main.zeek¶

SIP¶

Implements base functionality for SIP analysis. The logging model is to log request/response pairs and all relevant metadata together in a single record.

Namespace:	SIP
Imports:	base/protocols/conn/removal-hooks.zeek, base/utils/files.zeek, base/utils/numbers.zeek

Summary¶

Runtime Options¶

SIP::sip_methods: set &redef A list of SIP methods.

Types¶

`SIP::Info`: `record`	The record type which contains the fields of the SIP log.
`SIP::State`: `record`

Redefinitions¶

Log::ID: enum

SIP::LOG

connection: record

New Fields:

connection

sip: SIP::Info &optional

sip_state: SIP::State &optional

likely_server_ports: set &redef

Events¶

SIP::log_sip: event Event that can be handled to access the SIP record as it is sent on to the logging framework.

Hooks¶

`SIP::finalize_sip`: `Conn::RemovalHook`	SIP finalization hook.
`SIP::log_policy`: `Log::PolicyHook`

Detailed Interface¶

Runtime Options¶

SIP::sip_methods¶

Type:	`set` [`string`]
Attributes:	`&redef`
Default:	{ "BYE", "SUBSCRIBE", "NOTIFY", "REGISTER", "INVITE", "CANCEL", "OPTIONS", "ACK" }

A list of SIP methods. Other methods will generate a weird. Note that the SIP analyzer will only accept methods consisting solely of letters [A-Za-z].

Types¶

SIP::Info¶

Type:

record

ts: time &log: Timestamp for when the request happened.
uid: string &log: Unique ID for the connection.
id: conn_id &log: The connection’s 4-tuple of endpoint addresses/ports.
trans_depth: count &log: Represents the pipelined depth into the connection of this request/response transaction.
method: string &log &optional: Verb used in the SIP request (INVITE, REGISTER etc.).
uri: string &log &optional: URI used in the request.
date: string &log &optional: Contents of the Date: header from the client
request_from: string &log &optional: Contents of the request From: header Note: The tag= value that’s usually appended to the sender is stripped off and not logged.
request_to: string &log &optional: Contents of the To: header
response_from: string &log &optional: Contents of the response From: header Note: The tag= value that’s usually appended to the sender is stripped off and not logged.
response_to: string &log &optional: Contents of the response To: header
reply_to: string &log &optional: Contents of the Reply-To: header
call_id: string &log &optional: Contents of the Call-ID: header from the client
seq: string &log &optional: Contents of the CSeq: header from the client
subject: string &log &optional: Contents of the Subject: header from the client
request_path: vector of string &log &optional: The client message transmission path, as extracted from the headers.
response_path: vector of string &log &optional: The server message transmission path, as extracted from the headers.
user_agent: string &log &optional: Contents of the User-Agent: header from the client
status_code: count &log &optional: Status code returned by the server.
status_msg: string &log &optional: Status message returned by the server.
warning: string &log &optional: Contents of the Warning: header
request_body_len: count &log &optional: Contents of the Content-Length: header from the client
response_body_len: count &log &optional: Contents of the Content-Length: header from the server
content_type: string &log &optional: Contents of the Content-Type: header from the server

The record type which contains the fields of the SIP log.

SIP::State¶

Type:

record

pending: table [count] of SIP::Info: Pending requests.
current_request: count &default = 0 &optional: Current request in the pending queue.
current_response: count &default = 0 &optional: Current response in the pending queue.

Events¶

SIP::log_sip¶

Type:	`event` (rec: `SIP::Info`)

Event that can be handled to access the SIP record as it is sent on to the logging framework.

Hooks¶

SIP::finalize_sip¶

Type:	`Conn::RemovalHook`

SIP finalization hook. Remaining SIP info may get logged when it’s called.

SIP::log_policy¶

Type:	`Log::PolicyHook`