Matched signatures
Each row is one fingerprint marker that fired. Markers are weighted by how distinctive they are; the totals on the right drive the verdict above.
Paste a single SIP request from a packet capture or SBC log and the recognizer matches it against the well-known signatures of SIP scanning, brute-force, TDoS, and legitimate testing tools — SIPVicious, sipsak, sipcli, Mr.SIP, sundayddr, SIPp, pjsua, Asterisk, FreeSWITCH. It scores User-Agent strings plus behavioral markers (Via branch format, Call-ID shape, From-tag length) so a spoofed User-Agent still gets caught.
Everything runs in your browser. The text you paste is never sent to any server — no network requests, no logging.
Each row is one fingerprint marker that fired. Markers are weighted by how distinctive they are; the totals on the right drive the verdict above.
All tools that scored above zero, sorted by total weighted score. Useful for ambiguous traffic — sometimes a fork of SIPVicious will partially match both the classic signature and the modernized one.
| Tool | Family | Score | Markers fired |
|---|
RFC / convention deviations that hint at automated tooling even when no specific fingerprint matches.
Many scanners and dialers leave a default User-Agent — friendly-scanner, sipcli/v, sipsak, Mr.SIP. Blocking on User-Agent alone catches the lazy ones. The recognizer scores User-Agent matches highest (80–100) but never relies on them alone.
Tools generate transaction IDs with characteristic shapes —
SIPVicious classic uses a tiny z9hG4bK-NNNN
branch, a 10-hex-char From tag, and a Call-ID that's a
Unix timestamp followed by a hash. sipsak uses
z9hG4bK. with a dot. Forks that spoof the
User-Agent often forget to update these — so behavioral
markers catch the spoofers.
Sandro Gauci's original SIPVicious bundles svmap (host discovery), svwar (extension enumeration), and svcrack (password guessing). The default friendly-scanner User-Agent is still the highest-volume SIP scan banner on the internet. SIPVicious-PRO is the modern commercial fork — same signature heritage, different defaults.
sipcli ships as a Windows command-line dialer
that's become the go-to for international revenue-share
fraud (IRSF) — bot operator finds an open SIP trunk,
dials premium-rate destinations all night. User-Agent
sipcli/v1.8 or similar; INVITE-only; CSeq
counter increments rapidly across calls.
SIPp, pjsua, Asterisk, FreeSWITCH, and modern carrier SBCs all leave recognizable User-Agents too. The recognizer flags these with an info tone instead of a threat tone — you can still see the signature, but the verdict reads "legitimate SIP testing / signaling stack."
fail2ban regexes against User-Agent: friendly-scanner still block enormous chunks of scan traffic at near-zero cost. Combine with: SBC rate-limit (max INVITEs/sec per source), geo-blocklist, denial of REGISTER from sources outside known dialer ranges, and a real authentication policy (long random passwords, account lockout, SHA-256 digest). The recognizer's Defensive notes section above lists specific rules per tool.
Threat = a known scanner/brute-forcer/TDoS tool; source should be in your blocklist. Caution = dual-use (testing tools that can be repurposed) or partial match; review the markers below. Info = legitimate signaling stack — Asterisk, FreeSWITCH, an SBC. Unknown = nothing distinctive matched; could be a competent attacker, a SIP stack the recognizer doesn't know yet, or just a legitimate UA without a recognizable User-Agent.
Volume II of The VoIP Engineer's Library walks the attack tree this tool detects against — recon, registration brute force, INVITE flood, TDoS, IRSF — and the defenses that hold up: hardened SBC config, fail2ban rule sets, auth policy, and topology choices that minimize attack surface.