
[Packetbeat] New SIP protocol #21221

Merged
merged 10 commits into from
Oct 6, 2020

Conversation

marc-gr
Contributor

@marc-gr marc-gr commented Sep 22, 2020

This is a re-opening of #7181 to fix merge issues.

TODO:

  • Parse VIA
  • Parse Contact
  • Parse Auth
  • Parse SDP body

Thanks to @tj8000rpm for the original work.

From the original PR:

Hi all. I implemented a new protocol, SIP, for packetbeat. #152
SIP (Session Initiation Protocol) is a communications protocol for signaling and controlling multimedia communication sessions. SIP is used by many VoIP applications, not only for enterprise use but also by telecom carriers.

SIP is a text-based protocol like HTTP, but SIP has various unique features such as:

  • SIP is a server-client model, but the roles may change call by call.
  • SIP is a request-response model, but the server may (usually) reply with many responses to one request.
  • There are many requests and responses in one call.
  • It is not known when the call will end.

Therefore, I implemented it with the following plan:

  • Publish for each SIP message (request or response)
  • Additional timestamp to make it possible to keep message order
  • Parse and store each header field and SDP body (optional)
  • The received raw message is stored as a text value (optional)

More detail is written in README.md

@marc-gr marc-gr requested a review from a team as a code owner September 22, 2020 14:02
@elasticmachine
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Sep 22, 2020
@elasticmachine
Collaborator

elasticmachine commented Sep 22, 2020

💚 Build Succeeded


Build stats

  • Build Cause: [Pull request #21221 updated]

  • Start Time: 2020-10-06T09:39:55.819+0000

  • Duration: 44 min 20 sec

Test stats 🧪

Test Results: Failed 0, Passed 1079, Skipped 10, Total 1089

@ebeahan ebeahan mentioned this pull request Sep 22, 2020
@tj8000rpm
Contributor

@marc-gr
I apologize for my late reply. 🙇
And thank you for taking over my pull request. I'll leave it to you. ❤️

@dainperkins

@marc-gr - is the json in the readme the planned final output? (just wondering if ECS normalization is handled later, or if it should be worked in at this level?)

@marc-gr
Contributor Author

marc-gr commented Sep 28, 2020

@marc-gr - is the json in the readme the planned final output? (just wondering if ECS normalization is handled later, or if it should be worked in at this level?)

This is the documentation coming from the original contribution, I will update all of it once we decide on mappings at elastic/ecs#420 and changes are done. Also will add some test pcaps to have some examples.

Member

@andrewkroh andrewkroh left a comment

Thanks for helping move the SIP PR along.

Review thread on packetbeat/protos/sip/sip_message.go (outdated, resolved)
return headers, firstLines
}

// TODO:The procedure with Content-Encoding(RFC3261).
Member

After merging this implementation let's create issues for the remaining TODOs and possibly document any limitations if they are likely to be encountered.

Review threads (outdated, resolved) on:
  • packetbeat/protos/sip/sip_message.go
  • packetbeat/protos/sip/sip_plugin.go
  • packetbeat/protos/sip/_meta/fields.yml
  • packetbeat/_meta/sample_outputs/sip.json
@andrewkroh
Member

For releasing this as beta, the code itself should log a notice about the use of beta software. We have the cfgwarn package that we normally use for this.

"sip.version": "2.0",
"source.ip": "192.168.1.2",
"source.port": 5060,
"status": "OK",
@dainperkins dainperkins Oct 2, 2020

status should only be for sip.type "response", and I think should be sip.status?

Contributor Author

Those are used by packetbeat and checked by system tests; we also have the SIP-specific ones.

"source.ip": "192.168.1.2",
"source.port": 5060,
"status": "OK",
"type": "sip"


does this need to be renamed or removed?

Contributor Author

Same as the previous one.

@marc-gr
Contributor Author

marc-gr commented Oct 5, 2020

After talking with @jamiehynds, and since it is not very clear yet how we will want to deal with the multiple Via headers and the multiple SDP media types and attributes, for now I just added them as via.original and sdp.body.original to make them queryable, and to have some time to think about how we plan to deal with them once people start using the proto more.

@webmat
Contributor

webmat commented Oct 5, 2020

@marc-gr I haven't been able to follow all of @dainperkins' work on the SIP proposal for fields. I just skimmed it now.

The one thing that jumped out to me, that I'd like addressed in this PR is that all version fields should be keyword, not long/integer. I think even the event samples you have wouldn't work, since they have 2.0 in there. Also, we will soon transition all version fields to version (in the keyword family) which will enable other cool stuff.

@marc-gr
Contributor Author

marc-gr commented Oct 5, 2020

Yeah, I noticed that in the doc, but could not fix it because of a lack of permissions; in my code they are keywords already 👍
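To make the parsing approach from the original description and the Via/version points in this thread concrete, here is an added Go example (mine, not code from the PR or from packetbeat): a minimal parser that keeps every Via header in wire order, expands RFC 3261 compact header names, keeps the SIP version as a string and the SDP body verbatim. The sampleInvite message, the Parse/Message names and the one-value-per-line assumption are mine.

```go
package main
import (
	"errors"
	"strings"
)
// Header is one SIP header line; wire order is kept so a request that crossed several proxies yields every Via value, not only the first.
type Header struct{ Name, Value string }
// Message keeps the body verbatim (like the PR's sdp.body.original); Version stays a string, since "2.0" is a keyword, not a long.
type Message struct {
	IsRequest                     bool
	Method, Status, Version, Body string
	Headers                       []Header
}
// compact maps RFC 3261 compact header names to their long forms.
var compact = map[string]string{"v": "Via", "f": "From", "t": "To", "i": "Call-ID",
	"m": "Contact", "l": "Content-Length", "c": "Content-Type", "s": "Subject"}
// sampleInvite is a constructed INVITE that crossed one proxy: two Via headers (one compact), other compact headers, a short SDP body.
const sampleInvite = "INVITE sip:bob@example.com SIP/2.0\r\n" +
	"Via: SIP/2.0/UDP proxy.example.com;branch=z9hG4bK776asdhds\r\n" +
	"v: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK1234\r\n" +
	"f: Alice <sip:alice@example.com>;tag=1928301774\r\nt: Bob <sip:bob@example.com>\r\n" +
	"i: a84b4c76e66710\r\nCSeq: 314159 INVITE\r\nc: application/sdp\r\n\r\nv=0\r\n"

// Parse splits one SIP request or response into start line, headers and body.
// Assumption (mine, not the PR's): one header value per line, no line folding.
func Parse(raw string) (*Message, error) {
	head, body, _ := strings.Cut(raw, "\r\n\r\n")
	lines := strings.Split(head, "\r\n")
	first := strings.SplitN(lines[0], " ", 3)
	if len(first) != 3 {
		return nil, errors.New("malformed start line: " + lines[0])
	}
	msg := &Message{Body: body}
	if msg.IsRequest = !strings.HasPrefix(first[0], "SIP/"); msg.IsRequest {
		msg.Method, msg.Version = first[0], strings.TrimPrefix(first[2], "SIP/") // INVITE sip:x SIP/2.0
	} else {
		msg.Version, msg.Status = strings.TrimPrefix(first[0], "SIP/"), first[1] // SIP/2.0 200 OK
	}
	for _, l := range lines[1:] {
		name, val, ok := strings.Cut(l, ":")
		if name = strings.TrimSpace(name); !ok || name == "" {
			return nil, errors.New("malformed header: " + l)
		}
		if long, ok := compact[strings.ToLower(name)]; ok && len(name) == 1 {
			name = long // compact form, e.g. "v" -> "Via"
		}
		msg.Headers = append(msg.Headers, Header{name, strings.TrimSpace(val)})
	}
	return msg, nil
}
```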

@andrewstucki andrewstucki left a comment

Have some general questions/comments, don't know enough about the protocol itself to opine too much there, but overall looks fairly solid to me.

Review threads (outdated, resolved) on:
  • packetbeat/tests/system/golden/sip-expected.json (two threads)
  • packetbeat/protos/sip/parser.go (two threads)
tj8000rpm and others added 3 commits October 5, 2020 18:27
new protocol:sip:update include list

new protocol:sip:initial blank file

Started analyzing what the DNS implementation does, using DNS as the base... adding comments.

Updated as far as I have read through

Started implementing the parser

Moved the parser's decoder into sipPlugin, plus miscellaneous changes

Added request/response detection

Added SIP parsing and SDP parsing; split the parser into many separate pieces. Ugly...

Changed the header-parsing methods into members of sipMessage

Created a prototype of the buffering mechanism

Split files, one file per object. Other implementation work in progress. Partway through

Implemented the publish method

Added some error handling

Updated TODO and added data structures

Added various header handling, in progress

Updated README TODO

Added for checking actual operation

Prefixed field names with sip., added unixtimenano as a field (because the default timestamp lacks the precision needed to reorder SIP signaling.)

Updated field naming conventions

Added English description

change field name

align the indents

fields.yml update about timestamp

Added test case

added testcase

add testcases

add testcases and fixed some bug cases

add test cases

add testcase parseSIPHeaders

fixed bug cases.

comment and refactoring

update testcases

add monitoring element named 'sip.message_ignored'

move publish function call from expireBuffer to callback function when buffer expired.

add testcase, bufferExpire

remove unnecessary pkg

add testcase at publish method

add, edit and migrate test cases

modify time duration

change timer code

remove fragmented process

translate comments

add linux amd64 binary

Comments translated

update information

add windows bin

update TODO list

add no mandatory header parse check

Add compact-form test case

Add compact-form test case

Add compact-form test case

Add compact-form test case

support compact form

TODO list update

add sip uri parser

add detail mode

add binary

remove unnecessary file

bug fix:broken when response parse in detail mode

bug fix:detail mode

modify detail mode

modify detail mode

Update Readme about compact form and parse detail sip header and request-uri

Update Readme about compact form and parse detail sip header and request-uri

Update Readme about compact form and parse detail sip header and request-uri

Update Readme about compact form and parse detail sip header and request-uri

expand config parsing options

edit variable names

arrangement and add text README file

refine Readme message

update Readme text

update Readme on Configuration

Go coding style was checked with golint

Erase duplicate field in field.yml, move src and dst fields into sip field

Update docs, fields.asciidoc

Update docs, fields.asciidoc
@marc-gr marc-gr force-pushed the sip_protocol branch 2 times, most recently from ccb0029 to b9e4bb7 Compare October 5, 2020 16:33
@marc-gr marc-gr requested a review from andrewstucki October 6, 2020 09:35
Review thread on CHANGELOG.next.asciidoc (outdated, resolved)
@marc-gr marc-gr merged commit 0dd2428 into elastic:master Oct 6, 2020
@marc-gr marc-gr deleted the sip_protocol branch October 6, 2020 10:24
marc-gr added a commit to marc-gr/beats that referenced this pull request Oct 6, 2020
* new protocol:sip:Make a directory and Readme file.

* Fixes and style changes

* Refactor to be more similar to http parser and add system tests

* Add event action

* Add related fields

* Update fields and docs

* Add sip to docs

* Add beta warning

* Parse SDP, Contact, Via and auth

* Add suggestions

Co-authored-by: tj8000rpm <t.j.8000rpm@gmail.com>
(cherry picked from commit 0dd2428)
marc-gr added a commit that referenced this pull request Oct 6, 2020
v1v added a commit to v1v/beats that referenced this pull request Oct 6, 2020
* upstream/master:
  [CI] Setup git config globally (elastic#21562)
  docs: update generate_fields_docs.py (elastic#21359)
  Add support for additional fields from V2 ALB logs (elastic#21540)
  Move Prometheus query & remote_write to GA (elastic#21507)
  feat: add a new step to run the e2e tests for certain parts of Beats (elastic#21100)
  [Elastic Agent] Add elastic agent ID and version to events from filebeat and metricbeat. (elastic#21543)
  Release cloudfoundry input and processor as GA (elastic#21525)
  [Packetbeat] New SIP protocol (elastic#21221)
  [Filebeat][New Module] Add support for Microsoft MTP / 365 Defender (elastic#21446)
  [Beats][pytest] Asserting if filebeat logs include errors (elastic#20999)
  junipersrx-module initial release (elastic#20017)
  Add a persistent cache for cloudfoundry metadata based on badger (elastic#20775)
  Add missing changelog entry for cisco umbrella (elastic#21550)
  [Elastic Agent] Add upgrade CLI to initiate upgrade of Agent locally (elastic#21425)
  Enable filestream input (elastic#21533)
  Add filestream input reader (elastic#21481)
  [CI] fix 'no matches found within 10000' (elastic#21466)
  Fix billing.go aws.GetStartTimeEndTime (elastic#21531)
Labels: enhancement, in progress (Pull request is currently in progress.), Packetbeat, v7.10.0