mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
218 lines
7.5 KiB
Text
218 lines
7.5 KiB
Text
##! Implements base functionality for SIP analysis. The logging model is
|
|
##! to log request/response pairs and all relevant metadata together in
|
|
##! a single record.
|
|
|
|
@load base/utils/numbers
|
|
@load base/utils/files
|
|
|
|
module SIP;
|
|
|
|
export {
|
|
redef enum Log::ID += { LOG };
|
|
|
|
type Info: record {
|
|
## Timestamp for when the request happened.
|
|
ts: time &log;
|
|
## Unique ID for the connection.
|
|
uid: string &log;
|
|
## The connection's 4-tuple of endpoint addresses/ports.
|
|
id: conn_id &log;
|
|
## Represents the pipelined depth into the connection of this
|
|
## request/response transaction.
|
|
trans_depth: count &log;
|
|
## Verb used in the SIP request (INVITE, REGISTER etc.).
|
|
method: string &log &optional;
|
|
## URI used in the request.
|
|
uri: string &log &optional;
|
|
## Contents of the Date: header from the client
|
|
date: string &log &optional;
|
|
## Contents of the From: header (call sender)
|
|
## Note: The tag= value that's usually appended to the sender
|
|
## is stripped off and not logged.
|
|
from: string &log &optional;
|
|
## Contents of the To: header (call recipient)
|
|
to: string &log &optional;
|
|
## Contents of the Reply-To: header
|
|
reply_to: string &log &optional;
|
|
## Contents of the Call-ID: header from the client
|
|
call_id: string &log &optional;
|
|
## Contents of the CSeq: header from the client
|
|
seq: string &log &optional;
|
|
## Contents of the Subject: header from the client
|
|
subject: string &log &optional;
|
|
## The message transmission path, as extracted from the headers.
|
|
path: vector of string &log &optional;
|
|
## Contents of the User-Agent: header from the client
|
|
user_agent: string &log &optional;
|
|
## Status code returned by the server.
|
|
status_code: count &log &optional;
|
|
## Status message returned by the server.
|
|
status_msg: string &log &optional;
|
|
## Contents of the Warning: header
|
|
warning: string &log &optional;
|
|
## Contents of the Content-Length: header from the client
|
|
request_body_len: string &log &optional;
|
|
## Contents of the Content-Length: header from the server
|
|
response_body_len: string &log &optional;
|
|
## Contents of the Content-Type: header from the server
|
|
content_type: string &log &optional;
|
|
};
|
|
|
|
type State: record {
|
|
## Pending requests.
|
|
pending: table[count] of Info;
|
|
## Current request in the pending queue.
|
|
current_request: count &default=0;
|
|
## Current response in the pending queue.
|
|
current_response: count &default=0;
|
|
};
|
|
|
|
## A list of SIP methods. Other methods will generate a weird. Note
|
|
## that the SIP analyzer will only accept methods consisting solely
|
|
## of letters ``[A-Za-z]``.
|
|
const sip_methods: set[string] = {
|
|
"REGISTER", "INVITE", "ACK", "CANCEL", "BYE", "OPTIONS"
|
|
} &redef;
|
|
|
|
## Event that can be handled to access the SIP record as it is sent on
|
|
## to the logging framework.
|
|
global log_sip: event(rec: Info);
|
|
}
|
|
|
|
# Add the sip state tracking fields to the connection record.
|
|
redef record connection += {
|
|
sip: Info &optional;
|
|
sip_state: State &optional;
|
|
};
|
|
|
|
const ports = { 5060/udp };
|
|
redef likely_server_ports += { ports };
|
|
|
|
event bro_init() &priority=5
|
|
{
|
|
Log::create_stream(SIP::LOG, [$columns=Info, $ev=log_sip]);
|
|
Analyzer::register_for_ports(Analyzer::ANALYZER_SIP, ports);
|
|
}
|
|
|
|
function new_sip_session(c: connection): Info
|
|
{
|
|
local tmp: Info;
|
|
tmp$ts=network_time();
|
|
tmp$uid=c$uid;
|
|
tmp$id=c$id;
|
|
# $current_request is set prior to the Info record creation so we
|
|
# can use the value directly here.
|
|
tmp$trans_depth = c$sip_state$current_request;
|
|
|
|
tmp$path = vector();
|
|
|
|
return tmp;
|
|
}
|
|
|
|
function set_state(c: connection, is_request: bool)
|
|
{
|
|
if ( ! c?$sip_state )
|
|
{
|
|
local s: State;
|
|
c$sip_state = s;
|
|
}
|
|
|
|
# These deal with new requests and responses.
|
|
if ( is_request && c$sip_state$current_request !in c$sip_state$pending )
|
|
c$sip_state$pending[c$sip_state$current_request] = new_sip_session(c);
|
|
if ( ! is_request && c$sip_state$current_response !in c$sip_state$pending )
|
|
c$sip_state$pending[c$sip_state$current_response] = new_sip_session(c);
|
|
|
|
if ( is_request )
|
|
c$sip = c$sip_state$pending[c$sip_state$current_request];
|
|
else
|
|
c$sip = c$sip_state$pending[c$sip_state$current_response];
|
|
}
|
|
|
|
event sip_request(c: connection, method: string, original_URI: string, version: string) &priority=5
|
|
{
|
|
set_state(c, T);
|
|
|
|
c$sip$method = method;
|
|
c$sip$uri = original_URI;
|
|
|
|
if ( method !in sip_methods )
|
|
event conn_weird("unknown_SIP_method", c, method);
|
|
}
|
|
|
|
event sip_reply(c: connection, version: string, code: count, reason: string) &priority=5
|
|
{
|
|
if ( c$sip_state$current_response !in c$sip_state$pending )
|
|
++c$sip_state$current_response;
|
|
set_state(c, F);
|
|
|
|
c$sip$status_code = code;
|
|
c$sip$status_msg = reason;
|
|
}
|
|
|
|
event sip_header(c: connection, is_request: bool, name: string, value: string) &priority=5
|
|
{
|
|
if ( ! c?$sip_state )
|
|
{
|
|
local s: State;
|
|
c$sip_state = s;
|
|
}
|
|
|
|
if ( is_request ) # from client
|
|
{
|
|
if ( c$sip_state$current_request !in c$sip_state$pending )
|
|
++c$sip_state$current_request;
|
|
set_state(c, is_request);
|
|
if ( name == "CALL-ID" ) c$sip$call_id = value;
|
|
else if ( name == "CONTENT-LENGTH" || name == "L" ) c$sip$request_body_len = value;
|
|
else if ( name == "CSEQ" ) c$sip$seq = value;
|
|
else if ( name == "DATE" ) c$sip$date = value;
|
|
else if ( name == "FROM" || name == "F" ) c$sip$from = split1(value, /;[ ]?tag=/)[1];
|
|
else if ( name == "REPLY-TO" ) c$sip$reply_to = value;
|
|
else if ( name == "SUBJECT" || name == "S" ) c$sip$subject = value;
|
|
else if ( name == "TO" || name == "T" ) c$sip$to = value;
|
|
else if ( name == "USER-AGENT" ) c$sip$user_agent = value;
|
|
else if ( name == "VIA" || name == "V" ) c$sip$path[|c$sip$path|] = split1(value, /;[ ]?branch/)[1];
|
|
c$sip_state$pending[c$sip_state$current_request] = c$sip;
|
|
}
|
|
else # from server
|
|
{
|
|
if ( c$sip_state$current_response !in c$sip_state$pending )
|
|
++c$sip_state$current_response;
|
|
set_state(c, is_request);
|
|
if ( name == "CONTENT-LENGTH" || name == "L" ) c$sip$response_body_len = value;
|
|
else if ( name == "CONTENT-TYPE" || name == "C" ) c$sip$content_type = value;
|
|
else if ( name == "WARNING" ) c$sip$warning = value;
|
|
c$sip_state$pending[c$sip_state$current_response] = c$sip;
|
|
}
|
|
}
|
|
|
|
event sip_end_entity(c: connection, is_request: bool) &priority = 5
|
|
{
|
|
set_state(c, is_request);
|
|
}
|
|
|
|
event sip_end_entity(c: connection, is_request: bool) &priority = -5
|
|
{
|
|
# The reply body is done so we're ready to log.
|
|
if ( ! is_request )
|
|
{
|
|
Log::write(SIP::LOG, c$sip);
|
|
delete c$sip_state$pending[c$sip_state$current_response];
|
|
}
|
|
}
|
|
|
|
event connection_state_remove(c: connection) &priority=-5
|
|
{
|
|
# Flush all pending but incomplete request/response pairs.
|
|
if ( c?$sip_state )
|
|
{
|
|
for ( r in c$sip_state$pending )
|
|
{
|
|
# We don't use pending elements at index 0.
|
|
if ( r == 0 ) next;
|
|
Log::write(SIP::LOG, c$sip_state$pending[r]);
|
|
}
|
|
}
|
|
}
|
|
|