sip: add tests for headers sticky buffers

Ticket #6374
OISF · Sep 22, 2024 · 8f04776 · 8f04776
1 parent 83bda40
commit 8f04776
Show file tree

Hide file tree

Showing 30 changed files with 268 additions and 0 deletions.
diff --git a/tests/sip-compact-form/Makefile b/tests/sip-compact-form/Makefile
@@ -0,0 +1,2 @@
+sip_compact_form.pcap: sip_compact_form.syn
+	flowsynth.py -f pcap -w $@ $^
diff --git a/tests/sip-compact-form/README.md b/tests/sip-compact-form/README.md
@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that SIP headers with compact form are matched.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
diff --git a/tests/sip-compact-form/sip_compact_form.pcap b/tests/sip-compact-form/sip_compact_form.pcap
diff --git a/tests/sip-compact-form/sip_compact_form.syn b/tests/sip-compact-form/sip_compact_form.syn
@@ -0,0 +1,33 @@
+flow default udp 1.1.1.1:5555 > 2.2.2.2:5060;
+default > (content:"INVITE sip:97239287044@voip.brujula.net SIP/2.0\x0d
+v: SIP/2.0/UDP 192.168.1.2:5060;branch=z9hG4bKnp104984053-44ce4a41192.168.1.2;rport\x0d
+f: \"arik\" <sip:816666@voip.brurjula.net>;tag=6433ef9\x0d
+t: <sip:97239287044@voip.brujula.net>\x0d
+Call-ID: 105090259-446faf7a@192.168.1.2\x0d
+CSeq: 1 INVITE\x0d
+User-Agent: Nero SIPPS IP Phone Version 2.0.51.16\x0d
+Expires: 120\x0d
+Accept: application/sdp\x0d
+c: application/sdp\x0d
+l: 272\x0d
+Contact: <sip:816666@192.168.1.2>\x0d
+Max-Forwards: 70\x0d
+Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, INFO\x0d
+\x0d
+v=0\x0d
+o=SIPPS 105015165 105015162 IN IP4 192.168.1.2\x0d
+s=SIP call\x0d
+i=Session Description Protocol\x0d
+u=https://www.sdp.proto\x0d
+e=j.doe@example.com (Jane Doe)\x0d
+p=+1 617 555-6011 (Jane Doe)\x0d
+c=IN IP4 192.168.1.2\x0d
+b=AS:64\x0d
+t=3034423619 3042462419\x0d
+r=604800 3600 0 90000\x0d
+z=2882844526 -1h 2898848070 0\x0d
+k=prompt\x0d
+a=sendrecv\x0d
+m=audio 30000 RTP/AVP 0 8 97 2 3\x0d
+a=rtpmap:0 pcmu/8000\x0d\x0a";);
+
diff --git a/tests/sip-compact-form/test.rules b/tests/sip-compact-form/test.rules
@@ -0,0 +1,6 @@
+alert sip any any -> any any (sip.from; content:"arik"; sid:1;)
+alert sip any any -> any any (sip.to; content:"sip:"; sid:2;)
+alert sip any any -> any any (sip.via; content:"SIP/2.0/UDP"; sid:3;)
+alert sip any any -> any any (sip.content_type; content:"application/sdp"; sid:4;)
+alert sip any any -> any any (sip.content_length; content:"272"; sid:5;)
+
diff --git a/tests/sip-compact-form/test.yaml b/tests/sip-compact-form/test.yaml
@@ -0,0 +1,34 @@
+pcap: sip_compact_form.pcap
+
+args:
+- -k none
+
+requires:
+  min-version: 8.0.0
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5
diff --git a/tests/sip-content-length/README.md b/tests/sip-content-length/README.md
@@ -0,0 +1 @@
+Match on SIP Content-Length header field.
diff --git a/tests/sip-content-length/test.rules b/tests/sip-content-length/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.content_length; content:"270"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.content_length; content:"199"; sid:2;)
diff --git a/tests/sip-content-length/test.yaml b/tests/sip-content-length/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+  min-version: 8.0.0
+
+checks:
+  - filter:
+      count: 8
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
diff --git a/tests/sip-content-type/README.md b/tests/sip-content-type/README.md
@@ -0,0 +1 @@
+Match on SIP Content-Type header field.
diff --git a/tests/sip-content-type/test.rules b/tests/sip-content-type/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.content_type; content:"application/sdp"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.content_type; content:"application/sdp"; sid:2;)
diff --git a/tests/sip-content-type/test.yaml b/tests/sip-content-type/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+  min-version: 8.0.0
+
+checks:
+  - filter:
+      count: 11
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
diff --git a/tests/sip-from/README.md b/tests/sip-from/README.md
@@ -0,0 +1 @@
+Match on SIP From header field.
diff --git a/tests/sip-from/test.rules b/tests/sip-from/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.from; content:"sip:"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.from; content:"sip:"; sid:2;)
diff --git a/tests/sip-from/test.yaml b/tests/sip-from/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+  min-version: 8.0.0
+
+checks:
+  - filter:
+      count: 47
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 34
+      match:
+        event_type: alert
+        alert.signature_id: 2
diff --git a/tests/sip-header-multi-value/Makefile b/tests/sip-header-multi-value/Makefile
@@ -0,0 +1,2 @@
+sip_header_multi_val.pcap: sip_header_multi_val.syn
+	flowsynth.py -f pcap -w $@ $^
diff --git a/tests/sip-header-multi-value/README.md b/tests/sip-header-multi-value/README.md
@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that SIP header with multiple values are matched.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
diff --git a/tests/sip-header-multi-value/sip_header_multi_val.pcap b/tests/sip-header-multi-value/sip_header_multi_val.pcap
diff --git a/tests/sip-header-multi-value/sip_header_multi_val.syn b/tests/sip-header-multi-value/sip_header_multi_val.syn
@@ -0,0 +1,34 @@
+flow default udp 1.1.1.1:5555 > 2.2.2.2:5060;
+default > (content:"INVITE sip:97239287044@voip.brujula.net SIP/2.0\x0d
+v: SIP/2.0/UDP 192.168.1.2:5060;branch=z9hG4bKnp104984053-44ce4a41192.168.1.2;rport\x0d
+f: \"arik\" <sip:816666@voip.brurjula.net>;tag=6433ef9\x0d
+t: <sip:97239287044@voip.brujula.net>\x0d
+To: <sip:12345@voip.brujula.net>\x0d
+Call-ID: 105090259-446faf7a@192.168.1.2\x0d
+CSeq: 1 INVITE\x0d
+User-Agent: Nero SIPPS IP Phone Version 2.0.51.16\x0d
+Expires: 120\x0d
+Accept: application/sdp\x0d
+c: application/sdp\x0d
+l: 272\x0d
+Contact: <sip:816666@192.168.1.2>\x0d
+Max-Forwards: 70\x0d
+Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, INFO\x0d
+\x0d
+v=0\x0d
+o=SIPPS 105015165 105015162 IN IP4 192.168.1.2\x0d
+s=SIP call\x0d
+i=Session Description Protocol\x0d
+u=https://www.sdp.proto\x0d
+e=j.doe@example.com (Jane Doe)\x0d
+p=+1 617 555-6011 (Jane Doe)\x0d
+c=IN IP4 192.168.1.2\x0d
+b=AS:64\x0d
+t=3034423619 3042462419\x0d
+r=604800 3600 0 90000\x0d
+z=2882844526 -1h 2898848070 0\x0d
+k=prompt\x0d
+a=sendrecv\x0d
+m=audio 30000 RTP/AVP 0 8 97 2 3\x0d
+a=rtpmap:0 pcmu/8000\x0d\x0a";);
+
diff --git a/tests/sip-header-multi-value/test.rules b/tests/sip-header-multi-value/test.rules
@@ -0,0 +1,3 @@
+alert sip any any -> any any (sip.to; content:"sip:97239287044"; sid:1;)
+alert sip any any -> any any (sip.to; content:"sip:12345"; sid:2;)
+
diff --git a/tests/sip-header-multi-value/test.yaml b/tests/sip-header-multi-value/test.yaml
@@ -0,0 +1,14 @@
+pcap: sip_header_multi_val.pcap
+
+args:
+- -k none
+
+requires:
+  min-version: 8.0.0
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
diff --git a/tests/sip-to/README.md b/tests/sip-to/README.md
@@ -0,0 +1 @@
+Match on SIP To header field.
diff --git a/tests/sip-to/test.rules b/tests/sip-to/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.to; content:"sip:97239287044"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.to; content:"sip:97239287044"; sid:2;)
diff --git a/tests/sip-to/test.yaml b/tests/sip-to/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+  min-version: 8.0.0
+
+checks:
+  - filter:
+      count: 15
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 3
+      match:
+        event_type: alert
+        alert.signature_id: 2
diff --git a/tests/sip-user-agent/README.md b/tests/sip-user-agent/README.md
@@ -0,0 +1 @@
+Match on SIP User-Agent header field.
diff --git a/tests/sip-user-agent/test.rules b/tests/sip-user-agent/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_server; sip.user_agent; content:"Nero"; sid:1;)
diff --git a/tests/sip-user-agent/test.yaml b/tests/sip-user-agent/test.yaml
@@ -0,0 +1,14 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+  min-version: 8.0.0
+
+checks:
+  - filter:
+      count: 40
+      match:
+        event_type: alert
+        alert.signature_id: 1
diff --git a/tests/sip-via/README.md b/tests/sip-via/README.md
@@ -0,0 +1 @@
+Match on SIP Via header field.
diff --git a/tests/sip-via/test.rules b/tests/sip-via/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.via; content:"SIP/2.0/UDP"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.via; content:"SIP/2.0/UDP"; sid:2;)
diff --git a/tests/sip-via/test.yaml b/tests/sip-via/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+  min-version: 8.0.0
+
+checks:
+  - filter:
+      count: 47
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 34
+      match:
+        event_type: alert
+        alert.signature_id: 2