SDP: implements sticky buffers #11877
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The encryption key subfield of the media description field is not logged when it should be. Ticket OISF#7305
The current parser implementations take a field, such as connection data, and split it into subfields for a specific structure (e.g., struct ConnectionData). However, following this approach requires several sticky buffers to match the whole field, which can make a rule a bit verbose and doesn't offer any advantage for matching specific parts of a field. With this patch, a single line is still split into pieces if it makes sense for parsing purposes, but these pieces are then reassembled into a single string. This way, only one sticky buffer is needed to match the entire field. Ticket OISF#7291
This adds a sticky buffer to match the "Session name" field in both requests and responses. Ticket OISF#7291
This adds a sticky buffer to match the "Session information" field in both requests and responses. Ticket OISF#7291
This adds a sticky buffer to match the "Origin" field in both requests and responses. Ticket OISF#7291
This adds a sticky buffer to match the "Uri" field in both requests and responses. Ticket OISF#7291
This adds a sticky buffer to match the "Email" field in both requests and responses. Ticket OISF#7291
This adds a sticky buffer to match the "Phone number" field in both requests and responses. Ticket OISF#7291
This adds a sticky buffer to match the "Connection data" field in both requests and responses. Ticket OISF#7291
This adds a sticky (multi) buffer to match the "Bandwidth" field in both requests and responses. Ticket OISF#7291
This adds a sticky buffer to match the "Time" field in both requests and responses. Ticket OISF#7291
This adds a sticky buffer to match the "Repeat time" field in both requests and responses. Ticket OISF#7291
This adds a sticky bufffer to match the "Timezone" field in both requests and responses. Ticket OISF#7291
This adds a sticky buffer to match the "Encryption key" field in both requests and responses. Ticket OISF#7291
This adds a sticky (multi) buffer to match the "Attribute" field in both requests and responses. Ticket OISF#7291
This adds a sticky (multi) buffer to match the "Media" subfield of the "Media description" field in both requests and responses. Ticket OISF#7291
This adds a stick (multi) buffer to match the "Session information" subfield of the "Media description" field in both requests and responses. Ticket OISF#7291
This adds a sticky (multi) buffer to match the "Connection data" subfield of the "Media description" field in both requests and responses. Ticket OISF#7291
This adds a sticky (multi) buffer to match the "Encryption key" subfield of the "Media description" field in both requests and responses. Ticket OISF#7291
glongo
requested review from
jasonish,
jufajardini,
victorjulien and
a team
as code owners
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #11877 +/- ##
==========================================
+ Coverage 82.56% 82.65% +0.08%
==========================================
Files 912 913 +1
Lines 249354 250254 +900
==========================================
+ Hits 205880 206835 +955
+ Misses 43474 43419 -55
Flags with carried forward coverage won't be shown. Click here to find out more. |
victorjulien
reviewed
Oct 4, 2024
| }; | ||
| if let Some(sdp) = sdp_message { | ||
| let session_name = &sdp.session_name; | ||
| if !session_name.is_empty() { |
There was a problem hiding this comment.
should we return an empty buffer so we can match on sdp.session_name; bsize:0;?
There was a problem hiding this comment.
This field is mandatory, the parser will fail if it's not found. However, this approach might make sense for optional fields, such as session information.
There was a problem hiding this comment.
I think this code should suggest it can be empty then.
There was a problem hiding this comment.
Should a rule like sdp.session_info; bsize:0 trigger an alert if the session_info field is not present at all?
There was a problem hiding this comment.
No, cf #11906 which adds absent keyword to match when the field is not present
|
Replaced with #11961 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Make sure these boxes are checked accordingly before submitting your Pull Request -- thank you.
Contribution style:
https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html
Our Contribution agreements:
https://suricata.io/about/contribution-agreement/ (note: this is only required once)
Changes (if applicable):
(including schema descriptions)
https://redmine.openinfosecfoundation.org/projects/suricata/issues
Link to ticket: https://redmine.openinfosecfoundation.org/issues/
Describe changes:
sdp.media.bandwidthandsdp.media.attributesticky buffers have not been implemented yet because the media field is a vector ofMediaDescription, and both thebandwidthandattributefields are vectors as well.I believe the multi-buffer API cannot handle such a situation.
If I'm not mistaken, a simple solution could be to "stringify" these fields like this:
Personal considerations:
sdp.media.*sticky buffers were initially meant to be namedsdp.media_descriptions.*, but I realized the names were too long. I wonder if I should rename themedia_descriptionfield tomediafor consistency.sdp.media.media; I would prefer to rename it tosdp.media.name, or justsdp.media, and adjust the logged field name if necessary.SV_BRANCH=OISF/suricata-verify#2076