diff --git a/doc/userguide/rules/sip-keywords.rst b/doc/userguide/rules/sip-keywords.rst index be3662b1a5b0..64a67c20d144 100644 --- a/doc/userguide/rules/sip-keywords.rst +++ b/doc/userguide/rules/sip-keywords.rst @@ -13,6 +13,12 @@ sip.stat_code Response sip.stat_msg Response sip.response_line Response sip.protocol Both +sip.from Both +sip.to Both +sip.via Both +sip.user_agent Both +sip.content_type Both +sip.content_length Both ============================== ================== sip.method 
@@ -177,3 +183,129 @@ Example :: sip.protocol; content:"SIP/2.0" + +sip.from +-------- + +This keyword matches on the From field that can be present in SIP headers. + +Syntax +~~~~~~ + +:: + + sip.from; content: + +Where is the value of the From header. + +Example +~~~~~~~ + +:: + + sip.from; content:"user" + +sip.to +------ + +This keyword matches on the To field that can be present in SIP headers. + +Syntax +~~~~~~ + +:: + + sip.to; content: + +Where is the value of the To header. + +Example +~~~~~~~ + +:: + + sip.to; content:"user" + +sip.via +-------- + +This keyword matches on the Via field that can be present in SIP headers. + +Syntax +~~~~~~ + +:: + + sip.via; content: + +Where is the value of the Via header. + +Example +~~~~~~~ + +:: + + sip.via; content:"SIP/2.0/UDP" + +sip.user_agent +-------------- + +This keyword matches on the User-Agent field that can be present in SIP headers. + +Syntax +~~~~~~ + +:: + + sip.user_agent; content: + +Where is the value of the User-Agent header. + +Example +~~~~~~~ + +:: + + sip.user_agent; content:"Asterisk" + +sip.content_type +---------------- + +This keyword matches on the Content-Type field that can be present in SIP headers. + +Syntax +~~~~~~ + +:: + + sip.content_type; content: + +Where is the value of the Content-Type header. + +Example +~~~~~~~ + +:: + + sip.content_type; content:"application/sdp" + +sip.content_length +------------------ + +This keyword matches on the Content-Length field that can be present in SIP headers. + +Syntax +~~~~~~ + +:: + + sip.content_length; content: + +Where is the value of the Content-Length header. + +Example +~~~~~~~ + +:: + + sip.content_length; content:"200" diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst index 81e487fc0cdc..72d7ac960b0c 100644 --- a/doc/userguide/upgrade.rst +++ b/doc/userguide/upgrade.rst 
@@ -55,6 +55,14 @@ Major changes - SDP parser and logger have been introduced. Due to SDP being encapsulated within other protocols, such as SIP, they cannot be directly enabled or disabled. Instead, both the SDP parser and logger depend on being invoked by another parser (or logger). +- The following sticky buffers for matching SIP headers have been implemented: + - sip.via + - sip.from + - sip.to + - sip.content_type + - sip.content_length + + Note: Headers expressed in compact form will still be matched. Upgrading 6.0 to 7.0 -------------------- diff --git a/rust/src/sip/detect.rs b/rust/src/sip/detect.rs index 91df4fb29932..dc4deb581d68 100644 --- a/rust/src/sip/detect.rs +++ b/rust/src/sip/detect.rs @@ -1,4 +1,4 @@ -/* Copyright (C) 2019 Open Information Security Foundation +/* Copyright (C) 2024 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free @@ -19,8 +19,26 @@ use crate::core::Direction; use crate::sip::sip::SIPTransaction; +use std::ffi::CStr; use std::ptr; +fn header_compact_name(h: &str) -> Option { + let compact = match h { + "Call-ID" => "i", + "Contact" => "m", + "Content-Encoding" => "e", + "Content-Length" => "l", + "Content-Type" => "c", + "From" => "f", + "Subject" => "s", + "Supported" => "k", + "To" => "t", + "Via" => "v", + _ => return None, + }; + Some(compact.to_string()) +} + #[no_mangle] pub unsafe extern "C" fn rs_sip_tx_get_method( tx: &mut SIPTransaction, buffer: *mut *const u8, buffer_len: *mut u32, 
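Review bot: `header_compact_name` allocates a fresh `String` on every call even though each value it returns is a literal; returning a static slice keeps the per-signature inspection path allocation-free: `fn header_compact_name(h: &str) -> Option<&'static str> {`, `_ => None,` in place of `_ => return None,`, and the closing `Some(compact.to_string())` becomes `Some(compact)`. The caller in rs_sip_tx_get_header_value (next hunk) then reads `.or_else(|| s2.and_then(|c| headers.get(c)))`. Both lookups are exact-case `HashMap::get` calls while SIP header field names are case-insensitive (RFC 3261 §7.3.1), so matching is only complete if parse_headers (not in this diff) stores names in canonical case; a comment on the function stating that expectation, e.g. `// Lookup is exact-case: relies on parse_headers canonicalising header names.`, would make the dependency visible. Separately, the upgrade.rst list earlier on this line names five new buffers but omits sip.user_agent, which this change also adds.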
@@ -165,3 +183,36 @@ pub unsafe extern "C" fn rs_sip_tx_get_response_line( return 0; } + +#[no_mangle] +pub unsafe extern "C" fn rs_sip_tx_get_header_value( + tx: &mut SIPTransaction, direction: u8, strname: *const std::os::raw::c_char, + buffer: *mut *const u8, buffer_len: *mut u32, +) -> u8 { + let hname: &CStr = CStr::from_ptr(strname); + if let Ok(s) = hname.to_str() { + let s2 = header_compact_name(s); + let headers = match direction.into() { + Direction::ToServer => tx.request.as_ref().map(|r| &r.headers), + Direction::ToClient => tx.response.as_ref().map(|r| &r.headers), + }; + if let Some(headers) = headers { + let header_value = headers + .get(s) + .or_else(|| s2.as_ref().and_then(|s2| headers.get(s2))); + + if let Some(value) = header_value { + if !value.is_empty() { + *buffer = value.as_ptr(); + *buffer_len = value.len() as u32; + return 1; + } + } + }; + } + + *buffer = ptr::null(); + *buffer_len = 0; + + return 0; +} diff --git a/rust/src/sip/parser.rs b/rust/src/sip/parser.rs index a7314f163914..d728e4b40297 100644 --- a/rust/src/sip/parser.rs +++ b/rust/src/sip/parser.rs @@ -52,6 +52,7 @@ pub struct Response { pub version: String, pub code: String, pub reason: String, + pub headers: HashMap, pub response_line_len: u16, pub headers_len: u16, @@ -135,7 +136,7 @@ pub fn sip_parse_response(oi: &[u8]) -> IResult<&[u8], Response> { let (i, reason) = parse_reason(i)?; let (hi, _) = crlf(i)?; let response_line_len = oi.len() - hi.len(); - let (phi, _headers) = parse_headers(hi)?; + let (phi, headers) = parse_headers(hi)?; let headers_len = hi.len() - phi.len(); let (bi, _) = crlf(phi)?; let body_offset = oi.len() - bi.len(); @@ -146,6 +147,7 @@ pub fn sip_parse_response(oi: &[u8]) -> IResult<&[u8], Response> { version, code: code.into(), reason: reason.into(), + headers, response_line_len: response_line_len as u16, headers_len: headers_len as u16, diff --git a/src/Makefile.am b/src/Makefile.am index d2fd1e29ea11..28365ca245dc 100755 --- a/src/Makefile.am 
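Review bot: `headers.get(s)` can return at most one value per header name, so `sip.via` only ever inspects whichever Via occurrence parse_headers kept, although a SIP message legitimately carries one Via per hop; the map's type parameters are stripped here, so this is inferred from the single-value `get`. If that scope is intentional it should be stated above the lookup, e.g. `// One value per header name: repeated headers such as Via are not all exposed.`, and in the keyword docs; otherwise the headers map needs to hold a list per name. When both the canonical and the compact form of a header are present, the compact one is silently ignored by the `or_else` fallback, which deserves the same comment. The function is `unsafe extern "C"` but has no `/// # Safety` section: `strname` is dereferenced through `CStr::from_ptr` without a null check and `buffer`/`buffer_len` are written unconditionally, so document that callers must pass a valid NUL-terminated string and two writable out-pointers.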
+++ b/src/Makefile.am @@ -283,13 +283,21 @@ noinst_HEADERS = \ detect-rpc.h \ detect-sameip.h \ detect-sid.h \ + detect-sip-content-length.h \ + detect-sip-content-type.h \ + detect-sip-headers.h \ + detect-sip-headers-stub.h \ + detect-sip-from.h \ detect-sip-method.h \ detect-sip-protocol.h \ detect-sip-request-line.h \ detect-sip-response-line.h \ detect-sip-stat-code.h \ detect-sip-stat-msg.h \ + detect-sip-to.h \ + detect-sip-ua.h \ detect-sip-uri.h \ + detect-sip-via.h \ detect-smb-ntlmssp.h \ detect-smb-share.h \ detect-smb-version.h \ @@ -891,13 +899,20 @@ libsuricata_c_a_SOURCES = \ detect-rpc.c \ detect-sameip.c \ detect-sid.c \ + detect-sip-content-length.c \ + detect-sip-content-type.c \ + detect-sip-headers.c \ + detect-sip-from.c \ detect-sip-method.c \ detect-sip-protocol.c \ detect-sip-request-line.c \ detect-sip-response-line.c \ detect-sip-stat-code.c \ detect-sip-stat-msg.c \ + detect-sip-to.c \ + detect-sip-ua.c \ detect-sip-uri.c \ + detect-sip-via.c \ detect-smb-ntlmssp.c \ detect-smb-share.c \ detect-smb-version.c \ diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c index 5608ae218f51..16cbd4152ef2 100644 --- a/src/detect-engine-register.c +++ b/src/detect-engine-register.c @@ -206,6 +206,7 @@ #include "detect-sip-stat-msg.h" #include "detect-sip-request-line.h" #include "detect-sip-response-line.h" +#include "detect-sip-headers.h" #include "detect-rfb-secresult.h" #include "detect-rfb-sectype.h" #include "detect-rfb-name.h" @@ -675,6 +676,7 @@ void SigTableSetup(void) DetectSipStatMsgRegister(); DetectSipRequestLineRegister(); DetectSipResponseLineRegister(); + DetectSipHeadersRegister(); DetectRfbSecresultRegister(); DetectRfbSectypeRegister(); DetectRfbNameRegister(); diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index cd2edf5979b8..f946f6b5ba8d 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h 
@@ -275,6 +275,12 @@ enum DetectKeywordId { DETECT_AL_SIP_STAT_MSG, DETECT_AL_SIP_REQUEST_LINE, DETECT_AL_SIP_RESPONSE_LINE, + DETECT_AL_SIP_HEADER_FROM, + DETECT_AL_SIP_HEADER_TO, + DETECT_AL_SIP_HEADER_VIA, + DETECT_AL_SIP_HEADER_UA, + DETECT_AL_SIP_HEADER_CONTENT_TYPE, + DETECT_AL_SIP_HEADER_CONTENT_LENGTH, DETECT_AL_RFB_SECRESULT, DETECT_AL_RFB_SECTYPE, DETECT_AL_RFB_NAME, diff --git a/src/detect-sip-content-length.c b/src/detect-sip-content-length.c new file mode 100644 index 000000000000..ebc5657d2fe3 --- /dev/null +++ b/src/detect-sip-content-length.c @@ -0,0 +1,41 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Giuseppe Longo + * + * Implements the sip.content_length sticky buffer + */ + +#define KEYWORD_NAME "sip.content_length" +#define KEYWORD_DOC "sip-keywords.html#sip-content-length" +#define BUFFER_NAME "sip.content_length" +#define BUFFER_DESC "sip content-length header" +#define HEADER_NAME "Content-Length" +#define KEYWORD_ID DETECT_AL_SIP_HEADER_CONTENT_LENGTH +#define KEYWORD_TOSERVER 1 +#define KEYWORD_TOCLIENT 1 + +#include "detect-sip-headers-stub.h" +#include "detect-sip-content-length.h" + +void RegisterSipHeadersContentLength(void) +{ + DetectSipHeadersRegisterStub(); +} 
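Review bot: The doxygen block in detect-sip-content-length.c carries a `\file` tag while the sibling keyword files added in this change (detect-sip-content-type.c, -from.c, -to.c, -ua.c, -via.c) omit it; doxygen attaches a comment to a file only when `\file` is present, so the `\author` and "Implements the … sticky buffer" lines in the other five are dropped from the generated docs. Either add `\file` to the others or remove it here so the six files stay uniform. The `KEYWORD_*` macro block is the whole per-keyword configuration, so a one-line comment above it, `/* Configuration consumed by detect-sip-headers-stub.h */`, would tell a reader why the stub include follows the defines.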
diff --git a/src/detect-sip-content-length.h b/src/detect-sip-content-length.h new file mode 100644 index 000000000000..c5261d556e06 --- /dev/null +++ b/src/detect-sip-content-length.h @@ -0,0 +1,23 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +#ifndef __DETECT_SIP_CONTENT_LENGTH_H__ +#define __DETECT_SIP_CONTENT_LENGTH_H__ + +void RegisterSipHeadersContentLength(void); + +#endif /* __DETECT_SIP_CONTENT_LENGTH_H__ */ diff --git a/src/detect-sip-content-type.c b/src/detect-sip-content-type.c new file mode 100644 index 000000000000..2ab720c93f51 --- /dev/null +++ b/src/detect-sip-content-type.c 
@@ -0,0 +1,39 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + * + * Implements the sip.content_type sticky buffer + */ + +#define KEYWORD_NAME "sip.content_type" +#define KEYWORD_DOC "sip-keywords.html#sip-content-type" +#define BUFFER_NAME "sip.content_type" +#define BUFFER_DESC "sip content-type header" +#define HEADER_NAME "Content-Type" +#define KEYWORD_ID DETECT_AL_SIP_HEADER_CONTENT_TYPE +#define KEYWORD_TOSERVER 1 +#define KEYWORD_TOCLIENT 1 + +#include "detect-sip-headers-stub.h" +#include "detect-sip-content-type.h" + +void RegisterSipHeadersContentType(void) +{ + DetectSipHeadersRegisterStub(); +} diff --git a/src/detect-sip-content-type.h b/src/detect-sip-content-type.h new file mode 100644 index 000000000000..27477a09ab6c --- /dev/null +++ b/src/detect-sip-content-type.h 
@@ -0,0 +1,23 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +#ifndef __DETECT_SIP_CONTENT_TYPE_H__ +#define __DETECT_SIP_CONTENT_TYPE_H__ + +void RegisterSipHeadersContentType(void); + +#endif /* __DETECT_SIP_CONTENT_TYPE_H__ */ diff --git a/src/detect-sip-from.c b/src/detect-sip-from.c new file mode 100644 index 000000000000..7a22bca9b37f --- /dev/null +++ b/src/detect-sip-from.c 
@@ -0,0 +1,39 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + * + * Implements the sip.from sticky buffer + */ + +#define KEYWORD_NAME "sip.from" +#define KEYWORD_DOC "sip-keywords.html#sip-from" +#define BUFFER_NAME "sip.from" +#define BUFFER_DESC "sip from header" +#define HEADER_NAME "From" +#define KEYWORD_ID DETECT_AL_SIP_HEADER_FROM +#define KEYWORD_TOSERVER 1 +#define KEYWORD_TOCLIENT 1 + +#include "detect-sip-headers-stub.h" +#include "detect-sip-from.h" + +void RegisterSipHeadersFrom(void) +{ + DetectSipHeadersRegisterStub(); +} diff --git a/src/detect-sip-from.h b/src/detect-sip-from.h new file mode 100644 index 000000000000..223d83575c8f --- /dev/null +++ b/src/detect-sip-from.h 
@@ -0,0 +1,23 @@ +/* Copyright (C) 2023 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +#ifndef __DETECT_SIP_FROM_H__ +#define __DETECT_SIP_FROM_H__ + +void RegisterSipHeadersFrom(void); + +#endif /* __DETECT_SIP_FROM_H__ */ diff --git a/src/detect-sip-headers-stub.h b/src/detect-sip-headers-stub.h new file mode 100644 index 000000000000..df452cdd80bf --- /dev/null +++ b/src/detect-sip-headers-stub.h 
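Review bot: This new header carries a 2023 copyright line while every other file added in this change uses 2024; `/* Copyright (C) 2024 Open Information Security Foundation` keeps them consistent. detect-sip-headers.h further down in the diff has the same 2023 year.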
@@ -0,0 +1,136 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + * + * Stub for per SIP header detection keyword. + */ + +#include "suricata-common.h" +#include "flow.h" + +#include "detect.h" +#include "detect-parse.h" +#include "detect-engine.h" +#include "detect-engine-mpm.h" +#include "detect-engine-prefilter.h" + +#include "util-debug.h" +#include "rust.h" + +static int g_buffer_id = 0; + +#ifdef KEYWORD_TOSERVER +static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx, + const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv, + const int list_id) +{ + SCEnter(); + + InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); + if (buffer->inspect == NULL) { + uint32_t b_len = 0; + const uint8_t *b = NULL; + + if (rs_sip_tx_get_header_value(txv, STREAM_TOSERVER, HEADER_NAME, &b, &b_len) != 1) + return NULL; + if (b == NULL || b_len == 0) + return NULL; + + InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); + InspectionBufferApplyTransforms(buffer, transforms); + } + + return buffer; +} + +#endif +#ifdef KEYWORD_TOCLIENT +static InspectionBuffer *GetResponseData(DetectEngineThreadCtx *det_ctx, + const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv, + const int 
list_id) +{ + SCEnter(); + + InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); + if (buffer->inspect == NULL) { + uint32_t b_len = 0; + const uint8_t *b = NULL; + + if (rs_sip_tx_get_header_value(txv, STREAM_TOCLIENT, HEADER_NAME, &b, &b_len) != 1) + return NULL; + if (b == NULL || b_len == 0) + return NULL; + + InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); + InspectionBufferApplyTransforms(buffer, transforms); + } + + return buffer; +} +#endif + +/** + * \brief this function setup the http.header keyword used in the rule + * + * \param de_ctx Pointer to the Detection Engine Context + * \param s Pointer to the Signature to which the current keyword belongs + * \param str Should hold an empty string always + * + * \retval 0 On success + */ +static int DetectSipHeadersSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str) +{ + if (DetectBufferSetActiveList(de_ctx, s, g_buffer_id) < 0) + return -1; + + if (DetectSignatureSetAppProto(s, ALPROTO_SIP) < 0) + return -1; + + return 0; +} + +static void DetectSipHeadersRegisterStub(void) +{ + sigmatch_table[KEYWORD_ID].name = KEYWORD_NAME; + sigmatch_table[KEYWORD_ID].desc = KEYWORD_NAME " sticky buffer for the " BUFFER_DESC; + sigmatch_table[KEYWORD_ID].url = "/rules/" KEYWORD_DOC; + sigmatch_table[KEYWORD_ID].Setup = DetectSipHeadersSetupSticky; + sigmatch_table[KEYWORD_ID].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; + +#ifdef KEYWORD_TOSERVER + DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, + GetRequestData, ALPROTO_SIP, 1); +#endif +#ifdef KEYWORD_TOCLIENT + DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister, + GetResponseData, ALPROTO_SIP, 1); +#endif +#ifdef KEYWORD_TOSERVER + DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SIP, SIG_FLAG_TOSERVER, 0, + DetectEngineInspectBufferGeneric, GetRequestData); +#endif +#ifdef KEYWORD_TOCLIENT + 
DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SIP, SIG_FLAG_TOCLIENT, 0, + DetectEngineInspectBufferGeneric, GetResponseData); +#endif + + DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC); + + g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME); +} diff --git a/src/detect-sip-headers.c b/src/detect-sip-headers.c new file mode 100644 index 000000000000..ea00fde0cf28 --- /dev/null +++ b/src/detect-sip-headers.c @@ -0,0 +1,38 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + */ + +#include "detect-sip-headers.h" +#include "detect-sip-from.h" +#include "detect-sip-to.h" +#include "detect-sip-via.h" +#include "detect-sip-ua.h" +#include "detect-sip-content-type.h" +#include "detect-sip-content-length.h" + +void DetectSipHeadersRegister(void) +{ + RegisterSipHeadersFrom(); + RegisterSipHeadersTo(); + RegisterSipHeadersVia(); + RegisterSipHeadersUa(); + RegisterSipHeadersContentType(); + RegisterSipHeadersContentLength(); +} diff --git a/src/detect-sip-headers.h b/src/detect-sip-headers.h new file mode 100644 index 000000000000..37bbd3af1f18 --- /dev/null +++ b/src/detect-sip-headers.h 
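Review bot: The doc comment on DetectSipHeadersSetupSticky still says it sets up the `http.header` keyword — carried over from the HTTP stub — and should read `\brief this function sets up the per-header SIP sticky buffer (KEYWORD_NAME) used in the rule`. The header also has no include guard on purpose, since each keyword .c file includes it once after defining its macros; that contract belongs in the file comment, e.g. `Include once per keyword translation unit after defining KEYWORD_NAME, KEYWORD_DOC, BUFFER_NAME, BUFFER_DESC, HEADER_NAME and KEYWORD_ID, plus KEYWORD_TOSERVER and/or KEYWORD_TOCLIENT.` GetRequestData and GetResponseData differ only in the STREAM_ flag passed to rs_sip_tx_get_header_value, so the shared body can move into one static helper that both thin wrappers call, which also leaves a single place for the NULL/empty checks. The register function's first hunk line is in the previous chunk of this diff.
```c
static InspectionBuffer *GetHeaderData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, void *txv, const int list_id,
        const uint8_t direction)
{
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
    if (buffer->inspect == NULL) {
        uint32_t b_len = 0;
        const uint8_t *b = NULL;

        /* HEADER_NAME is the canonical name; the Rust side also tries the compact form */
        if (rs_sip_tx_get_header_value(txv, direction, HEADER_NAME, &b, &b_len) != 1)
            return NULL;
        if (b == NULL || b_len == 0)
            return NULL;

        InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
        InspectionBufferApplyTransforms(buffer, transforms);
    }
    return buffer;
}

#ifdef KEYWORD_TOSERVER
static InspectionBuffer *GetRequestData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
        const int list_id)
{
    return GetHeaderData(det_ctx, transforms, txv, list_id, STREAM_TOSERVER);
}
#endif
/* … unchanged: GetResponseData mirrors this with STREAM_TOCLIENT; setup and register functions … */
```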
@@ -0,0 +1,23 @@ +/* Copyright (C) 2023 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +#ifndef __DETECT_SIP_HEADERS_H__ +#define __DETECT_SIP_HEADERS_H__ + +void DetectSipHeadersRegister(void); + +#endif /* __DETECT_SIP_HEADERS_H__ */ diff --git a/src/detect-sip-to.c b/src/detect-sip-to.c new file mode 100644 index 000000000000..73fe74ab4757 --- /dev/null +++ b/src/detect-sip-to.c 
@@ -0,0 +1,39 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + * + * Implements the sip.to sticky buffer + */ + +#define KEYWORD_NAME "sip.to" +#define KEYWORD_DOC "sip-keywords.html#sip-to" +#define BUFFER_NAME "sip.to" +#define BUFFER_DESC "sip to header" +#define HEADER_NAME "To" +#define KEYWORD_ID DETECT_AL_SIP_HEADER_TO +#define KEYWORD_TOSERVER 1 +#define KEYWORD_TOCLIENT 1 + +#include "detect-sip-headers-stub.h" +#include "detect-sip-to.h" + +void RegisterSipHeadersTo(void) +{ + DetectSipHeadersRegisterStub(); +} diff --git a/src/detect-sip-to.h b/src/detect-sip-to.h new file mode 100644 index 000000000000..5fa93d08d1d9 --- /dev/null +++ b/src/detect-sip-to.h 
@@ -0,0 +1,23 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +#ifndef __DETECT_SIP_TO_H__ +#define __DETECT_SIP_TO_H__ + +void RegisterSipHeadersTo(void); + +#endif /* __DETECT_SIP_TO_H__ */ diff --git a/src/detect-sip-ua.c b/src/detect-sip-ua.c new file mode 100644 index 000000000000..efc21c98db21 --- /dev/null +++ b/src/detect-sip-ua.c 
@@ -0,0 +1,39 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + * + * Implements the sip.user_agent sticky buffer + */ + +#define KEYWORD_NAME "sip.user_agent" +#define KEYWORD_DOC "sip-keywords.html#sip-user-agent" +#define BUFFER_NAME "sip.user_agent" +#define BUFFER_DESC "sip user agent header" +#define HEADER_NAME "User-Agent" +#define KEYWORD_ID DETECT_AL_SIP_HEADER_UA +#define KEYWORD_TOSERVER 1 +#define KEYWORD_TOCLIENT 1 + +#include "detect-sip-headers-stub.h" +#include "detect-sip-ua.h" + +void RegisterSipHeadersUa(void) +{ + DetectSipHeadersRegisterStub(); +} diff --git a/src/detect-sip-ua.h b/src/detect-sip-ua.h new file mode 100644 index 000000000000..daaf8abf107a --- /dev/null +++ b/src/detect-sip-ua.h 
@@ -0,0 +1,23 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +#ifndef __DETECT_SIP_UA_H__ +#define __DETECT_SIP_UA_H__ + +void RegisterSipHeadersUa(void); + +#endif /* __DETECT_SIP_UA_H__ */ diff --git a/src/detect-sip-via.c b/src/detect-sip-via.c new file mode 100644 index 000000000000..687c7a20d641 --- /dev/null +++ b/src/detect-sip-via.c 
@@ -0,0 +1,39 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \author Giuseppe Longo + * + * Implements the sip.via sticky buffer + */ + +#define KEYWORD_NAME "sip.via" +#define KEYWORD_DOC "sip-keywords.html#sip-via" +#define BUFFER_NAME "sip.via" +#define BUFFER_DESC "sip via header" +#define HEADER_NAME "Via" +#define KEYWORD_ID DETECT_AL_SIP_HEADER_VIA +#define KEYWORD_TOSERVER 1 +#define KEYWORD_TOCLIENT 1 + +#include "detect-sip-headers-stub.h" +#include "detect-sip-via.h" + +void RegisterSipHeadersVia(void) +{ + DetectSipHeadersRegisterStub(); +} diff --git a/src/detect-sip-via.h b/src/detect-sip-via.h new file mode 100644 index 000000000000..dd070b51d9a1 --- /dev/null +++ b/src/detect-sip-via.h 
@@ -0,0 +1,23 @@ +/* Copyright (C) 2024 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +#ifndef __DETECT_SIP_VIA_H__ +#define __DETECT_SIP_VIA_H__ + +void RegisterSipHeadersVia(void); + +#endif /* __DETECT_SIP_VIA_H__ */