From: Philippe Antoine
Date: Tue, 29 Oct 2024 21:29:06 +0000 (+0100)
Subject: sip: remove UPDATE method for detection
X-Git-Tag: suricata-8.0.0-beta1~657
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=38d7900fa9b8ce1db4cd296412fcfec094ba4794;p=thirdparty%2Fsuricata.git
sip: remove UPDATE method for detection
As it is also used for HTTP/1 Remove it only for TCP and keep it for UDP.
Ticket: 7436
---
diff --git a/rust/src/sip/sip.rs b/rust/src/sip/sip.rs
index 1a73d4e46a..5f52e0c8db 100755
--- a/rust/src/sip/sip.rs
+++ b/rust/src/sip/sip.rs
@@ -496,7 +496,6 @@ fn register_pattern_probe(proto: u8) -> i8 {
 "ACK\0",
 "BYE\0",
 "CANCEL\0",
- "UPDATE\0",
 "REFER\0",
 "PRACK\0",
 "SUBSCRIBE\0",
@@ -526,6 +525,16 @@ fn register_pattern_probe(proto: u8) -> i8 {
 0,
 core::Direction::ToClient as u8,
 );
+ if proto == core::IPPROTO_UDP {
+ r |= AppLayerProtoDetectPMRegisterPatternCS(
+ proto,
+ ALPROTO_SIP,
+ "UPDATE\0".as_ptr() as *const std::os::raw::c_char,
+ "UPDATE".len() as u16,
+ 0,
+ core::Direction::ToServer as u8,
+ );
+ }
 }
 if r == 0 {
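Review bot: The added `if proto == core::IPPROTO_UDP` guard has no comment, so the reason UPDATE is registered apart from the method list lives only in the commit message; a later cleanup could fold it back into the list and bring back the TCP collision with HTTP/1, where a flow misdetected as SIP would presumably miss HTTP inspection. I would add above the guard `// UPDATE is also an HTTP/1 method: register it for UDP only so TCP flows are not misdetected as SIP (ticket 7436).` The depth is written as `"UPDATE".len() as u16` next to a separate `"UPDATE\0"` literal, so the two can drift apart; binding the literal once, e.g. `let update = "UPDATE\0";` with depth `(update.len() - 1) as u16`, keeps them tied. On TCP, a SIP flow that opens with UPDATE is no longer matched by a pattern and presumably depends on whatever probing fallback exists outside this hunk, which is worth pinning with a test. The enclosing function starts and ends outside the hunk.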