From 8744b66b562e321d9c907cee36bc004a6f876397 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu
Date: Tue, 22 Apr 2014 20:31:53 -0400
Subject: [PATCH] Rely on content inspection and not just is_orig to determine client/server.

---
 scripts/base/init-default.bro              |  1 +
 src/analyzer/protocol/sip/SIP.cc           |  8 ++++++--
 src/analyzer/protocol/sip/sip-analyzer.pac | 13 +++++-------
 src/analyzer/protocol/sip/sip-protocol.pac | 11 +++++++----
 4 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index 431b5dfe62..8b276eff0d 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -47,6 +47,7 @@
 @load base/protocols/irc
 @load base/protocols/modbus
 @load base/protocols/pop3
+@load base/protocols/sip
 @load base/protocols/snmp
 @load base/protocols/smtp
 @load base/protocols/socks
diff --git a/src/analyzer/protocol/sip/SIP.cc b/src/analyzer/protocol/sip/SIP.cc
index bfbe3ec156..00f8274327 100644
--- a/src/analyzer/protocol/sip/SIP.cc
+++ b/src/analyzer/protocol/sip/SIP.cc
@@ -23,11 +23,15 @@ void SIP_Analyzer::Done()
 void SIP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
 	{
-	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+	bool real_orig = true;
+	if ( len > 6 && data[0] == 'S' && data[1] == 'I' && data[2] == 'P' && data[3] == '/' )
+		real_orig = false;
+
+	Analyzer::DeliverPacket(len, data, real_orig, seq, ip, caplen);
 	try
 		{
-		interp->NewData(orig, data, data + len);
+		interp->NewData(real_orig, data, data + len);
 		}
 	catch ( const binpac::Exception& e )
 		{
diff --git a/src/analyzer/protocol/sip/sip-analyzer.pac b/src/analyzer/protocol/sip/sip-analyzer.pac
index 4dcdaf6d54..47fa8ffda2 100644
--- a/src/analyzer/protocol/sip/sip-analyzer.pac
+++ b/src/analyzer/protocol/sip/sip-analyzer.pac
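Review bot: `real_orig` starts out true, so every datagram that does not begin with `SIP/` — non-SIP payloads, packets shorter than seven bytes, bare CRLF keep-alives — is handed to the parser as originator traffic, and the transport-level `orig` parameter is no longer consulted at all; the fallback direction deserves to be stated explicitly rather than left implicit in the initialiser. The magic-number test reads four bytes behind a `len > 6` guard, which is safe but hides the intent; `const bool looks_like_reply = len >= 4 && memcmp(data, "SIP/", 4) == 0;` followed by `const bool real_orig = !looks_like_reply;` says the same thing in one place (memcmp needs `<cstring>`). A why-comment on the guard would help the next reader, e.g. `// A SIP response line starts with "SIP/<version>" while a request line starts with a method token, so the first bytes decide client/server; anything else is treated as a request.` DeliverPacket's body continues past the end of the hunk.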
@@ -45,8 +45,8 @@ refine flow SIP_Flow += {
 	function proc_sip_header(name: bytestring, value: bytestring): bool
 		%{
-
-		content_length = bytestring_to_int(value, 10);
+		if ( name == "Content-Length" || name == "L" )
+			content_length = bytestring_to_int(value, 10);
 		if ( sip_header )
 			{
@@ -123,8 +123,7 @@ refine flow SIP_Flow += {
 		%{
 		if ( sip_begin_entity )
 			{
-			BifEvent::generate_sip_begin_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
-			                                    is_orig());
+			BifEvent::generate_sip_begin_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig());
 			}
 		%}
@@ -132,13 +131,11 @@ refine flow SIP_Flow += {
 		%{
 		if ( sip_end_entity )
 			{
-			BifEvent::generate_sip_end_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
-			                                  is_orig());
+			BifEvent::generate_sip_end_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig());
 			}
 		if ( sip_message_done )
 			{
-			BifEvent::generate_sip_message_done(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
-			                                    is_orig());
+			BifEvent::generate_sip_message_done(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig());
 			}
 		return true;
diff --git a/src/analyzer/protocol/sip/sip-protocol.pac b/src/analyzer/protocol/sip/sip-protocol.pac
index 0475dcceca..958e3921cd 100644
--- a/src/analyzer/protocol/sip/sip-protocol.pac
+++ b/src/analyzer/protocol/sip/sip-protocol.pac
@@ -8,6 +8,7 @@ type SIP_TOKEN = RE/[^()<>@,;:\\"\/\[\]?={} \t]+/;
 type SIP_WS = RE/[ \t]*/;
 type SIP_COLON = RE/:/;
 type SIP_TO_EOL = RE/[^\r\n]*/;
+type SIP_EOL = RE/(\r\n){1,2}/;
 type SIP_URI = RE/[[:alnum:]@[:punct:]]+/;
 type SIP_PDU(is_orig: bool) = case is_orig of {
@@ -17,11 +18,13 @@ type SIP_PDU(is_orig: bool) = case is_orig of {
 type SIP_Request = record {
 	request: SIP_RequestLine;
+	newline: padding[2];
 	msg: SIP_Message;
 };
 type SIP_Reply = record {
 	reply: SIP_ReplyLine;
+	newline: padding[2];
 	msg: SIP_Message;
 };
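Review bot: The header-name match added to proc_sip_header is byte-exact, but SIP header names are case-insensitive and the compact form of Content-Length is lowercase `l` (RFC 3261 §7.3.3), so `content-length: 512` or `l: 512` leaves `content_length` untouched while `L` (which no sender emits) is accepted. Because the assignment is now conditional, a message whose length header is not recognised appears to have its body sized by whatever `content_length` the previous message on this flow left behind — inferred, since any reset of that field lives outside the hunk. A case-insensitive comparison of `name` against both spellings, plus resetting `content_length` when a new message starts, would tie the body length to the current message. The is_orig() re-flows in the -123 and -132 hunks are purely cosmetic. proc_sip_header's body continues past the hunk.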
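Review bot: `newline: padding[2]` in SIP_Request and SIP_Reply hard-codes a two-byte line terminator after the request/reply line, while the same commit introduces `SIP_EOL = RE/(\r\n){1,2}/` for headers; a line ending that is not exactly CRLF would shift the parser by one byte into the first header, which then fails to match. If SIP_RequestLine/SIP_ReplyLine are declared `&oneline` elsewhere (not visible here) the padding may instead be consuming the start of the first header — worth confirming against the definitions outside this hunk. Using `: SIP_EOL;` here too, or a comment `# SIP mandates CRLF here (RFC 3261 §7); the padding is not tolerant of bare LF`, would make the assumption explicit. The SIP_PDU case that selects between the two records lies outside the hunk.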
@@ -61,15 +64,15 @@ type SIP_Message = record {
 	body: SIP_Body;
 };
-type SIP_HEADER_NAME = RE/([^: \t]+)/;
+type SIP_HEADER_NAME = RE/[^: \t]+/;
 type SIP_Header = record {
-	: padding[2];
 	name: SIP_HEADER_NAME;
 	: SIP_COLON;
 	: SIP_WS;
 	value: SIP_TO_EOL;
+	: SIP_EOL;
 } &oneline &byteorder=bigendian;
-type SIP_Body() = record {
-	body: bytestring &chunked, &length = $context.flow.get_content_length();
+type SIP_Body = record {
+	body: bytestring &length = $context.flow.get_content_length();
 };
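Review bot: With `&chunked` removed, SIP_Body now has binpac buffer the entire body up to `$context.flow.get_content_length()`, and that value comes straight from the peer's Content-Length header via `bytestring_to_int` in the sip-analyzer.pac hunk; nothing in this hunk bounds it, so a negative or very large declared length would be passed as-is to `&length`. The flow accessor should reject or clamp out-of-range values before they reach the parser — get_content_length is not in the hunk, so this may already happen, but it is worth confirming. Separately, `: SIP_EOL;` with `(\r\n){1,2}` lets the last header consume the blank line that ends the header block; if the header list's terminator is matched elsewhere, a comment on that field saying how the two interact would spare the next reader a trace through the grammar. The SIP_Message record starts outside the hunk.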