From 8f04776c66c0bd09c84e82c45fab76fcedbc9751 Mon Sep 17 00:00:00 2001 
From: Giuseppe Longo Date: Sun, 14 Apr 2024 14:07:10 +0200 Subject: [PATCH] sip: add tests for headers sticky buffers Ticket #6374 --- tests/sip-compact-form/Makefile | 2 ++ tests/sip-compact-form/README.md | 7 ++++ tests/sip-compact-form/sip_compact_form.pcap | Bin 0 -> 976 bytes tests/sip-compact-form/sip_compact_form.syn | 33 +++++++++++++++++ tests/sip-compact-form/test.rules | 6 ++++ tests/sip-compact-form/test.yaml | 34 ++++++++++++++++++ tests/sip-content-length/README.md | 1 + tests/sip-content-length/test.rules | 2 ++ tests/sip-content-length/test.yaml | 19 ++++++++++ tests/sip-content-type/README.md | 1 + tests/sip-content-type/test.rules | 2 ++ tests/sip-content-type/test.yaml | 19 ++++++++++ tests/sip-from/README.md | 1 + tests/sip-from/test.rules | 2 ++ tests/sip-from/test.yaml | 19 ++++++++++ tests/sip-header-multi-value/Makefile | 2 ++ tests/sip-header-multi-value/README.md | 7 ++++ .../sip_header_multi_val.pcap | Bin 0 -> 1010 bytes .../sip_header_multi_val.syn | 34 ++++++++++++++++++ tests/sip-header-multi-value/test.rules | 3 ++ tests/sip-header-multi-value/test.yaml | 14 ++++++++ tests/sip-to/README.md | 1 + tests/sip-to/test.rules | 2 ++ tests/sip-to/test.yaml | 19 ++++++++++ tests/sip-user-agent/README.md | 1 + tests/sip-user-agent/test.rules | 1 + tests/sip-user-agent/test.yaml | 14 ++++++++ tests/sip-via/README.md | 1 + tests/sip-via/test.rules | 2 ++ tests/sip-via/test.yaml | 19 ++++++++++ 30 files changed, 268 insertions(+) create mode 100644 tests/sip-compact-form/Makefile create mode 100644 tests/sip-compact-form/README.md create mode 100644 tests/sip-compact-form/sip_compact_form.pcap create mode 100644 tests/sip-compact-form/sip_compact_form.syn create mode 100644 tests/sip-compact-form/test.rules create mode 100644 tests/sip-compact-form/test.yaml create mode 100644 tests/sip-content-length/README.md create mode 100644 tests/sip-content-length/test.rules create mode 100644 tests/sip-content-length/test.yaml create mode 100644 
tests/sip-content-type/README.md create mode 100644 tests/sip-content-type/test.rules create mode 100644 tests/sip-content-type/test.yaml create mode 100644 tests/sip-from/README.md create mode 100644 tests/sip-from/test.rules create mode 100644 tests/sip-from/test.yaml create mode 100644 tests/sip-header-multi-value/Makefile create mode 100644 tests/sip-header-multi-value/README.md create mode 100644 tests/sip-header-multi-value/sip_header_multi_val.pcap create mode 100644 tests/sip-header-multi-value/sip_header_multi_val.syn create mode 100644 tests/sip-header-multi-value/test.rules create mode 100644 tests/sip-header-multi-value/test.yaml create mode 100644 tests/sip-to/README.md create mode 100644 tests/sip-to/test.rules create mode 100644 tests/sip-to/test.yaml create mode 100644 tests/sip-user-agent/README.md create mode 100644 tests/sip-user-agent/test.rules create mode 100644 tests/sip-user-agent/test.yaml create mode 100644 tests/sip-via/README.md create mode 100644 tests/sip-via/test.rules create mode 100644 tests/sip-via/test.yaml
diff --git a/tests/sip-compact-form/Makefile b/tests/sip-compact-form/Makefile
new file mode 100644
index 000000000..a646f1cde
--- /dev/null
+++ b/tests/sip-compact-form/Makefile
@@ -0,0 +1,2 @@
+sip_compact_form.pcap: sip_compact_form.syn
+ flowsynth.py -f pcap -w $@ $^
diff --git a/tests/sip-compact-form/README.md b/tests/sip-compact-form/README.md
new file mode 100644
index 000000000..1916fc171
--- /dev/null
+++ b/tests/sip-compact-form/README.md
@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that SIP headers with compact form are matched.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
diff --git a/tests/sip-compact-form/sip_compact_form.pcap b/tests/sip-compact-form/sip_compact_form.pcap new file mode 100644 index 0000000000000000000000000000000000000000..61ed2ff54c37d345ab273ad44ace4fc0aba587de GIT binary patch literal 976 zc-nnZO>fgc5KUWKYp7Z8cFyIwoCi>sz>3ZXQ$nzo`+FB@mmxJ}~i+G(o( z01j~D$c-CkIC6v|2M+uNen%PiORZEflI_*bo0<2X=g*I?pQlTAN|$kZS}IN9_xGd6 zy^nwImcGoC&Yt%>i+%gUldawFuioA(HA*v|3fRK^!?h`lX^e;89{iknM}IY2+s(}e zWQhv=8nb=o)d=ScM`@z0jvnui2f`Z39NNvO$}D0UN5SQ}y0shu^_fLo&!QF!9O9C> zjuxZ1AD;OAm%Ot&Qj~DtWnv-*PtyfYk~X=_nWRrM3$zuJJ@gYvQ=FlIn@jT^v;_CJhGZB)DK+ zhWgTK8J6m;rN)~wEbidVMq{P1QHJ$sv$@`Cm!Y-3*<9HvW5vq4Y2c3yu}d1BD=dtn z4t1TY6GI>h=WxTYtiVHz{+dP-wq38Y+BF!KF2D9H-(EN^fN2@HS$du-*<_ zjw=${#O9pYF7?4CoNs$?m3J9opIIenU G!~OyL9Rw%< literal 0 Hc-jL100001 diff --git a/tests/sip-compact-form/sip_compact_form.syn b/tests/sip-compact-form/sip_compact_form.syn new file mode 100644 index 000000000..836c048a1 --- /dev/null +++ b/tests/sip-compact-form/sip_compact_form.syn 
@@ -0,0 +1,33 @@
+flow default udp 1.1.1.1:5555 > 2.2.2.2:5060;
+default > (content:"INVITE sip:97239287044@voip.brujula.net SIP/2.0\x0d
+v: SIP/2.0/UDP 192.168.1.2:5060;branch=z9hG4bKnp104984053-44ce4a41192.168.1.2;rport\x0d
+f: \"arik\" ;tag=6433ef9\x0d
+t: \x0d
+Call-ID: 105090259-446faf7a@192.168.1.2\x0d
+CSeq: 1 INVITE\x0d
+User-Agent: Nero SIPPS IP Phone Version 2.0.51.16\x0d
+Expires: 120\x0d
+Accept: application/sdp\x0d
+c: application/sdp\x0d
+l: 272\x0d
+Contact: \x0d
+Max-Forwards: 70\x0d
+Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, INFO\x0d
+\x0d
+v=0\x0d
+o=SIPPS 105015165 105015162 IN IP4 192.168.1.2\x0d
+s=SIP call\x0d
+i=Session Description Protocol\x0d
+u=https://www.sdp.proto\x0d
+e=j.doe@example.com (Jane Doe)\x0d
+p=+1 617 555-6011 (Jane Doe)\x0d
+c=IN IP4 192.168.1.2\x0d
+b=AS:64\x0d
+t=3034423619 3042462419\x0d
+r=604800 3600 0 90000\x0d
+z=2882844526 -1h 2898848070 0\x0d
+k=prompt\x0d
+a=sendrecv\x0d
+m=audio 30000 RTP/AVP 0 8 97 2 3\x0d
+a=rtpmap:0 pcmu/8000\x0d\x0a";);
+
diff --git a/tests/sip-compact-form/test.rules b/tests/sip-compact-form/test.rules
new file mode 100644
index 000000000..2708cc47e
--- /dev/null
+++ b/tests/sip-compact-form/test.rules
@@ -0,0 +1,6 @@
+alert sip any any -> any any (sip.from; content:"arik"; sid:1;)
+alert sip any any -> any any (sip.to; content:"sip:"; sid:2;)
+alert sip any any -> any any (sip.via; content:"SIP/2.0/UDP"; sid:3;)
+alert sip any any -> any any (sip.content_type; content:"application/sdp"; sid:4;)
+alert sip any any -> any any (sip.content_length; content:"272"; sid:5;)
+
diff --git a/tests/sip-compact-form/test.yaml b/tests/sip-compact-form/test.yaml
new file mode 100644
index 000000000..0e2dfbca6
--- /dev/null
+++ b/tests/sip-compact-form/test.yaml
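Review bot: The `sip.content_length` rule (sid:5) only asserts that the buffer contains `272`, so it would still fire if the buffer held a longer value such as `2720` or carried surrounding whitespace; anchoring the match makes the sticky-buffer contract explicit, e.g. `alert sip any any -> any any (sip.content_length; content:"272"; bsize:3; sid:5;)`. The same applies to the `content:"270"` and `content:"199"` rules in tests/sip-content-length/test.rules. Sid:2 (`sip.to; content:"sip:"`) is likewise a much weaker oracle than the `sip:97239287044` used in tests/sip-to/test.rules and would match almost any To value; using the full URI here keeps the tests consistent and actually proves the compact `t:` header was mapped to the To buffer.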
@@ -0,0 +1,34 @@
+pcap: sip_compact_form.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
diff --git a/tests/sip-content-length/README.md b/tests/sip-content-length/README.md
new file mode 100644
index 000000000..dee6558b6
--- /dev/null
+++ b/tests/sip-content-length/README.md
@@ -0,0 +1 @@
+Match on SIP Content-Length header field.
diff --git a/tests/sip-content-length/test.rules b/tests/sip-content-length/test.rules
new file mode 100644
index 000000000..f556819fe
--- /dev/null
+++ b/tests/sip-content-length/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.content_length; content:"270"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.content_length; content:"199"; sid:2;)
diff --git a/tests/sip-content-length/test.yaml b/tests/sip-content-length/test.yaml
new file mode 100644
index 000000000..9c55227d3
--- /dev/null
+++ b/tests/sip-content-length/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/sip-content-type/README.md b/tests/sip-content-type/README.md
new file mode 100644
index 000000000..27726535b
--- /dev/null
+++ b/tests/sip-content-type/README.md
@@ -0,0 +1 @@
+Match on SIP Content-Type header field.
diff --git a/tests/sip-content-type/test.rules b/tests/sip-content-type/test.rules
new file mode 100644
index 000000000..aaeea4076
--- /dev/null
+++ b/tests/sip-content-type/test.rules
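Review bot: The checks in tests/sip-compact-form/test.yaml only count alerts per sid and never assert that the compact-form message parsed cleanly, so a parser that raised an app-layer event for `v:`/`f:`/`t:`/`c:`/`l:` while still populating the buffers would pass unnoticed. If the verify config logs anomaly events, a negative check such as `- filter: {count: 0, match: {event_type: anomaly}}` pins that down at no cost. The same negative check would be worth adding to tests/sip-header-multi-value/test.yaml, whose fixture carries the To header twice.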
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.content_type; content:"application/sdp"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.content_type; content:"application/sdp"; sid:2;)
diff --git a/tests/sip-content-type/test.yaml b/tests/sip-content-type/test.yaml
new file mode 100644
index 000000000..aed8a9c20
--- /dev/null
+++ b/tests/sip-content-type/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 11
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/sip-from/README.md b/tests/sip-from/README.md
new file mode 100644
index 000000000..5963bd767
--- /dev/null
+++ b/tests/sip-from/README.md
@@ -0,0 +1 @@
+Match on SIP From header field.
diff --git a/tests/sip-from/test.rules b/tests/sip-from/test.rules
new file mode 100644
index 000000000..f93f2597c
--- /dev/null
+++ b/tests/sip-from/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.from; content:"sip:"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.from; content:"sip:"; sid:2;)
diff --git a/tests/sip-from/test.yaml b/tests/sip-from/test.yaml
new file mode 100644
index 000000000..aef99d853
--- /dev/null
+++ b/tests/sip-from/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 47
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 34
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/sip-header-multi-value/Makefile b/tests/sip-header-multi-value/Makefile
new file mode 100644
index 000000000..5b46bff42
--- /dev/null
+++ b/tests/sip-header-multi-value/Makefile
@@ -0,0 +1,2 @@
+sip_header_multi_val.pcap: sip_header_multi_val.syn
+ flowsynth.py -f pcap -w $@ $^
diff --git a/tests/sip-header-multi-value/README.md b/tests/sip-header-multi-value/README.md new file mode 100644 index 000000000..c0bb998fe --- /dev/null +++ b/tests/sip-header-multi-value/README.md @@ -0,0 +1,7 @@ +# Test Purpose + +Test that SIP header with multiple values are matched. + +## PCAP + +This PCAP was generated with flowsynth. diff --git a/tests/sip-header-multi-value/sip_header_multi_val.pcap b/tests/sip-header-multi-value/sip_header_multi_val.pcap new file mode 100644 index 0000000000000000000000000000000000000000..61718ec91cda489f0632bedbec45e4b20d43e4b1 GIT binary patch literal 1010 zc-nnZO>fgc5DhH{WXT7F;5)X=6Ve56(rDk1fAC%QBLx~Uhx(yI9Tt1UC#!o# z6xk$s5l!y#y$6M+ghwGKp4;L)lU#6mCS}!VWh&bm$FO@{nEd(fb+}z?38|0xE5n@X zxU*V`r-{#9SB@jws^Vk%|D@lst)V*MQRZ^*JjS}1PFuZ=7%1^bM3@($Tz@Rafml1E z7l{M8k1RO$&9)ww(zH5HWr0%q(x}>;bO5~+(upc0>_}7QssQxM@hH}@t?r@DjV!SW zLq9uNCN(Att*3b=DkQhdk+!YuoV#fZET~neq7vEZ^e1MW(TNj15{Io#WfsDWuvJiZ znoiXsK2hF;&iaEUtatkB-G@!M`vh;cyPMtZCTyj{-d2Cmg#OmBxA~-r8Jk>g*pOvra$QdbsZo{66vpStq^fio zx7&-w!oi6hUB_%oCeNIal56r%%=A<`nVP}P`vU#lQ1X^->12h1PXq8gujLa;|A}VF zdBXOR&LH+VE>YqVmviR&Gy<1!#(l;qZkI`X!b3v9_3=d@A_&`hk+3jiA?F_Rp+zUa z!YB-p7$C{Eo+l`Jrg5u9Qp#dvWOiU%vqa2Cxx)Gg*dC_s&Q6LoLx=)k;MQzY>6y?m M0iDg}?eM7CAFYZJ2><{9 literal 0 Hc-jL100001 diff --git a/tests/sip-header-multi-value/sip_header_multi_val.syn b/tests/sip-header-multi-value/sip_header_multi_val.syn new file mode 100644 index 000000000..f82d79ac6 --- /dev/null +++ b/tests/sip-header-multi-value/sip_header_multi_val.syn 
@@ -0,0 +1,34 @@
+flow default udp 1.1.1.1:5555 > 2.2.2.2:5060;
+default > (content:"INVITE sip:97239287044@voip.brujula.net SIP/2.0\x0d
+v: SIP/2.0/UDP 192.168.1.2:5060;branch=z9hG4bKnp104984053-44ce4a41192.168.1.2;rport\x0d
+f: \"arik\" ;tag=6433ef9\x0d
+t: \x0d
+To: \x0d
+Call-ID: 105090259-446faf7a@192.168.1.2\x0d
+CSeq: 1 INVITE\x0d
+User-Agent: Nero SIPPS IP Phone Version 2.0.51.16\x0d
+Expires: 120\x0d
+Accept: application/sdp\x0d
+c: application/sdp\x0d
+l: 272\x0d
+Contact: \x0d
+Max-Forwards: 70\x0d
+Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, INFO\x0d
+\x0d
+v=0\x0d
+o=SIPPS 105015165 105015162 IN IP4 192.168.1.2\x0d
+s=SIP call\x0d
+i=Session Description Protocol\x0d
+u=https://www.sdp.proto\x0d
+e=j.doe@example.com (Jane Doe)\x0d
+p=+1 617 555-6011 (Jane Doe)\x0d
+c=IN IP4 192.168.1.2\x0d
+b=AS:64\x0d
+t=3034423619 3042462419\x0d
+r=604800 3600 0 90000\x0d
+z=2882844526 -1h 2898848070 0\x0d
+k=prompt\x0d
+a=sendrecv\x0d
+m=audio 30000 RTP/AVP 0 8 97 2 3\x0d
+a=rtpmap:0 pcmu/8000\x0d\x0a";);
+
diff --git a/tests/sip-header-multi-value/test.rules b/tests/sip-header-multi-value/test.rules
new file mode 100644
index 000000000..d057ea6c9
--- /dev/null
+++ b/tests/sip-header-multi-value/test.rules
@@ -0,0 +1,3 @@
+alert sip any any -> any any (sip.to; content:"sip:97239287044"; sid:1;)
+alert sip any any -> any any (sip.to; content:"sip:12345"; sid:2;)
+
diff --git a/tests/sip-header-multi-value/test.yaml b/tests/sip-header-multi-value/test.yaml
new file mode 100644
index 000000000..23a1f69d9
--- /dev/null
+++ b/tests/sip-header-multi-value/test.yaml
@@ -0,0 +1,14 @@
+pcap: sip_header_multi_val.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/sip-to/README.md b/tests/sip-to/README.md
new file mode 100644
index 000000000..2936ff154
--- /dev/null
+++ b/tests/sip-to/README.md
@@ -0,0 +1 @@
+Match on SIP To header field.
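Review bot: tests/sip-header-multi-value/test.yaml asserts only sid:2, so the test passes even if the To buffer exposes just the second header value, which is the very regression a multi-value test should catch; sid:1 (`sip.to; content:"sip:97239287044"`) is defined in test.rules but never checked. If the first To value is meant to match, add `- filter: {count: 1, match: {event_type: alert, alert.signature_id: 1}}` next to the sid:2 check; if it is meant not to match, a `count: 0` check for sid:1 would state that explicitly. The fixture also delivers the two values as the compact `t:` and the long `To:` form, so the README's one-line purpose could mention that mixed header forms are covered as well.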
diff --git a/tests/sip-to/test.rules b/tests/sip-to/test.rules
new file mode 100644
index 000000000..247926264
--- /dev/null
+++ b/tests/sip-to/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.to; content:"sip:97239287044"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.to; content:"sip:97239287044"; sid:2;)
diff --git a/tests/sip-to/test.yaml b/tests/sip-to/test.yaml
new file mode 100644
index 000000000..48075ab64
--- /dev/null
+++ b/tests/sip-to/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 15
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/sip-user-agent/README.md b/tests/sip-user-agent/README.md
new file mode 100644
index 000000000..9e66cd8dd
--- /dev/null
+++ b/tests/sip-user-agent/README.md
@@ -0,0 +1 @@
+Match on SIP User-Agent header field.
diff --git a/tests/sip-user-agent/test.rules b/tests/sip-user-agent/test.rules
new file mode 100644
index 000000000..a38190187
--- /dev/null
+++ b/tests/sip-user-agent/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_server; sip.user_agent; content:"Nero"; sid:1;)
diff --git a/tests/sip-user-agent/test.yaml b/tests/sip-user-agent/test.yaml
new file mode 100644
index 000000000..125062b7c
--- /dev/null
+++ b/tests/sip-user-agent/test.yaml
@@ -0,0 +1,14 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 40
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/sip-via/README.md b/tests/sip-via/README.md
new file mode 100644
index 000000000..40e60f42e
--- /dev/null
+++ b/tests/sip-via/README.md
@@ -0,0 +1 @@
+Match on SIP Via header field.
diff --git a/tests/sip-via/test.rules b/tests/sip-via/test.rules
new file mode 100644
index 000000000..cde4b4387
--- /dev/null
+++ b/tests/sip-via/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.via; content:"SIP/2.0/UDP"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.via; content:"SIP/2.0/UDP"; sid:2;)
diff --git a/tests/sip-via/test.yaml b/tests/sip-via/test.yaml
new file mode 100644
index 000000000..aef99d853
--- /dev/null
+++ b/tests/sip-via/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 47
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 34
+ match:
+ event_type: alert
+ alert.signature_id: 2
-- 
2.47.2