The behaviour of latested firmware has changed regarding SIP intrusion
the detected intrusions are dropped, but the ip adress of hacker is no more copied in the blocked ip adress list of the firewall

can you tell us more about these security features

thanks
Henri

Your observation is correct. In the latest firmware versions an additional security measure is added to SIP IDS. If the SIP IDS is enabled, the inbound SIP messages are being scanned and dropped if they contain fields having relation to well known VoIP hacking programs. In this case the IP address of the source is not added to the blocked IP list to save space in that table. The SIP packets from non well-known sources are being handled as before with adding IPs to the blocked list if intrusion detected.

Thanks for this highlight
Henri