Seeing "retry query scaps" in ATA logs - what is it?


Tim Horton

Jan 1, 2021, 11:38:39 PM
to SCAP Discussion and Development

Hi there.

I have a pair of VOIP ATA devices, and they generate quite a few useless syslog entries such as: 

++++ retry query scaps
+++ need tftp addr..
+++ send scaps discovery query

I've been asking in several different VoIP and Cisco forums (the device is a Cisco SPA-112) what the heck are these scaps queries all about and how do I tell these devices to stop doing them. Then I stumble on this Security Content Automation Protocol (SCAP) stuff and I'm thinking - hey, maybe the ATAs are looking for a SCAP server or proxy?

Has this SCAP stuff been implemented in consumer devices yet? Is there a public domain SCAP server that I can install on a Linux box that would intercept these SCAP queries coming from my ATAs (if indeed that's what they are)?

Tim Horton

Jan 3, 2021, 9:06:11 AM
to SCAP Discussion and Development, Tim Horton
Is it currently a legal requirement for network devices to implement SCAP in such a way that end users are not able to disable this SCAP functionality? I ask because if indeed the log messages I'm seeing my VoIP ATA generate do pertain to SCAP (Security Content Automation Protocol) then I wonder why I do not see any reference to this SCAP in the ATA's configuration interface.

Tim Horton

Jan 8, 2021, 9:05:57 PM
to SCAP Discussion and Development, Tim Horton


I got an email reply (I'd rather any replies stay here in public in this thread) that wondered what my device is. It is a Cisco SPA-112 VoIP adapter (ATA). I have it set to send error messages to a syslog server, and I have it set for minimal "verbosity" so not a lot of stuff being reported by the device, except I'm seeing thousands of these 3-line sequences:


++++ retry query scaps
+++ need tftp addr..
+++ send scaps discovery query

I've asked in the Cisco forums what exactly is this "SCAPS" stuff, as well as the DSLReports VoIP technical forum, and again nobody knows what "SCAPS" is. It took me a few hours of internet searching to finally figure out that SCAPS in terms of VoIP could be "Security Content Automation Protocol". So I figure what better forum to ask questions about that protocol than here?

It seems to be a legal (if not US Gov't) requirement that SCAPS be built into many types of network devices, including VOIP adapters, but I can see nothing in my device's web configuration interface referring to SCAP let alone an entry box for entering in a SCAPS server host name (I'm guessing that SCAP or SCAPS requires at some point a server that devices contact to get security config info - yes?).

How does the SCAP/SCAPS protocol work?  Am I right that devices do or can look for a "SCAP Server"? 

David Ries

Jan 8, 2021, 11:09:35 PM
to Tim Horton, SCAP Discussion and Development
Hi Tim,

The SCAP standard is a general approach to security automation but doesn’t include any specific technology (no servers, running code, etc.). There is no “SCAP server” in the standard.

Personally, I doubt this message has anything to do with our “SCAP”.

It’s possible that your Cisco device or some software you are running is using SCAP for security automation and this log message is related to that, but you would need to ask them about that.

-David

David E. Ries
Co-Founder, Business Development
ri...@jovalcm.com

Joval Continuous Monitoring


Tim Horton

Jan 8, 2021, 11:48:03 PM
to SCAP Discussion and Development, David Ries, SCAP Discussion and Development, Tim Horton
This document:

"Applicability of the Security Control Automation Protocol (SCAP) to Voice over Internet Protocol (VoIP) Systems" (circa 2010)
http://isalliance.org/publications/8A.%20Applicability%20of%20SCAP%20to%20VoIP%20Systems%20-%20White%20Paper%20Draft%20for%20Review%20V1%20-%20ISA%202010.pdf

is obviously describing "SCAP" in relation to VoIP ATA adapters.

This site:  www.open-scap.org

is, I assume, dealing with SCAP, the same SCAP as this Google group. In particular, I find this:

OpenSCAP Daemon http://www.open-scap.org/tools/openscap-daemon/

"The OpenSCAP Daemon is a service that runs in the background. It makes sure your machines and containers are evaluated according to the schedule you specify. Functionality can be divided into two categories — continuously evaluating machines against a specific policy, and one-off evaluation.  Under the hood it uses the NIST-certified oscap tool, but wraps it in an interface which is easier to use."

Now whether that daemon is only performing this SCAP service on and only for a single machine in question, or if that daemon is able to query other devices (or act as a SCAP server?) is not clear to me.

My cursory understanding of SCAP is that when you have various devices on the network, they do not know the extent to which they are updated or patched against known exploits, and perhaps SCAP allows them to proactively seek out some authoritative server where they can ascertain their level of patching? And if they are deficient then at least the server knows it? And perhaps the server can hand off the appropriate patches to the device?

David Ries

Jan 9, 2021, 12:46:22 AM
to Tim Horton, SCAP Discussion and Development
Hi Tim,

I haven’t read that ISA document and am not familiar with that group. 

I am familiar with OpenSCAP. That is a software product that uses SCAP along with many other standards and technologies. Like other products that use SCAP, it may interact with servers, etc. but those capabilities are outside of what SCAP (the standard) deals with. 

There may be an easier approach to helping you rule out our SCAP as a clue to the source of your mysterious log messages. Do you know what your Cisco ATA adapter runs? E.g. does it run Cisco IOS or IOSXE?

-David 
