>
>> Regards,
>>
>> Bogdan-Andrei Iancu
>> OpenSIPS Founder and Developer
>> http://www.opensips-solutions.com
>>
>>
>> On 02/14/2013 04:24 PM, Ovidiu Sas wrote:
>>>
>>> Hello Bogdan,
>>>
>>> Bumping the default value from 5 to 10 shouldn't be a problem,
>>> although I've never seen URIs with more than 5 unknown params.  Before
>>> bumping the default value, we should investigate to see if those
>>> unknown params are really 'unknown'.  Maybe some of those params
>>> aren't really unknown and should be parsed.
>>>
>>> @Adam
>>> Did you had a chance to enable debug logs and collect such a URI?
>>> All you need is to do is to enable the debug logs for a short period
>>> of time and check syslogs.
>>>
>>> -ovidiu
>>>
>>> On Thu, Feb 14, 2013 at 3:33 AM, Bogdan-Andrei Iancu
>>> <[hidden email]>  wrote:
>>>>
>>>> Hi Ovidiu,
>>>>
>>>> It might be wiser to have a default value of 10 to avoid such issues in
>>>> the
>>>> future. What do you think ?
>>>>
>>>> Regards,
>>>>
>>>> Bogdan-Andrei Iancu
>>>> OpenSIPS Founder and Developer
>>>> http://www.opensips-solutions.com
>>>>
>>>>
>>>>
>>>> On 02/14/2013 01:08 AM, Ovidiu Sas wrote:
>>>>>
>>>>> It seems that you are having more then 5 unknown URI params.
>>>>> One thing that you can do is to recompile with an increased number of
>>>>> URI_MAX_U_PARAMS.
>>>>> See parser/msg_parser.h and increase the URI_MAX_U_PARAMS from 5 to 10.
>>>>> #define URI_MAX_U_PARAMS 10
>>>>>
>>>>> If you enable debug logs, you should be able to see the URI that is
>>>>> causing issues.
>>>>> you can temporarily increase the debug log and the restore it via fifo:
>>>>> opensipsctl fifo debug 9
>>>>> opensipsctl fifo debug 3
>>>>>
>>>>> Regards,
>>>>> Ovidiu Sas
>>>>>
>>>>> On Wed, Feb 13, 2013 at 5:05 PM, Adam Raszynski<[hidden email]>
>>>>> wrote:
>>>>>>
>>>>>> Hi
>>>>>>
>>>>>> Recently I have discovered increasing amount of the following errors
>>>>>> in
>>>>>> my
>>>>>> logs:
>>>>>>
>>>>>> Feb 13 09:36:59 node1 /usr/sbin/opensips[10458]: ERROR:core:parse_uri:
>>>>>> unknown URI param list exceeded
>>>>>>
>>>>>> I see this error is repeated many thousands of times in my log
>>>>>>
>>>>>> Questions:
>>>>>> - What does this error mean?
>>>>>> - How to add source IP address of SIP request that caused error to
>>>>>> log?
>>>>>> Or
>>>>>> how to add full SIP request body causing that error to log?
>>>>>> - Is it a sign of any type of DOS attack?

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users