diff --git a/src/analyzer/protocol/sip/sip-analyzer.pac b/src/analyzer/protocol/sip/sip-analyzer.pac
index 273d1ba738..11b56e6f52 100644
--- a/src/analyzer/protocol/sip/sip-analyzer.pac
+++ b/src/analyzer/protocol/sip/sip-analyzer.pac
@@ -1,3 +1,7 @@
+%extern{
+#include "zeek/ZeekString.h"
+%}
+
 refine flow SIP_Flow += {
 %member{
@@ -16,8 +20,16 @@ refine flow SIP_Flow += {
 return content_length;
 %}
- function proc_sip_request(method: bytestring, uri: bytestring, vers: SIP_Version): bool
+ function proc_sip_request(junk: bytestring, method: bytestring, uri: bytestring, vers: SIP_Version): bool
 %{
+ if ( junk.length() )
+ {
+ zeek::String zs{junk.begin(), junk.length(), false};
+ auto addl = zs.Render();
+ connection()->zeek_analyzer()->Weird("sip_junk_before_request", addl);
+ delete [] addl;
+ }
+ + if ( sip_request )
 {
 zeek::BifEvent::enqueue_sip_request(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(),
@@ -144,7 +156,7 @@ refine flow SIP_Flow += {
 };
 refine typeattr SIP_RequestLine += &let {
- proc: bool = $context.flow.proc_sip_request(method, uri, version);
+ proc: bool = $context.flow.proc_sip_request(junk, method, uri, version);
 };
 refine typeattr SIP_ReplyLine += &let {
diff --git a/src/analyzer/protocol/sip/sip-protocol.pac b/src/analyzer/protocol/sip/sip-protocol.pac
index 15f07df44a..3788022f51 100644
--- a/src/analyzer/protocol/sip/sip-protocol.pac
+++ b/src/analyzer/protocol/sip/sip-protocol.pac
@@ -1,4 +1,5 @@
-type SIP_TOKEN = RE/[^()<>@,;:\\"\/\[\]?={} \t]+/;
+type SIP_TOKEN = RE/[a-zA-Z0-9_.!%*+`'~-]+/;
+type NOT_SIP_TOKEN = RE/[^a-zA-Z0-9_.!%*+`'~-]*/;
 type SIP_WS = RE/[ \t]*/;
 type SIP_URI = RE/[[:alnum:]@[:punct:]]+/;
@@ -18,6 +19,7 @@ type SIP_Reply = record {
 };
 type SIP_RequestLine = record {
+ junk: NOT_SIP_TOKEN;
 method: SIP_TOKEN;
 : SIP_WS;
 uri: SIP_URI;
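Review bot: The rendered junk is passed to Weird() as addl with no length cap, and NOT_SIP_TOKEN is a `*` match, so a large non-token prefix on a request line yields an equally large weird.log entry every time the weird is emitted, which is a log-volume concern for attacker-controlled input. Bounding the copy before rendering, e.g. `zeek::String zs{junk.begin(), std::min(junk.length(), kMaxJunkAddl), false};` with a small documented constant (name illustrative; needs `<algorithm>`), keeps the weird informative without copying the whole prefix into the log. The `Render()` result is held in a raw pointer and freed by hand; `std::unique_ptr<char[]> addl{zs.Render()};` passed as `addl.get()` ties the allocation to the scope and drops the manual `delete []`. A comment on the new first parameter, `// junk: non-token bytes consumed before the method by SIP_RequestLine; empty for a well-formed request, which is why the length check gates the weird`, would explain the guard. proc_sip_request continues past the end of the hunk.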
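Review bot: SIP_TOKEN and NOT_SIP_TOKEN are two hand-written character classes that must remain exact complements, otherwise the junk prefix of SIP_RequestLine no longer ends exactly where the method begins, and nothing in the file records that coupling. Suggest a comment above the pair: `# SIP_TOKEN is the RFC 3261 token alphabet; NOT_SIP_TOKEN must stay its exact complement so the junk prefix in SIP_RequestLine ends precisely where the method starts.` The complement also covers CR, LF and whitespace, so a request line preceded only by stray line terminators now parses with those bytes reported as junk instead of failing; if that is intended it is worth saying in the same comment. NOT_SIP_TOKEN also matches the empty string, which is what keeps the analyzer-side junk check from firing on a clean request.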
diff --git a/testing/btest/Baseline/scripts.base.protocols.sip.junk/sip.log b/testing/btest/Baseline/scripts.base.protocols.sip.junk/sip.log
new file mode 100644
index 0000000000..889e9a0466
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.sip.junk/sip.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path sip
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method uri date request_from request_to response_from response_to reply_to call_id seq subject request_path response_path user_agent status_code status_msg warning request_body_len response_body_len content_type
+#types time string addr port addr port count string string string string string string string string string string string vector[string] vector[string] string count string string count count string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 1.1.1.1 31000 1.1.1.2 5060 0 REGISTER sip:1.1.1.1:5060 - - - - - - - - - (empty) (empty) - - - - - - -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.sip.junk/weird.log b/testing/btest/Baseline/scripts.base.protocols.sip.junk/weird.log
new file mode 100644
index 0000000000..36b7c92ff3
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.sip.junk/weird.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
+#types time string addr port addr port string string bool string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 1.1.1.1 31000 1.1.1.2 5060 sip_junk_before_request \\x00\\x00\\x00\\x00 F zeek SIP
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/sip/sip-junk-before-request.pcap b/testing/btest/Traces/sip/sip-junk-before-request.pcap
new file mode 100644
index 0000000000..095cda1126
Binary files /dev/null and b/testing/btest/Traces/sip/sip-junk-before-request.pcap differ
diff --git a/testing/btest/scripts/base/protocols/sip/junk.zeek b/testing/btest/scripts/base/protocols/sip/junk.zeek
new file mode 100644
index 0000000000..33094b2984
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/sip/junk.zeek
@@ -0,0 +1,8 @@
+# This tests a PCAP with a few SIP commands from the Wireshark samples.
+ # @TEST-EXEC: zeek -b -r $TRACES/sip/sip-junk-before-request.pcap %INPUT
+ # @TEST-EXEC: btest-diff sip.log
+ # @TEST-EXEC: btest-diff weird.log
+
+ @load base/protocols/sip
+ @load base/frameworks/notice/weird
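Review bot: The header comment on the first line says the trace holds "a few SIP commands from the Wireshark samples", which does not describe what this test checks; the trace name and the weird baseline point to a single request preceded by non-token bytes. Suggest `# Checks that non-token bytes preceding a SIP request line are reported via the sip_junk_before_request weird rather than failing the parse.`, leaving out the trace's origin since the change does not state it. Only SIP_RequestLine gains a junk field in this change, so a companion trace with junk before a status line would document whether replies are expected to behave the same.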