SIP activity where the Call-ID follows a token@IP format, a pattern commonly generated by automated scanners and SIP tooling rather than standard client implementations, indicating non-human or enumeration-driven behavior.

Identifies SIP scanning or probing activity where an attacker sends INVITE requests directly to a target IP address using randomly generated Call-ID tokens. This pattern is commonly associated with VoIP reconnaissance, SIP endpoint discovery, and automated dialer or PBX attack tooling attempting to enumerate reachable SIP services.

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.