Project

General

Profile

Actions
Copy link

Feature #6374

open

Sticky buffers for sip headers

Added by Giuseppe Longo 10 months ago. Updated 2 months ago.

Status:
In Review
Priority:
Normal
Assignee:
Giuseppe Longo
Target version:
8.0.0-beta1
Effort:
Difficulty:
Label:

Description

A common attack on sip servers consists of putting SQL injection or JS code into request headers.
Implementing sticky buffers that inspects on headers will permit to detect those attacks.

I propose to start adding keywords for the following fields:

- Via
- From
- To
- User-agent
- Content-type
- Content-length

Actions
Copy link
 #1

Updated by Victor Julien 9 months ago

  • Target version changed from 8.0.0 to 8.0.0-beta1
Actions
Copy link
 #2

Updated by Philippe Antoine 3 months ago

  • Status changed from New to In Progress

https://github.com/OISF/suricata/pull/10839

Why not a generic sip.request_header keyword ? whose buffer would be name+value like http.request_header

Actions
Copy link
 #3

Updated by Philippe Antoine 2 months ago

  • Status changed from In Progress to In Review
Actions
Copy link
 #4

Updated by Brandon Murphy 2 months ago

Philippe Antoine wrote in #note-2:

Why not a generic sip.request_header keyword ? whose buffer would be name+value like http.request_header

Sometimes the inclusion of the header name requires different content logic that is cumbersome. Perhaps sip would be a good target for initial implementation of dynamic sticky buffers as mentioned in #5775?

Actions
Copy link

Also available in: Atom PDF