Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rust/sip: register parser for tcp v5 #9321

Closed
wants to merge 6 commits into from
Closed

rust/sip: register parser for tcp v5 #9321

wants to merge 6 commits into from

Conversation

glongo
Copy link
Contributor

@glongo glongo commented Aug 1, 2023
edited by jufajardini

Make sure these boxes are signed before submitting your Pull Request -- thank you.

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/3351

Previous PR: #8897

Describe changes:

  • Commit splitted and comments in previous pr addressed.

suricata-verify-pr: 1341

SV_BRANCH=OISF/suricata-verify#1341

@glongo
sip/parser: accept valid chars
2ff6cbe 
Accepts valid characters as defined in RFC3261.
@glongo
rust/sip: register parser for sip
34bdcfa 
This patch lets the parser to work over tcp protocol, taking care of handling
data before calling the request/response parsers.
@glongo
rust/sip: add direction to transaction
f7acf73 
This patch permits to set a direction when a new transaction is created in order
to avoid 'signature shadowing' as reported by Eric Leblond in commit
5aaf507
@glongo
eve/schema: add sip_tcp
ae800db
@glongo
output-json/sip: register logger for tcp
b624d2e 
This permits to log sip messages over tcp.
@glongo
suricata.yaml: define SIP_PORTS
af2fef8
@glongo glongo requested review from jasonish, victorjulien and a team as code owners August 1, 2023 20:01
This was referenced Aug 1, 2023
Closed
Closed
@jasonish jasonish self-assigned this Aug 3, 2023
@jufajardini
Copy link
Contributor

editted PR description to use new SV PR picking style, as I wasn't sure the old style still works. Re-triggered build tests, too.

@codecov
Copy link

codecov bot commented Aug 8, 2023
edited

Codecov Report

Merging #9321 (af2fef8) into master (26130d9) will decrease coverage by 0.01%.
Report is 20 commits behind head on master.
The diff coverage is 76.39%.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #9321      +/-   ##
==========================================
- Coverage   82.41%   82.41%   -0.01%     
==========================================
  Files         968      968              
  Lines      274055   274198     +143     
==========================================
+ Hits       225874   225971      +97     
- Misses      48181    48227      +46
Flag Coverage Δ
fuzzcorpus 64.66% <22.98%> (-0.03%) ⬇️
suricata-verify 60.86% <76.39%> (-0.01%) ⬇️
unittests 62.90% <9.31%> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@jasonish
Copy link
Member

jasonish commented Aug 8, 2023

suricata-verify-pr: 1341

Yeah, that style doesn't work anymore.

jasonish
jasonish reviewed Aug 14, 2023
View reviewed changes
rust/src/sip/sip.rs
Comment on lines +200 to +202
if let Ok((_, resp_line)) = sip_take_line(input) {
tx.response_line = resp_line;
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know this isn't new, just a refactor. But should we be creating an empty transaction of sip_take_line fails?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If sip_parse_request is succeeded, sip_take_line shouldn't fail because the whole request is parsed before.

jasonish
jasonish reviewed Aug 14, 2023
View reviewed changes
suricata.yaml.in
@@ -50,7 +50,7 @@ vars:
GENEVE_PORTS: 6081
VXLAN_PORTS: 4789
TEREDO_PORTS: 3544

SIP_PORTS: "[5060, 5061]"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Empty line is lost here, can you please add back.

jasonish
jasonish reviewed Aug 14, 2023
View reviewed changes
rust/src/sip/sip.rs
Comment on lines +396 to +402
pub unsafe extern "C" fn rs_sip_probing_parser_tcp_ts(
_flow: *const Flow,
_direction: u8,
input: *const u8,
input_len: u32,
_rdir: *mut u8,
) -> AppProto {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't our formatting for new rust code. Would you be willing to rustfmt the whole SIP module, commit, then apply your changes letting rustfmt do its thing? I think the module is small enough to do a one-shot rustfmt on it, then apply your changes.

jasonish
jasonish requested changes Aug 14, 2023
View reviewed changes
Copy link
Member

@jasonish jasonish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the pull request @glongo. Could you please address a few minor things:

  • rebase
  • formatting

The S-V test appears to be a crafted pcap right? Once rebased, I can test on some live TCP SIP traffic.

@glongo
Copy link
Contributor Author

glongo commented Aug 15, 2023
edited by catenacyber

Replaced by #9387

@glongo glongo closed this Aug 15, 2023
@glongo glongo deleted the dev-sip-tcp-v5 branch February 28, 2024 14:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasonish jasonish jasonish requested changes

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

Assignees

@jasonish jasonish

Labels
None yet
Milestone
No milestone
3 participants
@glongo @jufajardini @jasonish