sip: add tests for sip over tcp

tests/sip-tcp-body-frames/README.md

@@ -0,0 +1 @@
+Match on SIP frames.

tests/sip-tcp-body-frames/test.rules

@@ -0,0 +1,11 @@
+alert sip any any -> any any (flow:to_server; frame:pdu; content:"REGISTER"; startswith; sid:2;)
+alert sip any any -> any any (flow:to_client; frame:pdu; content:"SIP/2.0 200 OK|0D 0A|"; startswith; sid:11;)
+
+alert sip any any -> any any (flow:to_server; frame:request.line; content:"REGISTER"; startswith; sid:21;)
+alert sip any any -> any any (flow:to_server; frame:request.line; content:"SIP/2.0|0D 0A|"; endswith; sid:22;)
+
+alert sip any any -> any any (flow:to_server; frame:request.headers; content:"Via:"; startswith; sid:31;)
+alert sip any any -> any any (flow:to_server; frame:request.headers; content:"Via:"; startswith; content:"0|0d 0a|"; endswith; sid:32;)
+
+alert sip any any -> any any (flow:to_client; frame:response.headers; content:"Via:"; startswith; sid:41;)
+alert sip any any -> any any (flow:to_client; frame:response.headers; content:"Via:"; startswith; content:"Content-Length: 0|0d 0a|"; endswith; sid:42;)

tests/sip-tcp-body-frames/test.yaml

@@ -0,0 +1,47 @@
+requires:
+  min-version: 7
+
+args:
+  - -k none
+
+pcap: ../sip-tcp-method/sip-tcp.pcap
+
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: sip
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 22
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 31
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 32
+        frame.type: "request.headers"
+        frame.complete: true
+        frame.length: 532
+        frame.direction: toserver
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 41
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 42

tests/sip-tcp-method/README.md

@@ -0,0 +1 @@
+Match on SIP over TCP method field.

tests/sip-tcp-method/sip_client.c

@@ -0,0 +1,137 @@
+#include <arpa/inet.h> // inet_addr()
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <strings.h> // bzero()
+#include <sys/socket.h>
+#include <unistd.h> // read(), write(), close()
+#define MAX 1024
+#define PORT 5060
+#define SA struct sockaddr
+
+void func(int sockfd)
+{
+	char msg1[] = {
+		0x52, 0x45, 0x47, 0x49, 0x53, 0x54, 0x45, 0x52,
+		0x20, 0x73, 0x69, 0x70, 0x3a, 0x31, 0x39, 0x32,
+		0x2e, 0x31, 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e,
+		0x31, 0x30, 0x30, 0x3b, 0x74, 0x72, 0x61, 0x6e,
+		0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d, 0x54, 0x43,
+		0x50, 0x20, 0x53, 0x49, 0x50, 0x2f, 0x32, 0x2e,
+		0x30, 0x0d, 0x0a, 0x56, 0x69, 0x61, 0x3a, 0x20,
+		0x53, 0x49, 0x50, 0x2f, 0x32, 0x2e, 0x30, 0x2f,
+		0x54, 0x43, 0x50, 0x20, 0x31, 0x39, 0x32, 0x2e,
+		0x31, 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e, 0x31,
+		0x3a, 0x34, 0x38, 0x33, 0x37, 0x36, 0x3b, 0x62,
+		0x72, 0x61, 0x6e, 0x63, 0x68, 0x3d, 0x7a, 0x39,
+		0x68, 0x47, 0x34, 0x62, 0x4b, 0x2d, 0x35, 0x32,
+		0x34, 0x32, 0x38, 0x37, 0x2d, 0x31, 0x2d, 0x2d,
+		0x2d, 0x64, 0x63, 0x66, 0x34, 0x65, 0x64, 0x64,
+		0x66, 0x61, 0x66, 0x39, 0x66, 0x31, 0x32, 0x33,
+		0x39, 0x3b, 0x72, 0x70, 0x6f, 0x72, 0x74, 0x0d,
+		0x0a, 0x4d, 0x61, 0x78, 0x2d, 0x46, 0x6f, 0x72,
+		0x77, 0x61, 0x72, 0x64, 0x73, 0x3a, 0x20, 0x37,
+		0x30, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x61,
+		0x63, 0x74, 0x3a, 0x20, 0x3c, 0x73, 0x69, 0x70,
+		0x3a, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x40,
+		0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e,
+		0x34, 0x33, 0x2e, 0x31, 0x3a, 0x34, 0x38, 0x33,
+		0x37, 0x36, 0x3b, 0x72, 0x69, 0x6e, 0x73, 0x74,
+		0x61, 0x6e, 0x63, 0x65, 0x3d, 0x62, 0x65, 0x32,
+		0x65, 0x63, 0x39, 0x38, 0x64, 0x30, 0x66, 0x34,
+		0x33, 0x65, 0x37, 0x30, 0x63, 0x3b, 0x74, 0x72,
+		0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d,
+		0x74, 0x63, 0x70, 0x3e, 0x0d, 0x0a, 0x54, 0x6f,
+		0x3a, 0x20, 0x3c, 0x73, 0x69, 0x70, 0x3a, 0x39,
+		0x38, 0x37, 0x36, 0x35, 0x34, 0x40, 0x31, 0x39,
+		0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x34, 0x33,
+		0x2e, 0x31, 0x30, 0x30, 0x3b, 0x74, 0x72, 0x61,
+		0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d, 0x54,
+		0x43, 0x50, 0x3e, 0x0d, 0x0a, 0x46, 0x72, 0x6f,
+		0x6d, 0x3a, 0x20, 0x3c, 0x73, 0x69, 0x70, 0x3a,
+		0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x40, 0x31,
+		0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x34,
+		0x33, 0x2e, 0x31, 0x30, 0x30, 0x3b, 0x74, 0x72,
+		0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d,
+		0x54, 0x43, 0x50, 0x3e, 0x3b, 0x74, 0x61, 0x67,
+		0x3d, 0x39, 0x62, 0x39, 0x39, 0x31, 0x36, 0x37,
+		0x66, 0x0d, 0x0a, 0x43, 0x61, 0x6c, 0x6c, 0x2d,
+		0x49, 0x44, 0x3a, 0x20, 0x38, 0x4f, 0x6d, 0x74,
+		0x59, 0x55, 0x55, 0x38, 0x45, 0x64, 0x6c, 0x61,
+		0x66, 0x55, 0x68, 0x34, 0x67, 0x34, 0x6a, 0x69,
+		0x41, 0x77, 0x2e, 0x2e, 0x0d, 0x0a, 0x43, 0x53,
+		0x65, 0x71, 0x3a, 0x20, 0x31, 0x20, 0x52, 0x45,
+		0x47, 0x49, 0x53, 0x54, 0x45, 0x52, 0x0d, 0x0a
+	};
+
+	char msg2[] = {
+		0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x3a,
+		0x20, 0x36, 0x30, 0x30, 0x0d, 0x0a, 0x41, 0x6c,
+		0x6c, 0x6f, 0x77, 0x3a, 0x20, 0x49, 0x4e, 0x56,
+		0x49, 0x54, 0x45, 0x2c, 0x20, 0x41, 0x43, 0x4b,
+		0x2c, 0x20, 0x43, 0x41, 0x4e, 0x43, 0x45, 0x4c,
+		0x2c, 0x20, 0x42, 0x59, 0x45, 0x2c, 0x20, 0x4e,
+		0x4f, 0x54, 0x49, 0x46, 0x59, 0x2c, 0x20, 0x52,
+		0x45, 0x46, 0x45, 0x52, 0x2c, 0x20, 0x4d, 0x45,
+		0x53, 0x53, 0x41, 0x47, 0x45, 0x2c, 0x20, 0x4f,
+		0x50, 0x54, 0x49, 0x4f, 0x4e, 0x53, 0x2c, 0x20,
+		0x49, 0x4e, 0x46, 0x4f, 0x2c, 0x20, 0x53, 0x55,
+		0x42, 0x53, 0x43, 0x52, 0x49, 0x42, 0x45, 0x0d,
+		0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67,
+		0x65, 0x6e, 0x74, 0x3a, 0x20, 0x5a, 0x6f, 0x69,
+		0x70, 0x65, 0x72, 0x20, 0x72, 0x76, 0x32, 0x2e,
+		0x31, 0x30, 0x2e, 0x33, 0x2e, 0x32, 0x0d, 0x0a,
+		0x41, 0x6c, 0x6c, 0x6f, 0x77, 0x2d, 0x45, 0x76,
+		0x65, 0x6e, 0x74, 0x73, 0x3a, 0x20, 0x70, 0x72,
+		0x65, 0x73, 0x65, 0x6e, 0x63, 0x65, 0x2c, 0x20,
+		0x6b, 0x70, 0x6d, 0x6c, 0x2c, 0x20, 0x74, 0x61,
+		0x6c, 0x6b, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74,
+		0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67,
+		0x74, 0x68, 0x3a, 0x20, 0x30, 0x0d, 0x0a, 0x0d,
+		0x0a
+	};
+
+	char buff[MAX];
+
+    write(sockfd, msg1, sizeof(msg1));
+    write(sockfd, msg2, sizeof(msg2));
+    bzero(buff, sizeof(buff));
+    read(sockfd, buff, sizeof(buff));
+
+}
+
+int main()
+{
+	int sockfd, connfd;
+	struct sockaddr_in servaddr, cli;
+
+	// socket create and verification
+	sockfd = socket(AF_INET, SOCK_STREAM, 0);
+	if (sockfd == -1) {
+		printf("socket creation failed...\n");
+		exit(0);
+	}
+	else
+		printf("Socket successfully created..\n");
+	bzero(&servaddr, sizeof(servaddr));
+
+	// assign IP, PORT
+	servaddr.sin_family = AF_INET;
+	servaddr.sin_addr.s_addr = inet_addr("127.0.0.1");
+	servaddr.sin_port = htons(PORT);
+
+	// connect the client socket to server socket
+	if (connect(sockfd, (SA*)&servaddr, sizeof(servaddr))
+		!= 0) {
+		printf("connection with the server failed...\n");
+		exit(0);
+	}
+	else
+		printf("connected to the server..\n");
+
+	func(sockfd);
+
+	close(sockfd);
+}
+

tests/sip-tcp-method/sip_server.c

@@ -0,0 +1,140 @@
+#include <stdio.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <unistd.h> // read(), write(), close()
+#define MAX 1024
+#define PORT 5060
+#define SA struct sockaddr
+
+void func(int connfd)
+{
+	char msg[] = {
+		0x53, 0x49, 0x50, 0x2f, 0x32, 0x2e, 0x30, 0x20,
+		0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, 0x0a,
+		0x56, 0x69, 0x61, 0x3a, 0x20, 0x53, 0x49, 0x50,
+		0x2f, 0x32, 0x2e, 0x30, 0x2f, 0x54, 0x43, 0x50,
+		0x20, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38,
+		0x2e, 0x34, 0x33, 0x2e, 0x31, 0x3a, 0x34, 0x38,
+		0x33, 0x37, 0x36, 0x3b, 0x62, 0x72, 0x61, 0x6e,
+		0x63, 0x68, 0x3d, 0x7a, 0x39, 0x68, 0x47, 0x34,
+		0x62, 0x4b, 0x2d, 0x35, 0x32, 0x34, 0x32, 0x38,
+		0x37, 0x2d, 0x31, 0x2d, 0x2d, 0x2d, 0x64, 0x63,
+		0x66, 0x34, 0x65, 0x64, 0x64, 0x66, 0x61, 0x66,
+		0x39, 0x66, 0x31, 0x32, 0x33, 0x39, 0x3b, 0x72,
+		0x70, 0x6f, 0x72, 0x74, 0x3d, 0x34, 0x33, 0x31,
+		0x36, 0x38, 0x3b, 0x72, 0x65, 0x63, 0x65, 0x69,
+		0x76, 0x65, 0x64, 0x3d, 0x31, 0x39, 0x32, 0x2e,
+		0x31, 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e, 0x31,
+		0x0d, 0x0a, 0x54, 0x6f, 0x3a, 0x20, 0x3c, 0x73,
+		0x69, 0x70, 0x3a, 0x39, 0x38, 0x37, 0x36, 0x35,
+		0x34, 0x40, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36,
+		0x38, 0x2e, 0x34, 0x33, 0x2e, 0x31, 0x30, 0x30,
+		0x3b, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f,
+		0x72, 0x74, 0x3d, 0x54, 0x43, 0x50, 0x3e, 0x3b,
+		0x74, 0x61, 0x67, 0x3d, 0x39, 0x64, 0x64, 0x36,
+		0x31, 0x66, 0x66, 0x36, 0x31, 0x65, 0x38, 0x30,
+		0x32, 0x64, 0x38, 0x65, 0x32, 0x62, 0x65, 0x66,
+		0x35, 0x66, 0x31, 0x34, 0x36, 0x32, 0x31, 0x65,
+		0x66, 0x33, 0x63, 0x32, 0x2e, 0x35, 0x63, 0x31,
+		0x62, 0x0d, 0x0a, 0x46, 0x72, 0x6f, 0x6d, 0x3a,
+		0x20, 0x3c, 0x73, 0x69, 0x70, 0x3a, 0x39, 0x38,
+		0x37, 0x36, 0x35, 0x34, 0x40, 0x31, 0x39, 0x32,
+		0x2e, 0x31, 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e,
+		0x31, 0x30, 0x30, 0x3b, 0x74, 0x72, 0x61, 0x6e,
+		0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d, 0x54, 0x43,
+		0x50, 0x3e, 0x3b, 0x74, 0x61, 0x67, 0x3d, 0x39,
+		0x62, 0x39, 0x39, 0x31, 0x36, 0x37, 0x66, 0x0d,
+		0x0a, 0x43, 0x61, 0x6c, 0x6c, 0x2d, 0x49, 0x44,
+		0x3a, 0x20, 0x38, 0x4f, 0x6d, 0x74, 0x59, 0x55,
+		0x55, 0x38, 0x45, 0x64, 0x6c, 0x61, 0x66, 0x55,
+		0x68, 0x34, 0x67, 0x34, 0x6a, 0x69, 0x41, 0x77,
+		0x2e, 0x2e, 0x0d, 0x0a, 0x43, 0x53, 0x65, 0x71,
+		0x3a, 0x20, 0x31, 0x20, 0x52, 0x45, 0x47, 0x49,
+		0x53, 0x54, 0x45, 0x52, 0x0d, 0x0a, 0x43, 0x6f,
+		0x6e, 0x74, 0x61, 0x63, 0x74, 0x3a, 0x20, 0x3c,
+		0x73, 0x69, 0x70, 0x3a, 0x39, 0x38, 0x37, 0x36,
+		0x35, 0x34, 0x40, 0x31, 0x39, 0x32, 0x2e, 0x31,
+		0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e, 0x31, 0x3a,
+		0x34, 0x38, 0x33, 0x37, 0x36, 0x3b, 0x72, 0x69,
+		0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x3d,
+		0x62, 0x65, 0x32, 0x65, 0x63, 0x39, 0x38, 0x64,
+		0x30, 0x66, 0x34, 0x33, 0x65, 0x37, 0x30, 0x63,
+		0x3b, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f,
+		0x72, 0x74, 0x3d, 0x74, 0x63, 0x70, 0x3e, 0x3b,
+		0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x3d,
+		0x36, 0x30, 0x30, 0x0d, 0x0a, 0x53, 0x65, 0x72,
+		0x76, 0x65, 0x72, 0x3a, 0x20, 0x6b, 0x61, 0x6d,
+		0x61, 0x69, 0x6c, 0x69, 0x6f, 0x20, 0x28, 0x35,
+		0x2e, 0x32, 0x2e, 0x31, 0x20, 0x28, 0x78, 0x38,
+		0x36, 0x5f, 0x36, 0x34, 0x2f, 0x6c, 0x69, 0x6e,
+		0x75, 0x78, 0x29, 0x29, 0x0d, 0x0a, 0x43, 0x6f,
+		0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65,
+		0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x30, 0x0d,
+		0x0a, 0x0d, 0x0a
+	};
+
+	char buff[MAX];
+
+	bzero(buff, sizeof(buff));
+	read(connfd, buff, sizeof(buff));
+	read(connfd, buff, sizeof(buff));
+	write(connfd, msg, sizeof(msg));
+}
+
+int main()
+{
+	int sockfd, connfd, len;
+	struct sockaddr_in servaddr, cli;
+
+	sockfd = socket(AF_INET, SOCK_STREAM, 0);
+	if (sockfd == -1) {
+		printf("socket creation failed...\n");
+		exit(0);
+	}
+	else
+		printf("Socket successfully created..\n");
+	bzero(&servaddr, sizeof(servaddr));
+
+	// assign IP, PORT
+	servaddr.sin_family = AF_INET;
+	servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
+	servaddr.sin_port = htons(PORT);
+
+	// Binding newly created socket to given IP and verification
+	if ((bind(sockfd, (SA*)&servaddr, sizeof(servaddr))) != 0) {
+		printf("socket bind failed...\n");
+		exit(0);
+	}
+	else
+		printf("Socket successfully binded..\n");
+
+	// Now server is ready to listen and verification
+	if ((listen(sockfd, 5)) != 0) {
+		printf("Listen failed...\n");
+		exit(0);
+	}
+	else
+		printf("Server listening..\n");
+	len = sizeof(cli);
+
+	// Accept the data packet from client and verification
+	connfd = accept(sockfd, (SA*)&cli, &len);
+	if (connfd < 0) {
+		printf("server accept failed...\n");
+		exit(0);
+	}
+	else
+		printf("server accept the client...\n");
+
+	// Function for chatting between client and server
+	//func(connfd);
+	func(connfd);
+
+	// After chatting close the socket
+	close(sockfd);
+}
+

tests/sip-tcp-method/test.rules

@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_server; sip.method; content:"REGISTER"; sid:1;)

tests/sip-tcp-method/test.yaml

@@ -0,0 +1,14 @@
+requires:
+  min-version: 7
+
+args:
+  - -k none
+  - --set app-layer.protocols.sip.enabled=yes
+
+pcap: sip-tcp.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert

tests/sip-tcp-protocol/README.md

@@ -0,0 +1 @@
+Match on SIP version field.

tests/sip-tcp-protocol/test.rules

@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.protocol; content:"SIP/2.0"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.protocol; content:"SIP/2.0"; sid:2;)

tests/sip-tcp-protocol/test.yaml

@@ -0,0 +1,24 @@
+requires:
+  min-version: 7.0
+
+args:
+  - -k none
+  - --set app-layer.protocols.sip.enabled=yes
+
+pcap: ../sip-tcp-method/sip-tcp.pcap
+
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2

tests/sip-tcp-request-line/README.md

@@ -0,0 +1 @@
+Match on the whole SIP request line.

tests/sip-tcp-request-line/test.rules

@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_server; sip.request_line; content:"REGISTER sip:192.168.43.100\;transport=TCP SIP/2.0"; sid:1;)