--- /dev/null
+sip.pcap: sip-pattern-matching.syn
+ flowsynth.py -f pcap -w $@ $^
+
--- /dev/null
+# Test Purpose
+
+Test that SIP/TCP is detected with pattern matching.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
--- /dev/null
+flow default udp 1.1.1.1:5555 > 2.2.2.2:5062;
+default > (content:"REGISTER sip:sip.cybercity.dk SIP/2.0\x0d
+Via: SIP/2.0/UDP 192.168.1.2;branch=z9hG4bKnp151248737-46ea715e192.168.1.2;rport\x0d
+From: <sip:voi18063@sip.cybercity.dk>;tag=903df0a\x0d
+To: <sip:voi18063@sip.cybercity.dk>\x0d
+Call-ID: 578222729-4665d775@578222732-4665d772\x0d
+Contact: <sip:voi18063@192.168.1.2:5060;line=9c7d2dbd8822013c>;expires=1200;q=0.500\x0d
+Expires: 1200\x0d
+CSeq: 68 REGISTER\x0d
+Content-Length: 0\x0d
+Max-Forwards: 70\x0d
+User-Agent: Nero SIPPS IP Phone Version 2.0.51.16\x0d\x0a\x0d\x0a";);
+default < (content:"SIP/2.0 401 Unauthorized\x0d
+Call-ID: 578222729-4665d775@578222732-4665d772\x0d
+CSeq: 68 REGISTER\x0d
+From: <sip:voi18063@sip.cybercity.dk>;tag=903df0a\x0d
+To: <sip:voi18063@sip.cybercity.dk>;tag=00-04092-1701af62-120c67172\x0d
+Via: SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5060;branch=z9hG4bKnp151248737-46ea715e192.168.1.2\x0d
+WWW-Authenticate: Digest realm=\"sip.cybercity.dk\",nonce=\"1701af566be182070084c6f740706bb\",opaque=\"1701a1351f70795\",stale=false,algorithm=MD5\x0d
+Content-Length: 0\x0d\x0a\x0d\x0a";);
+
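Review bot: The flow on the first line of this file is `udp`, yet the README added just before it says `Test that SIP/TCP is detected with pattern matching.`, so the two files in the same directory disagree about what transport this test covers. The README line should read `Test that SIP/UDP is detected with pattern matching.`; the only difference from the TCP variant later in this commit is the transport, so the wording matters for anyone picking which test to extend. The Via headers in both messages advertise `SIP/2.0/UDP`, which is at least consistent with the UDP flow here.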
--- /dev/null
+checks:
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: sip
+ sip.method: "REGISTER"
+ sip.uri: "sip:sip.cybercity.dk"
+ sip.version: "SIP/2.0"
+ sip.request_line: "REGISTER sip:sip.cybercity.dk SIP/2.0"
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: sip
+ sip.version: "SIP/2.0"
+ sip.code: "401"
+ sip.reason: "Unauthorized"
+ sip.response_line: "SIP/2.0 401 Unauthorized"
--- /dev/null
+Match on SIP frames.
--- /dev/null
+alert sip any any -> any any (flow:to_server; frame:pdu; content:"REGISTER"; startswith; sid:2;)
+alert sip any any -> any any (flow:to_client; frame:pdu; content:"SIP/2.0 200 OK|0D 0A|"; startswith; sid:11;)
+
+alert sip any any -> any any (flow:to_server; frame:request.line; content:"REGISTER"; startswith; sid:21;)
+alert sip any any -> any any (flow:to_server; frame:request.line; content:"SIP/2.0|0D 0A|"; endswith; sid:22;)
+
+alert sip any any -> any any (flow:to_server; frame:request.headers; content:"Via:"; startswith; sid:31;)
+alert sip any any -> any any (flow:to_server; frame:request.headers; content:"Via:"; startswith; content:"0|0d 0a|"; endswith; sid:32;)
+
+alert sip any any -> any any (flow:to_client; frame:response.headers; content:"Via:"; startswith; sid:41;)
+alert sip any any -> any any (flow:to_client; frame:response.headers; content:"Via:"; startswith; content:"Content-Length: 0|0d 0a|"; endswith; sid:42;)
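Review bot: Rules `sid:11` (frame:pdu, 200 OK) and `sid:21` (frame:request.line, REGISTER) are defined here but the test.yaml that follows only asserts signature ids 2, 22, 31, 32, 41 and 42, so those two rules could silently stop matching without the test noticing. Either add a `- filter:` with `alert.signature_id: 11` and another with `alert.signature_id: 21` like the others, or add an aggregate filter on `event_type: alert` with `count: 8` (one alert per rule, assuming each fires exactly once) so any rule that drops out or fires twice is caught. The same missing aggregate count applies to the sip-tcp-protocol test.yaml later in this commit, which checks `count: 2` on alerts and so is already covered; the other single-rule tests are fine as written.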
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+pcap: ../sip-tcp-method/sip-tcp.pcap
+
+checks:
+ - filter:
+ min-version: 8
+ count: 2
+ match:
+ proto: TCP
+ event_type: sip
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 22
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 31
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 32
+ frame.type: "request.headers"
+ frame.complete: true
+ frame.length: 532
+ frame.direction: toserver
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 41
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 42
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.sip_tcp: 2
+ stats.app_layer.flow.sip_tcp: 1
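Review bot: `frame.length: 532` is a bare magic number; a reader cannot tell whether it is the whole request, the headers, or something else without reconstructing the client in this commit. From the client's byte arrays (400 bytes in `msg1` plus 185 in `msg2` = 585, a 51-byte request line including CRLF, and the terminating empty line) it appears to be the headers block excluding the final CRLF, so I'd annotate it as `frame.length: 532  # 585-byte REGISTER minus the 51-byte request line and the trailing CRLF` — please double-check my arithmetic against the pcap. Note this test pins `min-version: 8` in `requires:` but omits the `--set app-layer.protocols.sip.enabled=yes` argument that the sip-tcp-method test.yaml passes; if the default already enables SIP in 8 that is harmless, but the two should agree.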
--- /dev/null
+Match on SIP over TCP method field.
--- /dev/null
+#include <arpa/inet.h> // inet_addr()
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <strings.h> // bzero()
+#include <sys/socket.h>
+#include <unistd.h> // read(), write(), close()
+#define MAX 1024
+#define PORT 5060
+#define SA struct sockaddr
+
+void func(int sockfd)
+{
+ char msg1[] = {
+ 0x52, 0x45, 0x47, 0x49, 0x53, 0x54, 0x45, 0x52,
+ 0x20, 0x73, 0x69, 0x70, 0x3a, 0x31, 0x39, 0x32,
+ 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e,
+ 0x31, 0x30, 0x30, 0x3b, 0x74, 0x72, 0x61, 0x6e,
+ 0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d, 0x54, 0x43,
+ 0x50, 0x20, 0x53, 0x49, 0x50, 0x2f, 0x32, 0x2e,
+ 0x30, 0x0d, 0x0a, 0x56, 0x69, 0x61, 0x3a, 0x20,
+ 0x53, 0x49, 0x50, 0x2f, 0x32, 0x2e, 0x30, 0x2f,
+ 0x54, 0x43, 0x50, 0x20, 0x31, 0x39, 0x32, 0x2e,
+ 0x31, 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e, 0x31,
+ 0x3a, 0x34, 0x38, 0x33, 0x37, 0x36, 0x3b, 0x62,
+ 0x72, 0x61, 0x6e, 0x63, 0x68, 0x3d, 0x7a, 0x39,
+ 0x68, 0x47, 0x34, 0x62, 0x4b, 0x2d, 0x35, 0x32,
+ 0x34, 0x32, 0x38, 0x37, 0x2d, 0x31, 0x2d, 0x2d,
+ 0x2d, 0x64, 0x63, 0x66, 0x34, 0x65, 0x64, 0x64,
+ 0x66, 0x61, 0x66, 0x39, 0x66, 0x31, 0x32, 0x33,
+ 0x39, 0x3b, 0x72, 0x70, 0x6f, 0x72, 0x74, 0x0d,
+ 0x0a, 0x4d, 0x61, 0x78, 0x2d, 0x46, 0x6f, 0x72,
+ 0x77, 0x61, 0x72, 0x64, 0x73, 0x3a, 0x20, 0x37,
+ 0x30, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x61,
+ 0x63, 0x74, 0x3a, 0x20, 0x3c, 0x73, 0x69, 0x70,
+ 0x3a, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x40,
+ 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e,
+ 0x34, 0x33, 0x2e, 0x31, 0x3a, 0x34, 0x38, 0x33,
+ 0x37, 0x36, 0x3b, 0x72, 0x69, 0x6e, 0x73, 0x74,
+ 0x61, 0x6e, 0x63, 0x65, 0x3d, 0x62, 0x65, 0x32,
+ 0x65, 0x63, 0x39, 0x38, 0x64, 0x30, 0x66, 0x34,
+ 0x33, 0x65, 0x37, 0x30, 0x63, 0x3b, 0x74, 0x72,
+ 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d,
+ 0x74, 0x63, 0x70, 0x3e, 0x0d, 0x0a, 0x54, 0x6f,
+ 0x3a, 0x20, 0x3c, 0x73, 0x69, 0x70, 0x3a, 0x39,
+ 0x38, 0x37, 0x36, 0x35, 0x34, 0x40, 0x31, 0x39,
+ 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x34, 0x33,
+ 0x2e, 0x31, 0x30, 0x30, 0x3b, 0x74, 0x72, 0x61,
+ 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d, 0x54,
+ 0x43, 0x50, 0x3e, 0x0d, 0x0a, 0x46, 0x72, 0x6f,
+ 0x6d, 0x3a, 0x20, 0x3c, 0x73, 0x69, 0x70, 0x3a,
+ 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x40, 0x31,
+ 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x34,
+ 0x33, 0x2e, 0x31, 0x30, 0x30, 0x3b, 0x74, 0x72,
+ 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d,
+ 0x54, 0x43, 0x50, 0x3e, 0x3b, 0x74, 0x61, 0x67,
+ 0x3d, 0x39, 0x62, 0x39, 0x39, 0x31, 0x36, 0x37,
+ 0x66, 0x0d, 0x0a, 0x43, 0x61, 0x6c, 0x6c, 0x2d,
+ 0x49, 0x44, 0x3a, 0x20, 0x38, 0x4f, 0x6d, 0x74,
+ 0x59, 0x55, 0x55, 0x38, 0x45, 0x64, 0x6c, 0x61,
+ 0x66, 0x55, 0x68, 0x34, 0x67, 0x34, 0x6a, 0x69,
+ 0x41, 0x77, 0x2e, 0x2e, 0x0d, 0x0a, 0x43, 0x53,
+ 0x65, 0x71, 0x3a, 0x20, 0x31, 0x20, 0x52, 0x45,
+ 0x47, 0x49, 0x53, 0x54, 0x45, 0x52, 0x0d, 0x0a
+ };
+
+ char msg2[] = {
+ 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x3a,
+ 0x20, 0x36, 0x30, 0x30, 0x0d, 0x0a, 0x41, 0x6c,
+ 0x6c, 0x6f, 0x77, 0x3a, 0x20, 0x49, 0x4e, 0x56,
+ 0x49, 0x54, 0x45, 0x2c, 0x20, 0x41, 0x43, 0x4b,
+ 0x2c, 0x20, 0x43, 0x41, 0x4e, 0x43, 0x45, 0x4c,
+ 0x2c, 0x20, 0x42, 0x59, 0x45, 0x2c, 0x20, 0x4e,
+ 0x4f, 0x54, 0x49, 0x46, 0x59, 0x2c, 0x20, 0x52,
+ 0x45, 0x46, 0x45, 0x52, 0x2c, 0x20, 0x4d, 0x45,
+ 0x53, 0x53, 0x41, 0x47, 0x45, 0x2c, 0x20, 0x4f,
+ 0x50, 0x54, 0x49, 0x4f, 0x4e, 0x53, 0x2c, 0x20,
+ 0x49, 0x4e, 0x46, 0x4f, 0x2c, 0x20, 0x53, 0x55,
+ 0x42, 0x53, 0x43, 0x52, 0x49, 0x42, 0x45, 0x0d,
+ 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67,
+ 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x5a, 0x6f, 0x69,
+ 0x70, 0x65, 0x72, 0x20, 0x72, 0x76, 0x32, 0x2e,
+ 0x31, 0x30, 0x2e, 0x33, 0x2e, 0x32, 0x0d, 0x0a,
+ 0x41, 0x6c, 0x6c, 0x6f, 0x77, 0x2d, 0x45, 0x76,
+ 0x65, 0x6e, 0x74, 0x73, 0x3a, 0x20, 0x70, 0x72,
+ 0x65, 0x73, 0x65, 0x6e, 0x63, 0x65, 0x2c, 0x20,
+ 0x6b, 0x70, 0x6d, 0x6c, 0x2c, 0x20, 0x74, 0x61,
+ 0x6c, 0x6b, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74,
+ 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67,
+ 0x74, 0x68, 0x3a, 0x20, 0x30, 0x0d, 0x0a, 0x0d,
+ 0x0a
+ };
+
+ char buff[MAX];
+
+ write(sockfd, msg1, sizeof(msg1));
+ write(sockfd, msg2, sizeof(msg2));
+ bzero(buff, sizeof(buff));
+ read(sockfd, buff, sizeof(buff));
+
+}
+
+int main()
+{
+ int sockfd, connfd;
+ struct sockaddr_in servaddr, cli;
+
+ // socket create and verification
+ sockfd = socket(AF_INET, SOCK_STREAM, 0);
+ if (sockfd == -1) {
+ printf("socket creation failed...\n");
+ exit(0);
+ }
+ else
+ printf("Socket successfully created..\n");
+ bzero(&servaddr, sizeof(servaddr));
+
+ // assign IP, PORT
+ servaddr.sin_family = AF_INET;
+ servaddr.sin_addr.s_addr = inet_addr("127.0.0.1");
+ servaddr.sin_port = htons(PORT);
+
+ // connect the client socket to server socket
+ if (connect(sockfd, (SA*)&servaddr, sizeof(servaddr))
+ != 0) {
+ printf("connection with the server failed...\n");
+ exit(0);
+ }
+ else
+ printf("connected to the server..\n");
+
+ func(sockfd);
+
+ close(sockfd);
+}
+
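Review bot: Every failure path in `main` calls `exit(0)`, so a script regenerating `sip-tcp.pcap` cannot tell a failed connect from success; change those three calls to `exit(EXIT_FAILURE);` and add `return 0;` at the end of `main`. In `func` the two `write()` results are discarded: a short write would put a truncated REGISTER on the wire and the captured pcap would silently diverge from the 532-byte header frame the test asserts, so guard each one, e.g. `if (write(sockfd, msg1, sizeof msg1) != (ssize_t)sizeof msg1) { perror("write"); exit(EXIT_FAILURE); }`. The split into `msg1`/`msg2` and the trailing `read()` look deliberate (two segments for the parser to reassemble, then wait for the 200 OK before closing) but nothing says so; a comment such as `/* REGISTER is sent in two segments on purpose; the read blocks until the 200 OK is on the wire */` would keep a future cleanup from merging them. `connfd` and `cli` in `main` are unused and can go.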
--- /dev/null
+#include <stdio.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <unistd.h> // read(), write(), close()
+#define MAX 1024
+#define PORT 5060
+#define SA struct sockaddr
+
+void func(int connfd)
+{
+ char msg[] = {
+ 0x53, 0x49, 0x50, 0x2f, 0x32, 0x2e, 0x30, 0x20,
+ 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, 0x0a,
+ 0x56, 0x69, 0x61, 0x3a, 0x20, 0x53, 0x49, 0x50,
+ 0x2f, 0x32, 0x2e, 0x30, 0x2f, 0x54, 0x43, 0x50,
+ 0x20, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38,
+ 0x2e, 0x34, 0x33, 0x2e, 0x31, 0x3a, 0x34, 0x38,
+ 0x33, 0x37, 0x36, 0x3b, 0x62, 0x72, 0x61, 0x6e,
+ 0x63, 0x68, 0x3d, 0x7a, 0x39, 0x68, 0x47, 0x34,
+ 0x62, 0x4b, 0x2d, 0x35, 0x32, 0x34, 0x32, 0x38,
+ 0x37, 0x2d, 0x31, 0x2d, 0x2d, 0x2d, 0x64, 0x63,
+ 0x66, 0x34, 0x65, 0x64, 0x64, 0x66, 0x61, 0x66,
+ 0x39, 0x66, 0x31, 0x32, 0x33, 0x39, 0x3b, 0x72,
+ 0x70, 0x6f, 0x72, 0x74, 0x3d, 0x34, 0x33, 0x31,
+ 0x36, 0x38, 0x3b, 0x72, 0x65, 0x63, 0x65, 0x69,
+ 0x76, 0x65, 0x64, 0x3d, 0x31, 0x39, 0x32, 0x2e,
+ 0x31, 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e, 0x31,
+ 0x0d, 0x0a, 0x54, 0x6f, 0x3a, 0x20, 0x3c, 0x73,
+ 0x69, 0x70, 0x3a, 0x39, 0x38, 0x37, 0x36, 0x35,
+ 0x34, 0x40, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36,
+ 0x38, 0x2e, 0x34, 0x33, 0x2e, 0x31, 0x30, 0x30,
+ 0x3b, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f,
+ 0x72, 0x74, 0x3d, 0x54, 0x43, 0x50, 0x3e, 0x3b,
+ 0x74, 0x61, 0x67, 0x3d, 0x39, 0x64, 0x64, 0x36,
+ 0x31, 0x66, 0x66, 0x36, 0x31, 0x65, 0x38, 0x30,
+ 0x32, 0x64, 0x38, 0x65, 0x32, 0x62, 0x65, 0x66,
+ 0x35, 0x66, 0x31, 0x34, 0x36, 0x32, 0x31, 0x65,
+ 0x66, 0x33, 0x63, 0x32, 0x2e, 0x35, 0x63, 0x31,
+ 0x62, 0x0d, 0x0a, 0x46, 0x72, 0x6f, 0x6d, 0x3a,
+ 0x20, 0x3c, 0x73, 0x69, 0x70, 0x3a, 0x39, 0x38,
+ 0x37, 0x36, 0x35, 0x34, 0x40, 0x31, 0x39, 0x32,
+ 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e,
+ 0x31, 0x30, 0x30, 0x3b, 0x74, 0x72, 0x61, 0x6e,
+ 0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d, 0x54, 0x43,
+ 0x50, 0x3e, 0x3b, 0x74, 0x61, 0x67, 0x3d, 0x39,
+ 0x62, 0x39, 0x39, 0x31, 0x36, 0x37, 0x66, 0x0d,
+ 0x0a, 0x43, 0x61, 0x6c, 0x6c, 0x2d, 0x49, 0x44,
+ 0x3a, 0x20, 0x38, 0x4f, 0x6d, 0x74, 0x59, 0x55,
+ 0x55, 0x38, 0x45, 0x64, 0x6c, 0x61, 0x66, 0x55,
+ 0x68, 0x34, 0x67, 0x34, 0x6a, 0x69, 0x41, 0x77,
+ 0x2e, 0x2e, 0x0d, 0x0a, 0x43, 0x53, 0x65, 0x71,
+ 0x3a, 0x20, 0x31, 0x20, 0x52, 0x45, 0x47, 0x49,
+ 0x53, 0x54, 0x45, 0x52, 0x0d, 0x0a, 0x43, 0x6f,
+ 0x6e, 0x74, 0x61, 0x63, 0x74, 0x3a, 0x20, 0x3c,
+ 0x73, 0x69, 0x70, 0x3a, 0x39, 0x38, 0x37, 0x36,
+ 0x35, 0x34, 0x40, 0x31, 0x39, 0x32, 0x2e, 0x31,
+ 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e, 0x31, 0x3a,
+ 0x34, 0x38, 0x33, 0x37, 0x36, 0x3b, 0x72, 0x69,
+ 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x3d,
+ 0x62, 0x65, 0x32, 0x65, 0x63, 0x39, 0x38, 0x64,
+ 0x30, 0x66, 0x34, 0x33, 0x65, 0x37, 0x30, 0x63,
+ 0x3b, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f,
+ 0x72, 0x74, 0x3d, 0x74, 0x63, 0x70, 0x3e, 0x3b,
+ 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x3d,
+ 0x36, 0x30, 0x30, 0x0d, 0x0a, 0x53, 0x65, 0x72,
+ 0x76, 0x65, 0x72, 0x3a, 0x20, 0x6b, 0x61, 0x6d,
+ 0x61, 0x69, 0x6c, 0x69, 0x6f, 0x20, 0x28, 0x35,
+ 0x2e, 0x32, 0x2e, 0x31, 0x20, 0x28, 0x78, 0x38,
+ 0x36, 0x5f, 0x36, 0x34, 0x2f, 0x6c, 0x69, 0x6e,
+ 0x75, 0x78, 0x29, 0x29, 0x0d, 0x0a, 0x43, 0x6f,
+ 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65,
+ 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x30, 0x0d,
+ 0x0a, 0x0d, 0x0a
+ };
+
+ char buff[MAX];
+
+ bzero(buff, sizeof(buff));
+ read(connfd, buff, sizeof(buff));
+ read(connfd, buff, sizeof(buff));
+ write(connfd, msg, sizeof(msg));
+}
+
+int main()
+{
+ int sockfd, connfd, len;
+ struct sockaddr_in servaddr, cli;
+
+ sockfd = socket(AF_INET, SOCK_STREAM, 0);
+ if (sockfd == -1) {
+ printf("socket creation failed...\n");
+ exit(0);
+ }
+ else
+ printf("Socket successfully created..\n");
+ bzero(&servaddr, sizeof(servaddr));
+
+ // assign IP, PORT
+ servaddr.sin_family = AF_INET;
+ servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
+ servaddr.sin_port = htons(PORT);
+
+ // Binding newly created socket to given IP and verification
+ if ((bind(sockfd, (SA*)&servaddr, sizeof(servaddr))) != 0) {
+ printf("socket bind failed...\n");
+ exit(0);
+ }
+ else
+ printf("Socket successfully binded..\n");
+
+ // Now server is ready to listen and verification
+ if ((listen(sockfd, 5)) != 0) {
+ printf("Listen failed...\n");
+ exit(0);
+ }
+ else
+ printf("Server listening..\n");
+ len = sizeof(cli);
+
+ // Accept the data packet from client and verification
+ connfd = accept(sockfd, (SA*)&cli, &len);
+ if (connfd < 0) {
+ printf("server accept failed...\n");
+ exit(0);
+ }
+ else
+ printf("server accept the client...\n");
+
+ // Function for chatting between client and server
+ //func(connfd);
+ func(connfd);
+
+ // After chatting close the socket
+ close(sockfd);
+}
+
--- /dev/null
+alert sip any any -> any any (flow:to_server; sip.method; content:"REGISTER"; sid:1;)
--- /dev/null
+requires:
+ min-version: 6
+
+args:
+ - -k none
+ - --set app-layer.protocols.sip.enabled=yes
+
+pcap: sip-tcp.pcap
+
+checks:
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ min-version: 8
+ count: 2
+ match:
+ proto: TCP
+ event_type: sip
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.sip_tcp: 2
+ stats.app_layer.flow.sip_tcp: 1
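Review bot: `requires: min-version: 6` lets this test run on Suricata 6 and 7, but every check is gated on `min-version: 8` and the `sip_tcp` stats counters only exist there, so on older versions the test executes with zero assertions and passes vacuously — presumably not the intent for a SIP-over-TCP test. Unless the harness rejects a run with no applicable checks, change it to `min-version: 8` as the sip-tcp-frames test.yaml in this commit already does. The same `min-version: 6` versus all-checks-at-8 pattern repeats in the sip-tcp-pattern-matching, sip-tcp-protocol, sip-tcp-request-line, sip-tcp-response-line, sip-tcp-stat-code, sip-tcp-stat-msg and sip-tcp-uri test.yaml sections that follow.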
--- /dev/null
+sip.pcap: sip-tcp-pattern-matching.syn
+ flowsynth.py -f pcap -w $@ $^
+
--- /dev/null
+# Test Purpose
+
+Test that SIP/TCP is detected with pattern matching.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
--- /dev/null
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:5062 (tcp.initialize; mss:9000;);
+default > (content:"REGISTER sip:sip.cybercity.dk SIP/2.0\x0d
+Via: SIP/2.0/UDP 192.168.1.2;branch=z9hG4bKnp151248737-46ea715e192.168.1.2;rport\x0d
+From: <sip:voi18063@sip.cybercity.dk>;tag=903df0a\x0d
+To: <sip:voi18063@sip.cybercity.dk>\x0d
+Call-ID: 578222729-4665d775@578222732-4665d772\x0d
+Contact: <sip:voi18063@192.168.1.2:5060;line=9c7d2dbd8822013c>;expires=1200;q=0.500\x0d
+Expires: 1200\x0d
+CSeq: 68 REGISTER\x0d
+Content-Length: 0\x0d
+Max-Forwards: 70\x0d
+User-Agent: Nero SIPPS IP Phone Version 2.0.51.16\x0d\x0a\x0d\x0a";);
+default < (content:"SIP/2.0 401 Unauthorized\x0d
+Call-ID: 578222729-4665d775@578222732-4665d772\x0d
+CSeq: 68 REGISTER\x0d
+From: <sip:voi18063@sip.cybercity.dk>;tag=903df0a\x0d
+To: <sip:voi18063@sip.cybercity.dk>;tag=00-04092-1701af62-120c67172\x0d
+Via: SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5060;branch=z9hG4bKnp151248737-46ea715e192.168.1.2\x0d
+WWW-Authenticate: Digest realm=\"sip.cybercity.dk\",nonce=\"1701af566be182070084c6f740706bb\",opaque=\"1701a1351f70795\",stale=false,algorithm=MD5\x0d
+Content-Length: 0\x0d\x0a\x0d\x0a";);
+
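Review bot: The flow is TCP but both Via headers still say `SIP/2.0/UDP` (and the reply's `rport=5060;received=` values describe a UDP exchange), because the message bodies were copied unchanged from the UDP variant earlier in this commit. No check asserts the Via contents, so the test still passes, but anyone reading the pcap in a dissector will see a transport mismatch; `Via: SIP/2.0/TCP` would make the fixture self-consistent. Also note that, unlike the C-generated `sip-tcp.pcap`, this request is sent in one segment (the `mss:9000` on the flow line presumably ensures that), so this test does not exercise reassembly across segments.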
--- /dev/null
+requires:
+ min-version: 6
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ proto: TCP
+ event_type: sip
+ sip.method: "REGISTER"
+ sip.uri: "sip:sip.cybercity.dk"
+ sip.version: "SIP/2.0"
+ sip.request_line: "REGISTER sip:sip.cybercity.dk SIP/2.0"
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ proto: TCP
+ event_type: sip
+ sip.version: "SIP/2.0"
+ sip.code: "401"
+ sip.reason: "Unauthorized"
+ sip.response_line: "SIP/2.0 401 Unauthorized"
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.sip_tcp: 2
+ stats.app_layer.flow.sip_tcp: 1
--- /dev/null
+Match on SIP version field.
--- /dev/null
+alert sip any any -> any any (flow:to_server; sip.protocol; content:"SIP/2.0"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.protocol; content:"SIP/2.0"; sid:2;)
--- /dev/null
+requires:
+ min-version: 6
+
+args:
+ - -k none
+ - --set app-layer.protocols.sip.enabled=yes
+
+pcap: ../sip-tcp-method/sip-tcp.pcap
+
+checks:
+ - filter:
+ min-version: 8
+ count: 2
+ match:
+ event_type: alert
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ min-version: 8
+ count: 2
+ match:
+ proto: TCP
+ event_type: sip
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.sip_tcp: 2
+ stats.app_layer.flow.sip_tcp: 1
--- /dev/null
+Match on the whole SIP request line.
--- /dev/null
+alert sip any any -> any any (flow:to_server; sip.request_line; content:"REGISTER sip:192.168.43.100\;transport=TCP SIP/2.0"; sid:1;)
--- /dev/null
+requires:
+ min-version: 6
+
+args:
+ - -k none
+ - --set app-layer.protocols.sip.enabled=yes
+
+pcap: ../sip-tcp-method/sip-tcp.pcap
+
+checks:
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ min-version: 8
+ count: 2
+ match:
+ proto: TCP
+ event_type: sip
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.sip_tcp: 2
+ stats.app_layer.flow.sip_tcp: 1
--- /dev/null
+Match on the whole SIP response line.
--- /dev/null
+alert sip any any -> any any (flow:to_client; sip.response_line; content:"SIP/2.0 200 OK"; sid:1;)
--- /dev/null
+requires:
+ min-version: 6
+
+args:
+ - -k none
+ - --set app-layer.protocols.sip.enabled=yes
+
+pcap: ../sip-tcp-method/sip-tcp.pcap
+
+checks:
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ min-version: 8
+ count: 2
+ match:
+ proto: TCP
+ event_type: sip
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.sip_tcp: 2
+ stats.app_layer.flow.sip_tcp: 1
--- /dev/null
+Match on SIP stat code field.
--- /dev/null
+alert sip any any -> any any (flow:to_client; sip.stat_code; content:"200"; sid:1;)
--- /dev/null
+requires:
+ min-version: 6
+
+args:
+ - -k none
+ - --set app-layer.protocols.sip.enabled=yes
+
+pcap: ../sip-tcp-method/sip-tcp.pcap
+
+checks:
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ min-version: 8
+ count: 2
+ match:
+ proto: TCP
+ event_type: sip
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.sip_tcp: 2
+ stats.app_layer.flow.sip_tcp: 1
--- /dev/null
+Match on SIP stat msg field.
--- /dev/null
+alert sip any any -> any any (flow:to_client; sip.stat_msg; content:"OK"; sid:1;)
--- /dev/null
+requires:
+ min-version: 6
+
+args:
+ - -k none
+ - --set app-layer.protocols.sip.enabled=yes
+
+pcap: ../sip-tcp-method/sip-tcp.pcap
+
+checks:
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ min-version: 8
+ count: 2
+ match:
+ proto: TCP
+ event_type: sip
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.sip_tcp: 2
+ stats.app_layer.flow.sip_tcp: 1
--- /dev/null
+Match on SIP URI field.
--- /dev/null
+alert sip any any -> any any (flow:to_server; sip.uri; content:"sip:192.168.43.100\;transport=TCP"; sid:1;)
--- /dev/null
+requires:
+ min-version: 6
+
+args:
+ - -k none
+ - --set app-layer.protocols.sip.enabled=yes
+
+pcap: ../sip-tcp-method/sip-tcp.pcap
+
+checks:
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ min-version: 8
+ count: 2
+ match:
+ proto: TCP
+ event_type: sip
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.sip_tcp: 2
+ stats.app_layer.flow.sip_tcp: 1