From f73c43dd4da58d5e792f6574df97aab1d68f1e47 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Wed, 13 Sep 2023 09:35:35 +0200 Subject: [PATCH 01/12] detect/sip: add stub file for headers keywords A stub file has been added to implement the sticky buffers for SIP headers. Ticket #6374
--- src/Makefile.am | 1 + src/detect-sip-headers-stub.h | 140 ++++++++++++++++++++++++++++++++++ 2 files changed, 141 insertions(+) create mode 100644 src/detect-sip-headers-stub.h
diff --git a/src/Makefile.am b/src/Makefile.am
index 5b83d60cfd42..aa05f6845190 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -281,6 +281,7 @@ noinst_HEADERS = \
 detect-rpc.h \
 detect-sameip.h \
 detect-sid.h \
+ detect-sip-headers-stub.h \
 detect-sip-method.h \
 detect-sip-protocol.h \
 detect-sip-request-line.h \
diff --git a/src/detect-sip-headers-stub.h b/src/detect-sip-headers-stub.h
new file mode 100644
index 000000000000..375724ad5a9a
--- /dev/null
+++ b/src/detect-sip-headers-stub.h
@@ -0,0 +1,140 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \author Giuseppe Longo
+ *
+ * Stub for per SIP header detection keyword.
+ */
+
+#include "suricata-common.h"
+#include "flow.h"
+
+#include "detect.h"
+#include "detect-parse.h"
+#include "detect-engine.h"
+#include "detect-engine-mpm.h"
+#include "detect-engine-prefilter.h"
+#include "detect-engine-content-inspection.h"
+
+#include "rust.h"
+
+static int g_buffer_id = 0;
+
+#ifdef KEYWORD_TOSERVER
+static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
+ const int list_id, uint32_t local_id)
+{
+ SCEnter();
+
+ InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, local_id);
+ if (buffer->inspect == NULL) {
+ uint32_t b_len = 0;
+ const uint8_t *b = NULL;
+
+ if (rs_sip_tx_get_header_value(txv, local_id, STREAM_TOSERVER, HEADER_NAME, &b, &b_len) !=
+ 1) {
+ InspectionBufferSetupMultiEmpty(buffer);
+ return NULL;
+ }
+ if (b == NULL || b_len == 0) {
+ InspectionBufferSetupMultiEmpty(buffer);
+ return NULL;
+ }
+
+ InspectionBufferSetupMulti(buffer, transforms, b, b_len);
+ buffer->flags = DETECT_CI_FLAGS_SINGLE;
+ }
+
+ return buffer;
+}
+
+#endif
+#ifdef KEYWORD_TOCLIENT
+static
InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
+ const int list_id, uint32_t local_id)
+{
+ SCEnter();
+
+ InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, local_id);
+ if (buffer->inspect == NULL) {
+ uint32_t b_len = 0;
+ const uint8_t *b = NULL;
+
+ if (rs_sip_tx_get_header_value(txv, local_id, STREAM_TOCLIENT, HEADER_NAME, &b, &b_len) !=
+ 1) {
+ InspectionBufferSetupMultiEmpty(buffer);
+ return NULL;
+ }
+ if (b == NULL || b_len == 0) {
+ InspectionBufferSetupMultiEmpty(buffer);
+ return NULL;
+ }
+
+ InspectionBufferSetupMulti(buffer, transforms, b, b_len);
+ buffer->flags = DETECT_CI_FLAGS_SINGLE;
+ }
+
+ return buffer;
+}
+#endif
+
+/**
+ * \brief this function setup the http.header keyword used in the rule
+ *
+ * \param de_ctx Pointer to the Detection Engine Context
+ * \param s Pointer to the Signature to which the current keyword belongs
+ * \param str Should hold an empty string always
+ *
+ * \retval 0 On success
+ */
+static int DetectSipHeadersSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+ if (DetectBufferSetActiveList(de_ctx, s, g_buffer_id) < 0)
+ return -1;
+
+ if (DetectSignatureSetAppProto(s, ALPROTO_SIP) < 0)
+ return -1;
+
+ return 0;
+}
+
+static void DetectSipHeadersRegisterStub(void)
+{
+ sigmatch_table[KEYWORD_ID].name = KEYWORD_NAME;
+ sigmatch_table[KEYWORD_ID].desc = KEYWORD_NAME " sticky buffer for the " BUFFER_DESC;
+ sigmatch_table[KEYWORD_ID].url = "/rules/" KEYWORD_DOC;
+ sigmatch_table[KEYWORD_ID].Setup = DetectSipHeadersSetupSticky;
+ sigmatch_table[KEYWORD_ID].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
+
+#ifdef KEYWORD_TOSERVER
+ DetectAppLayerMultiRegister(
+ BUFFER_NAME, ALPROTO_SIP, SIG_FLAG_TOSERVER, 0, GetRequestData, 2, 1);
+#endif
+#ifdef KEYWORD_TOCLIENT
+ DetectAppLayerMultiRegister(
+ BUFFER_NAME, ALPROTO_SIP, SIG_FLAG_TOCLIENT, 0,
GetResponseData, 2, 1);
+#endif
+
+ DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
+
+ DetectBufferTypeSupportsMultiInstance(BUFFER_NAME);
+
+ g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
+}
From ab8e054f863f2b4d0c995a13c86dfb24d8861ca5 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Wed, 19 Jun 2024 14:26:50 +0200 Subject: [PATCH 02/12] rust/sip: store multiple header values According to RFC 3261, a single header can be repeated one or more times, and its name can also be specified using the 'compact form.' This patch updates the hashmap used for storing headers to accommodate multiple values instead of just one. Additionally, if a header name is defined in the compact form, it is expanded into its long form (i.e., the standard name). This conversion simplifies the logic for matching a given header and ensures 1:1 parity with keywords. Ticket #6374
--- rust/src/sip/parser.rs | 35 +++++++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 8 deletions(-)
diff --git a/rust/src/sip/parser.rs b/rust/src/sip/parser.rs
index a7314f163914..edaeefc857b7 100644
--- a/rust/src/sip/parser.rs
+++ b/rust/src/sip/parser.rs
@@ -21,7 +21,7 @@ use crate::sdp::parser::{sdp_parse_message, SdpMessage};
 use nom7::bytes::streaming::{tag, take, take_while, take_while1};
 use nom7::character::streaming::{char, crlf};
 use nom7::character::{is_alphabetic, is_alphanumeric, is_digit, is_space};
-use nom7::combinator::{map_res, opt};
+use nom7::combinator::{map, map_res, opt};
 use nom7::sequence::delimited;
 use nom7::{Err, IResult, Needed};
 use std;
@@ -38,7 +38,7 @@ pub struct Request {
 pub method: String,
 pub path: String,
 pub version: String,
- pub headers: HashMap,
+ pub headers: HashMap>,
 pub request_line_len: u16,
 pub headers_len: u16,
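Review bot: The `\brief` on DetectSipHeadersSetupSticky still says "this function setup the http.header keyword used in the rule", a leftover from the HTTP stub this file is modelled on; in a header compiled once per SIP keyword it should describe what is actually done, e.g. `\brief Setup for the KEYWORD_NAME sticky buffer: activates its buffer list on the signature and pins the rule to ALPROTO_SIP`. The file deliberately has no include guard and defines `static` functions plus `g_buffer_id`, which only works if each keyword .c includes it exactly once after defining KEYWORD_NAME, KEYWORD_DOC, BUFFER_NAME, BUFFER_DESC, HEADER_NAME, KEYWORD_ID and at least one of KEYWORD_TOSERVER/KEYWORD_TOCLIENT; that contract belongs in the top-of-file comment so the missing guard is not "fixed" later. In GetRequestData and GetResponseData the two early-return branches after the rs_sip_tx_get_header_value call are identical and read better as one condition, `if (rs_sip_tx_get_header_value(txv, local_id, STREAM_TOSERVER, HEADER_NAME, &b, &b_len) != 1 || b == NULL || b_len == 0) {`, and since HEADER_NAME is used by the Rust side as an exact map key, a comment noting that it must be the canonical long-form spelling the parser stores would save the next keyword author a silent non-match.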
@@ -97,6 +97,22 @@ fn is_header_value(b: u8) -> bool {
 is_alphanumeric(b) || is_token_char(b) || b"\"#$&(),/;:<=>?@[]{}()^|~\\\t\n\r ".contains(&b)
 }
+fn expand_header_name(h: &str) -> &str {
+ match h {
+ "i" => "Call-ID",
+ "m" => "Contact",
+ "e" => "Content-Encoding",
+ "l" => "Content-Length",
+ "c" => "Content-Type",
+ "f" => "From",
+ "s" => "Subject",
+ "k" => "Supported",
+ "t" => "To",
+ "v" => "Via",
+ _ => h,
+ }
+}
+
 pub fn sip_parse_request(oi: &[u8]) -> IResult<&[u8], Request> {
 let (i, method) = parse_method(oi)?;
 let (i, _) = char(' ')(i)?;
@@ -199,7 +215,7 @@ fn hcolon(i: &[u8]) -> IResult<&[u8], char> {
 }
 fn message_header(i: &[u8]) -> IResult<&[u8], Header> {
- let (i, n) = header_name(i)?;
+ let (i, n) = map(header_name, expand_header_name)(i)?;
 let (i, _) = hcolon(i)?;
 let (i, v) = header_value(i)?;
 let (i, _) = crlf(i)?;
@@ -217,8 +233,8 @@ pub fn sip_take_line(i: &[u8]) -> IResult<&[u8], Option> {
 Ok((i, Some(line.into())))
 }
-pub fn parse_headers(mut input: &[u8]) -> IResult<&[u8], HashMap> {
- let mut headers_map: HashMap = HashMap::new();
+pub fn parse_headers(mut input: &[u8]) -> IResult<&[u8], HashMap>> {
+ let mut headers_map: HashMap> = HashMap::new();
 loop {
 match crlf(input) as IResult<&[u8], _> {
 Ok((_, _)) => {
@@ -229,7 +245,10 @@ pub fn parse_headers(mut input: &[u8]) -> IResult<&[u8], HashMap Err(Err::Incomplete(e)) => return Err(Err::Incomplete(e)),
 };
 let (rest, header) = message_header(input)?;
- headers_map.insert(header.name, header.value);
+ headers_map
+ .entry(header.name)
+ .or_default()
+ .push(header.value);
 input = rest;
 }
@@ -292,7 +311,7 @@ mod tests {
 assert_eq!(req.method, "REGISTER");
 assert_eq!(req.path, "sip:sip.cybercity.dk");
 assert_eq!(req.version, "SIP/2.0");
- assert_eq!(req.headers["Content-Length"], "0");
+ assert_eq!(req.headers["Content-Length"].first().unwrap(), "0");
 }
 #[test]
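Review bot: expand_header_name only recognises the lowercase compact forms (`"i"`, `"f"`, …) and parse_headers keys the map by the name exactly as it appears on the wire, but RFC 3261 section 7.3.1 makes header field names case-insensitive, so a `F:` or `FROM:` header (assuming header_name, which is outside this hunk, hands back the raw bytes) ends up under a key that a lookup for `From` never finds, despite the commit message's "1:1 parity with keywords". Normalising before keying would close that gap, e.g. match on `h.to_ascii_lowercase().as_str()` with every arm returning the canonical spelling and a lowercased fallback, with the lookup side lowercased to match. The exact-case `headers.get(s)` that depends on this is rs_sip_tx_get_header_value in patch 04 (rust/src/sip/detect.rs), so every keyword built on it inherits the miss. The tests touched in this hunk and the next only exercise long-form `Content-Length`; one request using a compact and an upper-cased name would pin the intended behaviour down.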
@@ -308,7 +327,7 @@ mod tests {
 assert_eq!(req.method, "REGISTER");
 assert_eq!(req.path, "sip:sip.cybercity.dk");
 assert_eq!(req.version, "SIP/2.0");
- assert_eq!(req.headers["Content-Length"], "4");
+ assert_eq!(req.headers["Content-Length"].first().unwrap(), "4");
 assert_eq!(body, "ABCD".as_bytes());
 }
From 8a0fa3513f7aec069c76e79af46ac0ed5a7bd21e Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Fri, 15 Sep 2023 09:23:54 +0200 Subject: [PATCH 03/12] rust/sip: store response headers To match on response SIP headers, those headers must be stored. Ticket #6374
--- rust/src/sip/parser.rs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rust/src/sip/parser.rs b/rust/src/sip/parser.rs
index edaeefc857b7..037ecd292ada 100644
--- a/rust/src/sip/parser.rs
+++ b/rust/src/sip/parser.rs
@@ -52,7 +52,7 @@ pub struct Response {
 pub version: String,
 pub code: String,
 pub reason: String,
-
+ pub headers: HashMap>,
 pub response_line_len: u16,
 pub headers_len: u16,
 pub body_offset: u16,
@@ -151,7 +151,7 @@ pub fn sip_parse_response(oi: &[u8]) -> IResult<&[u8], Response> {
 let (i, reason) = parse_reason(i)?;
 let (hi, _) = crlf(i)?;
 let response_line_len = oi.len() - hi.len();
- let (phi, _headers) = parse_headers(hi)?;
+ let (phi, headers) = parse_headers(hi)?;
 let headers_len = hi.len() - phi.len();
 let (bi, _) = crlf(phi)?;
 let body_offset = oi.len() - bi.len();
@@ -162,6 +162,7 @@ pub fn sip_parse_response(oi: &[u8]) -> IResult<&[u8], Response> {
 version,
 code: code.into(),
 reason: reason.into(),
+ headers,
 response_line_len: response_line_len as u16,
 headers_len: headers_len as u16,
From 65236a24a0f81aa58b66439bf81e0d2e24c5d3aa Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Fri, 15 Sep 2023 09:24:25 +0200 Subject: [PATCH 04/12] rust/sip: match on headers map Ticket #6374
--- rust/src/sip/detect.rs | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/rust/src/sip/detect.rs b/rust/src/sip/detect.rs
index 91df4fb29932..ecca62285414 100644
--- a/rust/src/sip/detect.rs
+++ b/rust/src/sip/detect.rs
@@ -1,4 +1,4 @@
-/* Copyright (C) 2019 Open Information Security Foundation
+/* Copyright (C) 2024 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free
@@ -19,6 +19,7 @@ use crate::core::Direction;
 use crate::sip::sip::SIPTransaction;
+use std::ffi::CStr;
 use std::ptr;
 #[no_mangle]
@@ -165,3 +166,32 @@ pub unsafe extern "C" fn rs_sip_tx_get_response_line(
 return 0;
 }
+
+#[no_mangle]
+pub unsafe extern "C" fn rs_sip_tx_get_header_value(
+ tx: &mut SIPTransaction, i: u32, direction: u8, strname: *const std::os::raw::c_char,
+ buffer: *mut *const u8, buffer_len: *mut u32,
+) -> u8 {
+ let hname: &CStr = CStr::from_ptr(strname);
+ if let Ok(s) = hname.to_str() {
+ let headers = match direction.into() {
+ Direction::ToServer => tx.request.as_ref().map(|r| &r.headers),
+ Direction::ToClient => tx.response.as_ref().map(|r| &r.headers),
+ };
+ if let Some(headers) = headers {
+ if let Some(header_vals) = headers.get(s) {
+ if (i as usize) < header_vals.len() {
+ let value = &header_vals[i as usize];
+ *buffer = value.as_ptr();
+ *buffer_len = value.len() as u32;
+ return 1;
+ }
+ }
+ }
+ }
+
+ *buffer = ptr::null();
+ *buffer_len = 0;
+
+ return 0;
+}
From b56eec512bd947608f03e84286b75dad409ade98 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Fri, 15 Sep 2023 09:26:23 +0200 Subject: [PATCH 05/12] detect/sip: add sip.from sticky buffer Ticket #6374
--- src/Makefile.am | 2 ++ src/detect-engine-register.h | 1 + src/detect-sip-from.c | 39 ++++++++++++++++++++++++++++++++++++ src/detect-sip-from.h | 28 ++++++++++++++++++++++++++ 4 files changed, 70 insertions(+) create mode 100644 src/detect-sip-from.c create mode 100644 src/detect-sip-from.h
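Review bot: rs_sip_tx_get_header_value is `unsafe extern "C"` and dereferences `strname`, `buffer` and `buffer_len` without any check, yet carries no doc comment stating that contract; it needs a `///` block with a `# Safety` section saying that strname must be a valid NUL-terminated C string, buffer and buffer_len must be valid writable pointers, and that the pointer written to buffer borrows from `tx` and is only valid while the transaction is alive and not mutated. The function only reads the transaction (`tx.request.as_ref()`, `tx.response.as_ref()`), so `tx: &SIPTransaction` would state that and avoid handing out a pointer derived through a `&mut`. `direction.into()` relies on a `From<u8>` for Direction that is not in this hunk; if that conversion treats every value without the to-server bit as ToClient, an unexpected flag byte silently selects the response headers, which deserves either a comment or an explicit match on the two expected values with a `return 0` fallback.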
diff --git a/src/Makefile.am b/src/Makefile.am index aa05f6845190..01bb201b4c17 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -282,6 +282,7 @@ noinst_HEADERS = \ detect-sameip.h \ detect-sid.h \ detect-sip-headers-stub.h \ + detect-sip-from.h \ detect-sip-method.h \ detect-sip-protocol.h \ detect-sip-request-line.h \ @@ -881,6 +882,7 @@ libsuricata_c_a_SOURCES = \ detect-rpc.c \ detect-sameip.c \ detect-sid.c \ + detect-sip-from.c \ detect-sip-method.c \ detect-sip-protocol.c \ detect-sip-request-line.c \ diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index 71af4c3a1659..a4aad390ea72 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -275,6 +275,7 @@ enum DetectKeywordId { DETECT_AL_SIP_STAT_MSG, DETECT_AL_SIP_REQUEST_LINE, DETECT_AL_SIP_RESPONSE_LINE, + DETECT_AL_SIP_HEADER_FROM, DETECT_AL_RFB_SECRESULT, DETECT_AL_RFB_SECTYPE, DETECT_AL_RFB_NAME, diff --git a/src/detect-sip-from.c b/src/detect-sip-from.c new file mode 100644 index 000000000000..7a22bca9b37f --- /dev/null +++ b/src/detect-sip-from.c 
@@ -0,0 +1,39 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \author Giuseppe Longo
+ *
+ * Implements the sip.from sticky buffer
+ */
+
+#define KEYWORD_NAME "sip.from"
+#define KEYWORD_DOC "sip-keywords.html#sip-from"
+#define BUFFER_NAME "sip.from"
+#define BUFFER_DESC "sip from header"
+#define HEADER_NAME "From"
+#define KEYWORD_ID DETECT_AL_SIP_HEADER_FROM
+#define KEYWORD_TOSERVER 1
+#define KEYWORD_TOCLIENT 1
+
+#include "detect-sip-headers-stub.h"
+#include "detect-sip-from.h"
+
+void RegisterSipHeadersFrom(void)
+{
+ DetectSipHeadersRegisterStub();
+}
diff --git a/src/detect-sip-from.h b/src/detect-sip-from.h
new file mode 100644
index 000000000000..faa22cb1d1f1
--- /dev/null
+++ b/src/detect-sip-from.h
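Review bot: This patch adds RegisterSipHeadersFrom but, going by its diffstat (Makefile.am, detect-engine-register.h and the two new files), nothing in the series as shown here calls it, so unless a later patch (11 and 12 are not on this page) wires it into the keyword registration table in detect-engine-register.c the `sip.from` keyword is compiled but never registered; the same applies to RegisterSipHeadersTo, RegisterSipHeadersVia, RegisterSipHeadersUa, RegisterSipHeadersContentType and RegisterSipHeadersContentLength in patches 06 through 10. The per-keyword .c files are only the KEYWORD_*/BUFFER_*/HEADER_NAME macro block followed by the stub include, so a one-line comment ahead of the defines, `/* parameters consumed by detect-sip-headers-stub.h; HEADER_NAME must be the canonical long-form name the parser stores */`, would explain to a reader why the macros have to precede the include. The Doxygen block of detect-sip-from.h in the next hunk carries only `\author`; a `\file` tag and a one-line brief, `Registers the sip.from sticky buffer keyword`, would match the .c side.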
@@ -0,0 +1,28 @@ +/* Copyright (C) 2023 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + * + */ + +#ifndef SURICATA_DETECT_SIP_FROM_H +#define SURICATA_DETECT_SIP_FROM_H + +void RegisterSipHeadersFrom(void); + +#endif /* SURICATA_DETECT_SIP_FROM_H */ From 00ef079c7fdd4f2e78a1952a8bc21b10a5f73dd7 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Sat, 13 Apr 2024 16:44:47 +0200 Subject: [PATCH 06/12] detect/sip: add sip.to sticky buffer Ticket #6374 --- src/Makefile.am | 2 ++ src/detect-engine-register.h | 1 + src/detect-sip-to.c | 39 ++++++++++++++++++++++++++++++++++++ src/detect-sip-to.h | 28 ++++++++++++++++++++++++++ 4 files changed, 70 insertions(+) create mode 100644 src/detect-sip-to.c create mode 100644 src/detect-sip-to.h diff --git a/src/Makefile.am b/src/Makefile.am index 01bb201b4c17..a6e0f68c5a68 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -289,6 +289,7 @@ noinst_HEADERS = \ detect-sip-response-line.h \ detect-sip-stat-code.h \ detect-sip-stat-msg.h \ + detect-sip-to.h \ detect-sip-uri.h \ detect-smb-ntlmssp.h \ detect-smb-share.h \ @@ -889,6 +890,7 @@ libsuricata_c_a_SOURCES = \ detect-sip-response-line.c \ detect-sip-stat-code.c \ detect-sip-stat-msg.c \ + detect-sip-to.c \ detect-sip-uri.c \ detect-smb-ntlmssp.c \ detect-smb-share.c \ 
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index a4aad390ea72..b4d63fb4acdf 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -276,6 +276,7 @@ enum DetectKeywordId { DETECT_AL_SIP_REQUEST_LINE, DETECT_AL_SIP_RESPONSE_LINE, DETECT_AL_SIP_HEADER_FROM, + DETECT_AL_SIP_HEADER_TO, DETECT_AL_RFB_SECRESULT, DETECT_AL_RFB_SECTYPE, DETECT_AL_RFB_NAME, diff --git a/src/detect-sip-to.c b/src/detect-sip-to.c new file mode 100644 index 000000000000..73fe74ab4757 --- /dev/null +++ b/src/detect-sip-to.c @@ -0,0 +1,39 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + * + * Implements the sip.to sticky buffer + */ + +#define KEYWORD_NAME "sip.to" +#define KEYWORD_DOC "sip-keywords.html#sip-to" +#define BUFFER_NAME "sip.to" +#define BUFFER_DESC "sip to header" +#define HEADER_NAME "To" +#define KEYWORD_ID DETECT_AL_SIP_HEADER_TO +#define KEYWORD_TOSERVER 1 +#define KEYWORD_TOCLIENT 1 + +#include "detect-sip-headers-stub.h" +#include "detect-sip-to.h" + +void RegisterSipHeadersTo(void) +{ + DetectSipHeadersRegisterStub(); +} diff --git a/src/detect-sip-to.h b/src/detect-sip-to.h new file mode 100644 index 000000000000..f4eabcaa76ba --- /dev/null +++ b/src/detect-sip-to.h 
@@ -0,0 +1,28 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + * + */ + +#ifndef SURICATA_DETECT_SIP_TO_H +#define SURICATA_DETECT_SIP_TO_H + +void RegisterSipHeadersTo(void); + +#endif /* SURICATA_DETECT_SIP_TO_H */ From a16ec14170c2c40a21d9f859f595b9bfda2a9f31 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Sat, 13 Apr 2024 16:57:50 +0200 Subject: [PATCH 07/12] detect/sip: add sip.via sticky buffer Ticket #6374 --- src/Makefile.am | 2 ++ src/detect-engine-register.h | 1 + src/detect-sip-via.c | 39 ++++++++++++++++++++++++++++++++++++ src/detect-sip-via.h | 28 ++++++++++++++++++++++++++ 4 files changed, 70 insertions(+) create mode 100644 src/detect-sip-via.c create mode 100644 src/detect-sip-via.h diff --git a/src/Makefile.am b/src/Makefile.am index a6e0f68c5a68..74f0776d437d 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -291,6 +291,7 @@ noinst_HEADERS = \ detect-sip-stat-msg.h \ detect-sip-to.h \ detect-sip-uri.h \ + detect-sip-via.h \ detect-smb-ntlmssp.h \ detect-smb-share.h \ detect-smb-version.h \ @@ -892,6 +893,7 @@ libsuricata_c_a_SOURCES = \ detect-sip-stat-msg.c \ detect-sip-to.c \ detect-sip-uri.c \ + detect-sip-via.c \ detect-smb-ntlmssp.c \ detect-smb-share.c \ detect-smb-version.c \ 
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index b4d63fb4acdf..3db033b94c34 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -277,6 +277,7 @@ enum DetectKeywordId { DETECT_AL_SIP_RESPONSE_LINE, DETECT_AL_SIP_HEADER_FROM, DETECT_AL_SIP_HEADER_TO, + DETECT_AL_SIP_HEADER_VIA, DETECT_AL_RFB_SECRESULT, DETECT_AL_RFB_SECTYPE, DETECT_AL_RFB_NAME, diff --git a/src/detect-sip-via.c b/src/detect-sip-via.c new file mode 100644 index 000000000000..687c7a20d641 --- /dev/null +++ b/src/detect-sip-via.c @@ -0,0 +1,39 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + * + * Implements the sip.via sticky buffer + */ + +#define KEYWORD_NAME "sip.via" +#define KEYWORD_DOC "sip-keywords.html#sip-via" +#define BUFFER_NAME "sip.via" +#define BUFFER_DESC "sip via header" +#define HEADER_NAME "Via" +#define KEYWORD_ID DETECT_AL_SIP_HEADER_VIA +#define KEYWORD_TOSERVER 1 +#define KEYWORD_TOCLIENT 1 + +#include "detect-sip-headers-stub.h" +#include "detect-sip-via.h" + +void RegisterSipHeadersVia(void) +{ + DetectSipHeadersRegisterStub(); +} diff --git a/src/detect-sip-via.h b/src/detect-sip-via.h new file mode 100644 index 000000000000..2e43bfe23435 --- /dev/null +++ b/src/detect-sip-via.h 
@@ -0,0 +1,28 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + * + */ + +#ifndef SURICATA_DETECT_SIP_VIA_H +#define SURICATA_DETECT_SIP_VIA_H + +void RegisterSipHeadersVia(void); + +#endif /* SURICATA_DETECT_SIP_VIA_H */ From 4d96d0cbef3b92bad811eb8479c58c10ed029753 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Sat, 13 Apr 2024 17:07:25 +0200 Subject: [PATCH 08/12] detect/sip: add sip.user_agent sticky buffer Ticket #6374 --- src/Makefile.am | 2 ++ src/detect-engine-register.h | 1 + src/detect-sip-ua.c | 39 ++++++++++++++++++++++++++++++++++++ src/detect-sip-ua.h | 28 ++++++++++++++++++++++++++ 4 files changed, 70 insertions(+) create mode 100644 src/detect-sip-ua.c create mode 100644 src/detect-sip-ua.h diff --git a/src/Makefile.am b/src/Makefile.am index 74f0776d437d..73d49d70c62a 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -290,6 +290,7 @@ noinst_HEADERS = \ detect-sip-stat-code.h \ detect-sip-stat-msg.h \ detect-sip-to.h \ + detect-sip-ua.h \ detect-sip-uri.h \ detect-sip-via.h \ detect-smb-ntlmssp.h \ @@ -892,6 +893,7 @@ libsuricata_c_a_SOURCES = \ detect-sip-stat-code.c \ detect-sip-stat-msg.c \ detect-sip-to.c \ + detect-sip-ua.c \ detect-sip-uri.c \ detect-sip-via.c \ detect-smb-ntlmssp.c \ 
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index 3db033b94c34..b5d7e0ebcef8 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -278,6 +278,7 @@ enum DetectKeywordId { DETECT_AL_SIP_HEADER_FROM, DETECT_AL_SIP_HEADER_TO, DETECT_AL_SIP_HEADER_VIA, + DETECT_AL_SIP_HEADER_UA, DETECT_AL_RFB_SECRESULT, DETECT_AL_RFB_SECTYPE, DETECT_AL_RFB_NAME, diff --git a/src/detect-sip-ua.c b/src/detect-sip-ua.c new file mode 100644 index 000000000000..efc21c98db21 --- /dev/null +++ b/src/detect-sip-ua.c @@ -0,0 +1,39 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + * + * Implements the sip.user_agent sticky buffer + */ + +#define KEYWORD_NAME "sip.user_agent" +#define KEYWORD_DOC "sip-keywords.html#sip-user-agent" +#define BUFFER_NAME "sip.user_agent" +#define BUFFER_DESC "sip user agent header" +#define HEADER_NAME "User-Agent" +#define KEYWORD_ID DETECT_AL_SIP_HEADER_UA +#define KEYWORD_TOSERVER 1 +#define KEYWORD_TOCLIENT 1 + +#include "detect-sip-headers-stub.h" +#include "detect-sip-ua.h" + +void RegisterSipHeadersUa(void) +{ + DetectSipHeadersRegisterStub(); +} diff --git a/src/detect-sip-ua.h b/src/detect-sip-ua.h new file mode 100644 index 000000000000..9435531590d5 --- /dev/null +++ b/src/detect-sip-ua.h 
@@ -0,0 +1,28 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + * + */ + +#ifndef SURICATA_DETECT_SIP_UA_H +#define SURICATA_DETECT_SIP_UA_H + +void RegisterSipHeadersUa(void); + +#endif /* SURICATA_DETECT_SIP_UA_H */ From 025dcaa2891dd2bf2eff972e1b6de9dccf6ef4e8 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Sat, 13 Apr 2024 17:20:16 +0200 Subject: [PATCH 09/12] detect/sip: add sip.content_type sticky buffer Ticket #6374 --- src/Makefile.am | 2 ++ src/detect-engine-register.h | 1 + src/detect-sip-content-type.c | 39 +++++++++++++++++++++++++++++++++++ src/detect-sip-content-type.h | 29 ++++++++++++++++++++++++++ 4 files changed, 71 insertions(+) create mode 100644 src/detect-sip-content-type.c create mode 100644 src/detect-sip-content-type.h diff --git a/src/Makefile.am b/src/Makefile.am index 73d49d70c62a..5cc72c55698d 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -281,6 +281,7 @@ noinst_HEADERS = \ detect-rpc.h \ detect-sameip.h \ detect-sid.h \ + detect-sip-content-type.h \ detect-sip-headers-stub.h \ detect-sip-from.h \ detect-sip-method.h \ @@ -885,6 +886,7 @@ libsuricata_c_a_SOURCES = \ detect-rpc.c \ detect-sameip.c \ detect-sid.c \ + detect-sip-content-type.c \ detect-sip-from.c \ detect-sip-method.c \ detect-sip-protocol.c \ 
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index b5d7e0ebcef8..8ed477e681db 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -279,6 +279,7 @@ enum DetectKeywordId { DETECT_AL_SIP_HEADER_TO, DETECT_AL_SIP_HEADER_VIA, DETECT_AL_SIP_HEADER_UA, + DETECT_AL_SIP_HEADER_CONTENT_TYPE, DETECT_AL_RFB_SECRESULT, DETECT_AL_RFB_SECTYPE, DETECT_AL_RFB_NAME, diff --git a/src/detect-sip-content-type.c b/src/detect-sip-content-type.c new file mode 100644 index 000000000000..2ab720c93f51 --- /dev/null +++ b/src/detect-sip-content-type.c @@ -0,0 +1,39 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + * + * Implements the sip.content_type sticky buffer + */ + +#define KEYWORD_NAME "sip.content_type" +#define KEYWORD_DOC "sip-keywords.html#sip-content-type" +#define BUFFER_NAME "sip.content_type" +#define BUFFER_DESC "sip content-type header" +#define HEADER_NAME "Content-Type" +#define KEYWORD_ID DETECT_AL_SIP_HEADER_CONTENT_TYPE +#define KEYWORD_TOSERVER 1 +#define KEYWORD_TOCLIENT 1 + +#include "detect-sip-headers-stub.h" +#include "detect-sip-content-type.h" + +void RegisterSipHeadersContentType(void) +{ + DetectSipHeadersRegisterStub(); +} 
diff --git a/src/detect-sip-content-type.h b/src/detect-sip-content-type.h new file mode 100644 index 000000000000..28f20191c5a3 --- /dev/null +++ b/src/detect-sip-content-type.h @@ -0,0 +1,29 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * + * \author Giuseppe Longo + * + */ + +#ifndef SURICATA_DETECT_SIP_CONTENT_TYPE_H +#define SURICATA_DETECT_SIP_CONTENT_TYPE_H + +void RegisterSipHeadersContentType(void); + +#endif /* SURICATA_DETECT_SIP_CONTENT_TYPE_H */ From a7923d961288fbdc4d320a0088779af884558ef7 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Sat, 13 Apr 2024 17:29:31 +0200 Subject: [PATCH 10/12] detect/sip: add sip.content_length sticky buffer Ticket #6374 --- src/Makefile.am | 2 ++ src/detect-engine-register.h | 1 + src/detect-sip-content-length.c | 41 +++++++++++++++++++++++++++++++++ src/detect-sip-content-length.h | 28 ++++++++++++++++++++++ 4 files changed, 72 insertions(+) create mode 100644 src/detect-sip-content-length.c create mode 100644 src/detect-sip-content-length.h diff --git a/src/Makefile.am b/src/Makefile.am index 5cc72c55698d..0ae52443a8b2 100755 --- a/src/Makefile.am +++ b/src/Makefile.am 
@@ -281,6 +281,7 @@ noinst_HEADERS = \
 detect-rpc.h \
 detect-sameip.h \
 detect-sid.h \
+ detect-sip-content-length.h \
 detect-sip-content-type.h \
 detect-sip-headers-stub.h \
 detect-sip-from.h \
@@ -886,6 +887,7 @@ libsuricata_c_a_SOURCES = \
 detect-rpc.c \
 detect-sameip.c \
 detect-sid.c \
+ detect-sip-content-length.c \
 detect-sip-content-type.c \
 detect-sip-from.c \
 detect-sip-method.c \
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
index 8ed477e681db..7748f2d86928 100644
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@@ -280,6 +280,7 @@ enum DetectKeywordId {
 DETECT_AL_SIP_HEADER_VIA,
 DETECT_AL_SIP_HEADER_UA,
 DETECT_AL_SIP_HEADER_CONTENT_TYPE,
+ DETECT_AL_SIP_HEADER_CONTENT_LENGTH,
 DETECT_AL_RFB_SECRESULT,
 DETECT_AL_RFB_SECTYPE,
 DETECT_AL_RFB_NAME,
diff --git a/src/detect-sip-content-length.c b/src/detect-sip-content-length.c
new file mode 100644
index 000000000000..ebc5657d2fe3
--- /dev/null
+++ b/src/detect-sip-content-length.c
@@ -0,0 +1,41 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Giuseppe Longo
+ *
+ * Implements the sip.content_length sticky buffer
+ */
+
+#define KEYWORD_NAME "sip.content_length"
+#define KEYWORD_DOC "sip-keywords.html#sip-content-length"
+#define BUFFER_NAME "sip.content_length"
+#define BUFFER_DESC "sip content-length header"
+#define HEADER_NAME "Content-Length"
+#define KEYWORD_ID DETECT_AL_SIP_HEADER_CONTENT_LENGTH
+#define KEYWORD_TOSERVER 1
+#define KEYWORD_TOCLIENT 1
+
+#include "detect-sip-headers-stub.h"
+#include "detect-sip-content-length.h"
+
+void RegisterSipHeadersContentLength(void)
+{
+ DetectSipHeadersRegisterStub();
+}
diff --git a/src/detect-sip-content-length.h b/src/detect-sip-content-length.h
new file mode 100644
index 000000000000..1674320c49f6
--- /dev/null
+++ b/src/detect-sip-content-length.h
@@ -0,0 +1,28 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \author Giuseppe Longo
+ *
+ */
+
+#ifndef SURICATA_DETECT_SIP_CONTENT_LENGTH_H
+#define SURICATA_DETECT_SIP_CONTENT_LENGTH_H
+
+void RegisterSipHeadersContentLength(void);
+
+#endif /* SURICATA_DETECT_SIP_CONTENT_LENGTH_H */
From 93682047dabb8f94f08959905db9b063e5290c6e Mon Sep 17 00:00:00 2001
From: Giuseppe Longo
Date: Fri, 15 Sep 2023 09:27:37 +0200
Subject: [PATCH 11/12] detect/sip: register headers sticky buffers

Ticket #6374
---
 src/Makefile.am | 2 ++
 src/detect-engine-register.c | 2 ++
 src/detect-sip-headers.c | 38 ++++++++++++++++++++++++++++++++++++
 src/detect-sip-headers.h | 23 ++++++++++++++++++++++
 4 files changed, 65 insertions(+)
 create mode 100644 src/detect-sip-headers.c
 create mode 100644 src/detect-sip-headers.h
diff --git a/src/Makefile.am b/src/Makefile.am
index 0ae52443a8b2..b62c92b99377 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -283,6 +283,7 @@ noinst_HEADERS = \
 detect-sid.h \
 detect-sip-content-length.h \
 detect-sip-content-type.h \
+ detect-sip-headers.h \
 detect-sip-headers-stub.h \
 detect-sip-from.h \
 detect-sip-method.h \
@@ -889,6 +890,7 @@ libsuricata_c_a_SOURCES = \
 detect-sid.c \
 detect-sip-content-length.c \
 detect-sip-content-type.c \
+ detect-sip-headers.c \
 detect-sip-from.c \
 detect-sip-method.c \
 detect-sip-protocol.c \
diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c
index 5d4438485811..818c7399f32f 100644
--- a/src/detect-engine-register.c
+++ b/src/detect-engine-register.c
@@ -207,6 +207,7 @@
 #include "detect-sip-stat-msg.h"
 #include "detect-sip-request-line.h"
 #include "detect-sip-response-line.h"
+#include "detect-sip-headers.h"
 #include "detect-rfb-secresult.h"
 #include "detect-rfb-sectype.h"
 #include "detect-rfb-name.h"
@@ -686,6 +687,7 @@ void SigTableSetup(void)
 DetectSipStatMsgRegister();
 DetectSipRequestLineRegister();
 DetectSipResponseLineRegister();
+ DetectSipHeadersRegister();
 DetectRfbSecresultRegister();
 DetectRfbSectypeRegister();
 DetectRfbNameRegister();
diff --git a/src/detect-sip-headers.c b/src/detect-sip-headers.c
new file mode 100644
index 000000000000..ea00fde0cf28
--- /dev/null
+++ b/src/detect-sip-headers.c
@@ -0,0 +1,38 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \author Giuseppe Longo
+ */
+
+#include "detect-sip-headers.h"
+#include "detect-sip-from.h"
+#include "detect-sip-to.h"
+#include "detect-sip-via.h"
+#include "detect-sip-ua.h"
+#include "detect-sip-content-type.h"
+#include "detect-sip-content-length.h"
+
+void DetectSipHeadersRegister(void)
+{
+ RegisterSipHeadersFrom();
+ RegisterSipHeadersTo();
+ RegisterSipHeadersVia();
+ RegisterSipHeadersUa();
+ RegisterSipHeadersContentType();
+ RegisterSipHeadersContentLength();
+}
diff --git a/src/detect-sip-headers.h b/src/detect-sip-headers.h
new file mode 100644
index 000000000000..37bbd3af1f18
--- /dev/null
+++ b/src/detect-sip-headers.h
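Review bot: The per-header registration functions called from DetectSipHeadersRegister() (`RegisterSipHeadersFrom()` through `RegisterSipHeadersContentLength()`) use a `Register*` prefix, while every other keyword registered from SigTableSetup in this series, including `DetectSipHeadersRegister()` itself, follows the `Detect*Register()` pattern; renaming them, e.g. `DetectSipContentTypeRegister()`, would keep the module consistent with its callers. The file comment carries only an author tag; a `\file` line and a one-sentence purpose such as `Registers the sip.* header sticky buffers` would match the other new files.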
@@ -0,0 +1,23 @@ +/* Copyright (C) 2023 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +#ifndef __DETECT_SIP_HEADERS_H__ +#define __DETECT_SIP_HEADERS_H__ + +void DetectSipHeadersRegister(void); + +#endif /* __DETECT_SIP_HEADERS_H__ */ From 5334c3f0409fab8ae9adde85c33c51557890cf95 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Thu, 18 Apr 2024 15:31:55 +0200 Subject: [PATCH 12/12] doc: add new sip keywords --- doc/userguide/rules/sip-keywords.rst | 132 +++++++++++++++++++++++++++ doc/userguide/upgrade.rst | 6 ++ 2 files changed, 138 insertions(+) diff --git a/doc/userguide/rules/sip-keywords.rst b/doc/userguide/rules/sip-keywords.rst index be3662b1a5b0..64a67c20d144 100644 --- a/doc/userguide/rules/sip-keywords.rst +++ b/doc/userguide/rules/sip-keywords.rst @@ -13,6 +13,12 @@ sip.stat_code Response sip.stat_msg Response sip.response_line Response sip.protocol Both +sip.from Both +sip.to Both +sip.via Both +sip.user_agent Both +sip.content_type Both +sip.content_length Both ============================== ================== sip.method 
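Review bot: The include guard `__DETECT_SIP_HEADERS_H__` is a double-underscore identifier, which C reserves for the implementation, and it departs from the `SURICATA_DETECT_SIP_CONTENT_TYPE_H` style the sibling headers in this series use; `#ifndef SURICATA_DETECT_SIP_HEADERS_H` / `#define SURICATA_DETECT_SIP_HEADERS_H` / `#endif /* SURICATA_DETECT_SIP_HEADERS_H */` would match them. The copyright line also reads 2023 where the other new files in the series say 2024.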
@@ -177,3 +183,129 @@ Example :: sip.protocol; content:"SIP/2.0" + +sip.from +-------- + +This keyword matches on the From field that can be present in SIP headers. + +Syntax +~~~~~~ + +:: + + sip.from; content: + +Where is the value of the From header. + +Example +~~~~~~~ + +:: + + sip.from; content:"user" + +sip.to +------ + +This keyword matches on the To field that can be present in SIP headers. + +Syntax +~~~~~~ + +:: + + sip.to; content: + +Where is the value of the To header. + +Example +~~~~~~~ + +:: + + sip.to; content:"user" + +sip.via +-------- + +This keyword matches on the Via field that can be present in SIP headers. + +Syntax +~~~~~~ + +:: + + sip.via; content: + +Where is the value of the Via header. + +Example +~~~~~~~ + +:: + + sip.via; content:"SIP/2.0/UDP" + +sip.user_agent +-------------- + +This keyword matches on the User-Agent field that can be present in SIP headers. + +Syntax +~~~~~~ + +:: + + sip.user_agent; content: + +Where is the value of the User-Agent header. + +Example +~~~~~~~ + +:: + + sip.user_agent; content:"Asterisk" + +sip.content_type +---------------- + +This keyword matches on the Content-Type field that can be present in SIP headers. + +Syntax +~~~~~~ + +:: + + sip.content_type; content: + +Where is the value of the Content-Type header. + +Example +~~~~~~~ + +:: + + sip.content_type; content:"application/sdp" + +sip.content_length +------------------ + +This keyword matches on the Content-Length field that can be present in SIP headers. + +Syntax +~~~~~~ + +:: + + sip.content_length; content: + +Where is the value of the Content-Length header. + +Example +~~~~~~~ + +:: + + sip.content_length; content:"200" diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst index 4de3971c94c3..e48edfb6d285 100644 --- a/doc/userguide/upgrade.rst +++ b/doc/userguide/upgrade.rst 
@@ -60,6 +60,12 @@ Major changes - It is possible to see an increase of alerts, for the same rule-sets, if you use many stream/payload rules, due to Suricata triggering TCP stream reassembly earlier. +- The following sticky buffers for matching SIP headers have been implemented: + - sip.via + - sip.from + - sip.to + - sip.content_type + - sip.content_length Upgrading 6.0 to 7.0 --------------------