detect/sip: add sticky buffers to match headers

rust/src/sip/detect.rs

@@ -20,6 +20,7 @@
 use crate::core::Direction;
 use crate::sip::sip::SIPTransaction;
 use std::ptr;
+use std::ffi::CStr;
 
 #[no_mangle]
 pub unsafe extern "C" fn rs_sip_tx_get_method(
@@ -165,3 +166,45 @@ pub unsafe extern "C" fn rs_sip_tx_get_response_line(
 
     return 0;
 }
+
+#[no_mangle]
+pub unsafe extern "C" fn rs_sip_tx_get_header_value(
+    tx: &mut SIPTransaction,
+    direction: u8,
+    strname: *const std::os::raw::c_char,
+    buffer: *mut *const u8,
+    buffer_len: *mut u32,
+) -> u8 {
+    let hname: &CStr = CStr::from_ptr(strname);
+    if let Ok(s) = hname.to_str() {
+        match direction.into() {
+            Direction::ToServer => {
+                if let Some(ref r) = tx.request {
+                    if let Some(v) = r.headers.get(s) {
+                        if !v.is_empty() {
+                            *buffer = v.as_ptr();
+                            *buffer_len = v.len() as u32;
+                            return 1;
+                        }
+                    }
+                }
+            }
+            Direction::ToClient => {
+                if let Some(ref r) = tx.response {
+                    if let Some(v) = r.headers.get(s) {
+                        if !v.is_empty() {
+                            *buffer = v.as_ptr();
+                            *buffer_len = v.len() as u32;
+                            return 1;
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    *buffer = ptr::null();
+    *buffer_len = 0;
+
+    return 0;
+}

rust/src/sip/parser.rs

@@ -50,6 +50,7 @@ pub struct Response {
     pub version: String,
     pub code: String,
     pub reason: String,
+    pub headers: HashMap<String, String>,
 
     pub response_line_len: u16,
     pub headers_len: u16,
@@ -130,7 +131,7 @@ pub fn sip_parse_response(oi: &[u8]) -> IResult<&[u8], Response> {
     let (i, reason) = parse_reason(i)?;
     let (hi, _) = crlf(i)?;
     let response_line_len = oi.len() - hi.len();
-    let (phi, _headers) = parse_headers(hi)?;
+    let (phi, headers) = parse_headers(hi)?;
     let headers_len = hi.len() - phi.len();
     let (bi, _) = crlf(phi)?;
     let body_offset = oi.len() - bi.len();
@@ -140,6 +141,7 @@ pub fn sip_parse_response(oi: &[u8]) -> IResult<&[u8], Response> {
             version,
             code: code.into(),
             reason: reason.into(),
+            headers,
 
             response_line_len: response_line_len as u16,
             headers_len: headers_len as u16,

src/Makefile.am

@@ -288,13 +288,21 @@ noinst_HEADERS = \
 	detect-rpc.h \
 	detect-sameip.h \
 	detect-sid.h \
+	detect-sip-content-length.h \
+	detect-sip-content-type.h \
+	detect-sip-headers.h \
+	detect-sip-headers-stub.h \
+	detect-sip-from.h \
 	detect-sip-method.h \
 	detect-sip-protocol.h \
 	detect-sip-request-line.h \
 	detect-sip-response-line.h \
 	detect-sip-stat-code.h \
 	detect-sip-stat-msg.h \
+	detect-sip-to.h \
+	detect-sip-ua.h \
 	detect-sip-uri.h \
+	detect-sip-via.h \
 	detect-smb-ntlmssp.h \
 	detect-smb-share.h \
 	detect-smb-version.h \
@@ -899,13 +907,20 @@ libsuricata_c_a_SOURCES = \
 	detect-rpc.c \
 	detect-sameip.c \
 	detect-sid.c \
+	detect-sip-content-length.c \
+	detect-sip-content-type.c \
+	detect-sip-headers.c \
+	detect-sip-from.c \
 	detect-sip-method.c \
 	detect-sip-protocol.c \
 	detect-sip-request-line.c \
 	detect-sip-response-line.c \
 	detect-sip-stat-code.c \
 	detect-sip-stat-msg.c \
+	detect-sip-to.c \
+	detect-sip-ua.c \
 	detect-sip-uri.c \
+	detect-sip-via.c \
 	detect-smb-ntlmssp.c \
 	detect-smb-share.c \
 	detect-smb-version.c \

src/detect-engine-register.c

@@ -206,6 +206,7 @@
 #include "detect-sip-stat-msg.h"
 #include "detect-sip-request-line.h"
 #include "detect-sip-response-line.h"
+#include "detect-sip-headers.h"
 #include "detect-rfb-secresult.h"
 #include "detect-rfb-sectype.h"
 #include "detect-rfb-name.h"
@@ -673,6 +674,7 @@ void SigTableSetup(void)
     DetectSipStatMsgRegister();
     DetectSipRequestLineRegister();
     DetectSipResponseLineRegister();
+    DetectSipHeadersRegister();
     DetectRfbSecresultRegister();
     DetectRfbSectypeRegister();
     DetectRfbNameRegister();

src/detect-engine-register.h

@@ -275,6 +275,12 @@ enum DetectKeywordId {
     DETECT_AL_SIP_STAT_MSG,
     DETECT_AL_SIP_REQUEST_LINE,
     DETECT_AL_SIP_RESPONSE_LINE,
+    DETECT_AL_SIP_HEADER_FROM,
+    DETECT_AL_SIP_HEADER_TO,
+    DETECT_AL_SIP_HEADER_VIA,
+    DETECT_AL_SIP_HEADER_UA,
+    DETECT_AL_SIP_HEADER_CONTENT_TYPE,
+    DETECT_AL_SIP_HEADER_CONTENT_LENGTH,
     DETECT_AL_RFB_SECRESULT,
     DETECT_AL_RFB_SECTYPE,
     DETECT_AL_RFB_NAME,

src/detect-sip-content-length.c

@@ -0,0 +1,41 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Giuseppe Longo <giuseppe@glongo.it>
+ *
+ * Implements the sip.content_length sticky buffer
+ */
+
+#define KEYWORD_NAME     "sip.content_length"
+#define KEYWORD_DOC      "sip-keywords.html#sip-content-length"
+#define BUFFER_NAME      "sip.content_length"
+#define BUFFER_DESC      "sip content-length header"
+#define HEADER_NAME      "Content-Length"
+#define KEYWORD_ID       DETECT_AL_SIP_HEADER_CONTENT_LENGTH
+#define KEYWORD_TOSERVER 1
+#define KEYWORD_TOCLIENT 1
+
+#include "detect-sip-headers-stub.h"
+#include "detect-sip-content-length.h"
+
+void RegisterSipHeadersContentLength(void)
+{
+    DetectSipHeadersRegisterStub();
+}

src/detect-sip-content-length.h

@@ -0,0 +1,23 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __DETECT_SIP_CONTENT_LENGTH_H__
+#define __DETECT_SIP_CONTENT_LENGTH_H__
+
+void RegisterSipHeadersContentLength(void);
+
+#endif /* __DETECT_SIP_CONTENT_LENGTH_H__ */

src/detect-sip-content-type.c

@@ -0,0 +1,39 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \author Giuseppe Longo <giuseppe@glongo.it>
+ *
+ * Implements the sip.content_type sticky buffer
+ */
+
+#define KEYWORD_NAME     "sip.content_type"
+#define KEYWORD_DOC      "sip-keywords.html#sip-content-type"
+#define BUFFER_NAME      "sip.content_type"
+#define BUFFER_DESC      "sip content-type header"
+#define HEADER_NAME      "Content-Type"
+#define KEYWORD_ID       DETECT_AL_SIP_HEADER_CONTENT_TYPE
+#define KEYWORD_TOSERVER 1
+#define KEYWORD_TOCLIENT 1
+
+#include "detect-sip-headers-stub.h"
+#include "detect-sip-content-type.h"
+
+void RegisterSipHeadersContentType(void)
+{
+    DetectSipHeadersRegisterStub();
+}

src/detect-sip-content-type.h

@@ -0,0 +1,23 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __DETECT_SIP_CONTENT_TYPE_H__
+#define __DETECT_SIP_CONTENT_TYPE_H__
+
+void RegisterSipHeadersContentType(void);
+
+#endif /* __DETECT_SIP_CONTENT_TYPE_H__ */

src/detect-sip-from.c

@@ -0,0 +1,39 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \author Giuseppe Longo <giuseppe@glongo.it>
+ *
+ * Implements the sip.from sticky buffer
+ */
+
+#define KEYWORD_NAME     "sip.from"
+#define KEYWORD_DOC      "sip-keywords.html#sip-from"
+#define BUFFER_NAME      "sip.from"
+#define BUFFER_DESC      "sip from header"
+#define HEADER_NAME      "From"
+#define KEYWORD_ID       DETECT_AL_SIP_HEADER_FROM
+#define KEYWORD_TOSERVER 1
+#define KEYWORD_TOCLIENT 1
+
+#include "detect-sip-headers-stub.h"
+#include "detect-sip-from.h"
+
+void RegisterSipHeadersFrom(void)
+{
+    DetectSipHeadersRegisterStub();
+}

src/detect-sip-from.h

@@ -0,0 +1,23 @@
+/* Copyright (C) 2023 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __DETECT_SIP_FROM_H__
+#define __DETECT_SIP_FROM_H__
+
+void RegisterSipHeadersFrom(void);
+
+#endif /* __DETECT_SIP_FROM_H__ */