Move the SIP analyzer to uint64 sequences, and a number of other small SIP fixes.

2025-10-02 14:48:21 +00:00 · 2014-08-26 22:26:42 -04:00 · 2014-08-26 22:26:42 -04:00 · 214e6b3ea9
commit 214e6b3ea9
parent f93f2af748
6 changed files with 102 additions and 49 deletions
--- a/scripts/base/protocols/sip/main.bro
+++ b/scripts/base/protocols/sip/main.bro
@ -86,6 +86,7 @@ redef record connection += {
 };

 const ports = { 5060/udp };
+redef likely_server_ports += { ports };

 event bro_init() &priority=5
 	{
@ -186,12 +187,12 @@ event sip_header(c: connection, is_request: bool, name: string, value: string) &
 		}
 	}
 	
-event sip_message_done(c: connection, is_request: bool) &priority = 5
+event sip_end_entity(c: connection, is_request: bool) &priority = 5
 	{
 	set_state(c, is_request);
 	}

-event sip_message_done(c: connection, is_request: bool) &priority = -5
+event sip_end_entity(c: connection, is_request: bool) &priority = -5
 	{
 	# The reply body is done so we're ready to log.
 	if ( ! is_request )
--- a/src/analyzer/protocol/sip/SIP.cc
+++ b/src/analyzer/protocol/sip/SIP.cc
@ -5,7 +5,7 @@
 using namespace analyzer::sip;

 SIP_Analyzer::SIP_Analyzer(Connection* c)
-: analyzer::Analyzer("SIP", c)
+	: Analyzer("SIP", c)
 	{
 	interp = new binpac::SIP::SIP_Conn(this);
 	}
@ -20,8 +20,8 @@ void SIP_Analyzer::Done()
 	Analyzer::Done();
 	}

-void SIP_Analyzer::DeliverPacket(int len, const u_char* data,
-				 bool orig, int seq, const IP_Hdr* ip, int caplen)
+void SIP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
+								 uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	bool real_orig = true;
 	if ( len > 6 && data[0] == 'S' && data[1] == 'I' && data[2] == 'P' && data[3] == '/' )
--- a/src/analyzer/protocol/sip/SIP.h
+++ b/src/analyzer/protocol/sip/SIP.h
@ -17,13 +17,14 @@ public:

 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-				   int seq, const IP_Hdr* ip, int caplen);
+				   			   uint64 seq, const IP_Hdr* ip, int caplen);

 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 	{ return new SIP_Analyzer(conn); }

 	static bool Available()
-	{ return sip_request; }
+	{ return sip_request || sip_reply || sip_header ||
+		     sip_all_headers || sip_begin_entity || sip_end_entity; }

 protected:
 	binpac::SIP::SIP_Conn* interp;
--- a/src/analyzer/protocol/sip/events.bif
+++ b/src/analyzer/protocol/sip/events.bif
@ -12,13 +12,68 @@
 ## original_URI: The unprocessed URI as specified in the request.
 ##
 ## version: The version number specified in the request (e.g., ``2.0``).
-##
 event sip_request%(c: connection, method: string, original_URI: string, version: string%);

+## Generated for SIP replies, used in Voice over IP (VoIP).
+##
+## This event is generated as soon as a reply's initial line has been parsed.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
+## for more information about the SIP protocol.
+##
+## c: The connection.
+##
+## version: The SIP version in use.
+##
+## code: The response code.
+##
+## reason: Textual details for the response code.
 event sip_reply%(c: connection, version: string, code: count, reason: string%);
+
+## Generated for each SIP header.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
+## for more information about the SIP protocol.
+##
+## c: The connection.
+##
+## is_orig: Whether the header came from the originator.
+##
+## name: Header name.
+##
+## value: Header value.
 event sip_header%(c: connection, is_orig: bool, name: string, value: string%);
+
+## Generated once for all SIP headers from the originator or responder.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
+## for more information about the SIP protocol.
+##
+## c: The connection.
+##
+## is_orig: Whether the headers came from the originator.
+##
+## hlist: All the headers, and their values
 event sip_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%);
+
+## Generated at the beginning of a SIP message.
+##
+## This event is generated as soon as a message's initial line has been parsed.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
+## for more information about the SIP protocol.
+##
+## c: The connection.
+##
+## is_orig: Whether the message came from the originator.
 event sip_begin_entity%(c: connection, is_orig: bool%);
+
+## Generated at the end of a SIP message.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
+## for more information about the SIP protocol.
+##
+## c: The connection.
+##
+## is_orig: Whether the message came from the originator.
 event sip_end_entity%(c: connection, is_orig: bool%);
-event sip_entity_data%(c: connection, is_orig: bool, length: count, data: string%);
-event sip_message_done%(c: connection, is_orig: bool%);
--- a/src/analyzer/protocol/sip/sip-analyzer.pac
+++ b/src/analyzer/protocol/sip/sip-analyzer.pac
@ -133,10 +133,6 @@ refine flow SIP_Flow += {
 			{
 			BifEvent::generate_sip_end_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig());
 			}
-		if ( sip_message_done )
-			{
-			BifEvent::generate_sip_message_done(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig());
-			}

 		return true;
 		%}