Merge remote-tracking branch 'origin/topic/vladg/bit-1458'

* origin/topic/vladg/bit-1458:
  Move SIP analyzer to flowunit instead of datagram

BIT-1458 #merged
Johanna Amann 2015-09-03 20:10:36 -07:00
commit ab57c72251
6 changed files with 19 additions and 26 deletions


@ -1,4 +1,9 @@
2.4-125 | 2015-09-03 20:10:36 -0700
* Move SIP analyzer to flowunit instead of datagram Addresses
BIT-1458 (Vlad Grigorescu)
2.4-122 | 2015-08-31 14:39:41 -0700
* Add a number of out-of-bound checks to layer 2 code. Addresses


@ -1 +1 @@
2.4-122
2.4-125


@ -1,16 +1,6 @@
enum ExpectBody {
BODY_EXPECTED,
BODY_NOT_EXPECTED,
BODY_MAYBE,
};
type SIP_TOKEN = RE/[^()<>@,;:\\"\/\[\]?={} \t]+/;
type SIP_WS = RE/[ \t]*/;
type SIP_COLON = RE/:/;
type SIP_TO_EOL = RE/[^\r\n]*/;
type SIP_EOL = RE/(\r\n){1,2}/;
type SIP_URI = RE/[[:alnum:]@[:punct:]]+/;
type SIP_NL = RE/(\r\n)/;
type SIP_PDU(is_orig: bool) = case is_orig of {
true -> request: SIP_Request;
@ -18,14 +8,12 @@ type SIP_PDU(is_orig: bool) = case is_orig of {
};
type SIP_Request = record {
request: SIP_RequestLine;
newline: SIP_NL;
request: SIP_RequestLine &oneline;
msg: SIP_Message;
};
type SIP_Reply = record {
reply: SIP_ReplyLine;
newline: SIP_NL;
reply: SIP_ReplyLine &oneline;
msg: SIP_Message;
};
@ -34,7 +22,7 @@ type SIP_RequestLine = record {
: SIP_WS;
uri: SIP_URI;
: SIP_WS;
version: SIP_Version;
version: SIP_Version &restofdata;
} &oneline;
type SIP_ReplyLine = record {
@ -42,7 +30,7 @@ type SIP_ReplyLine = record {
: SIP_WS;
status: SIP_Status;
: SIP_WS;
reason: SIP_TO_EOL;
reason: bytestring &restofdata;
} &oneline;
type SIP_Status = record {
@ -69,11 +57,10 @@ type SIP_HEADER_NAME = RE/[^: \t]+/;
type SIP_Header = record {
name: SIP_HEADER_NAME;
: SIP_WS;
: SIP_COLON;
: ":";
: SIP_WS;
value: SIP_TO_EOL;
: SIP_EOL;
} &oneline &byteorder=bigendian;
value: bytestring &restofdata;
} &oneline;
type SIP_Body = record {
body: bytestring &length = $context.flow.get_content_length();
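Review bot: The `&oneline` request and reply lines and the `bytestring &restofdata` header values carry no length bound, and the `SIP_Body` length comes straight from `get_content_length()`. With the flow switched to `flowunit` elsewhere in this commit, the parser waits for a line terminator and for that many body bytes before it completes a unit, and both are chosen by the remote peer. Whether binpac's flow buffer caps the amount held per flow is not visible on this page. I would document the assumption next to `SIP_Body`, e.g. `# length is peer-supplied; get_content_length() must clamp it before it is used here`, and have that accessor enforce a maximum. `SIP_Body` continues past the end of the hunk.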


@ -21,7 +21,7 @@ connection SIP_Conn(bro_analyzer: BroAnalyzer) {
%include sip-protocol.pac
flow SIP_Flow(is_orig: bool) {
datagram = SIP_PDU(is_orig) withcontext(connection, this);
flowunit = SIP_PDU(is_orig) withcontext(connection, this);
};
%include sip-analyzer.pac
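Review bot: The new `flowunit = SIP_PDU(is_orig) withcontext(connection, this);` line needs a comment stating what happens to a partially parsed message, because unlike `datagram` a flow unit keeps unconsumed bytes between deliveries. If this flow is fed from UDP packets (the test baseline in this commit logs `SIP/2.0/UDP`), a packet that ends mid-line would presumably be joined with the next packet from the same side. One malformed packet could then skew parsing of later ones unless the caller discards the buffer on a parse error. Suggested comment: `# flowunit: partial input is buffered across deliveries; the analyzer must reset the flow on parse errors`. The identical change in the next file section (`@ -24,7 +24,7 @@`) raises the same consideration.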


@ -24,7 +24,7 @@ connection SIP_Conn(bro_analyzer: BroAnalyzer) {
%include sip-protocol.pac
flow SIP_Flow(is_orig: bool) {
datagram = SIP_PDU(is_orig) withcontext(connection, this);
flowunit = SIP_PDU(is_orig) withcontext(connection, this);
};
%include sip-analyzer.pac


@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path sip
#open 2015-04-30-03-33-33
#open 2015-09-03-21-02-33
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method uri date request_from request_to response_from response_to reply_to call_id seq subject request_path response_path user_agent status_code status_msg warning request_body_len response_body_len content_type
#types time string addr port addr port count string string string string string string string string string string string vector[string] vector[string] string count string string string string string
1120469572.844249 CXWv6p3arKYeMETxOg 192.168.1.2 5060 212.242.33.35 5060 0 REGISTER sip:sip.cybercity.dk - <sip:voi18063@sip.cybercity.dk> <sip:voi18063@sip.cybercity.dk> <sip:voi18063@sip.cybercity.dk> <sip:voi18063@sip.cybercity.dk>;tag=00-04092-1701af62-120c67172 - 578222729-4665d775@578222732-4665d772 68 REGISTER - SIP/2.0/UDP 192.168.1.2 SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5060 Nero SIPPS IP Phone Version 2.0.51.16 401 Unauthorized - 0 0 -
@ -37,8 +37,9 @@
1120470900.060556 CIPOse170MGiRM1Qf4 192.168.1.2 5060 212.242.33.35 5060 0 ACK sip:0097239287044@sip.cybercity.dk - "arik" <sip:35104723@sip.cybercity.dk> <sip:0097239287044@sip.cybercity.dk>;tag=00-04083-1701ba17-57d493ef5 - - - 24487391-449bf2a0@192.168.1.2 2 ACK - SIP/2.0/UDP 192.168.1.2 (empty) - - - - 0 - -
1120470966.443914 C7XEbhP654jzLoe3a 192.168.1.2 5060 212.242.33.35 5060 0 INVITE sip:35104724@sip.cybercity.dk - "arik" <sip:35104723@sip.cybercity.dk> <sip:35104724@sip.cybercity.dk> "arik" <sip:35104723@sip.cybercity.dk> <sip:35104724@sip.cybercity.dk>;tag=00-04079-1701ba6f-3e08e2f66 - 11894297-4432a9f8@192.168.1.2 1 INVITE - SIP/2.0/UDP 192.168.1.2:5060 SIP/2.0/UDP 192.168.1.2:5060;received=80.230.219.70;rport=5060 Nero SIPPS IP Phone Version 2.0.51.16 407 authentication required - 270 0 -
1120470966.606422 C7XEbhP654jzLoe3a 192.168.1.2 5060 212.242.33.35 5060 0 INVITE sip:35104724@sip.cybercity.dk Mon, 04 Jul 2005 09:56:06 GMT "arik" <sip:35104723@sip.cybercity.dk> <sip:35104724@sip.cybercity.dk> "arik" <sip:35104723@sip.cybercity.dk> <sip:35104724@sip.cybercity.dk> - 11894297-4432a9f8@192.168.1.2 2 INVITE - SIP/2.0/UDP 192.168.1.2:5060,SIP/2.0/UDP 192.168.1.2 SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5060 Nero SIPPS IP Phone Version 2.0.51.16 100 Trying - 270 0 -
1120470966.606422 C7XEbhP654jzLoe3a 192.168.1.2 5060 212.242.33.35 5060 0 INVITE sip:35104724@sip.cybercity.dk Mon, 04 Jul 2005 09:56:06 GMT "arik" <sip:35104723@sip.cybercity.dk> <sip:35104724@sip.cybercity.dk> "arik" <sip:35104723@sip.cybercity.dk> <sip:35104724@sip.cybercity.dk>;tag=00-04075-1701baa2-2dfdf7c21 - 11894297-4432a9f8@192.168.1.2 2 INVITE - SIP/2.0/UDP 192.168.1.2:5060,SIP/2.0/UDP 192.168.1.2 SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5060,SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5060 Nero SIPPS IP Phone Version 2.0.51.16 183 In band info available - 270 199 application/sdp
1120470966.606422 C7XEbhP654jzLoe3a 192.168.1.2 5060 212.242.33.35 5060 0 INVITE sip:35104724@sip.cybercity.dk Mon, 04 Jul 2005 09:56:06 GMT "arik" <sip:35104723@sip.cybercity.dk> <sip:35104724@sip.cybercity.dk> "arik" <sip:35104723@sip.cybercity.dk> <sip:35104724@sip.cybercity.dk>;tag=00-04075-1701baa2-2dfdf7c21 - 11894297-4432a9f8@192.168.1.2 2 INVITE - SIP/2.0/UDP 192.168.1.2:5060,SIP/2.0/UDP 192.168.1.2 SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5060,SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5060,SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5060 Nero SIPPS IP Phone Version 2.0.51.16 480 Error - 270 0 application/sdp
1120470984.353086 C7XEbhP654jzLoe3a 192.168.1.2 5060 212.242.33.35 5060 0 REGISTER sip:sip.cybercity.dk - <sip:35104723@sip.cybercity.dk> <sip:35104723@sip.cybercity.dk> <sip:35104723@sip.cybercity.dk> <sip:35104723@sip.cybercity.dk>;tag=00-04074-1701bac9-1daa0b4c5 - 29858147-465b0752@29858051-465b07b2 5 REGISTER - SIP/2.0/UDP 192.168.1.2,SIP/2.0/UDP 192.168.1.2 SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5060 Nero SIPPS IP Phone Version 2.0.51.16 401 Unauthorized - 0 0 -
1120471018.723316 C7XEbhP654jzLoe3a 192.168.1.2 5060 212.242.33.35 5060 0 REGISTER sip:sip.cybercity.dk - <sip:35104723@sip.cybercity.dk> <sip:35104723@sip.cybercity.dk> <sip:35104723@sip.cybercity.dk> <sip:35104723@sip.cybercity.dk> - 29858147-465b0752@29858051-465b07b2 6 REGISTER - SIP/2.0/UDP 192.168.1.2 SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5060 Nero SIPPS IP Phone Version 2.0.51.16 100 Trying - 0 0 -
1120471018.723316 C7XEbhP654jzLoe3a 192.168.1.2 5060 212.242.33.35 5060 0 REGISTER sip:sip.cybercity.dk - <sip:35104723@sip.cybercity.dk> <sip:35104723@sip.cybercity.dk> <sip:35104723@sip.cybercity.dk> <sip:35104723@sip.cybercity.dk>;tag=00-04087-1701bae7-76fb74995 - 29858147-465b0752@29858051-465b07b2 6 REGISTER - SIP/2.0/UDP 192.168.1.2 SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5060,SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5060 Nero SIPPS IP Phone Version 2.0.51.16 200 OK - 0 0 -
#close 2015-04-30-03-33-33
#close 2015-09-03-21-02-33