main.zeek

SIP

Implements base functionality for SIP analysis. The logging model is to log request/response pairs and all relevant metadata together in a single record.

Namespace:: SIP
Imports:: base/protocols/conn/removal-hooks.zeek, base/utils/files.zeek, base/utils/numbers.zeek

Summary

Runtime Options

SIP::sip_methods: set &redef

A list of SIP methods.

Types

`SIP::Info`: `record`	The record type which contains the fields of the SIP log.
`SIP::State`: `record`

Redefinitions

`Log::ID`: `enum`	`SIP::LOG`
`connection`: `record`	New Fields: `connection` sip: `SIP::Info` `&optional` sip_state: `SIP::State` `&optional`
`likely_server_ports`: `set` `&redef`

Events

SIP::log_sip: event

Event that can be handled to access the SIP record as it is sent on to the logging framework.

Hooks

`SIP::finalize_sip`: `Conn::RemovalHook`	SIP finalization hook.
`SIP::log_policy`: `Log::PolicyHook`

Detailed Interface

Runtime Options

SIP::sip_methods 

Type:

set [string]

Attributes:

&redef

Default:

{
   "BYE",
   "SUBSCRIBE",
   "NOTIFY",
   "REGISTER",
   "INVITE",
   "CANCEL",
   "OPTIONS",
   "ACK"
}

A list of SIP methods. Other methods will generate a weird. Note that the SIP analyzer will only accept methods consisting solely of letters [A-Za-z].

Types

SIP::Info 

Type:

record

Fields:

ts: time &log: Timestamp for when the request happened.

uid: string &log: Unique ID for the connection.

id: conn_id &log: The connection’s 4-tuple of endpoint addresses/ports.

trans_depth: count &log: Represents the pipelined depth into the connection of this request/response transaction.

method: string &log &optional: Verb used in the SIP request (INVITE, REGISTER etc.).

uri: string &log &optional: URI used in the request.

date: string &log &optional: Contents of the Date: header from the client

request_from: string &log &optional: Contents of the request From: header Note: The tag= value that’s usually appended to the sender is stripped off and not logged.

request_to: string &log &optional: Contents of the To: header

response_from: string &log &optional: Contents of the response From: header Note: The tag= value that’s usually appended to the sender is stripped off and not logged.

response_to: string &log &optional: Contents of the response To: header

reply_to: string &log &optional: Contents of the Reply-To: header

call_id: string &log &optional: Contents of the Call-ID: header from the client

seq: string &log &optional: Contents of the CSeq: header from the client

subject: string &log &optional: Contents of the Subject: header from the client

request_path: vector of string &log &optional: The client message transmission path, as extracted from the headers.

response_path: vector of string &log &optional: The server message transmission path, as extracted from the headers.

user_agent: string &log &optional: Contents of the User-Agent: header from the client

status_code: count &log &optional: Status code returned by the server.

status_msg: string &log &optional: Status message returned by the server.

warning: string &log &optional: Contents of the Warning: header

request_body_len: count &log &optional: Contents of the Content-Length: header from the client

response_body_len: count &log &optional: Contents of the Content-Length: header from the server

content_type: string &log &optional: Contents of the Content-Type: header from the server

The record type which contains the fields of the SIP log.

SIP::State 

Type:

record

Fields:

pending: table [count] of SIP::Info: Pending requests.

current_request: count &default = 0 &optional: Current request in the pending queue.

current_response: count &default = 0 &optional: Current response in the pending queue.

Events

SIP::log_sip 

Type:: event (rec: SIP::Info)

Event that can be handled to access the SIP record as it is sent on to the logging framework.

Hooks

SIP::finalize_sip 

Type:: Conn::RemovalHook

SIP finalization hook. Remaining SIP info may get logged when it’s called.

SIP::log_policy 

Type:: Log::PolicyHook