detect/sip: add sticky buffers to match headers v3 #11004
glongo wants to merge 11 commits into OISF:master from
Conversation
catenacyber left a comment
Thanks for the work :-)
Should these fields get logged in addition to having a keyword?
Would you do a rebase for green CI?
- CI : 🟠 probably just need a rebase
- Code : Checking now
- Commits segmentation : not sure, feels weird to have a specific commit for registering for instance
- Commit messages : ok for me
- Git ID set : looks fine for me
- CLA : you already contributed
- Doc update : will leave some more comments in the code
- Redmine ticket : ok
- Rustfmt : looks good
- Tests : looks good, left a few questions there
- Dependencies added: none
sip.from; content:<from>

Where <from> is the value of the From header.
@jufajardini we should specify this is a sticky buffer, right?
- sip.content_type
- sip.content_length

Note: Headers expressed in compact form will still be matched.
I think the Note line is too much detail for this file
use std::ptr;

fn header_compact_name(h: &str) -> Option<String> {
let compact = match h {
Would you add a comment to the RFC specifying these?
Also, wouldn't it be simpler the other way, to associate i with Call-Id?
sip.from
--------

This keyword matches on the From field that can be present in SIP headers.
What happens if there are multiple From headers?
Should it be a multi buffer?
"Via" => "v",
_ => return None,
};
Some(compact.to_string())
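Review bot: the `match h { ... "Via" => "v", ... _ => return None }` arms compare the header name case-sensitively, while SIP header field names are case-insensitive (RFC 3261, section 7.3.1), so a message carrying `via:` or `VIA:` would fall through to `None` here and lose its compact-form lookup unless the caller has already canonicalised the name; either normalise `h` before the match (for example compare each long form with `eq_ignore_ascii_case`) or document on `header_compact_name` that it expects canonical casing.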
Why do we need the allocation?
if let Some(headers) = headers {
let header_value = headers
.get(s)
.or_else(|| s2.as_ref().and_then(|s2| headers.get(s2)));
That means if I have the header in long and short form, I only get the long form, right?
.or_else(|| s2.as_ref().and_then(|s2| headers.get(s2)));

if let Some(value) = header_value {
if !value.is_empty() {
Why this test? cf. #11070 and https://redmine.openinfosecfoundation.org/issues/2224
* 02110-1301, USA.
*/

#ifndef __DETECT_SIP_CONTENT_LENGTH_H__
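Review bot: `__DETECT_SIP_CONTENT_LENGTH_H__` begins with a double underscore, which the C standard reserves for the implementation (C11 7.1.3) and which can therefore collide with compiler or libc macros; a new include guard is safer as `DETECT_SIP_CONTENT_LENGTH_H` (or a project-prefixed form such as `SURICATA_DETECT_SIP_CONTENT_LENGTH_H`).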
#define HEADER_NAME "User-Agent"
#define KEYWORD_ID DETECT_AL_SIP_HEADER_UA
#define KEYWORD_TOSERVER 1
#define KEYWORD_TOCLIENT 1
User Agent is to client as well?
Or should we get rid of KEYWORD_TOSERVER as they are always true?
Yes, UA is to client as well.
DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
GetResponseData, ALPROTO_SIP, 1);
#endif
#ifdef KEYWORD_TOSERVER
You can group the 2 lines instead of having 2 ifdef KEYWORD_TOSERVER groups
return 0;
}

static void DetectSipHeadersRegisterStub(void)
I still think it would be easier and more expressive to have a sip.headers buffer or frame
#include "detect-engine-mpm.h"
#include "detect-engine-prefilter.h"

#include "util-debug.h"

Replaced with #11330
Make sure these boxes are signed before submitting your Pull Request -- thank you.
https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html
https://suricata.io/about/contribution-agreement/ (note: this is only required once)
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/6374
Describe changes:
SV_BRANCH=OISF/suricata-verify#1787