Project

General

Profile

Actions

Feature #6374

closed

Sticky buffers for sip headers

Added by Giuseppe Longo about 1 year ago. Updated about 1 month ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

A common attack on sip servers consists of putting SQL injection or JS code into request headers.
Implementing sticky buffers that inspects on headers will permit to detect those attacks.

I propose to start adding keywords for the following fields:

- Via
- From
- To
- User-agent
- Content-type
- Content-length

Actions #1

Updated by Victor Julien 12 months ago

  • Target version changed from 8.0.0 to 8.0.0-beta1
Actions #2

Updated by Philippe Antoine 7 months ago

  • Status changed from New to In Progress

https://github.com/OISF/suricata/pull/10839

Why not a generic sip.request_header keyword ? whose buffer would be name+value like http.request_header

Actions #3

Updated by Philippe Antoine 6 months ago

  • Status changed from In Progress to In Review
Actions #4

Updated by Brandon Murphy 6 months ago

Philippe Antoine wrote in #note-2:

Why not a generic sip.request_header keyword ? whose buffer would be name+value like http.request_header

Sometimes the inclusion of the header name requires different content logic that is cumbersome. Perhaps sip would be a good target for initial implementation of dynamic sticky buffers as mentioned in #5775?

Actions #5

Updated by Giuseppe Longo about 1 month ago

  • Status changed from In Review to Closed
Actions

Also available in: Atom PDF