From 997dce0f04816b4d8440f1cfa924a89e7cee4846 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Sat, 9 Jul 2022 05:45:42 +0200
Subject: SIP: improve detection (#1654)

---
 src/lib/protocols/sip.c           | 29 +++++++++++++++++------------
 tests/pcap/sip_hello.pcapng       | Bin 0 -> 6680 bytes
 tests/result/sip_hello.pcapng.out |  8 ++++++++
 3 files changed, 25 insertions(+), 12 deletions(-)
 create mode 100644 tests/pcap/sip_hello.pcapng
 create mode 100644 tests/result/sip_hello.pcapng.out

diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c
index ad9c65a68..9862c5c1e 100644
--- a/src/lib/protocols/sip.c
+++ b/src/lib/protocols/sip.c
@@ -109,14 +109,16 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct
   }
 
   if((memcmp(packet_payload, "ACK ", 4) == 0 || memcmp(packet_payload, "ack ", 4) == 0)
-     && (memcmp(&packet_payload[4], "SIP:", 4) == 0 || memcmp(&packet_payload[4], "sip:", 4) == 0)) {
+     && ((memcmp(&packet_payload[4], "SIP:", 4) == 0 || memcmp(&packet_payload[4], "sip:", 4) == 0) ||
+         (memcmp(&packet_payload[4], "TEL:", 4) == 0 || memcmp(&packet_payload[4], "tel:", 4) == 0))) {
     NDPI_LOG_INFO(ndpi_struct, "found sip ACK\n");
     ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
     return;
   }
 
   if((memcmp(packet_payload, "CANCEL ", 7) == 0 || memcmp(packet_payload, "cancel ", 7) == 0)
-     && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) {
+     && ((memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0) ||
+         (memcmp(&packet_payload[7], "TEL:", 4) == 0 || memcmp(&packet_payload[7], "tel:", 4) == 0))) {
     NDPI_LOG_INFO(ndpi_struct, "found sip CANCEL\n");
     ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
     return;
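Review bot: The URI-scheme test that follows each method token is now four `memcmp` calls copied verbatim into the ACK and CANCEL branches (and again for OPTIONS in the next hunk), and it still rejects mixed-case spellings such as `Sip:` or `Tel:` while accepting the all-upper and all-lower ones; a single helper keeps the accepted set in one place so the next method added cannot drift, and `strncasecmp` would cover every spelling at once if the project is happy with that wider match. The length guard that makes reading `&packet_payload[7]` plus four bytes safe sits before this hunk (ndpi_search_sip_handshake starts outside it); if that guard only requires a handful of bytes, the CANCEL branch now compares up to offset 11 on a shorter payload, so it is worth checking it against the guard or prefixing the branch with `payload_len >= 11 &&`. The helper would look like this, with the per-method conditions reduced to one call:
```c
/* True when p starts with one of the URI schemes the dissector accepts
 * after a method token; the caller must guarantee 4 readable bytes at p. */
static int sip_uri_scheme(const unsigned char *p)
{
  return memcmp(p, "SIP:", 4) == 0 || memcmp(p, "sip:", 4) == 0 ||
         memcmp(p, "TEL:", 4) == 0 || memcmp(p, "tel:", 4) == 0;
}

/* … unchanged: earlier method checks in ndpi_search_sip_handshake … */
  if((memcmp(packet_payload, "ACK ", 4) == 0 || memcmp(packet_payload, "ack ", 4) == 0)
     && sip_uri_scheme(&packet_payload[4])) {
```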
@@ -147,8 +149,8 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct
 
   /* Courtesy of Miguel Quesada */
   if((memcmp(packet_payload, "OPTIONS ", 8) == 0 || memcmp(packet_payload, "options ", 8) == 0)
-     && (memcmp(&packet_payload[8], "SIP:", 4) == 0
-         || memcmp(&packet_payload[8], "sip:", 4) == 0)) {
+     && ((memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0) ||
+         (memcmp(&packet_payload[8], "TEL:", 4) == 0 || memcmp(&packet_payload[8], "tel:", 4) == 0))) {
     NDPI_LOG_INFO(ndpi_struct, "found sip OPTIONS\n");
     ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
     return;
@@ -163,7 +165,14 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct
 
   if((memcmp(packet_payload, "PRACK ", 6) == 0 || memcmp(packet_payload, "prack ", 6) == 0)
      && (memcmp(&packet_payload[6], "SIP:", 4) == 0 || memcmp(&packet_payload[6], "sip:", 4) == 0)) {
-    NDPI_LOG_INFO(ndpi_struct, "found sip REFER\n");
+    NDPI_LOG_INFO(ndpi_struct, "found sip PRACK\n");
+    ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+    return;
+  }
+
+  if((memcmp(packet_payload, "INFO ", 5) == 0 || memcmp(packet_payload, "info ", 5) == 0)
+     && (memcmp(&packet_payload[5], "SIP:", 4) == 0 || memcmp(&packet_payload[5], "sip:", 4) == 0)) {
+    NDPI_LOG_INFO(ndpi_struct, "found sip INFO\n");
     ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
     return;
   }
@@ -194,13 +203,9 @@ void ndpi_search_sip(struct ndpi_detection_module_struct *ndpi_struct, struct nd
 {
   NDPI_LOG_DBG(ndpi_struct, "search sip\n");
 
-  if(flow->packet_counter > 5)
-    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-  else {
-    /* skip marked packets */
-    if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_SIP) {
-      ndpi_search_sip_handshake(ndpi_struct, flow);
-    }
+  /* skip marked packets */
+  if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_SIP) {
+    ndpi_search_sip_handshake(ndpi_struct, flow);
   }
 }
 
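Review bot: The new INFO branch, and the PRACK branch whose log string this hunk corrects, still accept only `SIP:`/`sip:` after the method token, while the same commit teaches ACK, CANCEL and OPTIONS to accept `TEL:`/`tel:` too, so an `INFO tel:` or `PRACK tel:` request falls through this path undetected. The INFO condition should mirror the others: `&& ((memcmp(&packet_payload[5], "SIP:", 4) == 0 || memcmp(&packet_payload[5], "sip:", 4) == 0) || (memcmp(&packet_payload[5], "TEL:", 4) == 0 || memcmp(&packet_payload[5], "tel:", 4) == 0))) {`, and the PRACK line likewise with offset 6. Changing the REFER log text to PRACK is correct; a reader of the log would otherwise be told the wrong method. ndpi_search_sip_handshake begins and ends outside this hunk, so the payload-length guard that bounds these reads is not visible here.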
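Review bot: With the `packet_counter > 5` branch gone, ndpi_search_sip never calls NDPI_EXCLUDE_PROTO, so a flow that is not SIP keeps being handed to this dissector on every packet until the engine gives up on the flow by some other limit (presumably a global one; it is not visible here). The new test needs 9 DPI packets, which argues that 5 was too low rather than that no bound is wanted, and a crafted long UDP flow should not keep paying this scan indefinitely. Keep an exclusion with a larger value ahead of the existing check, e.g. `if(flow->packet_counter > 16) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; }`, with the exact limit chosen against the traces the project has. The commit message does not say why 5 was insufficient; a one-line comment such as `/* SIP may only show up after several packets of a flow: do not exclude early */` next to the bound would record the reason for the next reader.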
diff --git a/tests/pcap/sip_hello.pcapng b/tests/pcap/sip_hello.pcapng
new file mode 100644
index 000000000..a2518f621
Binary files /dev/null and b/tests/pcap/sip_hello.pcapng differ
diff --git a/tests/result/sip_hello.pcapng.out b/tests/result/sip_hello.pcapng.out
new file mode 100644
index 000000000..45c1830d5
--- /dev/null
+++ b/tests/result/sip_hello.pcapng.out
@@ -0,0 +1,8 @@
+Guessed flow protos: 0
+
+DPI Packets (UDP): 9 (9.00 pkts/flow)
+Confidence DPI : 1 (flows)
+
+SIP 30 5592 1
+
+ 1 UDP 10.239.156.235:5060 <-> 172.29.38.91:5060 [proto: 100/SIP][ClearText][Confidence: DPI][cat: VoIP/10][15 pkts/2691 bytes <-> 15 pkts/2901 bytes][Goodput ratio: 73/75][491.56 sec][bytes ratio: -0.038 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 67/59 36861/36861 49155/49155 16718/16727][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 179/193 555/661 205/233][PLAIN TEXT (oREGISTER sip)][Plen Bins: 74,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,6,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-- cgit v1.2.3