Rely on content inspection and not just is_orig to determine client/server.

Vlad Grigorescu 2014-04-22 20:31:53 -04:00
parent 25d7b71c50
commit 8744b66b56
4 changed files with 19 additions and 14 deletions


@ -47,6 +47,7 @@
@load base/protocols/irc
@load base/protocols/modbus
@load base/protocols/pop3
@load base/protocols/sip
@load base/protocols/snmp
@load base/protocols/smtp
@load base/protocols/socks


@ -23,11 +23,15 @@ void SIP_Analyzer::Done()
void SIP_Analyzer::DeliverPacket(int len, const u_char* data,
bool orig, int seq, const IP_Hdr* ip, int caplen)
{
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
bool real_orig = true;
if ( len > 6 && data[0] == 'S' && data[1] == 'I' && data[2] == 'P' && data[3] == '/' )
real_orig = false;
Analyzer::DeliverPacket(len, data, real_orig, seq, ip, caplen);
try
{
interp->NewData(orig, data, data + len);
interp->NewData(real_orig, data, data + len);
}
catch ( const binpac::Exception& e )
{


@ -45,8 +45,8 @@ refine flow SIP_Flow += {
function proc_sip_header(name: bytestring, value: bytestring): bool
%{
content_length = bytestring_to_int(value, 10);
if ( name == "Content-Length" || name == "L" )
content_length = bytestring_to_int(value, 10);
if ( sip_header )
{
@ -123,8 +123,7 @@ refine flow SIP_Flow += {
%{
if ( sip_begin_entity )
{
BifEvent::generate_sip_begin_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
is_orig());
BifEvent::generate_sip_begin_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig());
}
%}
@ -132,13 +131,11 @@ refine flow SIP_Flow += {
%{
if ( sip_end_entity )
{
BifEvent::generate_sip_end_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
is_orig());
BifEvent::generate_sip_end_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig());
}
if ( sip_message_done )
{
BifEvent::generate_sip_message_done(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
is_orig());
BifEvent::generate_sip_message_done(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig());
}
return true;
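Review bot: In `proc_sip_header` the added condition `name == "Content-Length" || name == "L"` is an exact, case-sensitive match, but SIP header names are case-insensitive and the compact form of Content-Length is lower-case `l` (RFC 3261), so `content-length:` or `l:` headers never update `content_length` and the body is then sized from whatever value was left over. The parsed value is also stored unchecked, so a negative or very large `Content-Length` flows into `content_length` as-is; a bound or a rejection of negative values here would keep a peer from steering the body length. Suggest comparing case-insensitively (for example by lower-casing `name` before the comparison) and adding a comment such as `// Content-Length (compact form "l") is peer-supplied; it sizes SIP_Body, so validate it.` The rest of proc_sip_header continues outside the hunk.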


@ -8,6 +8,7 @@ type SIP_TOKEN = RE/[^()<>@,;:\\"\/\[\]?={} \t]+/;
type SIP_WS = RE/[ \t]*/;
type SIP_COLON = RE/:/;
type SIP_TO_EOL = RE/[^\r\n]*/;
type SIP_EOL = RE/(\r\n){1,2}/;
type SIP_URI = RE/[[:alnum:]@[:punct:]]+/;
type SIP_PDU(is_orig: bool) = case is_orig of {
@ -17,11 +18,13 @@ type SIP_PDU(is_orig: bool) = case is_orig of {
type SIP_Request = record {
request: SIP_RequestLine;
newline: padding[2];
msg: SIP_Message;
};
type SIP_Reply = record {
reply: SIP_ReplyLine;
newline: padding[2];
msg: SIP_Message;
};
@ -61,15 +64,15 @@ type SIP_Message = record {
body: SIP_Body;
};
type SIP_HEADER_NAME = RE/([^: \t]+)/;
type SIP_HEADER_NAME = RE/[^: \t]+/;
type SIP_Header = record {
: padding[2];
name: SIP_HEADER_NAME;
: SIP_COLON;
: SIP_WS;
value: SIP_TO_EOL;
: SIP_EOL;
} &oneline &byteorder=bigendian;
type SIP_Body() = record {
body: bytestring &chunked, &length = $context.flow.get_content_length();
type SIP_Body = record {
body: bytestring &length = $context.flow.get_content_length();
};
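Review bot: `SIP_Body` now reads `&length = $context.flow.get_content_length()` without `&chunked`, so the whole body is held as one record and its length comes straight from the peer-supplied `Content-Length` header; nothing in this hunk bounds that value, so a huge or negative header would dictate how much data the flow waits for or buffers. `get_content_length()` and the header parsing are outside the hunk, so I cannot confirm whether a limit is applied there; if not, a maximum body length and a comment on `SIP_Body` stating that the length is attacker-controlled would be worth adding. The new `newline: padding[2];` fields in `SIP_Request` and `SIP_Reply` also hard-code a two-byte CRLF after the start line, which a bare-LF line would desynchronize; if that is intended, a comment like `# start line is terminated by CRLF; bare LF is not accepted` would make it explicit.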