From 94afcd89c01c56d0f419ea9fb8139c99ed0506f8 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 17 Apr 2015 21:46:56 -0400 Subject: [PATCH] Small update for the SIP logs and DPD sig. The logs were incomplete for intermediate 1xx responses. --- scripts/base/protocols/sip/dpd.sig | 2 +- scripts/base/protocols/sip/main.bro | 37 ++++++++++++++++++++++------- 2 files changed, 29 insertions(+), 10 deletions(-) diff --git a/scripts/base/protocols/sip/dpd.sig b/scripts/base/protocols/sip/dpd.sig index 143e2d843d..369e7a6ab7 100644 --- a/scripts/base/protocols/sip/dpd.sig +++ b/scripts/base/protocols/sip/dpd.sig @@ -1,5 +1,5 @@ signature dpd_sip { ip-proto == udp - payload /^( SIP\/[0-9]\.[0-9]\x0d\x0a|SIP\/[0-9]\.[0-9] [0-9][0-9][0-9] )/ + payload /^ ?SIP\/[0-9]\.[0-9](\x0d\x0a| [0-9][0-9][0-9] )/ enable "sip" } diff --git a/scripts/base/protocols/sip/main.bro b/scripts/base/protocols/sip/main.bro index 13aeb78e16..11644a3398 100644 --- a/scripts/base/protocols/sip/main.bro +++ b/scripts/base/protocols/sip/main.bro @@ -129,6 +129,20 @@ function set_state(c: connection, is_request: bool) c$sip = c$sip_state$pending[c$sip_state$current_response]; } +function flush_pending(c: connection) + { + # Flush all pending but incomplete request/response pairs. + if ( c?$sip_state ) + { + for ( r in c$sip_state$pending ) + { + # We don't use pending elements at index 0. + if ( r == 0 ) next; + Log::write(SIP::LOG, c$sip_state$pending[r]); + } + } + } + event sip_request(c: connection, method: string, original_URI: string, version: string) &priority=5 { set_state(c, T); @@ -142,7 +156,8 @@ event sip_request(c: connection, method: string, original_URI: string, version: event sip_reply(c: connection, version: string, code: count, reason: string) &priority=5 { - if ( c$sip_state$current_response !in c$sip_state$pending ) + if ( c$sip_state$current_response !in c$sip_state$pending && + (code < 100 && 200 <= code) ) ++c$sip_state$current_response; set_state(c, F); 
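Review bot: In `scripts/base/protocols/sip/dpd.sig`, the `\x0d\x0a` alternative of the new `payload` pattern can only match a datagram that begins with `SIP/x.y` followed directly by CRLF, whereas a SIP request line carries the version at the end, after the method and URI. With the `^` anchor the signature therefore appears to recognise status lines only, so a flow in which only requests are seen (for example unanswered probes on a port with no port-based analyzer registration) would probably never get the analyzer attached and would leave no SIP log. If request coverage is intended, add a second signature for the request line, e.g. `payload /^[A-Z]+ [^ \x0d\x0a]+ SIP\/[0-9]\.[0-9]\x0d\x0a/`; otherwise drop the CRLF branch and note in a comment that matching is response-only.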
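Review bot: `flush_pending()` in `scripts/base/protocols/sip/main.bro` writes every entry still in `c$sip_state$pending` without clearing the table and without knowing whether an entry was already logged, and nothing in the function says so. The `sip_end_entity` change in this patch logs a 1xx reply and deliberately keeps it in `pending`, so a dialog that ends after a provisional response would apparently have that record written a second time at teardown; `set_state` is mostly outside the hunk, so this should be confirmed. The BYE path avoids a second flush only because it deletes `c$sip_state` straight after the call. I would document the contract above the function, e.g. `# Logs all pending entries and does not clear them; callers must delete c$sip_state afterwards or the entries are logged again at connection teardown.`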
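Review bot: In `sip_reply`, the added clause `(code < 100 && 200 <= code)` can never be true, because no status code is both below 100 and at least 200, so `++c$sip_state$current_response` is now unreachable. The matching test added to `sip_end_entity` in this patch uses `||`, which suggests the intent here was `(code < 100 || 200 <= code) )`. As written the response index never advances, so successive final responses on one connection would presumably land in the same pending slot and the log could pair a reply with the wrong request. `set_state` and the rest of the handler body lie outside the hunk, so that effect should be confirmed.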
@@ -198,21 +213,25 @@ event sip_end_entity(c: connection, is_request: bool) &priority = -5 if ( ! is_request ) { Log::write(SIP::LOG, c$sip); - delete c$sip_state$pending[c$sip_state$current_response]; + + if ( c$sip$status_code < 100 || 200 <= c$sip$status_code ) + delete c$sip_state$pending[c$sip_state$current_response]; + + if ( c$sip$method == "BYE" && + c$sip$status_code >= 200 && c$sip$status_code < 300 ) + { + flush_pending(c); + delete c$sip; + delete c$sip_state; + } } } event connection_state_remove(c: connection) &priority=-5 { - # Flush all pending but incomplete request/response pairs. if ( c?$sip_state ) { - for ( r in c$sip_state$pending ) - { - # We don't use pending elements at index 0. - if ( r == 0 ) next; - Log::write(SIP::LOG, c$sip_state$pending[r]); - } + flush_pending(c); } }
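Review bot: The new BYE test in `sip_end_entity` reads `c$sip$method` without checking that the field is set. A reply seen without its request (a one-sided capture, or a datagram that merely starts with a status line, which is all the DPD signature requires) would leave `method` unset if it is `&optional` in `SIP::Info`; the record definition is not in this hunk. Reading an unset optional field raises a runtime error and aborts the handler, so guard it with `if ( c$sip?$method && c$sip$method == "BYE" &&`. The handler's opening lines are outside the hunk. Separately, `connection_state_remove` now tests `c?$sip_state` twice, once itself and once inside `flush_pending`, so one of the two checks can go.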