From 383645c2c2228b9b794dd0af87e75f67468a49f9 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Wed, 13 Sep 2023 09:35:35 +0200 Subject: [PATCH 01/10] detect/sip: add stub file for headers keywords A stub file has been added to implement the sticky buffers for SIP headers. Ticket #6374 --- src/Makefile.am | 1 + src/detect-sip-headers-stub.h | 136 ++++++++++++++++++++++++++++++++++ 2 files changed, 137 insertions(+) create mode 100644 src/detect-sip-headers-stub.h diff --git a/src/Makefile.am b/src/Makefile.am index 641b4c02dda9..da8fb90b19bd 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -288,6 +288,7 @@ noinst_HEADERS = \ detect-rpc.h \ detect-sameip.h \ detect-sid.h \ + detect-sip-headers-stub.h \ detect-sip-method.h \ detect-sip-protocol.h \ detect-sip-request-line.h \ diff --git a/src/detect-sip-headers-stub.h b/src/detect-sip-headers-stub.h new file mode 100644 index 000000000000..df452cdd80bf --- /dev/null +++ b/src/detect-sip-headers-stub.h 
@@ -0,0 +1,136 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + * + * Stub for per SIP header detection keyword. + */ + +#include "suricata-common.h" +#include "flow.h" + +#include "detect.h" +#include "detect-parse.h" +#include "detect-engine.h" +#include "detect-engine-mpm.h" +#include "detect-engine-prefilter.h" + +#include "util-debug.h" +#include "rust.h" + +static int g_buffer_id = 0; + +#ifdef KEYWORD_TOSERVER +static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx, + const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv, + const int list_id) +{ + SCEnter(); + + InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); + if (buffer->inspect == NULL) { + uint32_t b_len = 0; + const uint8_t *b = NULL; + + if (rs_sip_tx_get_header_value(txv, STREAM_TOSERVER, HEADER_NAME, &b, &b_len) != 1) + return NULL; + if (b == NULL || b_len == 0) + return NULL; + + InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); + InspectionBufferApplyTransforms(buffer, transforms); + } + + return buffer; +} + +#endif +#ifdef KEYWORD_TOCLIENT +static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx, + const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv, + const int 
list_id) +{ + SCEnter(); + + InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); + if (buffer->inspect == NULL) { + uint32_t b_len = 0; + const uint8_t *b = NULL; + + if (rs_sip_tx_get_header_value(txv, STREAM_TOCLIENT, HEADER_NAME, &b, &b_len) != 1) + return NULL; + if (b == NULL || b_len == 0) + return NULL; + + InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); + InspectionBufferApplyTransforms(buffer, transforms); + } + + return buffer; +} +#endif + +/** + * \brief this function setup the http.header keyword used in the rule + * + * \param de_ctx Pointer to the Detection Engine Context + * \param s Pointer to the Signature to which the current keyword belongs + * \param str Should hold an empty string always + * + * \retval 0 On success + */ +static int DetectSipHeadersSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str) +{ + if (DetectBufferSetActiveList(de_ctx, s, g_buffer_id) < 0) + return -1; + + if (DetectSignatureSetAppProto(s, ALPROTO_SIP) < 0) + return -1; + + return 0; +} + +static void DetectSipHeadersRegisterStub(void) +{ + sigmatch_table[KEYWORD_ID].name = KEYWORD_NAME; + sigmatch_table[KEYWORD_ID].desc = KEYWORD_NAME " sticky buffer for the " BUFFER_DESC; + sigmatch_table[KEYWORD_ID].url = "/rules/" KEYWORD_DOC; + sigmatch_table[KEYWORD_ID].Setup = DetectSipHeadersSetupSticky; + sigmatch_table[KEYWORD_ID].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; + +#ifdef KEYWORD_TOSERVER + DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, + GetRequestData, ALPROTO_SIP, 1); +#endif +#ifdef KEYWORD_TOCLIENT + DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister, + GetResponseData, ALPROTO_SIP, 1); +#endif +#ifdef KEYWORD_TOSERVER + DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SIP, SIG_FLAG_TOSERVER, 0, + DetectEngineInspectBufferGeneric, GetRequestData); +#endif +#ifdef KEYWORD_TOCLIENT + 
DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SIP, SIG_FLAG_TOCLIENT, 0, + DetectEngineInspectBufferGeneric, GetResponseData); +#endif + + DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC); + + g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME); +} From a1ee06c3600f5f8add03b0c028f618d236889085 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Fri, 15 Sep 2023 09:23:54 +0200 Subject: [PATCH 02/10] rust/sip: store response headers To match on response SIP headers, those headers must be stored. Ticket #6374 --- rust/src/sip/parser.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rust/src/sip/parser.rs b/rust/src/sip/parser.rs index 996201e42b44..8f7e1f545895 100644 --- a/rust/src/sip/parser.rs +++ b/rust/src/sip/parser.rs @@ -50,6 +50,7 @@ pub struct Response { pub version: String, pub code: String, pub reason: String, + pub headers: HashMap, pub response_line_len: u16, pub headers_len: u16, @@ -130,7 +131,7 @@ pub fn sip_parse_response(oi: &[u8]) -> IResult<&[u8], Response> { let (i, reason) = parse_reason(i)?; let (hi, _) = crlf(i)?; let response_line_len = oi.len() - hi.len(); - let (phi, _headers) = parse_headers(hi)?; + let (phi, headers) = parse_headers(hi)?; let headers_len = hi.len() - phi.len(); let (bi, _) = crlf(phi)?; let body_offset = oi.len() - bi.len(); @@ -140,6 +141,7 @@ pub fn sip_parse_response(oi: &[u8]) -> IResult<&[u8], Response> { version, code: code.into(), reason: reason.into(), + headers, response_line_len: response_line_len as u16, headers_len: headers_len as u16, From e3c4c88425db9a08233787425bdbabefae84f662 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Fri, 15 Sep 2023 09:24:25 +0200 Subject: [PATCH 03/10] rust/sip: match on headers map Ticket #6374 --- rust/src/sip/detect.rs | 43 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/rust/src/sip/detect.rs b/rust/src/sip/detect.rs index 91df4fb29932..ff3bf1e325e3 100644 --- a/rust/src/sip/detect.rs 
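Review bot: The doc comment above DetectSipHeadersSetupSticky still says `this function setup the http.header keyword used in the rule`, which reads as carried over from the HTTP stub; it should describe this file, e.g. ` * \brief sets up the SIP header sticky buffer named by KEYWORD_NAME for the rule`. The header is deliberately unguarded and defines `static int g_buffer_id` together with the Get*Data functions, so it can be included exactly once per translation unit and only after KEYWORD_NAME, KEYWORD_DOC, KEYWORD_ID, BUFFER_NAME, BUFFER_DESC, HEADER_NAME and the KEYWORD_TOSERVER/KEYWORD_TOCLIENT switches are defined; stating that contract in the file header comment would spare the next author a redefinition error. GetRequestData and GetResponseData differ only in the STREAM_TOSERVER/STREAM_TOCLIENT value passed to rs_sip_tx_get_header_value, so one static helper taking the direction, wrapped by the two existing names, would remove the duplicated body. The hunk covers the whole new file.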
+++ b/rust/src/sip/detect.rs @@ -20,6 +20,7 @@ use crate::core::Direction; use crate::sip::sip::SIPTransaction; use std::ptr; +use std::ffi::CStr; #[no_mangle] pub unsafe extern "C" fn rs_sip_tx_get_method( @@ -165,3 +166,45 @@ pub unsafe extern "C" fn rs_sip_tx_get_response_line( return 0; } + +#[no_mangle] +pub unsafe extern "C" fn rs_sip_tx_get_header_value( + tx: &mut SIPTransaction, + direction: u8, + strname: *const std::os::raw::c_char, + buffer: *mut *const u8, + buffer_len: *mut u32, +) -> u8 { + let hname: &CStr = CStr::from_ptr(strname); + if let Ok(s) = hname.to_str() { + match direction.into() { + Direction::ToServer => { + if let Some(ref r) = tx.request { + if let Some(v) = r.headers.get(s) { + if !v.is_empty() { + *buffer = v.as_ptr(); + *buffer_len = v.len() as u32; + return 1; + } + } + } + } + Direction::ToClient => { + if let Some(ref r) = tx.response { + if let Some(v) = r.headers.get(s) { + if !v.is_empty() { + *buffer = v.as_ptr(); + *buffer_len = v.len() as u32; + return 1; + } + } + } + } + } + } + + *buffer = ptr::null(); + *buffer_len = 0; + + return 0; +} From eb8883a297d84c89dba494f258c2f65feeb3085b Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Fri, 15 Sep 2023 09:26:23 +0200 Subject: [PATCH 04/10] detect/sip: add sip.from sticky buffer Ticket #6374 --- src/Makefile.am | 2 ++ src/detect-engine-register.h | 1 + src/detect-sip-from.c | 39 ++++++++++++++++++++++++++++++++++++ src/detect-sip-from.h | 23 +++++++++++++++++++++ 4 files changed, 65 insertions(+) create mode 100644 src/detect-sip-from.c create mode 100644 src/detect-sip-from.h diff --git a/src/Makefile.am b/src/Makefile.am index da8fb90b19bd..7b91bb728d34 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -289,6 +289,7 @@ noinst_HEADERS = \ detect-sameip.h \ detect-sid.h \ detect-sip-headers-stub.h \ + detect-sip-from.h \ detect-sip-method.h \ detect-sip-protocol.h \ detect-sip-request-line.h \ 
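Review bot: `r.headers.get(s)` in rs_sip_tx_get_header_value is an exact, case-sensitive lookup keyed by the literal the C side passes (e.g. `From`), while SIP header field names are case-insensitive and several have compact single-letter forms (RFC 3261 section 7.3), so a message that writes `from:` or `f:` would produce no buffer and the corresponding sticky buffer would silently skip it. Whether that happens depends on how parse_headers stores the keys, which is outside this hunk; if keys are stored as received, normalising them at parse time (lower-casing and expanding compact names) keeps this lookup a plain `get`, and a comment here should say which form the map is keyed on. If a header can be repeated, which the parser's map type suggests is collapsed to one value, a short comment on which occurrence is exposed would help rule authors reason about what the buffer contains. `*buffer` and `*buffer_len` are written unconditionally on the failure path, so callers are safe to rely on them being cleared, which is worth noting in a doc comment on the function.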
@@ -900,6 +901,7 @@ libsuricata_c_a_SOURCES = \ detect-rpc.c \ detect-sameip.c \ detect-sid.c \ + detect-sip-from.c \ detect-sip-method.c \ detect-sip-protocol.c \ detect-sip-request-line.c \ diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index f4f2742470e3..21e441e9beeb 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -275,6 +275,7 @@ enum DetectKeywordId { DETECT_AL_SIP_STAT_MSG, DETECT_AL_SIP_REQUEST_LINE, DETECT_AL_SIP_RESPONSE_LINE, + DETECT_AL_SIP_HEADER_FROM, DETECT_AL_RFB_SECRESULT, DETECT_AL_RFB_SECTYPE, DETECT_AL_RFB_NAME, diff --git a/src/detect-sip-from.c b/src/detect-sip-from.c new file mode 100644 index 000000000000..7a22bca9b37f --- /dev/null +++ b/src/detect-sip-from.c 
@@ -0,0 +1,39 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + * + * Implements the sip.from sticky buffer + */ + +#define KEYWORD_NAME "sip.from" +#define KEYWORD_DOC "sip-keywords.html#sip-from" +#define BUFFER_NAME "sip.from" +#define BUFFER_DESC "sip from header" +#define HEADER_NAME "From" +#define KEYWORD_ID DETECT_AL_SIP_HEADER_FROM +#define KEYWORD_TOSERVER 1 +#define KEYWORD_TOCLIENT 1 + +#include "detect-sip-headers-stub.h" +#include "detect-sip-from.h" + +void RegisterSipHeadersFrom(void) +{ + DetectSipHeadersRegisterStub(); +} diff --git a/src/detect-sip-from.h b/src/detect-sip-from.h new file mode 100644 index 000000000000..223d83575c8f --- /dev/null +++ b/src/detect-sip-from.h 
@@ -0,0 +1,23 @@ +/* Copyright (C) 2023 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +#ifndef __DETECT_SIP_FROM_H__ +#define __DETECT_SIP_FROM_H__ + +void RegisterSipHeadersFrom(void); + +#endif /* __DETECT_SIP_FROM_H__ */ From 9288988c8729f79e1d69e3a280dcaf2a809212d9 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Sat, 13 Apr 2024 16:44:47 +0200 Subject: [PATCH 05/10] detect/sip: add sip.to sticky buffer Ticket #6374 --- src/Makefile.am | 2 ++ src/detect-engine-register.h | 1 + src/detect-sip-to.c | 39 ++++++++++++++++++++++++++++++++++++ src/detect-sip-to.h | 23 +++++++++++++++++++++ 4 files changed, 65 insertions(+) create mode 100644 src/detect-sip-to.c create mode 100644 src/detect-sip-to.h diff --git a/src/Makefile.am b/src/Makefile.am index 7b91bb728d34..26d0f0495834 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -296,6 +296,7 @@ noinst_HEADERS = \ detect-sip-response-line.h \ detect-sip-stat-code.h \ detect-sip-stat-msg.h \ + detect-sip-to.h \ detect-sip-uri.h \ detect-smb-ntlmssp.h \ detect-smb-share.h \ @@ -908,6 +909,7 @@ libsuricata_c_a_SOURCES = \ detect-sip-response-line.c \ detect-sip-stat-code.c \ detect-sip-stat-msg.c \ + detect-sip-to.c \ detect-sip-uri.c \ detect-smb-ntlmssp.c \ detect-smb-share.c \ 
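Review bot: The include guard `__DETECT_SIP_FROM_H__` uses an identifier beginning with a double underscore, which C reserves for the implementation (C11 7.1.3); it follows the pattern of neighbouring headers, but a new file is the cheapest place to avoid it, e.g. `#ifndef DETECT_SIP_FROM_H`. The same applies to the guards added in detect-sip-to.h, detect-sip-via.h, detect-sip-ua.h, detect-sip-content-type.h, detect-sip-content-length.h and detect-sip-headers.h later in this series.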
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index 21e441e9beeb..5b519d83b927 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -276,6 +276,7 @@ enum DetectKeywordId { DETECT_AL_SIP_REQUEST_LINE, DETECT_AL_SIP_RESPONSE_LINE, DETECT_AL_SIP_HEADER_FROM, + DETECT_AL_SIP_HEADER_TO, DETECT_AL_RFB_SECRESULT, DETECT_AL_RFB_SECTYPE, DETECT_AL_RFB_NAME, diff --git a/src/detect-sip-to.c b/src/detect-sip-to.c new file mode 100644 index 000000000000..73fe74ab4757 --- /dev/null +++ b/src/detect-sip-to.c @@ -0,0 +1,39 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + * + * Implements the sip.to sticky buffer + */ + +#define KEYWORD_NAME "sip.to" +#define KEYWORD_DOC "sip-keywords.html#sip-to" +#define BUFFER_NAME "sip.to" +#define BUFFER_DESC "sip to header" +#define HEADER_NAME "To" +#define KEYWORD_ID DETECT_AL_SIP_HEADER_TO +#define KEYWORD_TOSERVER 1 +#define KEYWORD_TOCLIENT 1 + +#include "detect-sip-headers-stub.h" +#include "detect-sip-to.h" + +void RegisterSipHeadersTo(void) +{ + DetectSipHeadersRegisterStub(); +} diff --git a/src/detect-sip-to.h b/src/detect-sip-to.h new file mode 100644 index 000000000000..5fa93d08d1d9 --- /dev/null +++ b/src/detect-sip-to.h 
@@ -0,0 +1,23 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +#ifndef __DETECT_SIP_TO_H__ +#define __DETECT_SIP_TO_H__ + +void RegisterSipHeadersTo(void); + +#endif /* __DETECT_SIP_TO_H__ */ From 7972845e79281250b066b1ef0b1b69b19491fa2f Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Sat, 13 Apr 2024 16:57:50 +0200 Subject: [PATCH 06/10] detect/sip: add sip.via sticky buffer Ticket #6374 --- src/Makefile.am | 2 ++ src/detect-engine-register.h | 1 + src/detect-sip-via.c | 39 ++++++++++++++++++++++++++++++++++++ src/detect-sip-via.h | 23 +++++++++++++++++++++ 4 files changed, 65 insertions(+) create mode 100644 src/detect-sip-via.c create mode 100644 src/detect-sip-via.h diff --git a/src/Makefile.am b/src/Makefile.am index 26d0f0495834..d58256113572 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -298,6 +298,7 @@ noinst_HEADERS = \ detect-sip-stat-msg.h \ detect-sip-to.h \ detect-sip-uri.h \ + detect-sip-via.h \ detect-smb-ntlmssp.h \ detect-smb-share.h \ detect-smb-version.h \ @@ -911,6 +912,7 @@ libsuricata_c_a_SOURCES = \ detect-sip-stat-msg.c \ detect-sip-to.c \ detect-sip-uri.c \ + detect-sip-via.c \ detect-smb-ntlmssp.c \ detect-smb-share.c \ detect-smb-version.c \ diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index 5b519d83b927..7d7294a2d417 100644 
--- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -277,6 +277,7 @@ enum DetectKeywordId { DETECT_AL_SIP_RESPONSE_LINE, DETECT_AL_SIP_HEADER_FROM, DETECT_AL_SIP_HEADER_TO, + DETECT_AL_SIP_HEADER_VIA, DETECT_AL_RFB_SECRESULT, DETECT_AL_RFB_SECTYPE, DETECT_AL_RFB_NAME, diff --git a/src/detect-sip-via.c b/src/detect-sip-via.c new file mode 100644 index 000000000000..687c7a20d641 --- /dev/null +++ b/src/detect-sip-via.c @@ -0,0 +1,39 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + * + * Implements the sip.via sticky buffer + */ + +#define KEYWORD_NAME "sip.via" +#define KEYWORD_DOC "sip-keywords.html#sip-via" +#define BUFFER_NAME "sip.via" +#define BUFFER_DESC "sip via header" +#define HEADER_NAME "Via" +#define KEYWORD_ID DETECT_AL_SIP_HEADER_VIA +#define KEYWORD_TOSERVER 1 +#define KEYWORD_TOCLIENT 1 + +#include "detect-sip-headers-stub.h" +#include "detect-sip-via.h" + +void RegisterSipHeadersVia(void) +{ + DetectSipHeadersRegisterStub(); +} diff --git a/src/detect-sip-via.h b/src/detect-sip-via.h new file mode 100644 index 000000000000..dd070b51d9a1 --- /dev/null +++ b/src/detect-sip-via.h 
@@ -0,0 +1,23 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +#ifndef __DETECT_SIP_VIA_H__ +#define __DETECT_SIP_VIA_H__ + +void RegisterSipHeadersVia(void); + +#endif /* __DETECT_SIP_VIA_H__ */ From 417253562a41063af3bcb9f308af9961794cf1d6 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Sat, 13 Apr 2024 17:07:25 +0200 Subject: [PATCH 07/10] detect/sip: add sip.user_agent sticky buffer Ticket #6374 --- src/Makefile.am | 2 ++ src/detect-engine-register.h | 1 + src/detect-sip-ua.c | 39 ++++++++++++++++++++++++++++++++++++ src/detect-sip-ua.h | 23 +++++++++++++++++++++ 4 files changed, 65 insertions(+) create mode 100644 src/detect-sip-ua.c create mode 100644 src/detect-sip-ua.h diff --git a/src/Makefile.am b/src/Makefile.am index d58256113572..7f967a268b62 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -297,6 +297,7 @@ noinst_HEADERS = \ detect-sip-stat-code.h \ detect-sip-stat-msg.h \ detect-sip-to.h \ + detect-sip-ua.h \ detect-sip-uri.h \ detect-sip-via.h \ detect-smb-ntlmssp.h \ @@ -911,6 +912,7 @@ libsuricata_c_a_SOURCES = \ detect-sip-stat-code.c \ detect-sip-stat-msg.c \ detect-sip-to.c \ + detect-sip-ua.c \ detect-sip-uri.c \ detect-sip-via.c \ detect-smb-ntlmssp.c \ diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index 7d7294a2d417..5c0b4a3c0485 100644 
--- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -278,6 +278,7 @@ enum DetectKeywordId { DETECT_AL_SIP_HEADER_FROM, DETECT_AL_SIP_HEADER_TO, DETECT_AL_SIP_HEADER_VIA, + DETECT_AL_SIP_HEADER_UA, DETECT_AL_RFB_SECRESULT, DETECT_AL_RFB_SECTYPE, DETECT_AL_RFB_NAME, diff --git a/src/detect-sip-ua.c b/src/detect-sip-ua.c new file mode 100644 index 000000000000..efc21c98db21 --- /dev/null +++ b/src/detect-sip-ua.c @@ -0,0 +1,39 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + * + * Implements the sip.user_agent sticky buffer + */ + +#define KEYWORD_NAME "sip.user_agent" +#define KEYWORD_DOC "sip-keywords.html#sip-user-agent" +#define BUFFER_NAME "sip.user_agent" +#define BUFFER_DESC "sip user agent header" +#define HEADER_NAME "User-Agent" +#define KEYWORD_ID DETECT_AL_SIP_HEADER_UA +#define KEYWORD_TOSERVER 1 +#define KEYWORD_TOCLIENT 1 + +#include "detect-sip-headers-stub.h" +#include "detect-sip-ua.h" + +void RegisterSipHeadersUa(void) +{ + DetectSipHeadersRegisterStub(); +} diff --git a/src/detect-sip-ua.h b/src/detect-sip-ua.h new file mode 100644 index 000000000000..daaf8abf107a --- /dev/null +++ b/src/detect-sip-ua.h 
@@ -0,0 +1,23 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +#ifndef __DETECT_SIP_UA_H__ +#define __DETECT_SIP_UA_H__ + +void RegisterSipHeadersUa(void); + +#endif /* __DETECT_SIP_UA_H__ */ From 249aaaa6809073a00f1a3753e320b5355479cb30 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Sat, 13 Apr 2024 17:20:16 +0200 Subject: [PATCH 08/10] detect/sip: add sip.content_type sticky buffer Ticket #6374 --- src/Makefile.am | 2 ++ src/detect-engine-register.h | 1 + src/detect-sip-content-type.c | 39 +++++++++++++++++++++++++++++++++++ src/detect-sip-content-type.h | 23 +++++++++++++++++++++ 4 files changed, 65 insertions(+) create mode 100644 src/detect-sip-content-type.c create mode 100644 src/detect-sip-content-type.h diff --git a/src/Makefile.am b/src/Makefile.am index 7f967a268b62..5766af1eecbe 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -288,6 +288,7 @@ noinst_HEADERS = \ detect-rpc.h \ detect-sameip.h \ detect-sid.h \ + detect-sip-content-type.h \ detect-sip-headers-stub.h \ detect-sip-from.h \ detect-sip-method.h \ @@ -904,6 +905,7 @@ libsuricata_c_a_SOURCES = \ detect-rpc.c \ detect-sameip.c \ detect-sid.c \ + detect-sip-content-type.c \ detect-sip-from.c \ detect-sip-method.c \ detect-sip-protocol.c \ 
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index 5c0b4a3c0485..7fe32c1d5e41 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -279,6 +279,7 @@ enum DetectKeywordId { DETECT_AL_SIP_HEADER_TO, DETECT_AL_SIP_HEADER_VIA, DETECT_AL_SIP_HEADER_UA, + DETECT_AL_SIP_HEADER_CONTENT_TYPE, DETECT_AL_RFB_SECRESULT, DETECT_AL_RFB_SECTYPE, DETECT_AL_RFB_NAME, diff --git a/src/detect-sip-content-type.c b/src/detect-sip-content-type.c new file mode 100644 index 000000000000..2ab720c93f51 --- /dev/null +++ b/src/detect-sip-content-type.c @@ -0,0 +1,39 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + * + * Implements the sip.content_type sticky buffer + */ + +#define KEYWORD_NAME "sip.content_type" +#define KEYWORD_DOC "sip-keywords.html#sip-content-type" +#define BUFFER_NAME "sip.content_type" +#define BUFFER_DESC "sip content-type header" +#define HEADER_NAME "Content-Type" +#define KEYWORD_ID DETECT_AL_SIP_HEADER_CONTENT_TYPE +#define KEYWORD_TOSERVER 1 +#define KEYWORD_TOCLIENT 1 + +#include "detect-sip-headers-stub.h" +#include "detect-sip-content-type.h" + +void RegisterSipHeadersContentType(void) +{ + DetectSipHeadersRegisterStub(); +} 
diff --git a/src/detect-sip-content-type.h b/src/detect-sip-content-type.h new file mode 100644 index 000000000000..27477a09ab6c --- /dev/null +++ b/src/detect-sip-content-type.h @@ -0,0 +1,23 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +#ifndef __DETECT_SIP_CONTENT_TYPE_H__ +#define __DETECT_SIP_CONTENT_TYPE_H__ + +void RegisterSipHeadersContentType(void); + +#endif /* __DETECT_SIP_CONTENT_TYPE_H__ */ From d2d53738a8b05746b959c14452d6f3a5684b1cb6 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Sat, 13 Apr 2024 17:29:31 +0200 Subject: [PATCH 09/10] detect/sip: add sip.content_length sticky buffer Ticket #6374 --- src/Makefile.am | 2 ++ src/detect-engine-register.h | 1 + src/detect-sip-content-length.c | 41 +++++++++++++++++++++++++++++++++ src/detect-sip-content-length.h | 23 ++++++++++++++++++ 4 files changed, 67 insertions(+) create mode 100644 src/detect-sip-content-length.c create mode 100644 src/detect-sip-content-length.h diff --git a/src/Makefile.am b/src/Makefile.am index 5766af1eecbe..d98438fe9733 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -288,6 +288,7 @@ noinst_HEADERS = \ detect-rpc.h \ detect-sameip.h \ detect-sid.h \ + detect-sip-content-length.h \ detect-sip-content-type.h \ detect-sip-headers-stub.h \ detect-sip-from.h \ 
@@ -905,6 +906,7 @@ libsuricata_c_a_SOURCES = \ detect-rpc.c \ detect-sameip.c \ detect-sid.c \ + detect-sip-content-length.c \ detect-sip-content-type.c \ detect-sip-from.c \ detect-sip-method.c \ diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index 7fe32c1d5e41..9fb12cd3245a 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -280,6 +280,7 @@ enum DetectKeywordId { DETECT_AL_SIP_HEADER_VIA, DETECT_AL_SIP_HEADER_UA, DETECT_AL_SIP_HEADER_CONTENT_TYPE, + DETECT_AL_SIP_HEADER_CONTENT_LENGTH, DETECT_AL_RFB_SECRESULT, DETECT_AL_RFB_SECTYPE, DETECT_AL_RFB_NAME, diff --git a/src/detect-sip-content-length.c b/src/detect-sip-content-length.c new file mode 100644 index 000000000000..ebc5657d2fe3 --- /dev/null +++ b/src/detect-sip-content-length.c 
@@ -0,0 +1,41 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Giuseppe Longo + * + * Implements the sip.content_length sticky buffer + */ + +#define KEYWORD_NAME "sip.content_length" +#define KEYWORD_DOC "sip-keywords.html#sip-content-length" +#define BUFFER_NAME "sip.content_length" +#define BUFFER_DESC "sip content-length header" +#define HEADER_NAME "Content-Length" +#define KEYWORD_ID DETECT_AL_SIP_HEADER_CONTENT_LENGTH +#define KEYWORD_TOSERVER 1 +#define KEYWORD_TOCLIENT 1 + +#include "detect-sip-headers-stub.h" +#include "detect-sip-content-length.h" + +void RegisterSipHeadersContentLength(void) +{ + DetectSipHeadersRegisterStub(); +} diff --git a/src/detect-sip-content-length.h b/src/detect-sip-content-length.h new file mode 100644 index 000000000000..c5261d556e06 --- /dev/null +++ b/src/detect-sip-content-length.h 
@@ -0,0 +1,23 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +#ifndef __DETECT_SIP_CONTENT_LENGTH_H__ +#define __DETECT_SIP_CONTENT_LENGTH_H__ + +void RegisterSipHeadersContentLength(void); + +#endif /* __DETECT_SIP_CONTENT_LENGTH_H__ */ From 300f5b9d43490f87a7a1913644ef4705be58d099 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Fri, 15 Sep 2023 09:27:37 +0200 Subject: [PATCH 10/10] detect/sip: register headers sticky buffers Ticket #6374 --- src/Makefile.am | 2 ++ src/detect-engine-register.c | 2 ++ src/detect-sip-headers.c | 38 ++++++++++++++++++++++++++++++++++++ src/detect-sip-headers.h | 23 ++++++++++++++++++++++ 4 files changed, 65 insertions(+) create mode 100644 src/detect-sip-headers.c create mode 100644 src/detect-sip-headers.h diff --git a/src/Makefile.am b/src/Makefile.am index d98438fe9733..3bdb6c0c7673 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -290,6 +290,7 @@ noinst_HEADERS = \ detect-sid.h \ detect-sip-content-length.h \ detect-sip-content-type.h \ + detect-sip-headers.h \ detect-sip-headers-stub.h \ detect-sip-from.h \ detect-sip-method.h \ @@ -908,6 +909,7 @@ libsuricata_c_a_SOURCES = \ detect-sid.c \ detect-sip-content-length.c \ detect-sip-content-type.c \ + detect-sip-headers.c \ detect-sip-from.c \ detect-sip-method.c \ detect-sip-protocol.c \ 
diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c index 95f2f164125a..863a33f3462e 100644 --- a/src/detect-engine-register.c +++ b/src/detect-engine-register.c @@ -206,6 +206,7 @@ #include "detect-sip-stat-msg.h" #include "detect-sip-request-line.h" #include "detect-sip-response-line.h" +#include "detect-sip-headers.h" #include "detect-rfb-secresult.h" #include "detect-rfb-sectype.h" #include "detect-rfb-name.h" @@ -673,6 +674,7 @@ void SigTableSetup(void) DetectSipStatMsgRegister(); DetectSipRequestLineRegister(); DetectSipResponseLineRegister(); + DetectSipHeadersRegister(); DetectRfbSecresultRegister(); DetectRfbSectypeRegister(); DetectRfbNameRegister(); diff --git a/src/detect-sip-headers.c b/src/detect-sip-headers.c new file mode 100644 index 000000000000..ea00fde0cf28 --- /dev/null +++ b/src/detect-sip-headers.c 
@@ -0,0 +1,38 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + */ + +#include "detect-sip-headers.h" +#include "detect-sip-from.h" +#include "detect-sip-to.h" +#include "detect-sip-via.h" +#include "detect-sip-ua.h" +#include "detect-sip-content-type.h" +#include "detect-sip-content-length.h" + +void DetectSipHeadersRegister(void) +{ + RegisterSipHeadersFrom(); + RegisterSipHeadersTo(); + RegisterSipHeadersVia(); + RegisterSipHeadersUa(); + RegisterSipHeadersContentType(); + RegisterSipHeadersContentLength(); +} diff --git a/src/detect-sip-headers.h b/src/detect-sip-headers.h new file mode 100644 index 000000000000..37bbd3af1f18 --- /dev/null +++ b/src/detect-sip-headers.h 
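Review bot: The file-level comment here carries only `\author`, unlike the sibling keyword files that state which buffer they implement; a one-line description such as ` * Registers the SIP header sticky buffers (sip.from, sip.to, sip.via, sip.user_agent, sip.content_type, sip.content_length).` would make the aggregation role clear. Of the new .c files only detect-sip-content-length.c includes a `\file` tag, which Doxygen needs to attach a file-level comment to the file; adding `\file` to this comment and to the other five keyword files keeps the documentation consistent. The hunk covers the whole new file.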
@@ -0,0 +1,23 @@ +/* Copyright (C) 2023 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +#ifndef __DETECT_SIP_HEADERS_H__ +#define __DETECT_SIP_HEADERS_H__ + +void DetectSipHeadersRegister(void); + +#endif /* __DETECT_SIP_HEADERS_H__ */