Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

detect/sip: add sticky buffers to match headers #10839

Closed
wants to merge 10 commits into from
Closed

detect/sip: add sticky buffers to match headers #10839

wants to merge 10 commits into from

Conversation

glongo
Copy link
Contributor

@glongo glongo commented Apr 14, 2024

Make sure these boxes are signed before submitting your Pull Request -- thank you.

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/6374

Describe changes:
This patchset introduces several sticky buffers to match the following SIP headers:

  • From
  • To
  • Via
  • User-Agent
  • Content-Type
  • Content-Length

SV_BRANCH=OISF/suricata-verify#1764

glongo added 10 commits April 14, 2024 14:02
@glongo
detect/sip: add stub file for headers keywords
383645c 
A stub file has been added to implement the sticky buffers for SIP headers.

Ticket OISF#6374
@glongo
rust/sip: store response headers
a1ee06c 
To match on response SIP headers, those headers must be stored.

Ticket OISF#6374
@glongo
rust/sip: match on headers map
e3c4c88 
Ticket OISF#6374
@glongo
detect/sip: add sip.from sticky buffer
eb8883a 
Ticket OISF#6374
@glongo
detect/sip: add sip.to sticky buffer
9288988 
Ticket OISF#6374
@glongo
detect/sip: add sip.via sticky buffer
7972845 
Ticket OISF#6374
@glongo
detect/sip: add sip.user_agent sticky buffer
4172535 
Ticket OISF#6374
@glongo
detect/sip: add sip.content_type sticky buffer
249aaaa 
Ticket OISF#6374
@glongo
detect/sip: add sip.content_length sticky buffer
d2d5373 
Ticket OISF#6374
@glongo
detect/sip: register headers sticky buffers
300f5b9 
Ticket OISF#6374
@glongo glongo mentioned this pull request Apr 14, 2024
Closed
@codecov Codecov
Copy link

codecov bot commented Apr 14, 2024

Codecov Report

Attention: Patch coverage is 96.89922% with 4 lines in your changes are missing coverage. Please review.

Project coverage is 82.87%. Comparing base (784ce30) to head (300f5b9).

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #10839      +/-   ##
==========================================
+ Coverage   82.83%   82.87%   +0.04%     
==========================================
  Files         913      921       +8     
  Lines      246847   246975     +128     
==========================================
+ Hits       204474   204679     +205     
+ Misses      42373    42296      -77
Flag Coverage Δ
fuzzcorpus 64.35% <52.71%> (+0.05%) ⬆️
suricata-verify 62.11% <96.89%> (+0.02%) ⬆️
unittests 62.33% <52.71%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

@jlucovsky
Copy link
Contributor

I'm looking at RFC3261 and some of the keywords being added like:

  • Content-Type
  • Content-Length
    also have "compact forms (l and c respectively).

I don't know how prevalent the compact form usage is; should your additions handle both forms of the headers iff the header has a compact form?

@glongo
Copy link
Contributor Author

glongo commented Apr 15, 2024

I'm looking at RFC3261 and some of the keywords being added like:

* `Content-Type`

* `Content-Length`
  also have "compact forms (`l` and `c` respectively).

I don't know how prevalent the compact form usage is; should your additions handle both forms of the headers iff the header has a compact form?

Definitely, those compact form must be handled.

@catenacyber
Copy link
Contributor

Why not a generic sip.request_header keyword ? whose buffer would be name+value like http.request_header (and same for response)

@glongo
Copy link
Contributor Author

glongo commented Apr 17, 2024

Why not a generic sip.request_header keyword ? whose buffer would be name+value like http.request_header (and same for response)

I'm not sure I like that to be honest.
@victorjulien, thoughts?

@catenacyber
Copy link
Contributor

Why not a generic sip.request_header keyword ? whose buffer would be name+value like http.request_header (and same for response)

I'm not sure I like that to be honest. @victorjulien, thoughts?

Why do not you like it ?
It would allow more signatures expressivity (not restricted to the headers added here), with less lines of code...

@victorjulien
Copy link
Member

Why not a generic sip.request_header keyword ? whose buffer would be name+value like http.request_header (and same for response)

I'm not sure I like that to be honest. @victorjulien, thoughts?

Why do not you like it ? It would allow more signatures expressivity (not restricted to the headers added here), with less lines of code...

It's an important keyword for http. In general, the other http keywords like http.header_names, http.start, etc should probably all be recreated here. Rule writers love them :)

@glongo
Copy link
Contributor Author

glongo commented Apr 18, 2024

It's an important keyword for http. In general, the other http keywords like http.header_names, http.start, etc should probably all be recreated here. Rule writers love them :)

So, could I add a keyword as @catenacyber suggested in another PR, and leave this one as is once the compact form issue is resolved?

@victorjulien
Copy link
Member

It's an important keyword for http. In general, the other http keywords like http.header_names, http.start, etc should probably all be recreated here. Rule writers love them :)

So, could I add a keyword as @catenacyber suggested in another PR, and leave this one as is once the compact form issue is resolved?

I'm ok with doing them in follow up PRs. Btw I suggest a more comprehensive list :)

@glongo
Copy link
Contributor Author

glongo commented Apr 18, 2024

It's an important keyword for http. In general, the other http keywords like http.header_names, http.start, etc should probably all be recreated here. Rule writers love them :)

So, could I add a keyword as @catenacyber suggested in another PR, and leave this one as is once the compact form issue is resolved?

I'm ok with doing them in follow up PRs. Btw I suggest a more comprehensive list :)

Sure, it's just a starting point :)

@glongo
Copy link
Contributor Author

glongo commented Apr 18, 2024

Replaced with #10907

@glongo glongo closed this Apr 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasonish jasonish Awaiting requested review from jasonish jasonish is a code owner

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@glongo @jlucovsky @catenacyber @victorjulien