Rely on content inspection and not just is_orig to determine client/server.

scripts/base/init-default.bro

@@ -47,6 +47,7 @@
 @load base/protocols/irc
 @load base/protocols/modbus
 @load base/protocols/pop3
+@load base/protocols/sip
 @load base/protocols/snmp
 @load base/protocols/smtp
 @load base/protocols/socks

src/analyzer/protocol/sip/SIP.cc

@@ -23,11 +23,15 @@ void SIP_Analyzer::Done()
 void SIP_Analyzer::DeliverPacket(int len, const u_char* data,
 				 bool orig, int seq, const IP_Hdr* ip, int caplen)
 	{
-	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+	bool real_orig = true;
+	if ( len > 6 && data[0] == 'S' && data[1] == 'I' && data[2] == 'P' && data[3] == '/' )
+	    real_orig = false;
+
+	Analyzer::DeliverPacket(len, data, real_orig, seq, ip, caplen);
 	
 	try
 		{
-		interp->NewData(orig, data, data + len);
+		interp->NewData(real_orig, data, data + len);
 		}
 	catch ( const binpac::Exception& e )
 		{

src/analyzer/protocol/sip/sip-analyzer.pac

@@ -45,7 +45,7 @@ refine flow SIP_Flow += {
 
 	function proc_sip_header(name: bytestring, value: bytestring): bool
 		%{
-
+		if ( name == "Content-Length" || name == "L" )
 			content_length = bytestring_to_int(value, 10);
 		
 		if ( sip_header )
@@ -123,8 +123,7 @@ refine flow SIP_Flow += {
 		%{
 		if ( sip_begin_entity )
 			{
-			BifEvent::generate_sip_begin_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
+			BifEvent::generate_sip_begin_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig());
-							    is_orig());
 			}
 		%}
 
@@ -132,13 +131,11 @@ refine flow SIP_Flow += {
 		%{
 		if ( sip_end_entity )
 			{
-			BifEvent::generate_sip_end_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
+			BifEvent::generate_sip_end_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig());
-							  is_orig());
 			}
 		if ( sip_message_done )
 			{
-			BifEvent::generate_sip_message_done(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
+			BifEvent::generate_sip_message_done(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig());
-							    is_orig());
 			}
 
 		return true;

src/analyzer/protocol/sip/sip-protocol.pac

@@ -8,6 +8,7 @@ type SIP_TOKEN  = RE/[^()<>@,;:\\"\/\[\]?={} \t]+/;
 type SIP_WS     = RE/[ \t]*/;
 type SIP_COLON	= RE/:/;
 type SIP_TO_EOL = RE/[^\r\n]*/;
+type SIP_EOL    = RE/(\r\n){1,2}/;
 type SIP_URI    = RE/[[:alnum:]@[:punct:]]+/;
 
 type SIP_PDU(is_orig: bool) = case is_orig of {
@@ -17,11 +18,13 @@ type SIP_PDU(is_orig: bool) = case is_orig of {
 
 type SIP_Request = record {
      request:        SIP_RequestLine;
+     newline:	     padding[2];
      msg:            SIP_Message;
 };
 
 type SIP_Reply = record {
      reply:          SIP_ReplyLine;
+     newline:	     padding[2];
      msg:            SIP_Message;
 };
 
@@ -61,15 +64,15 @@ type SIP_Message = record {
      body:           SIP_Body;
 };
 
-type SIP_HEADER_NAME = RE/([^: \t]+)/;
+type SIP_HEADER_NAME = RE/[^: \t]+/;
 type SIP_Header = record {
-     :               padding[2];
      name:           SIP_HEADER_NAME;
      :		     SIP_COLON;
      :               SIP_WS;
      value:          SIP_TO_EOL;
+     :		     SIP_EOL;
 } &oneline &byteorder=bigendian;
 
-type SIP_Body() = record {
+type SIP_Body = record {
-      body: bytestring &chunked, &length = $context.flow.get_content_length();
+      body: bytestring &length = $context.flow.get_content_length();
 };