detect/sip: add sticky buffers to match headers v2 by glongo · Pull Request #10907 · OISF/suricata

glongo · 2024-04-18T15:06:35Z

Make sure these boxes are signed before submitting your Pull Request -- thank you.

I have read the contributing guide lines at
https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html
I have signed the Open Information Security Foundation contribution agreement at
https://suricata.io/about/contribution-agreement/ (note: this is only required once)
I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/6374

Describe changes:

Match headers in compact form
Add doc
SV: add test for compact form

SV_BRANCH=OISF/suricata-verify#1787

A stub file has been added to implement the sticky buffers for SIP headers. Ticket OISF#6374

To match on response SIP headers, those headers must be stored. Ticket OISF#6374

Ticket OISF#6374

codecov · 2024-04-18T18:17:22Z

Codecov Report

Attention: Patch coverage is 96.45390% with 5 lines in your changes are missing coverage. Please review.

Project coverage is 82.84%. Comparing base (2b4e102) to head (7f5570e).
Report is 100 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #10907      +/-   ##
==========================================
+ Coverage   77.64%   82.84%   +5.20%     
==========================================
  Files         922      930       +8     
  Lines      247806   247976     +170     
==========================================
+ Hits       192400   205440   +13040     
+ Misses      55406    42536   -12870

Flag	Coverage Δ
fuzzcorpus	`64.26% <48.22%> (?)`
suricata-verify	`62.45% <96.45%> (+0.02%)`	⬆️
unittests	`62.19% <48.22%> (-0.01%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

catenacyber · 2024-04-30T10:09:57Z

doc/userguide/upgrade.rst

 - Stats counters that are 0 can now be hidden from EVE logs. Default behavior
  still logs those (see :ref:`EVE Output - Stats <eve-json-output-stats>` for configuration setting).
+- The following sticky buffers for matching SIP headers have been implemented:
+    - sip.via


It looks like these miss in doc/userguide/rules/sip-keywords.rst ;-)

catenacyber · 2024-04-30T10:13:00Z

rust/src/sip/parser.rs

    pub version: String,
    pub code: String,
    pub reason: String,
+    pub headers: HashMap<String, String>,


What happens if I have multiple via headers ?

The value is updated and the old one is returned.

catenacyber

Thanks Giuseppe, will need at least a rebase, and doc update for these new keywords

catenacyber · 2024-04-30T10:14:46Z

Also for your info, you can take a look at #10966

glongo · 2024-05-01T06:59:19Z

Replaced with #11004

glongo added 11 commits April 18, 2024 15:25

detect/sip: add stub file for headers keywords

e23913a

A stub file has been added to implement the sticky buffers for SIP headers. Ticket OISF#6374

rust/sip: store response headers

f8fc238

To match on response SIP headers, those headers must be stored. Ticket OISF#6374

rust/sip: match on headers map

f9b7215

Ticket OISF#6374

detect/sip: add sip.from sticky buffer

e061f30

Ticket OISF#6374

detect/sip: add sip.to sticky buffer

f6ff049

Ticket OISF#6374

detect/sip: add sip.via sticky buffer

d087d4d

Ticket OISF#6374

detect/sip: add sip.user_agent sticky buffer

3dca93b

Ticket OISF#6374

detect/sip: add sip.content_type sticky buffer

f5703d8

Ticket OISF#6374

detect/sip: add sip.content_length sticky buffer

a9808b8

Ticket OISF#6374

detect/sip: register headers sticky buffers

52f3f7f

Ticket OISF#6374

doc: update upgrade section

7f5570e

glongo requested review from jasonish, jufajardini and victorjulien as code owners April 18, 2024 15:06

This was referenced Apr 18, 2024

detect/sip: add sticky buffers to match headers #10839

Closed

sip: add tests for headers sticky buffers v2 OISF/suricata-verify#1787

Closed

jufajardini added the needs rebase Needs rebase to main label Apr 29, 2024

catenacyber reviewed Apr 30, 2024

View reviewed changes

catenacyber requested changes Apr 30, 2024

View reviewed changes

glongo closed this May 1, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Comments

detect/sip: add sticky buffers to match headers v2#10907

detect/sip: add sticky buffers to match headers v2#10907
glongo wants to merge 11 commits intoOISF:masterfrom
glongo:dev-6374-sip-hdrs-sticky-buffers-v2

glongo commented Apr 18, 2024

Uh oh!

codecov bot commented Apr 18, 2024 •

edited

Loading

Uh oh!

catenacyber Apr 30, 2024

Uh oh!

catenacyber Apr 30, 2024

Uh oh!

glongo Apr 30, 2024

Uh oh!

catenacyber left a comment

Uh oh!

catenacyber commented Apr 30, 2024

Uh oh!

glongo commented May 1, 2024

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

3 participants

Comments

Conversation

glongo commented Apr 18, 2024

Uh oh!

codecov bot commented Apr 18, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

catenacyber Apr 30, 2024

Choose a reason for hiding this comment

Uh oh!

catenacyber Apr 30, 2024

Choose a reason for hiding this comment

Uh oh!

glongo Apr 30, 2024

Choose a reason for hiding this comment

Uh oh!

catenacyber left a comment

Choose a reason for hiding this comment

Uh oh!

catenacyber commented Apr 30, 2024

Uh oh!

glongo commented May 1, 2024

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

3 participants

codecov bot commented Apr 18, 2024 •

edited

Loading