OISF · glongo · Aug 14, 2023 · Aug 1, 2023 · Nov 25, 2023 · Aug 1, 2023
diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst
@@ -2442,6 +2442,7 @@ address, you should enter 'any'.
     SHELLCODE_PORTS: "!80"
     ORACLE_PORTS: 1521
     SSH_PORTS: 22
+    SIP_PORTS: "[5060, 5061]"
 
 .. _host-os-policy:
 

diff --git a/etc/schema.json b/etc/schema.json
@@ -3800,7 +3800,10 @@
                                 "rfb": {
                                     "$ref": "#/$defs/stats_applayer_error"
                                 },
-                                "sip": {
+                                "sip_udp": {
+                                    "$ref": "#/$defs/stats_applayer_error"
+                                },
+                                "sip_tcp": {
                                     "$ref": "#/$defs/stats_applayer_error"
                                 },
                                 "smb": {
@@ -3917,7 +3920,10 @@
                                 "rfb": {
                                     "type": "integer"
                                 },
-                                "sip": {
+                                "sip_udp": {
+                                    "type": "integer"
+                                },
+                                "sip_tcp": {
                                     "type": "integer"
                                 },
                                 "smb": {
@@ -4028,7 +4034,10 @@
                                 "rfb": {
                                     "type": "integer"
                                 },
-                                "sip": {
+                                "sip_udp": {
+                                    "type": "integer"
+                                },
+                                "sip_tcp": {
                                     "type": "integer"
                                 },
                                 "smb": {

diff --git a/rust/src/sip/detect.rs b/rust/src/sip/detect.rs
@@ -23,9 +23,7 @@ use std::ptr;
 
 #[no_mangle]
 pub unsafe extern "C" fn rs_sip_tx_get_method(
-    tx: &mut SIPTransaction,
-    buffer: *mut *const u8,
-    buffer_len: *mut u32,
+    tx: &mut SIPTransaction, buffer: *mut *const u8, buffer_len: *mut u32,
 ) -> u8 {
     if let Some(ref r) = tx.request {
         let m = &r.method;
@@ -44,9 +42,7 @@ pub unsafe extern "C" fn rs_sip_tx_get_method(
 
 #[no_mangle]
 pub unsafe extern "C" fn rs_sip_tx_get_uri(
-    tx: &mut SIPTransaction,
-    buffer: *mut *const u8,
-    buffer_len: *mut u32,
+    tx: &mut SIPTransaction, buffer: *mut *const u8, buffer_len: *mut u32,
 ) -> u8 {
     if let Some(ref r) = tx.request {
         let p = &r.path;
@@ -65,10 +61,7 @@ pub unsafe extern "C" fn rs_sip_tx_get_uri(
 
 #[no_mangle]
 pub unsafe extern "C" fn rs_sip_tx_get_protocol(
-    tx: &mut SIPTransaction,
-    buffer: *mut *const u8,
-    buffer_len: *mut u32,
-    direction: u8,
+    tx: &mut SIPTransaction, buffer: *mut *const u8, buffer_len: *mut u32, direction: u8,
 ) -> u8 {
     match direction.into() {
         Direction::ToServer => {
@@ -101,9 +94,7 @@ pub unsafe extern "C" fn rs_sip_tx_get_protocol(
 
 #[no_mangle]
 pub unsafe extern "C" fn rs_sip_tx_get_stat_code(
-    tx: &mut SIPTransaction,
-    buffer: *mut *const u8,
-    buffer_len: *mut u32,
+    tx: &mut SIPTransaction, buffer: *mut *const u8, buffer_len: *mut u32,
 ) -> u8 {
     if let Some(ref r) = tx.response {
         let c = &r.code;
@@ -122,9 +113,7 @@ pub unsafe extern "C" fn rs_sip_tx_get_stat_code(
 
 #[no_mangle]
 pub unsafe extern "C" fn rs_sip_tx_get_stat_msg(
-    tx: &mut SIPTransaction,
-    buffer: *mut *const u8,
-    buffer_len: *mut u32,
+    tx: &mut SIPTransaction, buffer: *mut *const u8, buffer_len: *mut u32,
 ) -> u8 {
     if let Some(ref r) = tx.response {
         let re = &r.reason;
@@ -143,9 +132,7 @@ pub unsafe extern "C" fn rs_sip_tx_get_stat_msg(
 
 #[no_mangle]
 pub unsafe extern "C" fn rs_sip_tx_get_request_line(
-    tx: &mut SIPTransaction,
-    buffer: *mut *const u8,
-    buffer_len: *mut u32,
+    tx: &mut SIPTransaction, buffer: *mut *const u8, buffer_len: *mut u32,
 ) -> u8 {
     if let Some(ref r) = tx.request_line {
         if !r.is_empty() {
@@ -163,9 +150,7 @@ pub unsafe extern "C" fn rs_sip_tx_get_request_line(
 
 #[no_mangle]
 pub unsafe extern "C" fn rs_sip_tx_get_response_line(
-    tx: &mut SIPTransaction,
-    buffer: *mut *const u8,
-    buffer_len: *mut u32,
+    tx: &mut SIPTransaction, buffer: *mut *const u8, buffer_len: *mut u32,
 ) -> u8 {
     if let Some(ref r) = tx.response_line {
         if !r.is_empty() {

diff --git a/rust/src/sip/log.rs b/rust/src/sip/log.rs
@@ -51,4 +51,4 @@ fn log(tx: &SIPTransaction, js: &mut JsonBuilder) -> Result<(), JsonError> {
 #[no_mangle]
 pub extern "C" fn rs_sip_log_json(tx: &mut SIPTransaction, js: &mut JsonBuilder) -> bool {
     log(tx, js).is_ok()
-}
+}
diff --git a/rust/src/sip/parser.rs b/rust/src/sip/parser.rs
@@ -15,7 +15,7 @@
  * 02110-1301, USA.
  */
 
-// written by Giuseppe Longo <giuseppe@glono.it>
+// written by Giuseppe Longo <giuseppe@glongo.it>
 
 use nom7::bytes::streaming::{take, take_while, take_while1};
 use nom7::character::streaming::{char, crlf};
@@ -57,9 +57,13 @@ pub struct Response {
     pub body_len: u16,
 }
 
+/**
+ * Valid tokens and chars are defined in RFC3261:
+ * https://www.rfc-editor.org/rfc/rfc3261#section-25.1
+ */
 #[inline]
 fn is_token_char(b: u8) -> bool {
-    is_alphanumeric(b) || b"!%'*+-._`".contains(&b)
+    is_alphanumeric(b) || b"!%'*+-._`~".contains(&b)
 }
 
 #[inline]
@@ -69,12 +73,12 @@ fn is_method_char(b: u8) -> bool {
 
 #[inline]
 fn is_request_uri_char(b: u8) -> bool {
-    is_alphanumeric(b) || is_token_char(b) || b"~#@:".contains(&b)
+    is_alphanumeric(b) || is_token_char(b) || b"~#@:;=?+&$,/".contains(&b)
 }
 
 #[inline]
 fn is_version_char(b: u8) -> bool {
-    is_alphanumeric(b) || b"./".contains(&b)
+    b"SIP/2.0".contains(&b)
 }
 
 #[inline]
@@ -322,4 +326,33 @@ mod tests {
             }
         }
     }
+
+    #[test]
+    fn test_parse_invalid_version() {
+        let buf: &[u8] = "HTTP/1.1\r\n".as_bytes();
+
+        // This test must fail if 'HTTP/1.1' is accepted
+        match parse_version(buf) {
+            Ok((_, _)) => {
+                assert!(false);
+            }
+            Err(_) => {
+                assert!(true);
+            }
+        }
+    }
+
+    #[test]
+    fn test_parse_valid_version() {
+        let buf: &[u8] = "SIP/2.0\r\n".as_bytes();
+
+        match parse_version(buf) {
+            Ok((_, version)) => {
+                assert_eq!(version, "SIP/2.0");
+            }
+            Err(_) => {
+                assert!(false);
+            }
+        }
+    }
 }