From e23913ae6463f7c383bd0d663135a651b52b0065 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Wed, 13 Sep 2023 09:35:35 +0200 Subject: [PATCH 01/11] detect/sip: add stub file for headers keywords A stub file has been added to implement the sticky buffers for SIP headers. Ticket #6374
---
src/Makefile.am | 1 + src/detect-sip-headers-stub.h | 136 ++++++++++++++++++++++++++++++++++ 2 files changed, 137 insertions(+) create mode 100644 src/detect-sip-headers-stub.h
diff --git a/src/Makefile.am b/src/Makefile.am
index 7dd33a759911..f30d7b4bc959 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -289,6 +289,7 @@ noinst_HEADERS = \
 detect-rpc.h \
 detect-sameip.h \
 detect-sid.h \
+ detect-sip-headers-stub.h \
 detect-sip-method.h \
 detect-sip-protocol.h \
 detect-sip-request-line.h \
diff --git a/src/detect-sip-headers-stub.h b/src/detect-sip-headers-stub.h
new file mode 100644
index 000000000000..df452cdd80bf
--- /dev/null
+++ b/src/detect-sip-headers-stub.h
@@ -0,0 +1,136 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \author Giuseppe Longo
+ *
+ * Stub for per SIP header detection keyword.
+ */
+
+#include "suricata-common.h"
+#include "flow.h"
+
+#include "detect.h"
+#include "detect-parse.h"
+#include "detect-engine.h"
+#include "detect-engine-mpm.h"
+#include "detect-engine-prefilter.h"
+
+#include "util-debug.h"
+#include "rust.h"
+
+static int g_buffer_id = 0;
+
+#ifdef KEYWORD_TOSERVER
+static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
+ const int list_id)
+{
+ SCEnter();
+
+ InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+ if (buffer->inspect == NULL) {
+ uint32_t b_len = 0;
+ const uint8_t *b = NULL;
+
+ if (rs_sip_tx_get_header_value(txv, STREAM_TOSERVER, HEADER_NAME, &b, &b_len) != 1)
+ return NULL;
+ if (b == NULL || b_len == 0)
+ return NULL;
+
+ InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
+ InspectionBufferApplyTransforms(buffer, transforms);
+ }
+
+ return buffer;
+}
+
+#endif
+#ifdef KEYWORD_TOCLIENT
+static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
+ const int list_id)
+{
+ SCEnter();
+
+ InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+ if (buffer->inspect == NULL) {
+ uint32_t b_len = 0;
+ const uint8_t *b = NULL;
+
+ if (rs_sip_tx_get_header_value(txv, STREAM_TOCLIENT, HEADER_NAME, &b, &b_len) != 1)
+ return NULL;
+ if (b == NULL || b_len == 0)
+ return NULL;
+
+ InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
+ InspectionBufferApplyTransforms(buffer, transforms);
+ }
+
+ return buffer;
+}
+#endif
+
+/**
+ * \brief this function setup the http.header keyword used in the rule
+ *
+ * \param de_ctx Pointer to the Detection Engine Context
+ * \param s Pointer to the Signature to which the current keyword belongs
+ * \param str Should hold an empty string always
+ *
+ * \retval 0 On success
+ */
+static int DetectSipHeadersSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+ if (DetectBufferSetActiveList(de_ctx, s, g_buffer_id) < 0)
+ return -1;
+
+ if (DetectSignatureSetAppProto(s, ALPROTO_SIP) < 0)
+ return -1;
+
+ return 0;
+}
+
+static void DetectSipHeadersRegisterStub(void)
+{
+ sigmatch_table[KEYWORD_ID].name = KEYWORD_NAME;
+ sigmatch_table[KEYWORD_ID].desc = KEYWORD_NAME " sticky buffer for the " BUFFER_DESC;
+ sigmatch_table[KEYWORD_ID].url = "/rules/" KEYWORD_DOC;
+ sigmatch_table[KEYWORD_ID].Setup = DetectSipHeadersSetupSticky;
+ sigmatch_table[KEYWORD_ID].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
+
+#ifdef KEYWORD_TOSERVER
+ DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
+ GetRequestData, ALPROTO_SIP, 1);
+#endif
+#ifdef KEYWORD_TOCLIENT
+ DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
+ GetResponseData, ALPROTO_SIP, 1);
+#endif
+#ifdef KEYWORD_TOSERVER
+ DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SIP, SIG_FLAG_TOSERVER, 0,
+ DetectEngineInspectBufferGeneric, GetRequestData);
+#endif
+#ifdef KEYWORD_TOCLIENT
+ DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SIP, SIG_FLAG_TOCLIENT, 0,
+ DetectEngineInspectBufferGeneric, GetResponseData);
+#endif
+
+ DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
+
+ g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
+}
From f8fc2388636da07725da5157b2ccd0f8ec63b6e4 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Fri, 15 Sep 2023 09:23:54 +0200 Subject: [PATCH 02/11] rust/sip: store response headers To match on response SIP headers, those headers must be stored. Ticket #6374
---
rust/src/sip/parser.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rust/src/sip/parser.rs b/rust/src/sip/parser.rs
index 996201e42b44..8f7e1f545895 100644
--- a/rust/src/sip/parser.rs
+++ b/rust/src/sip/parser.rs
@@ -50,6 +50,7 @@ pub struct Response {
 pub version: String,
 pub code: String,
 pub reason: String,
+ pub headers: HashMap,
 pub response_line_len: u16,
 pub headers_len: u16,
@@ -130,7 +131,7 @@ pub fn sip_parse_response(oi: &[u8]) -> IResult<&[u8], Response> {
 let (i, reason) = parse_reason(i)?;
 let (hi, _) = crlf(i)?;
 let response_line_len = oi.len() - hi.len();
- let (phi, _headers) = parse_headers(hi)?;
+ let (phi, headers) = parse_headers(hi)?;
 let headers_len = hi.len() - phi.len();
 let (bi, _) = crlf(phi)?;
 let body_offset = oi.len() - bi.len();
@@ -140,6 +141,7 @@ pub fn sip_parse_response(oi: &[u8]) -> IResult<&[u8], Response> {
 version,
 code: code.into(),
 reason: reason.into(),
+ headers,
 response_line_len: response_line_len as u16,
 headers_len: headers_len as u16,
From f9b721573ff8d47c29a5c53d48f8b861928da23e Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Fri, 15 Sep 2023 09:24:25 +0200 Subject: [PATCH 03/11] rust/sip: match on headers map Ticket #6374
---
rust/src/sip/detect.rs | 53 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-)
diff --git a/rust/src/sip/detect.rs b/rust/src/sip/detect.rs
index 91df4fb29932..dc4deb581d68 100644
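Review bot: The docstring on `DetectSipHeadersSetupSticky` says it sets up `the http.header keyword`, which is a copy-paste leftover; it should read `\brief set up the SIP header sticky buffer keyword (KEYWORD_NAME) used in the rule`, and `str` should be documented as unused rather than "Should hold an empty string always". The file has no include guard and defines `static` functions plus `g_buffer_id`, which is deliberate because each keyword .c includes it once with its own KEYWORD_* macros, but nothing says so; a comment at the top such as `/* Included once per keyword .c after KEYWORD_NAME, KEYWORD_DOC, BUFFER_NAME, BUFFER_DESC, HEADER_NAME and KEYWORD_ID are defined; intentionally has no include guard. */` would stop the next reader from adding one. `GetRequestData` and `GetResponseData` differ only in the `STREAM_TOSERVER`/`STREAM_TOCLIENT` argument, so a single static helper taking the direction would halve the duplicated body. Both hand `InspectionBufferSetup` a pointer that `rs_sip_tx_get_header_value` returns into transaction-owned memory, so a one-line comment that the buffer borrows from the tx and is valid only for its lifetime belongs here as well.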
--- a/rust/src/sip/detect.rs
+++ b/rust/src/sip/detect.rs
@@ -1,4 +1,4 @@
-/* Copyright (C) 2019 Open Information Security Foundation
+/* Copyright (C) 2024 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -19,8 +19,26 @@ use crate::core::Direction;
 use crate::sip::sip::SIPTransaction;
+use std::ffi::CStr;
 use std::ptr;
+fn header_compact_name(h: &str) -> Option {
+ let compact = match h {
+ "Call-ID" => "i",
+ "Contact" => "m",
+ "Content-Encoding" => "e",
+ "Content-Length" => "l",
+ "Content-Type" => "c",
+ "From" => "f",
+ "Subject" => "s",
+ "Supported" => "k",
+ "To" => "t",
+ "Via" => "v",
+ _ => return None,
+ };
+ Some(compact.to_string())
+}
+
 #[no_mangle]
 pub unsafe extern "C" fn rs_sip_tx_get_method(
 tx: &mut SIPTransaction, buffer: *mut *const u8, buffer_len: *mut u32,
@@ -165,3 +183,36 @@ pub unsafe extern "C" fn rs_sip_tx_get_response_line(
 return 0;
 }
+
+#[no_mangle]
+pub unsafe extern "C" fn rs_sip_tx_get_header_value(
+ tx: &mut SIPTransaction, direction: u8, strname: *const std::os::raw::c_char,
+ buffer: *mut *const u8, buffer_len: *mut u32,
+) -> u8 {
+ let hname: &CStr = CStr::from_ptr(strname);
+ if let Ok(s) = hname.to_str() {
+ let s2 = header_compact_name(s);
+ let headers = match direction.into() {
+ Direction::ToServer => tx.request.as_ref().map(|r| &r.headers),
+ Direction::ToClient => tx.response.as_ref().map(|r| &r.headers),
+ };
+ if let Some(headers) = headers {
+ let header_value = headers
+ .get(s)
+ .or_else(|| s2.as_ref().and_then(|s2| headers.get(s2)));
+
+ if let Some(value) = header_value {
+ if !value.is_empty() {
+ *buffer = value.as_ptr();
+ *buffer_len = value.len() as u32;
+ return 1;
+ }
+ }
+ };
+ }
+
+ *buffer = ptr::null();
+ *buffer_len = 0;
+
+ return 0;
+}
From e061f30f76bb21691c6544d109bb17b3cb2c7cc1 Mon Sep 17 00:00:00 2001
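Review bot: `rs_sip_tx_get_header_value` looks the header up with `headers.get(s)` and then the compact form, both exact-case, while SIP header field names are case-insensitive (RFC 3261 §7.3.1); unless `parse_headers` (outside this hunk) normalizes keys on insert, a message carrying `from:` or `FROM:` never populates `sip.from`, which is a coverage gap for a detection buffer. If the keys are stored as sent, normalizing them at parse time, or comparing case-insensitively here, closes it; confirm against parser.rs. The same map type also raises the question of repeated headers such as multiple `Via` lines, which are normal in proxied SIP: if the map keeps one value per name, only one of them is ever matched, and that should at least be stated in a doc comment. Separately, `header_compact_name` allocates a `String` on every call from the detection path; returning `Option<&'static str>` and looking up with `headers.get(c)` avoids the allocation with no behaviour change. A doc comment on the `#[no_mangle]` function stating that `*buffer` borrows from the transaction's header map and stays valid only while the tx lives would help the C callers in detect-sip-headers-stub.h.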
From: Giuseppe Longo Date: Fri, 15 Sep 2023 09:26:23 +0200 Subject: [PATCH 04/11] detect/sip: add sip.from sticky buffer Ticket #6374
---
src/Makefile.am | 2 ++ src/detect-engine-register.h | 1 + src/detect-sip-from.c | 39 ++++++++++++++++++++++++++++++++++++ src/detect-sip-from.h | 23 +++++++++++++++++++++ 4 files changed, 65 insertions(+) create mode 100644 src/detect-sip-from.c create mode 100644 src/detect-sip-from.h
diff --git a/src/Makefile.am b/src/Makefile.am
index f30d7b4bc959..da900bee60ce 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -290,6 +290,7 @@ noinst_HEADERS = \
 detect-sameip.h \
 detect-sid.h \
 detect-sip-headers-stub.h \
+ detect-sip-from.h \
 detect-sip-method.h \
 detect-sip-protocol.h \
 detect-sip-request-line.h \
@@ -904,6 +905,7 @@ libsuricata_c_a_SOURCES = \
 detect-rpc.c \
 detect-sameip.c \
 detect-sid.c \
+ detect-sip-from.c \
 detect-sip-method.c \
 detect-sip-protocol.c \
 detect-sip-request-line.c \
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
index cd2edf5979b8..f51010ad7e43 100644
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@@ -275,6 +275,7 @@ enum DetectKeywordId {
 DETECT_AL_SIP_STAT_MSG,
 DETECT_AL_SIP_REQUEST_LINE,
 DETECT_AL_SIP_RESPONSE_LINE,
+ DETECT_AL_SIP_HEADER_FROM,
 DETECT_AL_RFB_SECRESULT,
 DETECT_AL_RFB_SECTYPE,
 DETECT_AL_RFB_NAME,
diff --git a/src/detect-sip-from.c b/src/detect-sip-from.c
new file mode 100644
index 000000000000..7a22bca9b37f
--- /dev/null
+++ b/src/detect-sip-from.c
@@ -0,0 +1,39 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \author Giuseppe Longo
+ *
+ * Implements the sip.from sticky buffer
+ */
+
+#define KEYWORD_NAME "sip.from"
+#define KEYWORD_DOC "sip-keywords.html#sip-from"
+#define BUFFER_NAME "sip.from"
+#define BUFFER_DESC "sip from header"
+#define HEADER_NAME "From"
+#define KEYWORD_ID DETECT_AL_SIP_HEADER_FROM
+#define KEYWORD_TOSERVER 1
+#define KEYWORD_TOCLIENT 1
+
+#include "detect-sip-headers-stub.h"
+#include "detect-sip-from.h"
+
+void RegisterSipHeadersFrom(void)
+{
+ DetectSipHeadersRegisterStub();
+}
diff --git a/src/detect-sip-from.h b/src/detect-sip-from.h
new file mode 100644
index 000000000000..223d83575c8f
--- /dev/null
+++ b/src/detect-sip-from.h
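Review bot: `KEYWORD_TOSERVER` and `KEYWORD_TOCLIENT` are given the value 1, but detect-sip-headers-stub.h tests them with `#ifdef`, so the value is meaningless and `#define KEYWORD_TOCLIENT 0` would still register the to-client MPM and inspect engines. Either switch the stub to `#if KEYWORD_TOCLIENT` / `#if KEYWORD_TOSERVER` or document the contract next to the defines, e.g. `/* presence, not value, enables a direction; leave undefined to disable */`. The same applies to detect-sip-to.c, detect-sip-via.c, detect-sip-ua.c, detect-sip-content-type.c and detect-sip-content-length.c in the later patches of this series. The file comment could also name the header this buffer exposes (`From`, compact form `f`), since the compact-form fallback lives in rust/src/sip/detect.rs and is invisible from here.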
@@ -0,0 +1,23 @@
+/* Copyright (C) 2023 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __DETECT_SIP_FROM_H__
+#define __DETECT_SIP_FROM_H__
+
+void RegisterSipHeadersFrom(void);
+
+#endif /* __DETECT_SIP_FROM_H__ */
From f6ff049e7d63219a0350ebc58695ead727803461 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Sat, 13 Apr 2024 16:44:47 +0200 Subject: [PATCH 05/11] detect/sip: add sip.to sticky buffer Ticket #6374
---
src/Makefile.am | 2 ++ src/detect-engine-register.h | 1 + src/detect-sip-to.c | 39 ++++++++++++++++++++++++++++++++++++ src/detect-sip-to.h | 23 +++++++++++++++++++++ 4 files changed, 65 insertions(+) create mode 100644 src/detect-sip-to.c create mode 100644 src/detect-sip-to.h
diff --git a/src/Makefile.am b/src/Makefile.am
index da900bee60ce..4bbec6e017c2 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -297,6 +297,7 @@ noinst_HEADERS = \
 detect-sip-response-line.h \
 detect-sip-stat-code.h \
 detect-sip-stat-msg.h \
+ detect-sip-to.h \
 detect-sip-uri.h \
 detect-smb-ntlmssp.h \
 detect-smb-share.h \
@@ -912,6 +913,7 @@ libsuricata_c_a_SOURCES = \
 detect-sip-response-line.c \
 detect-sip-stat-code.c \
 detect-sip-stat-msg.c \
+ detect-sip-to.c \
 detect-sip-uri.c \
 detect-smb-ntlmssp.c \
 detect-smb-share.c \
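Review bot: The include guard `__DETECT_SIP_FROM_H__` is a double-underscore identifier, which the C standard reserves for the implementation; a new header is the cheapest place to stop adding to that pattern, e.g. `#ifndef DETECT_SIP_FROM_H` / `#define DETECT_SIP_FROM_H` / `#endif /* DETECT_SIP_FROM_H */`. If the rest of src/ still uses the `__X_H__` form, matching it is defensible, but the choice should be deliberate rather than copied. The same applies to detect-sip-to.h, detect-sip-via.h, detect-sip-ua.h, detect-sip-content-type.h and detect-sip-content-length.h in this series. This header also carries a 2023 copyright year while its sibling .c and the other new files say 2024; worth aligning while the files are new.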
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
index f51010ad7e43..05af63d31952 100644
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@@ -276,6 +276,7 @@ enum DetectKeywordId {
 DETECT_AL_SIP_REQUEST_LINE,
 DETECT_AL_SIP_RESPONSE_LINE,
 DETECT_AL_SIP_HEADER_FROM,
+ DETECT_AL_SIP_HEADER_TO,
 DETECT_AL_RFB_SECRESULT,
 DETECT_AL_RFB_SECTYPE,
 DETECT_AL_RFB_NAME,
diff --git a/src/detect-sip-to.c b/src/detect-sip-to.c
new file mode 100644
index 000000000000..73fe74ab4757
--- /dev/null
+++ b/src/detect-sip-to.c
@@ -0,0 +1,39 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \author Giuseppe Longo
+ *
+ * Implements the sip.to sticky buffer
+ */
+
+#define KEYWORD_NAME "sip.to"
+#define KEYWORD_DOC "sip-keywords.html#sip-to"
+#define BUFFER_NAME "sip.to"
+#define BUFFER_DESC "sip to header"
+#define HEADER_NAME "To"
+#define KEYWORD_ID DETECT_AL_SIP_HEADER_TO
+#define KEYWORD_TOSERVER 1
+#define KEYWORD_TOCLIENT 1
+
+#include "detect-sip-headers-stub.h"
+#include "detect-sip-to.h"
+
+void RegisterSipHeadersTo(void)
+{
+ DetectSipHeadersRegisterStub();
+}
diff --git a/src/detect-sip-to.h b/src/detect-sip-to.h
new file mode 100644
index 000000000000..5fa93d08d1d9
--- /dev/null
+++ b/src/detect-sip-to.h
@@ -0,0 +1,23 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __DETECT_SIP_TO_H__
+#define __DETECT_SIP_TO_H__
+
+void RegisterSipHeadersTo(void);
+
+#endif /* __DETECT_SIP_TO_H__ */
From d087d4de75f80d66e2b41f38e404367e8a43e3f1 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Sat, 13 Apr 2024 16:57:50 +0200 Subject: [PATCH 06/11] detect/sip: add sip.via sticky buffer Ticket #6374
---
src/Makefile.am | 2 ++ src/detect-engine-register.h | 1 + src/detect-sip-via.c | 39 ++++++++++++++++++++++++++++++++++++ src/detect-sip-via.h | 23 +++++++++++++++++++++ 4 files changed, 65 insertions(+) create mode 100644 src/detect-sip-via.c create mode 100644 src/detect-sip-via.h
diff --git a/src/Makefile.am b/src/Makefile.am
index 4bbec6e017c2..2f93e417e4de 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -299,6 +299,7 @@ noinst_HEADERS = \
 detect-sip-stat-msg.h \
 detect-sip-to.h \
 detect-sip-uri.h \
+ detect-sip-via.h \
 detect-smb-ntlmssp.h \
 detect-smb-share.h \
 detect-smb-version.h \
@@ -915,6 +916,7 @@ libsuricata_c_a_SOURCES = \
 detect-sip-stat-msg.c \
 detect-sip-to.c \
 detect-sip-uri.c \
+ detect-sip-via.c \
 detect-smb-ntlmssp.c \
 detect-smb-share.c \
 detect-smb-version.c \
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
index 05af63d31952..856bba628d7c 100644
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@@ -277,6 +277,7 @@ enum DetectKeywordId {
 DETECT_AL_SIP_RESPONSE_LINE,
 DETECT_AL_SIP_HEADER_FROM,
 DETECT_AL_SIP_HEADER_TO,
+ DETECT_AL_SIP_HEADER_VIA,
 DETECT_AL_RFB_SECRESULT,
 DETECT_AL_RFB_SECTYPE,
 DETECT_AL_RFB_NAME,
diff --git a/src/detect-sip-via.c b/src/detect-sip-via.c
new file mode 100644
index 000000000000..687c7a20d641
--- /dev/null
+++ b/src/detect-sip-via.c
@@ -0,0 +1,39 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \author Giuseppe Longo
+ *
+ * Implements the sip.via sticky buffer
+ */
+
+#define KEYWORD_NAME "sip.via"
+#define KEYWORD_DOC "sip-keywords.html#sip-via"
+#define BUFFER_NAME "sip.via"
+#define BUFFER_DESC "sip via header"
+#define HEADER_NAME "Via"
+#define KEYWORD_ID DETECT_AL_SIP_HEADER_VIA
+#define KEYWORD_TOSERVER 1
+#define KEYWORD_TOCLIENT 1
+
+#include "detect-sip-headers-stub.h"
+#include "detect-sip-via.h"
+
+void RegisterSipHeadersVia(void)
+{
+ DetectSipHeadersRegisterStub();
+}
diff --git a/src/detect-sip-via.h b/src/detect-sip-via.h
new file mode 100644
index 000000000000..dd070b51d9a1
--- /dev/null
+++ b/src/detect-sip-via.h
@@ -0,0 +1,23 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __DETECT_SIP_VIA_H__
+#define __DETECT_SIP_VIA_H__
+
+void RegisterSipHeadersVia(void);
+
+#endif /* __DETECT_SIP_VIA_H__ */
From 3dca93bccc0d0f6167ecb88d4face57580f8df75 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Sat, 13 Apr 2024 17:07:25 +0200 Subject: [PATCH 07/11] detect/sip: add sip.user_agent sticky buffer Ticket #6374
---
src/Makefile.am | 2 ++ src/detect-engine-register.h | 1 + src/detect-sip-ua.c | 39 ++++++++++++++++++++++++++++++++++++ src/detect-sip-ua.h | 23 +++++++++++++++++++++ 4 files changed, 65 insertions(+) create mode 100644 src/detect-sip-ua.c create mode 100644 src/detect-sip-ua.h
diff --git a/src/Makefile.am b/src/Makefile.am
index 2f93e417e4de..0d9869f03761 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -298,6 +298,7 @@ noinst_HEADERS = \
 detect-sip-stat-code.h \
 detect-sip-stat-msg.h \
 detect-sip-to.h \
+ detect-sip-ua.h \
 detect-sip-uri.h \
 detect-sip-via.h \
 detect-smb-ntlmssp.h \
@@ -915,6 +916,7 @@ libsuricata_c_a_SOURCES = \
 detect-sip-stat-code.c \
 detect-sip-stat-msg.c \
 detect-sip-to.c \
+ detect-sip-ua.c \
 detect-sip-uri.c \
 detect-sip-via.c \
 detect-smb-ntlmssp.c \
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
index 856bba628d7c..857d4372b89c 100644
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@@ -278,6 +278,7 @@ enum DetectKeywordId {
 DETECT_AL_SIP_HEADER_FROM,
 DETECT_AL_SIP_HEADER_TO,
 DETECT_AL_SIP_HEADER_VIA,
+ DETECT_AL_SIP_HEADER_UA,
 DETECT_AL_RFB_SECRESULT,
 DETECT_AL_RFB_SECTYPE,
 DETECT_AL_RFB_NAME,
diff --git a/src/detect-sip-ua.c b/src/detect-sip-ua.c
new file mode 100644
index 000000000000..efc21c98db21
--- /dev/null
+++ b/src/detect-sip-ua.c
@@ -0,0 +1,39 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \author Giuseppe Longo
+ *
+ * Implements the sip.user_agent sticky buffer
+ */
+
+#define KEYWORD_NAME "sip.user_agent"
+#define KEYWORD_DOC "sip-keywords.html#sip-user-agent"
+#define BUFFER_NAME "sip.user_agent"
+#define BUFFER_DESC "sip user agent header"
+#define HEADER_NAME "User-Agent"
+#define KEYWORD_ID DETECT_AL_SIP_HEADER_UA
+#define KEYWORD_TOSERVER 1
+#define KEYWORD_TOCLIENT 1
+
+#include "detect-sip-headers-stub.h"
+#include "detect-sip-ua.h"
+
+void RegisterSipHeadersUa(void)
+{
+ DetectSipHeadersRegisterStub();
+}
diff --git a/src/detect-sip-ua.h b/src/detect-sip-ua.h
new file mode 100644
index 000000000000..daaf8abf107a
--- /dev/null
+++ b/src/detect-sip-ua.h
@@ -0,0 +1,23 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __DETECT_SIP_UA_H__
+#define __DETECT_SIP_UA_H__
+
+void RegisterSipHeadersUa(void);
+
+#endif /* __DETECT_SIP_UA_H__ */
From f5703d819b86c4c508d1821cba2e49fb46616cb7 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Sat, 13 Apr 2024 17:20:16 +0200 Subject: [PATCH 08/11] detect/sip: add sip.content_type sticky buffer Ticket #6374
---
src/Makefile.am | 2 ++ src/detect-engine-register.h | 1 + src/detect-sip-content-type.c | 39 +++++++++++++++++++++++++++++++++++ src/detect-sip-content-type.h | 23 +++++++++++++++++++++ 4 files changed, 65 insertions(+) create mode 100644 src/detect-sip-content-type.c create mode 100644 src/detect-sip-content-type.h
diff --git a/src/Makefile.am b/src/Makefile.am
index 0d9869f03761..e7c2d99ff570 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -289,6 +289,7 @@ noinst_HEADERS = \
 detect-rpc.h \
 detect-sameip.h \
 detect-sid.h \
+ detect-sip-content-type.h \
 detect-sip-headers-stub.h \
 detect-sip-from.h \
 detect-sip-method.h \
@@ -908,6 +909,7 @@ libsuricata_c_a_SOURCES = \
 detect-rpc.c \
 detect-sameip.c \
 detect-sid.c \
+ detect-sip-content-type.c \
 detect-sip-from.c \
 detect-sip-method.c \
 detect-sip-protocol.c \
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
index 857d4372b89c..9b73072db1b4 100644
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@@ -279,6 +279,7 @@ enum DetectKeywordId {
 DETECT_AL_SIP_HEADER_TO,
 DETECT_AL_SIP_HEADER_VIA,
 DETECT_AL_SIP_HEADER_UA,
+ DETECT_AL_SIP_HEADER_CONTENT_TYPE,
 DETECT_AL_RFB_SECRESULT,
 DETECT_AL_RFB_SECTYPE,
 DETECT_AL_RFB_NAME,
diff --git a/src/detect-sip-content-type.c b/src/detect-sip-content-type.c
new file mode 100644
index 000000000000..2ab720c93f51
--- /dev/null
+++ b/src/detect-sip-content-type.c
@@ -0,0 +1,39 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \author Giuseppe Longo
+ *
+ * Implements the sip.content_type sticky buffer
+ */
+
+#define KEYWORD_NAME "sip.content_type"
+#define KEYWORD_DOC "sip-keywords.html#sip-content-type"
+#define BUFFER_NAME "sip.content_type"
+#define BUFFER_DESC "sip content-type header"
+#define HEADER_NAME "Content-Type"
+#define KEYWORD_ID DETECT_AL_SIP_HEADER_CONTENT_TYPE
+#define KEYWORD_TOSERVER 1
+#define KEYWORD_TOCLIENT 1
+
+#include "detect-sip-headers-stub.h"
+#include "detect-sip-content-type.h"
+
+void RegisterSipHeadersContentType(void)
+{
+ DetectSipHeadersRegisterStub();
+}
diff --git a/src/detect-sip-content-type.h b/src/detect-sip-content-type.h
new file mode 100644
index 000000000000..27477a09ab6c
--- /dev/null
+++ b/src/detect-sip-content-type.h
@@ -0,0 +1,23 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __DETECT_SIP_CONTENT_TYPE_H__
+#define __DETECT_SIP_CONTENT_TYPE_H__
+
+void RegisterSipHeadersContentType(void);
+
+#endif /* __DETECT_SIP_CONTENT_TYPE_H__ */
From a9808b8a2f8f5251b4aedad11f4ef03e4608ecd6 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Sat, 13 Apr 2024 17:29:31 +0200 Subject: [PATCH 09/11] detect/sip: add sip.content_length sticky buffer Ticket #6374
---
src/Makefile.am | 2 ++ src/detect-engine-register.h | 1 + src/detect-sip-content-length.c | 41 +++++++++++++++++++++++++++++++++ src/detect-sip-content-length.h | 23 ++++++++++++++++++ 4 files changed, 67 insertions(+) create mode 100644 src/detect-sip-content-length.c create mode 100644 src/detect-sip-content-length.h
diff --git a/src/Makefile.am b/src/Makefile.am
index e7c2d99ff570..729ebf516839 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -289,6 +289,7 @@ noinst_HEADERS = \
 detect-rpc.h \
 detect-sameip.h \
 detect-sid.h \
+ detect-sip-content-length.h \
 detect-sip-content-type.h \
 detect-sip-headers-stub.h \
 detect-sip-from.h \
@@ -909,6 +910,7 @@ libsuricata_c_a_SOURCES = \
 detect-rpc.c \
 detect-sameip.c \
 detect-sid.c \
+ detect-sip-content-length.c \
 detect-sip-content-type.c \
 detect-sip-from.c \
 detect-sip-method.c \
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
index 9b73072db1b4..f946f6b5ba8d 100644
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@@ -280,6 +280,7 @@ enum DetectKeywordId {
 DETECT_AL_SIP_HEADER_VIA,
 DETECT_AL_SIP_HEADER_UA,
 DETECT_AL_SIP_HEADER_CONTENT_TYPE,
+ DETECT_AL_SIP_HEADER_CONTENT_LENGTH,
 DETECT_AL_RFB_SECRESULT,
 DETECT_AL_RFB_SECTYPE,
 DETECT_AL_RFB_NAME,
diff --git a/src/detect-sip-content-length.c b/src/detect-sip-content-length.c
new file mode 100644
index 000000000000..ebc5657d2fe3
--- /dev/null
+++ b/src/detect-sip-content-length.c
@@ -0,0 +1,41 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Giuseppe Longo
+ *
+ * Implements the sip.content_length sticky buffer
+ */
+
+#define KEYWORD_NAME "sip.content_length"
+#define KEYWORD_DOC "sip-keywords.html#sip-content-length"
+#define BUFFER_NAME "sip.content_length"
+#define BUFFER_DESC "sip content-length header"
+#define HEADER_NAME "Content-Length"
+#define KEYWORD_ID DETECT_AL_SIP_HEADER_CONTENT_LENGTH
+#define KEYWORD_TOSERVER 1
+#define KEYWORD_TOCLIENT 1
+
+#include "detect-sip-headers-stub.h"
+#include "detect-sip-content-length.h"
+
+void RegisterSipHeadersContentLength(void)
+{
+ DetectSipHeadersRegisterStub();
+}
diff --git a/src/detect-sip-content-length.h b/src/detect-sip-content-length.h
new file mode 100644
index 000000000000..c5261d556e06
--- /dev/null
+++ b/src/detect-sip-content-length.h
@@ -0,0 +1,23 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __DETECT_SIP_CONTENT_LENGTH_H__
+#define __DETECT_SIP_CONTENT_LENGTH_H__
+
+void RegisterSipHeadersContentLength(void);
+
+#endif /* __DETECT_SIP_CONTENT_LENGTH_H__ */
From 52f3f7fbd163638fb5bc6b5cabdc530311977382 Mon Sep 17 00:00:00 2001
From: Giuseppe Longo
Date: Fri, 15 Sep 2023 09:27:37 +0200
Subject: [PATCH 10/11] detect/sip: register headers sticky buffers
Ticket #6374
---
 src/Makefile.am | 2 ++
 src/detect-engine-register.c | 2 ++
 src/detect-sip-headers.c | 38 ++++++++++++++++++++++++++++++++++++
 src/detect-sip-headers.h | 23 ++++++++++++++++++++++
 4 files changed, 65 insertions(+)
 create mode 100644 src/detect-sip-headers.c
 create mode 100644 src/detect-sip-headers.h
diff --git a/src/Makefile.am b/src/Makefile.am
index 729ebf516839..ba11891bfb6e 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -291,6 +291,7 @@ noinst_HEADERS = \
 detect-sid.h \
 detect-sip-content-length.h \
 detect-sip-content-type.h \
+ detect-sip-headers.h \
 detect-sip-headers-stub.h \
 detect-sip-from.h \
 detect-sip-method.h \
@@ -912,6 +913,7 @@ libsuricata_c_a_SOURCES = \
 detect-sid.c \
 detect-sip-content-length.c \
 detect-sip-content-type.c \
+ detect-sip-headers.c \
 detect-sip-from.c \
 detect-sip-method.c \
 detect-sip-protocol.c \
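Review bot: The include guard `__DETECT_SIP_CONTENT_LENGTH_H__` (and `__DETECT_SIP_HEADERS_H__` in detect-sip-headers.h later in this series) starts with a double underscore, an identifier form C reserves for the implementation; it appears to follow the existing naming in the tree, so this is a style point rather than a defect, but new headers could use `DETECT_SIP_CONTENT_LENGTH_H` instead. The one prototype also has no comment; `/** \brief Registers the sip.content_length sticky buffer (see detect-sip-content-length.c). */` above `void RegisterSipHeadersContentLength(void);` would make the header self-describing.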
diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c
index 5608ae218f51..16cbd4152ef2 100644
--- a/src/detect-engine-register.c
+++ b/src/detect-engine-register.c
@@ -206,6 +206,7 @@
 #include "detect-sip-stat-msg.h"
 #include "detect-sip-request-line.h"
 #include "detect-sip-response-line.h"
+#include "detect-sip-headers.h"
 #include "detect-rfb-secresult.h"
 #include "detect-rfb-sectype.h"
 #include "detect-rfb-name.h"
@@ -675,6 +676,7 @@ void SigTableSetup(void)
 DetectSipStatMsgRegister();
 DetectSipRequestLineRegister();
 DetectSipResponseLineRegister();
+ DetectSipHeadersRegister();
 DetectRfbSecresultRegister();
 DetectRfbSectypeRegister();
 DetectRfbNameRegister();
diff --git a/src/detect-sip-headers.c b/src/detect-sip-headers.c
new file mode 100644
index 000000000000..ea00fde0cf28
--- /dev/null
+++ b/src/detect-sip-headers.c
@@ -0,0 +1,38 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \author Giuseppe Longo
+ */
+
+#include "detect-sip-headers.h"
+#include "detect-sip-from.h"
+#include "detect-sip-to.h"
+#include "detect-sip-via.h"
+#include "detect-sip-ua.h"
+#include "detect-sip-content-type.h"
+#include "detect-sip-content-length.h"
+
+void DetectSipHeadersRegister(void)
+{
+ RegisterSipHeadersFrom();
+ RegisterSipHeadersTo();
+ RegisterSipHeadersVia();
+ RegisterSipHeadersUa();
+ RegisterSipHeadersContentType();
+ RegisterSipHeadersContentLength();
+}
diff --git a/src/detect-sip-headers.h b/src/detect-sip-headers.h
new file mode 100644
index 000000000000..37bbd3af1f18
--- /dev/null
+++ b/src/detect-sip-headers.h
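Review bot: The file comment on detect-sip-headers.c carries only the author and omits the `\file` tag and purpose line that detect-sip-content-length.c earlier in this series has, and DetectSipHeadersRegister() itself is undocumented. For the file block I would use `/** \file \author Giuseppe Longo \brief Registers the per-header SIP sticky buffers */`, and above the function `/** \brief Register all per-header SIP sticky buffer keywords; called once from SigTableSetup(). */`. The body only chains the six Register* calls, so nothing further needs stating.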
@@ -0,0 +1,23 @@ +/* Copyright (C) 2023 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +#ifndef __DETECT_SIP_HEADERS_H__ +#define __DETECT_SIP_HEADERS_H__ + +void DetectSipHeadersRegister(void); + +#endif /* __DETECT_SIP_HEADERS_H__ */ From 7f5570e917dda92064d02dca70ee9eca5d1653d0 Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Thu, 18 Apr 2024 15:31:55 +0200 Subject: [PATCH 11/11] doc: update upgrade section --- doc/userguide/upgrade.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst index 03463c18f8c8..e18cd332fa04 100644 --- a/doc/userguide/upgrade.rst +++ b/doc/userguide/upgrade.rst @@ -52,6 +52,14 @@ Major changes for the ``stats`` event. - Stats counters that are 0 can now be hidden from EVE logs. Default behavior still logs those (see :ref:`EVE Output - Stats ` for configuration setting). +- The following sticky buffers for matching SIP headers have been implemented: + - sip.via + - sip.from + - sip.to + - sip.content_type + - sip.content_length + + Note: Headers expressed in compact form will still be matched. Upgrading 6.0 to 7.0 --------------------