Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SDP: implements sticky buffers v3 #12327

Open
wants to merge 21 commits into
base: master
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions doc/userguide/rules/index.rst
Original file line number Diff line number Diff line change
@@ -29,6 +29,7 @@ Suricata Rules
snmp-keywords
base64-keywords
sip-keywords
sdp-keywords
rfb-keywords
mqtt-keywords
ike-keywords
382 changes: 382 additions & 0 deletions doc/userguide/rules/sdp-keywords.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,382 @@
SDP Keywords
============

The SDP keywords are implemented as sticky buffers and can be used to match on fields in SDP messages.

======================================== ==================
Keyword Direction
======================================== ==================
sdp.origin Both
sdp.session_name Both
sdp.session_info Both
sdp.uri Both
sdp.email Both
sdp.connection_data Both
sdp.bandwidth Both
sdp.time Both
sdp.repeat_time Both
sdp.timezone Both
sdp.encryption_key Both
sdp.attribute Both
sdp.media_description.media Both
sdp.media_description.session_info Both
sdp.media_description.connection_data Both
sdp.media_description.encryption_key Both
======================================== ==================

sdp.origin
----------

This keyword matches on the originator found in an SDP request or response.

Syntax
~~~~~~

::

sdp.origin; content:<origin>;

Where <origin> is an originator that follows the SDP Origin (o=) scheme.

Examples
~~~~~~~~

::

sdp.origin; content:"SIPPS 105015165 105015162 IN IP4 192.168.1.2";

sdp.session_name
----------------

This keyword matches on the session name found in an SDP request or response.

Syntax
~~~~~~

::

sdp.session_name; content:<session_name>;

Where <session_name> is a name that follows the SDP Session name (s=) scheme.

Examples
~~~~~~~~

::

sdp.session_name; content:"SIP call";

sdp.session_info
----------------

This keyword matches on the session information found in an SDP request or response.

Syntax
~~~~~~

::

sdp.session_info; content:<session_info>;

Where <session_info> is a description that follows the SDP Session information (i=) scheme.

Examples
~~~~~~~~

::

sdp.session_info; content:"Session Description Protocol";

sdp.uri
-------

This keyword matches on the URI found in an SDP request or response.

Syntax
~~~~~~

::

sdp.uri; content:<uri>;

Where <uri> is a URI (u=) that the follows the SDP scheme.

Examples
~~~~~~~~

::

sdp.uri; content:"https://www.sdp.proto"

sdp.email
---------

This keyword matches on the email found in an SDP request or response.

Syntax
~~~~~~

::

sdp.email; content:<email>

Where <email> is an email address (e=) that follows the SDP scheme.

Examples
~~~~~~~~

::

sdp.email; content:"j.doe@example.com (Jane Doe)";

sdp.phone_number
----------------

This keyword matches on the phone number found in an SDP request or response.

Syntax
~~~~~~

::

sdp.phone_number; content:<phone_number>

Where <phone_number> is a phone number (p=) that follows the SDP scheme.

Examples
~~~~~~~~

::

sdp.phone_number; content:"+1 617 555-6011 (Jane Doe)";

sdp.connection_data
-------------------

This keyword matches on the connection found in an SDP request or response.

Syntax
~~~~~~

::

sdp.connection_data; content:<connection_data>;

Where <connection_data> is a connection (c=) that follows the SDP scheme.

Examples
~~~~~~~~

::

sdp.connection_data; content:"IN IP4 192.168.1.2"

sdp.bandwidth
-------------

This keyword matches on the bandwidths found in an SDP request or response.

Syntax
~~~~~~

::

sdp.bandwidth; content:<bandwidth>

Where <bandwidth> is a bandwidth (b=) that follows the SDP scheme.

Example
~~~~~~~

::

sdp.bandwidth; content:"AS:64"

sdp.time
--------

This keyword matches on the time found in an SDP request or response.

Syntax
~~~~~~

::

sdp.time; content:<time>

Where <time> is a time (t=) that follows the SDP scheme.

Example
~~~~~~~

::

sdp.time; content:"3034423619 3042462419"

sdp.repeat_time
---------------

This keyword matches on the repeat time found in an SDP request or response.

Syntax
~~~~~~

::

sdp.repeat_time; content:<repeat_time>

Where <repeat_time> is a repeat time (r=) that follows the SDP scheme.

Example
~~~~~~~

::

sdp.repeat_time; content:"604800 3600 0 90000"

sdp.timezone
------------

This keyword matches on the timezone found in an SDP request or response.

Syntax
~~~~~~

::

sdp.timezone; content:<timezone>

Where <timezone> is a timezone (z=) that follows the SDP scheme.

Example
~~~~~~~

::

sdp.timezone; content:"2882844526 -1h 2898848070 0"

sdp.encryption_key
------------------

This keyword matches on the encryption key found in an SDP request or response.

Syntax
~~~~~~

::

sdp.encryption_key; content:<encryption_key>

Where <encryption_key> is a key (k=) that follows the SDP scheme.

Example
~~~~~~~

::

sdp.encryption_key; content:"prompt"

sdp.attribute
----------------

This keyword matches on the attributes found in an SDP request or response.

Syntax
~~~~~~

::

sdp.attribute; content:<attribute>

Where <attribute> is an attribute (a=) that follows the SDP scheme.

Example
~~~~~~~

::

sdp.attribute; content:"sendrecv"

sdp.media_description.media
---------------------------

This keyword matches on the Media subfield of a Media description field found in an SDP request or response.

Syntax
~~~~~~

::

sdp.media_description.media; content:<media>

Where <media> is a media (m=) that follows the SDP scheme.

Example
~~~~~~~

::

sdp.media_description.media; content:"audio 30000 RTP/AVP 0 8 97 2 3"

sdp.media_description.session_info
----------------------------------

This keyword matches on the Session information subfield of a Media description field found in an SDP request or response.

Syntax
~~~~~~

::

sdp.media_description.session_info; content:<session_info>

Where <session_info> is a description (i=) that follows the SDP scheme.

Example
~~~~~~~

::

sdp.media_description.session_info; content:"Session Description Protocol"

sdp.media_description.connection_data
-------------------------------------

This keyword matches on the Connection data subfield of a Media description field found in an SDP request or response.

Syntax
~~~~~~

::

sdp.media_description.connection_data; content:<connection_data>

Where <connection_data> is a connection (c=) that follows the SDP scheme.

Example
~~~~~~~

::

sdp.media_description.connection_data; content:"IN IP4 192.168.1.2"

sdp.media_description.encryption_key
------------------------------------

This keyword matches on the Encryption key subfield of a Media description field found in an SDP request or response.

Syntax
~~~~~~

::

sdp.media_description.encryption_key; content:<encryption_key>

Where <encryption_key> is a key (k=) that follows the SDP scheme.

Example
~~~~~~~

::

sdp.media_description.encryption_key; content:"prompt"
2 changes: 1 addition & 1 deletion doc/userguide/upgrade.rst
Original file line number Diff line number Diff line change
@@ -52,7 +52,7 @@ Major changes
for the ``stats`` event.
- Stats counters that are 0 can now be hidden from EVE logs. Default behavior
still logs those (see :ref:`EVE Output - Stats <eve-json-output-stats>` for configuration setting).
- SDP parser and logger have been introduced.
- SDP parser, logger and sticky buffers have been introduced.
Due to SDP being encapsulated within other protocols, such as SIP, they cannot be directly enabled or disabled.
Instead, both the SDP parser and logger depend on being invoked by another parser (or logger).
- ARP decoder and logger have been introduced.
Loading