OISF · glongo · Oct 4, 2024 · Oct 15, 2024 · catenacyber · Jan 28, 2025
diff --git a/tests/sip-sdp/sdp.pcap b/tests/sip-sdp/sdp.pcap
diff --git a/tests/sip-sdp/sdp.syn b/tests/sip-sdp/sdp.syn
@@ -29,5 +29,44 @@ z=2882844526 -1h 2898848070 0\x0d
 k=prompt\x0d
 a=sendrecv\x0d
 m=audio 30000 RTP/AVP 0 8 97 2 3\x0d
+i=media info\x0d
+c=IN IP4 192.168.1.2\x0d
+k=prompt\x0d
+a=rtpmap:0 pcmu/8000\x0d\x0a";);
+default < (content:"SIP/2.0 200 Ok\x0d
+Via: SIP/2.0/UDP 192.168.1.2:5060;branch=z9hG4bKnp104984053-44ce4a41192.168.1.2;rport\x0d
+From: \"arik\" <sip:[email protected]>;tag=6433ef9\x0d
+To: <sip:[email protected]>\x0d
+Call-ID: [email protected]\x0d
+CSeq: 1 INVITE\x0d
+User-Agent: Nero SIPPS IP Phone Version 2.0.51.16\x0d
+Expires: 120\x0d
+Accept: application/sdp\x0d
+Content-Type: application/sdp\x0d
+Content-Length: 272\x0d
+Contact: <sip:[email protected]>\x0d
+Max-Forwards: 70\x0d
+Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, INFO\x0d
+\x0d
+v=0\x0d
+o=SIPPS 105015165 105015162 IN IP4 192.168.1.2\x0d
+s=SIP call\x0d
+i=Session Description Protocol\x0d
+u=https://www.sdp.proto\x0d
+[email protected] (Jane Doe)\x0d
+p=+1 617 555-6011 (Jane Doe)\x0d
+c=IN IP4 192.168.1.2\x0d
+b=AS:64\x0d
+t=3034423619 3042462419\x0d
+r=604800 3600 0 90000\x0d
+z=2882844526 -1h 2898848070 0\x0d
+k=prompt\x0d
+a=sendrecv\x0d
+m=audio 30000 RTP/AVP 0 8 97 2 3\x0d
+i=media info\x0d
+c=IN IP4 192.168.1.2\x0d
+k=prompt\x0d
+a=rtpmap:0 pcmu/8000\x0d
+m=audio 20000 RTP/AVP 0 8 97 2 3\x0d
 a=rtpmap:0 pcmu/8000\x0d\x0a";);
 
diff --git a/tests/sip-sdp/test.rules b/tests/sip-sdp/test.rules
@@ -0,0 +1,20 @@
+alert sip any any -> any any (flow:to_server; sdp.origin; content:"SIPPS 105015165 105015162 IN IP4 192.168.1.2"; sdp.session_name; content:"SIP call"; \
+	sdp.session_info; content:"Session Description Protocol"; sid:1;)
+alert sip any any -> any any (flow:to_server; sdp.uri; content:"https://www.sdp.proto"; sdp.email; content:"[email protected] (Jane Doe)"; \
+	sdp.phone_number; content:"+1 617 555-6011 (Jane Doe)"; sid:2;)
+alert sip any any -> any any (flow:to_server; sdp.connection_data; content:"IN IP4 192.168.1.2"; sdp.bandwidth; content:"AS:64"; sid:3;)
+alert sip any any -> any any (flow:to_server; sdp.time; content:"3034423619 3042462419"; sdp.repeat_time; content:"604800 3600 0 90000"; \
+	sdp.timezone; content:"2882844526 -1h 2898848070 0"; sid:4;)
+alert sip any any -> any any (flow:to_server; sdp.encryption_key; content:"prompt"; sdp.attribute; content:"sendrecv"; sid:5;)
+alert sip any any -> any any (flow:to_server; sdp.media.media; content:"audio 30000 RTP/AVP 0 8 97 2 3"; sdp.media.encryption_key; content:"prompt"; \
+	sdp.media.connection_data; content:"IN IP4 192.168.1.2"; sdp.media.media_info; content:"media info"; sid:6;)
+alert sip any any -> any any (flow:to_client; sdp.origin; content:"SIPPS 105015165 105015162 IN IP4 192.168.1.2"; sdp.session_name; content:"SIP call"; \
+	sdp.session_info; content:"Session Description Protocol"; sid:7;)
+alert sip any any -> any any (flow:to_client; sdp.uri; content:"https://www.sdp.proto"; sdp.email; content:"[email protected] (Jane Doe)"; \
+	sdp.phone_number; content:"+1 617 555-6011 (Jane Doe)"; sid:8;)
+alert sip any any -> any any (flow:to_client; sdp.connection_data; content:"IN IP4 192.168.1.2"; sdp.bandwidth; content:"AS:64"; sid:9;)
+alert sip any any -> any any (flow:to_client; sdp.time; content:"3034423619 3042462419"; sdp.repeat_time; content:"604800 3600 0 90000"; \
+	sdp.timezone; content:"2882844526 -1h 2898848070 0"; sid:10;)
+alert sip any any -> any any (flow:to_client; sdp.encryption_key; content:"prompt"; sdp.attribute; content:"sendrecv"; sid:11;)
+alert sip any any -> any any (flow:to_client; sdp.media.media; content:"audio 30000 RTP/AVP 0 8 97 2 3"; sdp.media.encryption_key; content:"prompt"; \
+	sdp.media.connection_data; content:"IN IP4 192.168.1.2"; sdp.media.media_info; content:"media info"; sid:12;)
diff --git a/tests/sip-sdp/test.yaml b/tests/sip-sdp/test.yaml
@@ -20,11 +20,73 @@ checks:
         sip.sdp.phone_number: +1 617 555-6011 (Jane Doe)
         sip.sdp.connection_data: IN IP4 192.168.1.2
         sip.sdp.bandwidths[0]: AS:64
-        sip.sdp.time: 3034423619 3042462419
-        sip.sdp.repeat_time: 604800 3600 0 90000
+        sip.sdp.time_descriptions[0].time: 3034423619 3042462419
+        sip.sdp.time_descriptions[0].repeat_time: 604800 3600 0 90000
         sip.sdp.timezone: 2882844526 -1h 2898848070 0
         sip.sdp.encryption_key: prompt
         sip.sdp.attributes[0]: sendrecv
         sip.sdp.media_descriptions[0].media: audio 30000 RTP/AVP 0 8 97 2 3
+        sip.sdp.media_descriptions[0].media_info: media info
+        sip.sdp.media_descriptions[0].connection_data: IN IP4 192.168.1.2
+        sip.sdp.media_descriptions[0].encryption_key: prompt
         sip.sdp.media_descriptions[0].attributes[0]: rtpmap:0 pcmu/8000
-
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 6
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 7
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 9
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 10
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 11
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 12