detect/sip: add sticky buffers to match headers v5 #11620
According to RFC 3261, a single header can be repeated one or more times, and its name can also be specified using the 'compact form.' This patch updates the hashmap used for storing headers to accommodate multiple values instead of just one. Additionally, if a header name is defined in the compact form, it is expanded into its long form (i.e., the standard name). This conversion simplifies the logic for matching a given header and ensures 1:1 parity with keywords. Ticket OISF#6374
To match on response SIP headers, those headers must be stored. Ticket OISF#6374
This adds a sticky (multi) buffer to match the "From" header field in both requests and responses. Ticket OISF#6374
This adds a sticky (multi) buffer to match the 'To' header field in both requests and responses. Ticket OISF#6374
This adds a sticky (multi) buffer to match the "Via" header field in both requests and responses. Ticket OISF#6374
This adds a sticky (multi) buffer to match the "User-Agent" header field in both requests and responses. Ticket OISF#6374
This adds a sticky (multi) buffer to match the "Content-Type" header field in both requests and responses. Ticket OISF#6374
This adds a sticky (multi) buffer to match the "Content-Length" header field in both requests and responses. Ticket OISF#6374
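The storage change described in the first commit message above (repeated headers kept as a list, compact names expanded to the long form), as an added example; it is not code from this pull request. `expand_header_name`, `parse_headers` and `SAMPLE` are hypothetical names with constructed data, and the sketch ignores line folding and comma-separated values on a single line.

```rust
use std::collections::HashMap;

/// Expand an RFC 3261 compact header name to its long form.
/// Compact names are matched case-insensitively; any other name is returned unchanged.
fn expand_header_name(name: &str) -> String {
    let long = match name.to_ascii_lowercase().as_str() {
        "i" => "Call-ID",
        "m" => "Contact",
        "e" => "Content-Encoding",
        "l" => "Content-Length",
        "c" => "Content-Type",
        "f" => "From",
        "s" => "Subject",
        "k" => "Supported",
        "t" => "To",
        "v" => "Via",
        _ => return name.to_string(),
    };
    long.to_string()
}

/// Parse a SIP header block into name -> every value seen, in wire order.
/// A header repeated on several lines (long or compact form) ends up in one list.
fn parse_headers(block: &str) -> HashMap<String, Vec<String>> {
    let mut headers: HashMap<String, Vec<String>> = HashMap::new();
    for line in block.split("\r\n") {
        if line.is_empty() {
            break; // the empty line ends the header block
        }
        // Split at the first ':' only, so URIs inside the value stay intact.
        if let Some((name, value)) = line.split_once(':') {
            headers
                .entry(expand_header_name(name.trim()))
                .or_default()
                .push(value.trim().to_string());
        }
    }
    headers
}

// Constructed sample: "Via" appears twice (once as "v"), "From" and "Content-Length" are compact.
const SAMPLE: &str = "Via: SIP/2.0/UDP a.example.com;branch=z9hG4bK1\r\nv: SIP/2.0/UDP b.example.com;branch=z9hG4bK2\r\nf: <sip:alice@example.com>;tag=1\r\nTo: <sip:bob@example.com>\r\nl: 0\r\n\r\n";

fn main() {
    let headers = parse_headers(SAMPLE);
    println!("Via values: {:?}", headers["Via"]);
    println!("From values: {:?}", headers["From"]);
}
```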
CI is red because of #11622 for your info
Thanks :-)
Why these 2 exceptions?
They require other C functions to be exposed in rust, such as
flow_flags, | ||
buffer, | ||
buffer_len, | ||
"From\0".as_ptr() as *const c_char, |
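Review bot: the `"From\0".as_ptr() as *const c_char` argument depends on a hand-typed NUL terminator inside the literal; if the `\0` is dropped when this call is copied for another header, the C side will read past the end of the name. Consider defining each buffer name once as a NUL-terminated constant and passing that, so the terminator is stated in one place and the cast is not repeated at every call site.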
Cannot we use a Rust string or slice instead of going to a c_char pointer?
The compiler complains about that:
extern fn uses type `str`, which is not FFI-safe
Same for string.
@@ -292,7 +311,7 @@ mod tests { | |||
assert_eq!(req.method, "REGISTER"); | |||
assert_eq!(req.path, "sip:sip.cybercity.dk"); | |||
assert_eq!(req.version, "SIP/2.0"); | |||
assert_eq!(req.headers["Content-Length"], "0"); | |||
assert_eq!(req.headers["Content-Length"].first().unwrap(), "0"); |
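Review bot: the new assertion on `req.headers["Content-Length"]` checks only `.first()`, so it would still pass if the parser stored extra or duplicated values for a header that appears once in the request. Comparing the whole list, or also asserting that its length is 1, would pin the behaviour down. Nothing in the visible test lines exercises a repeated header or a compact-form name either, which are the two cases the multi-value map was introduced for.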
Could we have a test with a header having multiple values?
Looks really nice :-) Could you rebase it to get green CI?
I love this.
Just some nits, and mostly a rebase to get green CI
Replaced with #11672
Make sure these boxes are signed before submitting your Pull Request -- thank you.
https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html
https://suricata.io/about/contribution-agreement/ (note: this is only required once)
https://redmine.openinfosecfoundation.org/projects/suricata/issues
(if applicable)
Link to ticket:
https://redmine.openinfosecfoundation.org/issues/6374
https://redmine.openinfosecfoundation.org/issues/7204
Describe changes:
`sip.method` and `sip.uri`
Note: `sip.method` and `sip.uri` require other C functions to be exposed in rust in order to be rewritten. I can address this in a follow-up PR, I just need some time to review it.
SV_BRANCH=OISF/suricata-verify#2005