GH-1507: Tolerate junk data before SIP requests

This allows for data that won't match a SIP request method to precede an
actual request and generates a new 'sip_junk_before_request' weird when
encountering such a situation.

src/analyzer/protocol/sip/sip-analyzer.pac

@@ -1,3 +1,7 @@
+%extern{
+#include "zeek/ZeekString.h"
+%}
+
 refine flow SIP_Flow += {
 
 	%member{
@@ -16,8 +20,16 @@ refine flow SIP_Flow += {
 		return content_length;
 		%}
 
-	function proc_sip_request(method: bytestring, uri: bytestring, vers: SIP_Version): bool
+	function proc_sip_request(junk: bytestring, method: bytestring, uri: bytestring, vers: SIP_Version): bool
 		%{
+		if ( junk.length() )
+			{
+			zeek::String zs{junk.begin(), junk.length(), false};
+			auto addl = zs.Render();
+			connection()->zeek_analyzer()->Weird("sip_junk_before_request", addl);
+			delete [] addl;
+			}
+
 		if ( sip_request )
 			{
 			zeek::BifEvent::enqueue_sip_request(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(),
@@ -144,7 +156,7 @@ refine flow SIP_Flow += {
 };
 
 refine typeattr SIP_RequestLine += &let {
-       proc: bool = $context.flow.proc_sip_request(method, uri, version);
+       proc: bool = $context.flow.proc_sip_request(junk, method, uri, version);
 };
 
 refine typeattr SIP_ReplyLine += &let {

src/analyzer/protocol/sip/sip-protocol.pac

@@ -1,4 +1,5 @@
-type SIP_TOKEN  = RE/[^()<>@,;:\\"\/\[\]?={} \t]+/;
+type SIP_TOKEN  = RE/[a-zA-Z0-9_.!%*+`'~-]+/;
+type NOT_SIP_TOKEN  = RE/[^a-zA-Z0-9_.!%*+`'~-]*/;
 type SIP_WS     = RE/[ \t]*/;
 type SIP_URI    = RE/[[:alnum:]@[:punct:]]+/;
 
@@ -18,6 +19,7 @@ type SIP_Reply = record {
 };
 
 type SIP_RequestLine = record {
+	junk:		NOT_SIP_TOKEN;
 	method:		SIP_TOKEN;
 	:		SIP_WS;
 	uri:		SIP_URI;

testing/btest/Baseline/scripts.base.protocols.sip.junk/sip.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	sip
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	uri	date	request_from	request_to	response_from	response_to	reply_to	call_id	seq	subject	request_path	response_path	user_agent	status_code	status_msg	warning	request_body_len	response_body_len	content_type
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	string	string	string	string	vector[string]	vector[string]	string	count	string	string	count	count	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	1.1.1.1	31000	1.1.1.2	5060	0	REGISTER	sip:1.1.1.1:5060	-	-	-	-	-	-	-	-	-	(empty)	(empty)	-	-	-	-	-	-	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.sip.junk/weird.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	1.1.1.1	31000	1.1.1.2	5060	sip_junk_before_request	\\x00\\x00\\x00\\x00	F	zeek	SIP
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/scripts/base/protocols/sip/junk.zeek

@@ -0,0 +1,8 @@
+# This tests a PCAP with a few SIP commands from the Wireshark samples.
+
+# @TEST-EXEC: zeek -b -r $TRACES/sip/sip-junk-before-request.pcap %INPUT
+# @TEST-EXEC: btest-diff sip.log
+# @TEST-EXEC: btest-diff weird.log
+
+@load base/protocols/sip
+@load base/frameworks/notice/weird