OISF · glongo · Sep 13, 2023 · Sep 15, 2023 · Sep 15, 2023 · Sep 15, 2023
diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst
@@ -52,6 +52,14 @@ Major changes
   for the ``stats`` event.
 - Stats counters that are 0 can now be hidden from EVE logs. Default behavior
   still logs those (see :ref:`EVE Output - Stats <eve-json-output-stats>` for configuration setting).
+- The following sticky buffers for matching SIP headers have been implemented:
+    - sip.via
+    - sip.from
+    - sip.to
+    - sip.content_type
+    - sip.content_length
+
+  Note: Headers expressed in compact form will still be matched.
 
 Upgrading 6.0 to 7.0
 --------------------

diff --git a/rust/src/sip/detect.rs b/rust/src/sip/detect.rs
@@ -1,4 +1,4 @@
-/* Copyright (C) 2019 Open Information Security Foundation
+/* Copyright (C) 2024 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
@@ -19,8 +19,26 @@
 
 use crate::core::Direction;
 use crate::sip::sip::SIPTransaction;
+use std::ffi::CStr;
 use std::ptr;
 
+fn header_compact_name(h: &str) -> Option<String> {
+    let compact = match h {
+        "Call-ID" => "i",
+        "Contact" => "m",
+        "Content-Encoding" => "e",
+        "Content-Length" => "l",
+        "Content-Type" => "c",
+        "From" => "f",
+        "Subject" => "s",
+        "Supported" => "k",
+        "To" => "t",
+        "Via" => "v",
+        _ => return None,
+    };
+    Some(compact.to_string())
+}
+
 #[no_mangle]
 pub unsafe extern "C" fn rs_sip_tx_get_method(
     tx: &mut SIPTransaction, buffer: *mut *const u8, buffer_len: *mut u32,
@@ -165,3 +183,36 @@ pub unsafe extern "C" fn rs_sip_tx_get_response_line(
 
     return 0;
 }
+
+#[no_mangle]
+pub unsafe extern "C" fn rs_sip_tx_get_header_value(
+    tx: &mut SIPTransaction, direction: u8, strname: *const std::os::raw::c_char,
+    buffer: *mut *const u8, buffer_len: *mut u32,
+) -> u8 {
+    let hname: &CStr = CStr::from_ptr(strname);
+    if let Ok(s) = hname.to_str() {
+        let s2 = header_compact_name(s);
+        let headers = match direction.into() {
+            Direction::ToServer => tx.request.as_ref().map(|r| &r.headers),
+            Direction::ToClient => tx.response.as_ref().map(|r| &r.headers),
+        };
+        if let Some(headers) = headers {
+            let header_value = headers
+                .get(s)
+                .or_else(|| s2.as_ref().and_then(|s2| headers.get(s2)));
+
+            if let Some(value) = header_value {
+                if !value.is_empty() {
+                    *buffer = value.as_ptr();
+                    *buffer_len = value.len() as u32;
+                    return 1;
+                }
+            }
+        };
+    }
+
+    *buffer = ptr::null();
+    *buffer_len = 0;
+
+    return 0;
+}
diff --git a/rust/src/sip/parser.rs b/rust/src/sip/parser.rs
@@ -50,6 +50,7 @@ pub struct Response {
     pub version: String,
     pub code: String,
     pub reason: String,
+    pub headers: HashMap<String, String>,
 
     pub response_line_len: u16,
     pub headers_len: u16,
@@ -130,7 +131,7 @@ pub fn sip_parse_response(oi: &[u8]) -> IResult<&[u8], Response> {
     let (i, reason) = parse_reason(i)?;
     let (hi, _) = crlf(i)?;
     let response_line_len = oi.len() - hi.len();
-    let (phi, _headers) = parse_headers(hi)?;
+    let (phi, headers) = parse_headers(hi)?;
     let headers_len = hi.len() - phi.len();
     let (bi, _) = crlf(phi)?;
     let body_offset = oi.len() - bi.len();
@@ -140,6 +141,7 @@ pub fn sip_parse_response(oi: &[u8]) -> IResult<&[u8], Response> {
             version,
             code: code.into(),
             reason: reason.into(),
+            headers,
 
             response_line_len: response_line_len as u16,
             headers_len: headers_len as u16,

diff --git a/src/Makefile.am b/src/Makefile.am
@@ -289,13 +289,21 @@ noinst_HEADERS = \
 	detect-rpc.h \
 	detect-sameip.h \
 	detect-sid.h \
+	detect-sip-content-length.h \
+	detect-sip-content-type.h \
+	detect-sip-headers.h \
+	detect-sip-headers-stub.h \
+	detect-sip-from.h \
 	detect-sip-method.h \
 	detect-sip-protocol.h \
 	detect-sip-request-line.h \
 	detect-sip-response-line.h \
 	detect-sip-stat-code.h \
 	detect-sip-stat-msg.h \
+	detect-sip-to.h \
+	detect-sip-ua.h \
 	detect-sip-uri.h \
+	detect-sip-via.h \
 	detect-smb-ntlmssp.h \
 	detect-smb-share.h \
 	detect-smb-version.h \
@@ -903,13 +911,20 @@ libsuricata_c_a_SOURCES = \
 	detect-rpc.c \
 	detect-sameip.c \
 	detect-sid.c \
+	detect-sip-content-length.c \
+	detect-sip-content-type.c \
+	detect-sip-headers.c \
+	detect-sip-from.c \
 	detect-sip-method.c \
 	detect-sip-protocol.c \
 	detect-sip-request-line.c \
 	detect-sip-response-line.c \
 	detect-sip-stat-code.c \
 	detect-sip-stat-msg.c \
+	detect-sip-to.c \
+	detect-sip-ua.c \
 	detect-sip-uri.c \
+	detect-sip-via.c \
 	detect-smb-ntlmssp.c \
 	detect-smb-share.c \
 	detect-smb-version.c \

diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c
@@ -206,6 +206,7 @@
 #include "detect-sip-stat-msg.h"
 #include "detect-sip-request-line.h"
 #include "detect-sip-response-line.h"
+#include "detect-sip-headers.h"
 #include "detect-rfb-secresult.h"
 #include "detect-rfb-sectype.h"
 #include "detect-rfb-name.h"
@@ -675,6 +676,7 @@ void SigTableSetup(void)
     DetectSipStatMsgRegister();
     DetectSipRequestLineRegister();
     DetectSipResponseLineRegister();
+    DetectSipHeadersRegister();
     DetectRfbSecresultRegister();
     DetectRfbSectypeRegister();
     DetectRfbNameRegister();

diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
@@ -275,6 +275,12 @@ enum DetectKeywordId {
     DETECT_AL_SIP_STAT_MSG,
     DETECT_AL_SIP_REQUEST_LINE,
     DETECT_AL_SIP_RESPONSE_LINE,
+    DETECT_AL_SIP_HEADER_FROM,
+    DETECT_AL_SIP_HEADER_TO,
+    DETECT_AL_SIP_HEADER_VIA,
+    DETECT_AL_SIP_HEADER_UA,
+    DETECT_AL_SIP_HEADER_CONTENT_TYPE,
+    DETECT_AL_SIP_HEADER_CONTENT_LENGTH,
     DETECT_AL_RFB_SECRESULT,
     DETECT_AL_RFB_SECTYPE,
     DETECT_AL_RFB_NAME,

diff --git a/src/detect-sip-content-length.c b/src/detect-sip-content-length.c
@@ -0,0 +1,41 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Giuseppe Longo <giuseppe@glongo.it>
+ *
+ * Implements the sip.content_length sticky buffer
+ */
+
+#define KEYWORD_NAME     "sip.content_length"
+#define KEYWORD_DOC      "sip-keywords.html#sip-content-length"
+#define BUFFER_NAME      "sip.content_length"
+#define BUFFER_DESC      "sip content-length header"
+#define HEADER_NAME      "Content-Length"
+#define KEYWORD_ID       DETECT_AL_SIP_HEADER_CONTENT_LENGTH
+#define KEYWORD_TOSERVER 1
+#define KEYWORD_TOCLIENT 1
+
+#include "detect-sip-headers-stub.h"
+#include "detect-sip-content-length.h"
+
+void RegisterSipHeadersContentLength(void)
+{
+    DetectSipHeadersRegisterStub();
+}
diff --git a/src/detect-sip-content-length.h b/src/detect-sip-content-length.h
@@ -0,0 +1,23 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __DETECT_SIP_CONTENT_LENGTH_H__
+#define __DETECT_SIP_CONTENT_LENGTH_H__
+
+void RegisterSipHeadersContentLength(void);
+
+#endif /* __DETECT_SIP_CONTENT_LENGTH_H__ */
diff --git a/src/detect-sip-content-type.c b/src/detect-sip-content-type.c
@@ -0,0 +1,39 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \author Giuseppe Longo <giuseppe@glongo.it>
+ *
+ * Implements the sip.content_type sticky buffer
+ */
+
+#define KEYWORD_NAME     "sip.content_type"
+#define KEYWORD_DOC      "sip-keywords.html#sip-content-type"
+#define BUFFER_NAME      "sip.content_type"
+#define BUFFER_DESC      "sip content-type header"
+#define HEADER_NAME      "Content-Type"
+#define KEYWORD_ID       DETECT_AL_SIP_HEADER_CONTENT_TYPE
+#define KEYWORD_TOSERVER 1
+#define KEYWORD_TOCLIENT 1
+
+#include "detect-sip-headers-stub.h"
+#include "detect-sip-content-type.h"
+
+void RegisterSipHeadersContentType(void)
+{
+    DetectSipHeadersRegisterStub();
+}
diff --git a/src/detect-sip-content-type.h b/src/detect-sip-content-type.h
@@ -0,0 +1,23 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __DETECT_SIP_CONTENT_TYPE_H__
+#define __DETECT_SIP_CONTENT_TYPE_H__
+
+void RegisterSipHeadersContentType(void);
+
+#endif /* __DETECT_SIP_CONTENT_TYPE_H__ */
diff --git a/src/detect-sip-from.c b/src/detect-sip-from.c
@@ -0,0 +1,39 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \author Giuseppe Longo <giuseppe@glongo.it>
+ *
+ * Implements the sip.from sticky buffer
+ */
+
+#define KEYWORD_NAME     "sip.from"
+#define KEYWORD_DOC      "sip-keywords.html#sip-from"
+#define BUFFER_NAME      "sip.from"
+#define BUFFER_DESC      "sip from header"
+#define HEADER_NAME      "From"
+#define KEYWORD_ID       DETECT_AL_SIP_HEADER_FROM
+#define KEYWORD_TOSERVER 1
+#define KEYWORD_TOCLIENT 1
+
+#include "detect-sip-headers-stub.h"
+#include "detect-sip-from.h"
+
+void RegisterSipHeadersFrom(void)
+{
+    DetectSipHeadersRegisterStub();
+}
diff --git a/src/detect-sip-from.h b/src/detect-sip-from.h
@@ -0,0 +1,23 @@
+/* Copyright (C) 2023 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef __DETECT_SIP_FROM_H__
+#define __DETECT_SIP_FROM_H__
+
+void RegisterSipHeadersFrom(void);
+
+#endif /* __DETECT_SIP_FROM_H__ */