sip: add tests for sip over tcp v5

tests/sip-pattern-matching/Makefile

@@ -0,0 +1,3 @@
+sip.pcap: sip-pattern-matching.syn
+	flowsynth.py -f pcap -w $@ $^
+

tests/sip-pattern-matching/README.md

@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that SIP/TCP is detected with pattern matching.
+
+## PCAP
+
+This PCAP was generated with flowsynth.

tests/sip-pattern-matching/sip-pattern-matching.syn

@@ -0,0 +1,21 @@
+flow default udp 1.1.1.1:5555 > 2.2.2.2:5062;
+default > (content:"REGISTER sip:sip.cybercity.dk SIP/2.0\x0d
+Via: SIP/2.0/UDP 192.168.1.2;branch=z9hG4bKnp151248737-46ea715e192.168.1.2;rport\x0d
+From: <sip:[email protected]>;tag=903df0a\x0d
+To: <sip:[email protected]>\x0d
+Call-ID: 578222729-4665d775@578222732-4665d772\x0d
+Contact:  <sip:[email protected]:5060;line=9c7d2dbd8822013c>;expires=1200;q=0.500\x0d
+Expires: 1200\x0d
+CSeq: 68 REGISTER\x0d
+Content-Length: 0\x0d
+Max-Forwards: 70\x0d
+User-Agent: Nero SIPPS IP Phone Version 2.0.51.16\x0d\x0a\x0d\x0a";);
+default < (content:"SIP/2.0 401 Unauthorized\x0d
+Call-ID: 578222729-4665d775@578222732-4665d772\x0d
+CSeq: 68 REGISTER\x0d
+From: <sip:[email protected]>;tag=903df0a\x0d
+To: <sip:[email protected]>;tag=00-04092-1701af62-120c67172\x0d
+Via: SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5060;branch=z9hG4bKnp151248737-46ea715e192.168.1.2\x0d
+WWW-Authenticate: Digest realm=\"sip.cybercity.dk\",nonce=\"1701af566be182070084c6f740706bb\",opaque=\"1701a1351f70795\",stale=false,algorithm=MD5\x0d
+Content-Length: 0\x0d\x0a\x0d\x0a";);
+

tests/sip-pattern-matching/test.yaml

@@ -0,0 +1,19 @@
+checks:
+  - filter:
+      min-version: 8
+      count: 1
+      match:
+        event_type: sip
+        sip.method: "REGISTER"
+        sip.uri: "sip:sip.cybercity.dk"
+        sip.version: "SIP/2.0"
+        sip.request_line: "REGISTER sip:sip.cybercity.dk SIP/2.0"
+  - filter:
+      min-version: 8
+      count: 1
+      match:
+        event_type: sip
+        sip.version: "SIP/2.0"
+        sip.code: "401"
+        sip.reason: "Unauthorized"
+        sip.response_line: "SIP/2.0 401 Unauthorized"

tests/sip-tcp-body-frames/README.md

@@ -0,0 +1 @@
+Match on SIP frames.

tests/sip-tcp-body-frames/test.rules

@@ -0,0 +1,11 @@
+alert sip any any -> any any (flow:to_server; frame:pdu; content:"REGISTER"; startswith; sid:2;)
+alert sip any any -> any any (flow:to_client; frame:pdu; content:"SIP/2.0 200 OK|0D 0A|"; startswith; sid:11;)
+
+alert sip any any -> any any (flow:to_server; frame:request.line; content:"REGISTER"; startswith; sid:21;)
+alert sip any any -> any any (flow:to_server; frame:request.line; content:"SIP/2.0|0D 0A|"; endswith; sid:22;)
+
+alert sip any any -> any any (flow:to_server; frame:request.headers; content:"Via:"; startswith; sid:31;)
+alert sip any any -> any any (flow:to_server; frame:request.headers; content:"Via:"; startswith; content:"0|0d 0a|"; endswith; sid:32;)
+
+alert sip any any -> any any (flow:to_client; frame:response.headers; content:"Via:"; startswith; sid:41;)
+alert sip any any -> any any (flow:to_client; frame:response.headers; content:"Via:"; startswith; content:"Content-Length: 0|0d 0a|"; endswith; sid:42;)

tests/sip-tcp-body-frames/test.yaml

@@ -0,0 +1,62 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none
+
+pcap: ../sip-tcp-method/sip-tcp.pcap
+
+checks:
+  - filter:
+      min-version: 8
+      count: 2
+      match:
+        proto: TCP
+        event_type: sip
+  - filter:
+      min-version: 8
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      min-version: 8
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 22
+  - filter:
+      min-version: 8
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 31
+  - filter:
+      min-version: 8
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 32
+        frame.type: "request.headers"
+        frame.complete: true
+        frame.length: 532
+        frame.direction: toserver
+  - filter:
+      min-version: 8
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 41
+  - filter:
+      min-version: 8
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 42
+  - filter:
+      min-version: 8
+      count: 1
+      match:
+        event_type: stats
+        stats.app_layer.tx.sip_tcp: 2
+        stats.app_layer.flow.sip_tcp: 1

tests/sip-tcp-method/README.md

@@ -0,0 +1 @@
+Match on SIP over TCP method field.

tests/sip-tcp-method/sip_client.c

@@ -0,0 +1,137 @@
+#include <arpa/inet.h> // inet_addr()
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <strings.h> // bzero()
+#include <sys/socket.h>
+#include <unistd.h> // read(), write(), close()
+#define MAX 1024
+#define PORT 5060
+#define SA struct sockaddr
+
+void func(int sockfd)
+{
+	char msg1[] = {
+		0x52, 0x45, 0x47, 0x49, 0x53, 0x54, 0x45, 0x52,
+		0x20, 0x73, 0x69, 0x70, 0x3a, 0x31, 0x39, 0x32,
+		0x2e, 0x31, 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e,
+		0x31, 0x30, 0x30, 0x3b, 0x74, 0x72, 0x61, 0x6e,
+		0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d, 0x54, 0x43,
+		0x50, 0x20, 0x53, 0x49, 0x50, 0x2f, 0x32, 0x2e,
+		0x30, 0x0d, 0x0a, 0x56, 0x69, 0x61, 0x3a, 0x20,
+		0x53, 0x49, 0x50, 0x2f, 0x32, 0x2e, 0x30, 0x2f,
+		0x54, 0x43, 0x50, 0x20, 0x31, 0x39, 0x32, 0x2e,
+		0x31, 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e, 0x31,
+		0x3a, 0x34, 0x38, 0x33, 0x37, 0x36, 0x3b, 0x62,
+		0x72, 0x61, 0x6e, 0x63, 0x68, 0x3d, 0x7a, 0x39,
+		0x68, 0x47, 0x34, 0x62, 0x4b, 0x2d, 0x35, 0x32,
+		0x34, 0x32, 0x38, 0x37, 0x2d, 0x31, 0x2d, 0x2d,
+		0x2d, 0x64, 0x63, 0x66, 0x34, 0x65, 0x64, 0x64,
+		0x66, 0x61, 0x66, 0x39, 0x66, 0x31, 0x32, 0x33,
+		0x39, 0x3b, 0x72, 0x70, 0x6f, 0x72, 0x74, 0x0d,
+		0x0a, 0x4d, 0x61, 0x78, 0x2d, 0x46, 0x6f, 0x72,
+		0x77, 0x61, 0x72, 0x64, 0x73, 0x3a, 0x20, 0x37,
+		0x30, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x61,
+		0x63, 0x74, 0x3a, 0x20, 0x3c, 0x73, 0x69, 0x70,
+		0x3a, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x40,
+		0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e,
+		0x34, 0x33, 0x2e, 0x31, 0x3a, 0x34, 0x38, 0x33,
+		0x37, 0x36, 0x3b, 0x72, 0x69, 0x6e, 0x73, 0x74,
+		0x61, 0x6e, 0x63, 0x65, 0x3d, 0x62, 0x65, 0x32,
+		0x65, 0x63, 0x39, 0x38, 0x64, 0x30, 0x66, 0x34,
+		0x33, 0x65, 0x37, 0x30, 0x63, 0x3b, 0x74, 0x72,
+		0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d,
+		0x74, 0x63, 0x70, 0x3e, 0x0d, 0x0a, 0x54, 0x6f,
+		0x3a, 0x20, 0x3c, 0x73, 0x69, 0x70, 0x3a, 0x39,
+		0x38, 0x37, 0x36, 0x35, 0x34, 0x40, 0x31, 0x39,
+		0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x34, 0x33,
+		0x2e, 0x31, 0x30, 0x30, 0x3b, 0x74, 0x72, 0x61,
+		0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d, 0x54,
+		0x43, 0x50, 0x3e, 0x0d, 0x0a, 0x46, 0x72, 0x6f,
+		0x6d, 0x3a, 0x20, 0x3c, 0x73, 0x69, 0x70, 0x3a,
+		0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x40, 0x31,
+		0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x34,
+		0x33, 0x2e, 0x31, 0x30, 0x30, 0x3b, 0x74, 0x72,
+		0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d,
+		0x54, 0x43, 0x50, 0x3e, 0x3b, 0x74, 0x61, 0x67,
+		0x3d, 0x39, 0x62, 0x39, 0x39, 0x31, 0x36, 0x37,
+		0x66, 0x0d, 0x0a, 0x43, 0x61, 0x6c, 0x6c, 0x2d,
+		0x49, 0x44, 0x3a, 0x20, 0x38, 0x4f, 0x6d, 0x74,
+		0x59, 0x55, 0x55, 0x38, 0x45, 0x64, 0x6c, 0x61,
+		0x66, 0x55, 0x68, 0x34, 0x67, 0x34, 0x6a, 0x69,
+		0x41, 0x77, 0x2e, 0x2e, 0x0d, 0x0a, 0x43, 0x53,
+		0x65, 0x71, 0x3a, 0x20, 0x31, 0x20, 0x52, 0x45,
+		0x47, 0x49, 0x53, 0x54, 0x45, 0x52, 0x0d, 0x0a
+	};
+
+	char msg2[] = {
+		0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x3a,
+		0x20, 0x36, 0x30, 0x30, 0x0d, 0x0a, 0x41, 0x6c,
+		0x6c, 0x6f, 0x77, 0x3a, 0x20, 0x49, 0x4e, 0x56,
+		0x49, 0x54, 0x45, 0x2c, 0x20, 0x41, 0x43, 0x4b,
+		0x2c, 0x20, 0x43, 0x41, 0x4e, 0x43, 0x45, 0x4c,
+		0x2c, 0x20, 0x42, 0x59, 0x45, 0x2c, 0x20, 0x4e,
+		0x4f, 0x54, 0x49, 0x46, 0x59, 0x2c, 0x20, 0x52,
+		0x45, 0x46, 0x45, 0x52, 0x2c, 0x20, 0x4d, 0x45,
+		0x53, 0x53, 0x41, 0x47, 0x45, 0x2c, 0x20, 0x4f,
+		0x50, 0x54, 0x49, 0x4f, 0x4e, 0x53, 0x2c, 0x20,
+		0x49, 0x4e, 0x46, 0x4f, 0x2c, 0x20, 0x53, 0x55,
+		0x42, 0x53, 0x43, 0x52, 0x49, 0x42, 0x45, 0x0d,
+		0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67,
+		0x65, 0x6e, 0x74, 0x3a, 0x20, 0x5a, 0x6f, 0x69,
+		0x70, 0x65, 0x72, 0x20, 0x72, 0x76, 0x32, 0x2e,
+		0x31, 0x30, 0x2e, 0x33, 0x2e, 0x32, 0x0d, 0x0a,
+		0x41, 0x6c, 0x6c, 0x6f, 0x77, 0x2d, 0x45, 0x76,
+		0x65, 0x6e, 0x74, 0x73, 0x3a, 0x20, 0x70, 0x72,
+		0x65, 0x73, 0x65, 0x6e, 0x63, 0x65, 0x2c, 0x20,
+		0x6b, 0x70, 0x6d, 0x6c, 0x2c, 0x20, 0x74, 0x61,
+		0x6c, 0x6b, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74,
+		0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67,
+		0x74, 0x68, 0x3a, 0x20, 0x30, 0x0d, 0x0a, 0x0d,
+		0x0a
+	};
+
+	char buff[MAX];
+
+    write(sockfd, msg1, sizeof(msg1));
+    write(sockfd, msg2, sizeof(msg2));
+    bzero(buff, sizeof(buff));
+    read(sockfd, buff, sizeof(buff));
+
+}
+
+int main()
+{
+	int sockfd, connfd;
+	struct sockaddr_in servaddr, cli;
+
+	// socket create and verification
+	sockfd = socket(AF_INET, SOCK_STREAM, 0);
+	if (sockfd == -1) {
+		printf("socket creation failed...\n");
+		exit(0);
+	}
+	else
+		printf("Socket successfully created..\n");
+	bzero(&servaddr, sizeof(servaddr));
+
+	// assign IP, PORT
+	servaddr.sin_family = AF_INET;
+	servaddr.sin_addr.s_addr = inet_addr("127.0.0.1");
+	servaddr.sin_port = htons(PORT);
+
+	// connect the client socket to server socket
+	if (connect(sockfd, (SA*)&servaddr, sizeof(servaddr))
+		!= 0) {
+		printf("connection with the server failed...\n");
+		exit(0);
+	}
+	else
+		printf("connected to the server..\n");
+
+	func(sockfd);
+
+	close(sockfd);
+}
+