main.zeek

SIP

Implements base functionality for SIP analysis. The logging model is to log request/response pairs and all relevant metadata together in a single record.

Namespace: SIP
Imports: base/protocols/conn/removal-hooks.zeek, base/utils/files.zeek, base/utils/numbers.zeek

Summary

Runtime Options

SIP::sip_methods: set &redef

A list of SIP methods.

Types

`SIP::Info`: `record`	The record type which contains the fields of the SIP log.
`SIP::State`: `record`

Redefinitions

`Log::ID`: `enum`	`SIP::LOG`
`connection`: `record`	New Fields `connection` sip: `SIP::Info` `&optional` sip_state: `SIP::State` `&optional`
`likely_server_ports`: `set` `&redef`

Events

SIP::log_sip: event

Event that can be handled to access the SIP record as it is sent on to the logging framework.

Hooks

`SIP::finalize_sip`: `Conn::RemovalHook`	SIP finalization hook.
`SIP::log_policy`: `Log::PolicyHook`

Detailed Interface

Runtime Options

SIP::sip_methods 

Type

set [string]

Attributes

&redef

Default

{
   "BYE",
   "SUBSCRIBE",
   "NOTIFY",
   "REGISTER",
   "INVITE",
   "CANCEL",
   "OPTIONS",
   "ACK"
}

A list of SIP methods. Other methods will generate a weird. Note that the SIP analyzer will only accept methods consisting solely of letters [A-Za-z].

Types

SIP::Info 

Type

record

ts: time &log: Timestamp for when the request happened.
uid: string &log: Unique ID for the connection.
id: conn_id &log: The connection’s 4-tuple of endpoint addresses/ports.
trans_depth: count &log: Represents the pipelined depth into the connection of this request/response transaction.
method: string &log &optional: Verb used in the SIP request (INVITE, REGISTER etc.).
uri: string &log &optional: URI used in the request.
date: string &log &optional: Contents of the Date: header from the client
request_from: string &log &optional: Contents of the request From: header Note: The tag= value that’s usually appended to the sender is stripped off and not logged.
request_to: string &log &optional: Contents of the To: header
response_from: string &log &optional: Contents of the response From: header Note: The tag= value that’s usually appended to the sender is stripped off and not logged.
response_to: string &log &optional: Contents of the response To: header
reply_to: string &log &optional: Contents of the Reply-To: header
call_id: string &log &optional: Contents of the Call-ID: header from the client
seq: string &log &optional: Contents of the CSeq: header from the client
subject: string &log &optional: Contents of the Subject: header from the client
request_path: vector of string &log &optional: The client message transmission path, as extracted from the headers.
response_path: vector of string &log &optional: The server message transmission path, as extracted from the headers.
user_agent: string &log &optional: Contents of the User-Agent: header from the client
status_code: count &log &optional: Status code returned by the server.
status_msg: string &log &optional: Status message returned by the server.
warning: string &log &optional: Contents of the Warning: header
request_body_len: count &log &optional: Contents of the Content-Length: header from the client
response_body_len: count &log &optional: Contents of the Content-Length: header from the server
content_type: string &log &optional: Contents of the Content-Type: header from the server

The record type which contains the fields of the SIP log.

SIP::State 

Type

record

pending: table [count] of SIP::Info: Pending requests.
current_request: count &default = 0 &optional: Current request in the pending queue.
current_response: count &default = 0 &optional: Current response in the pending queue.

Events

SIP::log_sip 

Type: event (rec: SIP::Info)

Event that can be handled to access the SIP record as it is sent on to the logging framework.

Hooks

SIP::finalize_sip 

Type: Conn::RemovalHook

SIP finalization hook. Remaining SIP info may get logged when it’s called.

SIP::log_policy 

Type: Log::PolicyHook