Feature #6374
closedSticky buffers for sip headers
Description
A common attack on sip servers consists of putting SQL injection or JS code into request headers.
Implementing sticky buffers that inspects on headers will permit to detect those attacks.
I propose to start adding keywords for the following fields:
- Via
- From
- To
- User-agent
- Content-type
- Content-length
Updated by Victor Julien about 1 year ago
- Target version changed from 8.0.0 to 8.0.0-beta1
Updated by Philippe Antoine 8 months ago
- Status changed from New to In Progress
https://github.com/OISF/suricata/pull/10839
Why not a generic sip.request_header keyword ? whose buffer would be name+value like http.request_header
Updated by Philippe Antoine 7 months ago
- Status changed from In Progress to In Review
Updated by Brandon Murphy 7 months ago
Philippe Antoine wrote in #note-2:
Why not a generic sip.request_header keyword ? whose buffer would be name+value like http.request_header
Sometimes the inclusion of the header name requires different content logic that is cumbersome. Perhaps sip would be a good target for initial implementation of dynamic sticky buffers as mentioned in #5775?
Updated by Giuseppe Longo 3 months ago
- Status changed from In Review to Closed
Merged with https://github.com/OISF/suricata/pull/11809