base/protocols/sip/main.zeek

SIP

Implements base functionality for SIP analysis. The logging model is to log request/response pairs and all relevant metadata together in a single record.

Namespace: SIP
Imports: base/utils/files.zeek, base/utils/numbers.zeek

Summary

Runtime Options

SIP::sip_methods: set &redef A list of SIP methods.

Types

SIP::Info: record The record type which contains the fields of the SIP log.
SIP::State: record

Events

SIP::log_sip: event Event that can be handled to access the SIP record as it is sent on to the logging framework.

Detailed Interface

Runtime Options

SIP::sip_methods
Type:

set [string]

Attributes:

&redef

Default:
{
   "NOTIFY",
   "ACK",
   "SUBSCRIBE",
   "CANCEL",
   "OPTIONS",
   "REGISTER",
   "INVITE",
   "BYE"
}

A list of SIP methods. Requests using any other method generate a weird. Note that the SIP analyzer only accepts methods consisting solely of letters [A-Za-z].
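The default set above covers only the core RFC 3261 methods plus SUBSCRIBE/NOTIFY, so a site running PRACK, REFER or MESSAGE traffic fills weird.log with entries that are not really anomalous. The following script is an added example, not code from Zeek's base/protocols/sip/main.zeek: it extends SIP::sip_methods with the common extension methods and, instead of relying on the weird, raises a notice for any request whose method is still outside the set. The module name, the notice type Unexpected_Method and the choice of methods are assumptions for this example.

```zeek
# Added example (not part of Zeek's base/protocols/sip/main.zeek).
@load base/frameworks/notice
@load base/protocols/sip

module SIPMethods;

export {
	redef enum Notice::Type += {
		## A request used a method that is not in SIP::sip_methods (assumed name).
		Unexpected_Method,
	};
}

# Extension methods from RFC 3262 (PRACK), RFC 6086 (INFO), RFC 3311 (UPDATE),
# RFC 3515 (REFER), RFC 3428 (MESSAGE) and RFC 3903 (PUBLISH). Adding them to
# the set means they are logged normally instead of generating a weird.
# Which of these to allow is a per-site assumption.
redef SIP::sip_methods += {
	"PRACK",
	"INFO",
	"UPDATE",
	"REFER",
	"MESSAGE",
	"PUBLISH"
};

# Anything still outside the set becomes a notice rather than only a weird.
# sip_request is the analyzer event that main.zeek itself handles for requests.
event sip_request(c: connection, method: string, original_URI: string, version: string)
{
	if ( method in SIP::sip_methods )
		return;

	NOTICE([$note=Unexpected_Method,
	        $conn=c,
	        $msg=fmt("unexpected SIP method %s for %s", method, original_URI),
	        $sub=method,
	        # One notice per (client, method) pair during the suppression interval.
	        $identifier=cat(c$id$orig_h, method)]);
}
```

Because the analyzer only accepts methods made of letters [A-Za-z], a request line such as "INV1TE sip:... SIP/2.0" never reaches sip_request at all; that case still surfaces only as a protocol weird, not through this notice.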

Types

SIP::Info
Type:

record

ts: time &log

Timestamp for when the request happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

trans_depth: count &log

Represents the pipelined depth into the connection of this request/response transaction.

method: string &log &optional

Verb used in the SIP request (INVITE, REGISTER etc.).

uri: string &log &optional

URI used in the request.

date: string &log &optional

Contents of the Date: header from the client

request_from: string &log &optional

Contents of the request From: header. Note: the tag= value that is usually appended to the sender is stripped off and not logged.

request_to: string &log &optional

Contents of the To: header

response_from: string &log &optional

Contents of the response From: header. Note: the tag= value that is usually appended to the sender is stripped off and not logged.

response_to: string &log &optional

Contents of the response To: header

reply_to: string &log &optional

Contents of the Reply-To: header

call_id: string &log &optional

Contents of the Call-ID: header from the client

seq: string &log &optional

Contents of the CSeq: header from the client

subject: string &log &optional

Contents of the Subject: header from the client

request_path: vector of string &log &optional

The client message transmission path, as extracted from the headers.

response_path: vector of string &log &optional

The server message transmission path, as extracted from the headers.

user_agent: string &log &optional

Contents of the User-Agent: header from the client

status_code: count &log &optional

Status code returned by the server.

status_msg: string &log &optional

Status message returned by the server.

warning: string &log &optional

Contents of the Warning: header

request_body_len: count &log &optional

Contents of the Content-Length: header from the client

response_body_len: count &log &optional

Contents of the Content-Length: header from the server

content_type: string &log &optional

Contents of the Content-Type: header from the server

The record type which contains the fields of the SIP log.

SIP::State
Type:

record

pending: table [count] of SIP::Info

Pending requests.

current_request: count &default = 0 &optional

Current request in the pending queue.

current_response: count &default = 0 &optional

Current response in the pending queue.

Events

SIP::log_sip
Type: event (rec: SIP::Info)

Event that can be handled to access the SIP record as it is sent on to the logging framework.
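Nearly every field of SIP::Info is &optional: a request that never received a response has no status_code, and a transaction seen only from the server side may have no method. Any SIP::log_sip handler therefore has to test presence with ?$ before reading a field. The script below is an added example, not code from Zeek's base/protocols/sip/main.zeek, that uses the record as it reaches the logging framework to count rejected REGISTER transactions per client address and raise a notice once a threshold is reached. The module name, the notice type Register_Bruteforce, the threshold and the window are assumptions.

```zeek
# Added example (not part of Zeek's base/protocols/sip/main.zeek):
# flag a client that accumulates many rejected REGISTER attempts.
@load base/frameworks/notice
@load base/protocols/sip

module SIPRegisterFailures;

export {
	redef enum Notice::Type += {
		## One source address had many REGISTER attempts rejected (assumed name).
		Register_Bruteforce,
	};

	## Rejected REGISTER responses from one orig_h that trigger the notice.
	## The value is an assumption and must sit above normal churn: a legitimate
	## client produces one 401/407 challenge per registration.
	const threshold: count = 10 &redef;

	## Counting window; entries idle this long are forgotten.
	const window: interval = 5min &redef;
}

# orig_h -> number of rejected REGISTER transactions seen within the window.
global failed: table[addr] of count &write_expire=window;

event SIP::log_sip(rec: SIP::Info)
{
	# Both fields are &optional; a request without a response has no status_code.
	if ( ! rec?$method || ! rec?$status_code )
		return;

	if ( rec$method != "REGISTER" )
		return;

	# 401 and 407 are digest challenges, 403 is an outright rejection.
	if ( rec$status_code != 401 && rec$status_code != 403 && rec$status_code != 407 )
		return;

	local h = rec$id$orig_h;
	if ( h !in failed )
		failed[h] = 0;
	++failed[h];

	if ( failed[h] == threshold )
		{
		# request_from is optional too; the tag= part is already stripped by main.zeek.
		local who = rec?$request_from ? rec$request_from : "<unknown>";
		NOTICE([$note=Register_Bruteforce,
		        $src=h,
		        $msg=fmt("%d rejected SIP REGISTER attempts from %s (last From: %s)",
		                 failed[h], h, who),
		        $identifier=cat(h),
		        $suppress_for=window]);
		}
}
```

Because SIP::log_sip fires once per request/response pair, the handler never sees a retransmitted request as a separate event; the count reflects transactions as Zeek paired them via trans_depth, not raw packets. Over UDP, where requests and responses are often on separate connections, the pairing depends on the analyzer seeing both directions on the same 4-tuple.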