base/protocols/sip/main.zeek

SIP

Implements base functionality for SIP analysis. The logging model is to log request/response pairs and all relevant metadata together in a single record.

Namespace:SIP Imports:base/protocols/conn/removal-hooks.zeek, base/utils/files.zeek, base/utils/numbers.zeek

Summary

Runtime Options

SIP::sip_methods: set &redef

A list of SIP methods.

Types

SIP::Info: record	The record type which contains the fields of the SIP log.
SIP::State: record

Redefinitions

Log::ID: enum
connection: record
likely_server_ports: set &redef

Events

SIP::log_sip: event

Event that can be handled to access the SIP record as it is sent on to the logging framework.

Hooks

SIP::finalize_sip: Conn::RemovalHook

SIP finalization hook.

Detailed Interface

Runtime Options

SIP::sip_methods

Type:

set [string]

Attributes:

&redef

Default:

{
   "BYE",
   "SUBSCRIBE",
   "NOTIFY",
   "REGISTER",
   "INVITE",
   "CANCEL",
   "OPTIONS",
   "ACK"
}

A list of SIP methods. Other methods will generate a weird. Note that the SIP analyzer will only accept methods consisting solely of letters [A-Za-z].

Types

SIP::Info

Type:

record

ts: time &log

Timestamp for when the request happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

trans_depth: count &log

Represents the pipelined depth into the connection of this request/response transaction.

method: string &log &optional

Verb used in the SIP request (INVITE, REGISTER etc.).

uri: string &log &optional

URI used in the request.

date: string &log &optional

Contents of the Date: header from the client

request_from: string &log &optional

Contents of the request From: header Note: The tag= value that’s usually appended to the sender is stripped off and not logged.

request_to: string &log &optional

Contents of the To: header

response_from: string &log &optional

Contents of the response From: header Note: The tag= value that’s usually appended to the sender is stripped off and not logged.

response_to: string &log &optional

Contents of the response To: header

reply_to: string &log &optional

Contents of the Reply-To: header

call_id: string &log &optional

Contents of the Call-ID: header from the client

seq: string &log &optional

Contents of the CSeq: header from the client

subject: string &log &optional

Contents of the Subject: header from the client

request_path: vector of string &log &optional

The client message transmission path, as extracted from the headers.

response_path: vector of string &log &optional

The server message transmission path, as extracted from the headers.

user_agent: string &log &optional

Contents of the User-Agent: header from the client

status_code: count &log &optional

Status code returned by the server.

status_msg: string &log &optional

Status message returned by the server.

warning: string &log &optional

Contents of the Warning: header

request_body_len: count &log &optional

Contents of the Content-Length: header from the client

response_body_len: count &log &optional

Contents of the Content-Length: header from the server

content_type: string &log &optional

Contents of the Content-Type: header from the server

The record type which contains the fields of the SIP log.

SIP::State

Type:

record

pending: table [count] of SIP::Info

Pending requests.

current_request: count &default = 0 &optional

Current request in the pending queue.

current_response: count &default = 0 &optional

Current response in the pending queue.

Events

SIP::log_sip

Type:event (rec: SIP::Info)

Event that can be handled to access the SIP record as it is sent on to the logging framework.

Hooks

SIP::finalize_sip

Type:Conn::RemovalHook

SIP finalization hook. Remaining SIP info may get logged when it’s called.