Conversation
Accepts valid characters as defined in RFC3261.
The `is_version_char` function incorrectly allowed characters that are not part of the valid SIP version "SIP/2.0". For instance, 'HTTP/1.1' was mistakenly accepted as a valid SIP version, although it's not. This commit fixes the issue by updating the condition to strictly check for the correct version string.
This patch lets the parser to work over tcp protocol, taking care of handling data before calling the request/response parsers. Ticket OISF#3351.
This patch permits to set a direction when a new transaction is created in order to avoid 'signature shadowing' as reported by Eric Leblond in commit 5aaf507
This permits to detect the SIP protocol using pattern matching instead of probing parser. Since it is no longer used, the respective probing functions have been removed.
glongo
requested review from
a team,
jasonish,
jufajardini and
victorjulien
as code owners
glongo
changed the title
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #9909 +/- ##
==========================================
- Coverage 82.35% 82.33% -0.02%
==========================================
Files 972 972
Lines 273060 273220 +160
==========================================
+ Hits 224870 224949 +79
- Misses 48190 48271 +81
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
|
||
| #[no_mangle] | ||
| pub unsafe extern "C" fn rs_sip_register_parser() { | ||
| let default_port = CString::new("[5060,5061]").unwrap(); |
| fn parse_version(i: &[u8]) -> IResult<&[u8], &str> { | ||
| map_res(take_while1(is_version_char), std::str::from_utf8)(i) | ||
| fn parse_version(i: &[u8]) -> IResult<&[u8], String> { | ||
| let (i, prefix) = map_res(tag("SIP/"), std::str::from_utf8)(i)?; |
There was a problem hiding this comment.
Do we really need the utf8 here ?
jufajardini
left a comment
jufajardini
left a comment
There was a problem hiding this comment.
Documentation changes look good to me :)
|
ERROR: ERROR: QA failed on ASAN_TLPR1_suri. Pipeline 16804 |
QA failure is triggered assertion Can you investigate if one pattern registered for protocol detection is a duplicate ? (or a prefix maybe ) |
Where is this error coming from? Is it reproducible? |
|
Yes but not sure we can share the pcap |
|
OPTIONS is also a HTTP method... |
This is exactly what I was fearing. Initially, I thought that using the same method between SIP and HTTP could lead to conflicts. |
TL;DR let's remove the If you want a pcap, you can try to create one by sending a |
|
Replaced by #9967 |
|
So OPTIONS could be a nice candidate for a PM+PP setup both in HTTP and SIP, where the PP would do the additional validation of the protocol? |
Indeed. The current behavior is to recognize it as HTTP. |
6 participants
Make sure these boxes are signed before submitting your Pull Request -- thank you.
https://docs.suricata.io/en/latest/devguide/codebase/contributing/contribution-process.html
https://suricata.io/about/contribution-agreement/ (note: this is only required once)
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/3351
Describe changes:
Provide values to any of the below to override the defaults.
To use a pull request use a branch name like
pr/NwhereNis thepull request number.
Alternatively,
SV_BRANCHmay also be a link to anOISF/suricata-verify pull-request.