authorIvan Nardi <nardi.ivan@gmail.com>2024-11-12 10:01:57 +0100
committerIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2024-11-12 13:34:25 +0100
commit1bda2bf414b22ce2e983e9c9a849698ccdbb1bf1 (patch)
tree2df250b2808f43030ecb5ba7971e5afd8be46e2d /src/lib
parent6ff71aa6be12361cd012290980d05dc2659db0bb (diff)
SIP: extract some basic metadata
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/ndpi_main.c12
-rw-r--r--src/lib/ndpi_utils.c22
-rw-r--r--src/lib/protocols/sip.c100
3 files changed, 133 insertions, 1 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index f722cca0e..e086d6f01 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -6806,6 +6806,13 @@ void ndpi_free_flow_data(struct ndpi_flow_struct* flow) {
ndpi_free(flow->protos.tls_quic.ja4_client_raw);
}
+ if(flow_is_proto(flow, NDPI_PROTOCOL_SIP)) {
+ if(flow->protos.sip.from)
+ ndpi_free(flow->protos.sip.from);
+ if(flow->protos.sip.to)
+ ndpi_free(flow->protos.sip.to);
+ }
+
if(flow->tls_quic.message[0].buffer)
ndpi_free(flow->tls_quic.message[0].buffer);
if(flow->tls_quic.message[1].buffer)
@@ -11498,6 +11505,11 @@ static const struct cfg_param {
{ "ftp", "tls_dissection", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(ftp_opportunistic_tls_enabled), NULL },
+ { "sip", "metadata.attribute.from", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(sip_attribute_from_enabled), NULL },
+ { "sip", "metadata.attribute.from_imsi", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(sip_attribute_from_imsi_enabled), NULL },
+ { "sip", "metadata.attribute.to", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(sip_attribute_to_enabled), NULL },
+ { "sip", "metadata.attribute.to_imsi", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(sip_attribute_to_imsi_enabled), NULL },
+
{ "stun", "tls_dissection", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(stun_opportunistic_tls_enabled), NULL },
{ "stun", "max_packets_extra_dissection", "6", "0", "255", CFG_PARAM_INT, __OFF(stun_max_packets_extra_dissection), NULL },
{ "stun", "metadata.attribute.mapped_address", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(stun_mapped_address_enabled), NULL },
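Review bot: `metadata.attribute.from_imsi` and `metadata.attribute.to_imsi` read as independent switches here, but in this commit's `search_metadata()` (sip.c) the IMSI is only extracted inside the branch guarded by `sip_attribute_from_enabled` / `sip_attribute_to_enabled`, so enabling an `*_imsi` option with its parent disabled yields nothing. Either document the dependency next to these entries, e.g. `/* from_imsi/to_imsi are honoured only when from/to is enabled as well */`, or have the SIP parser honour them independently. All four entries default to `enable`, so the option documentation should also say that IMSIs, which are persistent subscriber identifiers, end up in flow metadata unless these options are turned off. The `cfg_param` table starts and ends outside this hunk.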
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 6aefc20e2..fc9ad8624 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -3902,3 +3902,25 @@ char* ndpi_strndup(const char *s, size_t size) {
return(ret);
}
+
+/* ************************************************************** */
+
+char *ndpi_strip_leading_trailing_spaces(char *ptr, int *ptr_len) {
+
+ /* Stripping leading spaces */
+ while(*ptr_len > 0 && ptr[0] == ' ') {
+ (*ptr_len)--;
+ ptr++;
+ }
+ if(*ptr_len == 0)
+ return NULL;
+
+ /* Stripping trailing spaces */
+ while(*ptr_len > 0 && ptr[*ptr_len - 1] == ' ') {
+ (*ptr_len)--;
+ }
+ if(*ptr_len == 0)
+ return NULL;
+
+ return ptr;
+}
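Review bot: `ndpi_strip_leading_trailing_spaces()` returns `ptr` unchanged when `*ptr_len` is negative, because both loops are skipped and the only rejection test is `*ptr_len == 0`; a caller that then hands the length to a `size_t` parameter (as `ndpi_strndup()` just above takes) would pass a huge value. The callers added in sip.c check the line length first, but as a non-static helper it should reject the case itself: `if(*ptr_len <= 0) return NULL;` after the first loop. The second `== 0` test is unreachable, since a non-space first byte always stops the trailing loop at length 1, and can be dropped. A header comment should state that the result points into the caller's buffer, is not NUL-terminated, that `*ptr_len` is updated in place, and that only `' '` is stripped (tabs are kept).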
diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c
index 6a21489ed..31166a175 100644
--- a/src/lib/protocols/sip.c
+++ b/src/lib/protocols/sip.c
@@ -29,9 +29,13 @@
#include "ndpi_api.h"
#include "ndpi_private.h"
+static void search_metadata(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
+
static void ndpi_int_sip_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SIP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+
+ search_metadata(ndpi_struct, flow);
}
/* ********************************************************** */
@@ -128,9 +132,103 @@ static int search_cmd(struct ndpi_detection_module_struct *ndpi_struct)
return 0;
}
+/* ********************************************************** */
+
+static char *get_imsi(const char *str, int *imsi_len)
+{
+ char *s, *e, *c;
+
+ /* Format: <sip:XXXXXXXXXXXXXXX@ims.mncYYY.mccZZZ.3gppnetwork.org>;tag=YpUNxYCzz0dMHM */
+
+ s = ndpi_strnstr(str, "<sip:", strlen(str));
+ if(!s)
+ return NULL;
+ e = ndpi_strnstr(s, "@", strlen(s));
+ if(!e)
+ return NULL;
+ *imsi_len = e - s - 5;
+ /* IMSI is 14 or 15 digit length */
+ if(*imsi_len != 14 && *imsi_len != 15)
+ return NULL;
+ for(c = s + 5; c != e; c++)
+ if(!isdigit(*c))
+ return NULL;
+ return s + 5;
+}
+
+/* ********************************************************** */
+
+static int metadata_enabled(struct ndpi_detection_module_struct *ndpi_struct)
+{
+ /* At least one */
+ return ndpi_struct->cfg.sip_attribute_from_enabled ||
+ ndpi_struct->cfg.sip_attribute_from_imsi_enabled ||
+ ndpi_struct->cfg.sip_attribute_to_enabled ||
+ ndpi_struct->cfg.sip_attribute_to_imsi_enabled;
+}
+
+/* ********************************************************** */
+
+static void search_metadata(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+ struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+ u_int16_t a;
+ int str_len, imsi_len;
+ char *str, *imsi;
+
+ if(!metadata_enabled(ndpi_struct))
+ return;
+
+ NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet);
+ for(a = 0; a < packet->parsed_lines; a++) {
+ /* From */
+ if(ndpi_struct->cfg.sip_attribute_from_enabled &&
+ flow->protos.sip.from == NULL &&
+ packet->line[a].len >= 5 &&
+ memcmp(packet->line[a].ptr, "From:", 5) == 0) {
+ str_len = packet->line[a].len - 5;
+ str = ndpi_strip_leading_trailing_spaces((char *)packet->line[a].ptr + 5, &str_len);
+ if(str) {
+ NDPI_LOG_DBG2(ndpi_struct, "Found From: %.*s\n", str_len, str);
+ flow->protos.sip.from = ndpi_strndup(str, str_len);
+ if(ndpi_struct->cfg.sip_attribute_from_imsi_enabled &&
+ flow->protos.sip.from) {
+ imsi = get_imsi(flow->protos.sip.from, &imsi_len);
+ if(imsi) {
+ NDPI_LOG_DBG2(ndpi_struct, "Found From IMSI: %.*s\n", imsi_len, imsi);
+ memcpy(flow->protos.sip.from_imsi, imsi, imsi_len);
+ }
+ }
+ }
+ }
+
+ /* To */
+ if(ndpi_struct->cfg.sip_attribute_to_enabled &&
+ flow->protos.sip.to == NULL &&
+ packet->line[a].len >= 3 &&
+ memcmp(packet->line[a].ptr, "To:", 3) == 0) {
+ str_len = packet->line[a].len - 3;
+ str = ndpi_strip_leading_trailing_spaces((char *)packet->line[a].ptr + 3, &str_len);
+ if(str) {
+ NDPI_LOG_DBG2(ndpi_struct, "Found To: %.*s\n", str_len, str);
+ flow->protos.sip.to = ndpi_strndup(str, str_len);
+ if(ndpi_struct->cfg.sip_attribute_to_imsi_enabled &&
+ flow->protos.sip.to) {
+ imsi = get_imsi(flow->protos.sip.to, &imsi_len);
+ if(imsi) {
+ NDPI_LOG_DBG2(ndpi_struct, "Found To IMSI: %.*s\n", imsi_len, imsi);
+ memcpy(flow->protos.sip.to_imsi, imsi, imsi_len);
+ }
+ }
+ }
+ }
+ }
+}
+
+/* ********************************************************** */
-void ndpi_search_sip(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+static void ndpi_search_sip(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
const u_int8_t *packet_payload = packet->payload;
u_int32_t payload_len = packet->payload_packet_len;
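Review bot: In `get_imsi()`, `isdigit(*c)` is called on a plain `char` that comes from packet data; where `char` is signed, a byte >= 0x80 becomes a negative argument, which is undefined behaviour for the `<ctype.h>` functions, so the line should read `if(!isdigit((unsigned char)*c))`. In `search_metadata()`, the two `memcpy()` calls copy 14 or 15 bytes into `from_imsi` / `to_imsi` without writing a terminator; those fields are declared outside this diff, so please confirm they are at least 16 bytes and zero-initialised, or terminate explicitly with `flow->protos.sip.from_imsi[imsi_len] = '\0';` (and the same for `to_imsi`). The header match is an exact, case-sensitive `memcmp()` on `From:` / `To:`, so messages that use another case or the compact header form produce no metadata; a short comment stating that limitation would help anyone relying on these fields for monitoring. `ndpi_search_sip()` continues past the end of the hunk.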