[Packetbeat] New SIP protocol #21221
Conversation
Pinging @elastic/siem (Team:SIEM)
@marc-gr - is the JSON in the readme the planned final output? (Just wondering if ECS normalization is handled later, or if it should be worked in at this level?)
This is the documentation coming from the original contribution. I will update all of it once we decide on mappings at elastic/ecs#420 and the changes are done. I will also add some test pcaps to have some examples.
Thanks for helping move the SIP PR along.
- There's a PCAP file in the PR. Is there a test that uses it? If not, can we add a "system test" that uses the file?
- This will need an asciidoc file. And SIP will need added in a few places.
- SIP should be added to packetbeat config files.
packetbeat/protos/sip/sip_message.go (outdated)
    return headers, firstLines
}

// TODO: The procedure with Content-Encoding (RFC 3261).
After merging this implementation let's create issues for the remaining TODOs and possibly document any limitations if they are likely to be encountered.
For releasing this as beta, the code itself should log a notice about the use of beta software. We have the cfgwarn package that we normally use for this. |
"sip.version": "2.0",
"source.ip": "192.168.1.2",
"source.port": 5060,
"status": "OK",
status should only be for sip.type "response", and I think should be sip.status?
Those are used by packetbeat and checked by system tests, we also have the sip specific ones.
"source.ip": "192.168.1.2",
"source.port": 5060,
"status": "OK",
"type": "sip"
does this need to be renamed or removed?
Same as previous one
After talking with @jamiehynds and since it is not very clear yet how we will want to deal with the multiple
@marc-gr I haven't been able to follow all of @dainperkins' work on the SIP proposal for fields. I just skimmed it now. The one thing that jumped out at me, that I'd like addressed in this PR, is that all version fields should be keyword, not long/integer. I think even the event samples you have wouldn't work, since they have
Yeah, I noticed that in the doc, but could not fix it because of lack of permissions; in my code they are keywords already 👍
Have some general questions/comments, don't know enough about the protocol itself to opine too much there, but overall looks fairly solid to me.
* new protocol:sip: Make a directory and Readme file.
  - new protocol:sip: update include list
  - new protocol:sip: initial blank file
  - Using DNS as the base, started analyzing what the DNS implementation does... adding comments.
  - Updated as far as I had read.
  - Started implementing the parser.
  - Moved the parser's decoder into sipPlugin, plus miscellaneous changes.
  - Added request/response detection.
  - Added SIP parsing and SDP parsing; split the parser into many pieces. Ugly...
  - Changed the header-parsing methods into members of sipMessage.
  - Created a prototype of the buffering mechanism.
  - Split files, one file per object. Other implementation still in progress, midway.
  - Implemented the publish method.
  - Added some error handling.
  - Updated TODO and added data structures.
  - Added various header handling, in progress.
  - README TODO updated.
  - Added for checking actual operation.
  - Prefixed field names with "sip.", added unixtimenano as a field (the default timestamp lacks the precision needed to order SIP signaling).
  - Updated the field naming convention.
  - Added English description
  - change field name
  - align the indents
  - fields.yml update about timestamp
  - Added test case.
  - added testcase
  - add testcases
  - add testcases and fixed some bug cases
  - add test cases
  - add testcase parseSIPHeaders
  - fixed bug cases.
  - comment and refactoring
  - update testcases
  - add monitoring element named 'sip.message_ignored'
  - move publish function call from expireBuffer to callback function when buffer expired.
  - add testcase, bufferExpire
  - remove unnecessary pkg
  - add testcase at publish method
  - add, edit and migrate test cases
  - modify time duration
  - change timer code
  - remove fragmented process
  - translate comments
  - add linux amd64 binary
  - Comments translated
  - update information
  - add windows bin
  - update TODO list
  - add no mandatory header parse check
  - Add compact-form test case
  - Add compact-form test case
  - Add compact-form test case
  - Add compact-form test case
  - support compact form
  - TODO list update
  - add sip uri parser
  - add detail mode
  - add binary
  - remove unnecessary file
  - bug fix: broken when response parse in detail mode
  - bug fix: detail mode
  - modify detail mode
  - modify detail mode
  - Update Readme about compact form and parse detail sip header and request-uri
  - Update Readme about compact form and parse detail sip header and request-uri
  - Update Readme about compact form and parse detail sip header and request-uri
  - Update Readme about compact form and parse detail sip header and request-uri
  - expand config parsing options
  - edit variable names
  - arrangement and add text
  - README file refine
  - Readme message update
  - Readme text update
  - Readme on Configuration
  - Go coding style was checked with golint
  - Erase duplicate field in field.yml, move src and dst fields into sip field
  - Update docs, fields.asciidoc
  - Update docs, fields.asciidoc
* Fixes and style changes
* Refactor to be more similar to http parser and add system tests
* Add event action
* Add related fields
* Update fields and docs
* Add sip to docs
* Add beta warning
* Parse SDP, Contact, Via and auth
* Add suggestions

Co-authored-by: tj8000rpm <t.j.8000rpm@gmail.com>
(cherry picked from commit 0dd2428)
* upstream/master:
  - [CI] Setup git config globally (elastic#21562)
  - docs: update generate_fields_docs.py (elastic#21359)
  - Add support for additional fields from V2 ALB logs (elastic#21540)
  - Move Prometheus query & remote_write to GA (elastic#21507)
  - feat: add a new step to run the e2e tests for certain parts of Beats (elastic#21100)
  - [Elastic Agent] Add elastic agent ID and version to events from filebeat and metricbeat. (elastic#21543)
  - Release cloudfoundry input and processor as GA (elastic#21525)
  - [Packetbeat] New SIP protocol (elastic#21221)
  - [Filebeat][New Module] Add support for Microsoft MTP / 365 Defender (elastic#21446)
  - [Beats][pytest] Asserting if filebeat logs include errors (elastic#20999)
  - junipersrx-module initial release (elastic#20017)
  - Add a persistent cache for cloudfoundry metadata based on badger (elastic#20775)
  - Add missing changelog entry for cisco umbrella (elastic#21550)
  - [Elastic Agent] Add upgrade CLI to initiate upgrade of Agent locally (elastic#21425)
  - Enable filestream input (elastic#21533)
  - Add filestream input reader (elastic#21481)
  - [CI] fix 'no matches found within 10000' (elastic#21466)
  - Fix billing.go aws.GetStartTimeEndTime (elastic#21531)
This is a re-opening of #7181 to fix merge issues.
TODO:
Thanks to @tj8000rpm for the original work.
From the original PR:
Hi all. I implemented a new protocol, SIP, for packetbeat. #152
SIP (Session Initiation Protocol) is a communications protocol for signaling and controlling multimedia communication sessions. SIP is used by many VoIP applications, not only for enterprise use but also by telecom carriers.
SIP is a text-based protocol like HTTP, but SIP has various unique features such as:
Therefore, I implemented it with the following plans.
More detail is written in README.md
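To make the review points in this thread concrete (a status that exists only on responses, the version kept as a keyword string rather than a long, compact-form header names expanded, and a Content-Length that must be checked against what was actually captured), here is an added Go example written for this page. It is not Packetbeat's own sip package and does not reproduce its code: the sip.* event field names, the two sample messages, and the Content-Length policy are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// compactForms expands the RFC 3261 single-letter header names; keys and values are
// lower-cased because SIP header names are case-insensitive.
var compactForms = map[string]string{
	"i": "call-id", "m": "contact", "e": "content-encoding", "l": "content-length",
	"c": "content-type", "f": "from", "s": "subject", "k": "supported", "t": "to", "v": "via",
}

// Message is one parsed SIP request or response.
type Message struct {
	Type       string              // "request" or "response"
	Method     string              // request only
	RequestURI string              // request only
	Version    string              // kept as a string ("2.0"): a keyword field, never a long
	StatusCode int                 // response only
	StatusText string              // response only
	Headers    map[string][]string // lower-cased long-form names; repeated headers kept in order
	Body       string
}

// Constructed sample messages (not frames from the PR's pcap). The INVITE uses
// compact header names and carries two Via headers plus a short SDP body.
const SampleInvite = "INVITE sip:bob@example.com SIP/2.0\r\n" +
	"v: SIP/2.0/UDP 192.168.1.2:5060;branch=z9hG4bK776asdhds\r\n" +
	"v: SIP/2.0/UDP 10.0.0.7:5060;branch=z9hG4bKnashds8\r\n" +
	"f: Alice <sip:alice@example.com>;tag=1928301774\r\n" +
	"i: a84b4c76e66710@192.168.1.2\r\n" +
	"c: application/sdp\r\n" +
	"l: 33\r\n" +
	"\r\n" +
	"v=0\r\no=- 0 0 IN IP4 192.168.1.2\r\n"

const SampleOK = "SIP/2.0 200 OK\r\n" +
	"Via: SIP/2.0/UDP 192.168.1.2:5060;branch=z9hG4bK776asdhds;received=192.168.1.2\r\n" +
	"To: Bob <sip:bob@example.com>;tag=a6c85cf\r\n" +
	"Call-ID: a84b4c76e66710@192.168.1.2\r\n" +
	"Content-Length: 0\r\n\r\n"

// Parse splits one SIP message into start line, headers and body. A Content-Length larger
// than the bytes actually received is rejected: to a sniffer that is a truncated datagram.
func Parse(raw string) (*Message, error) {
	head, body, _ := strings.Cut(raw, "\r\n\r\n")
	lines := strings.Split(head, "\r\n")
	msg := &Message{Headers: map[string][]string{}, Body: body}
	p := strings.SplitN(lines[0], " ", 3)
	if len(p) != 3 {
		return nil, fmt.Errorf("malformed start line %q", lines[0])
	}
	switch {
	case strings.HasPrefix(p[0], "SIP/"): // Status-Line: SIP-Version SP Status-Code SP Reason-Phrase
		code, err := strconv.Atoi(p[1])
		if err != nil || code < 100 || code > 699 {
			return nil, fmt.Errorf("bad status code %q", p[1])
		}
		msg.Type, msg.Version, msg.StatusCode, msg.StatusText = "response", p[0][4:], code, p[2]
	case strings.HasPrefix(p[2], "SIP/"): // Request-Line: Method SP Request-URI SP SIP-Version
		msg.Type, msg.Method, msg.RequestURI, msg.Version = "request", p[0], p[1], p[2][4:]
	default:
		return nil, fmt.Errorf("no SIP-Version in start line %q", lines[0])
	}
	for _, line := range lines[1:] {
		name, value, ok := strings.Cut(line, ":")
		if !ok {
			return nil, fmt.Errorf("malformed header line %q", line)
		}
		name = strings.ToLower(strings.TrimSpace(name))
		if long, ok := compactForms[name]; ok {
			name = long
		}
		msg.Headers[name] = append(msg.Headers[name], strings.TrimSpace(value))
	}
	if cl, ok := msg.Headers["content-length"]; ok {
		n, err := strconv.Atoi(cl[0])
		if err != nil || n < 0 || n > len(body) {
			return nil, fmt.Errorf("Content-Length %q does not match %d body bytes", cl[0], len(body))
		}
		msg.Body = body[:n]
	}
	return msg, nil
}

// ToEvent flattens a Message into event fields. The sip.* names are assumed here
// (the thread had not settled the ECS mapping); status fields appear only on responses.
func ToEvent(m *Message) map[string]interface{} {
	ev := map[string]interface{}{"sip.type": m.Type, "sip.version": m.Version}
	if m.Type == "response" {
		ev["sip.status_code"], ev["sip.status"] = m.StatusCode, m.StatusText
	} else {
		ev["sip.method"], ev["sip.uri.original"] = m.Method, m.RequestURI
	}
	return ev
}
```

Parse(SampleInvite) yields a request event carrying sip.method and sip.uri.original and no status fields; Parse(SampleOK) yields sip.status_code 200 and sip.status "OK" and no method. The "v"/"i"/"c"/"l" compact names are looked up under their long forms, both Via values survive in order, and a Content-Length larger than the captured body returns an error instead of a silently short message. Folded continuation lines and Content-Encoding are deliberately left out, as the TODO quoted above does for the latter.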