doc: add sdp sticky buffers

doc/userguide/rules/index.rst

@@ -29,6 +29,7 @@ Suricata Rules
    snmp-keywords
    base64-keywords
    sip-keywords
+   sdp-keywords
    rfb-keywords
    mqtt-keywords
    ike-keywords

doc/userguide/rules/sdp-keywords.rst

@@ -0,0 +1,382 @@
+SDP Keywords
+============
+
+The SDP keywords are implemented as sticky buffers and can be used to match on fields in SDP messages.
+
+======================================== ==================
+Keyword                                  Direction
+======================================== ==================
+sdp.origin                               Both
+sdp.session_name                         Both
+sdp.session_info                         Both
+sdp.uri                                  Both
+sdp.email                                Both
+sdp.connection_data                      Both
+sdp.bandwidth                            Both
+sdp.time                                 Both
+sdp.repeat_time                          Both
+sdp.timezone                             Both
+sdp.encryption_key                       Both
+sdp.attribute                            Both
+sdp.media_description.media              Both
+sdp.media_description.session_info       Both
+sdp.media_description.connection_data    Both
+sdp.media_description.encryption_key     Both
+======================================== ==================
+
+sdp.origin
+----------
+
+This keyword matches on the originator found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.origin; content:<origin>;
+
+Where <origin> is an originator that follows the SDP Origin (o=) scheme.
+
+Examples
+~~~~~~~~
+
+::
+
+  sdp.origin; content:"SIPPS 105015165 105015162 IN IP4 192.168.1.2";
+
+sdp.session_name
+----------------
+
+This keyword matches on the session name found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.session_name; content:<session_name>;
+
+Where <session_name> is a name that follows the SDP Session name (s=) scheme.
+
+Examples
+~~~~~~~~
+
+::
+
+  sdp.session_name; content:"SIP call";
+
+sdp.session_info
+----------------
+
+This keyword matches on the session information found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.session_info; content:<session_info>;
+
+Where <session_info> is a description that follows the SDP Session information (i=) scheme.
+
+Examples
+~~~~~~~~
+
+::
+
+  sdp.session_info; content:"Session Description Protocol";
+
+sdp.uri
+-------
+
+This keyword matches on the URI found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.uri; content:<uri>;
+
+Where <uri> is a URI (u=) that the follows the SDP scheme.
+
+Examples
+~~~~~~~~
+
+::
+
+  sdp.uri; content:"https://www.sdp.proto"
+
+sdp.email
+---------
+
+This keyword matches on the email found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.email; content:<email>
+
+Where <email> is an email address (e=) that follows the SDP scheme.
+
+Examples
+~~~~~~~~
+
+::
+
+  sdp.email; content:"[email protected] (Jane Doe)";
+
+sdp.phone_number
+----------------
+
+This keyword matches on the phone number found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.phone_number; content:<phone_number>
+
+Where <phone_number> is a phone number (p=) that follows the SDP scheme.
+
+Examples
+~~~~~~~~
+
+::
+
+  sdp.phone_number; content:"+1 617 555-6011 (Jane Doe)";
+
+sdp.connection_data
+-------------------
+
+This keyword matches on the connection found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.connection_data; content:<connection_data>;
+
+Where <connection_data> is a connection (c=) that follows the SDP scheme.
+
+Examples
+~~~~~~~~
+
+::
+
+  sdp.connection_data; content:"IN IP4 192.168.1.2"
+
+sdp.bandwidth
+-------------
+
+This keyword matches on the bandwidths found in an SDP request or response. 
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.bandwidth; content:<bandwidth>
+
+Where <bandwidth> is a bandwidth (b=) that follows the SDP scheme.
+
+Example
+~~~~~~~
+
+::
+
+  sdp.bandwidth; content:"AS:64"
+
+sdp.time
+--------
+
+This keyword matches on the time found in an SDP request or response. 
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.time; content:<time>
+
+Where <time> is a time (t=) that follows the SDP scheme.
+
+Example
+~~~~~~~
+
+::
+
+  sdp.time; content:"3034423619 3042462419"
+
+sdp.repeat_time
+---------------
+
+This keyword matches on the repeat time found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.repeat_time; content:<repeat_time>
+
+Where <repeat_time> is a repeat time (r=) that follows the SDP scheme.
+
+Example
+~~~~~~~
+
+::
+
+  sdp.repeat_time; content:"604800 3600 0 90000"
+
+sdp.timezone
+------------
+
+This keyword matches on the timezone found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.timezone; content:<timezone>
+
+Where <timezone> is a timezone (z=) that follows the SDP scheme.
+
+Example
+~~~~~~~
+
+::
+
+  sdp.timezone; content:"2882844526 -1h 2898848070 0"
+
+sdp.encryption_key
+------------------
+
+This keyword matches on the encryption key found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.encryption_key; content:<encryption_key>
+
+Where <encryption_key> is a key (k=) that follows the SDP scheme.
+
+Example
+~~~~~~~
+
+::
+
+  sdp.encryption_key; content:"prompt"
+
+sdp.attribute
+----------------
+
+This keyword matches on the attributes found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.attribute; content:<attribute>
+
+Where <attribute> is an attribute (a=) that follows the SDP scheme.
+
+Example
+~~~~~~~
+
+::
+
+  sdp.attribute; content:"sendrecv"
+
+sdp.media_description.media
+---------------------------
+
+This keyword matches on the Media subfield of a Media description field found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.media_description.media; content:<media>
+
+Where <media> is a media (m=) that follows the SDP scheme.
+
+Example
+~~~~~~~
+
+::
+
+  sdp.media_description.media; content:"audio 30000 RTP/AVP 0 8 97 2 3"
+
+sdp.media_description.session_info
+----------------------------------
+
+This keyword matches on the Session information subfield of a Media description field found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.media_description.session_info; content:<session_info>
+
+Where <session_info> is a description (i=) that follows the SDP scheme.
+
+Example
+~~~~~~~
+
+::
+
+  sdp.media_description.session_info; content:"Session Description Protocol"
+
+sdp.media_description.connection_data
+-------------------------------------
+
+This keyword matches on the Connection data subfield of a Media description field found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.media_description.connection_data; content:<connection_data>
+
+Where <connection_data> is a connection (c=) that follows the SDP scheme.
+
+Example
+~~~~~~~
+
+::
+
+  sdp.media_description.connection_data; content:"IN IP4 192.168.1.2"
+
+sdp.media_description.encryption_key
+------------------------------------
+
+This keyword matches on the Encryption key subfield of a Media description field found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.media_description.encryption_key; content:<encryption_key>
+
+Where <encryption_key> is a key (k=) that follows the SDP scheme.
+
+Example
+~~~~~~~
+
+::
+
+  sdp.media_description.encryption_key; content:"prompt"

doc/userguide/upgrade.rst

@@ -52,7 +52,7 @@ Major changes
   for the ``stats`` event.
 - Stats counters that are 0 can now be hidden from EVE logs. Default behavior
   still logs those (see :ref:`EVE Output - Stats <eve-json-output-stats>` for configuration setting).
-- SDP parser and logger have been introduced.
+- SDP parser, logger and sticky buffers have been introduced.
   Due to SDP being encapsulated within other protocols, such as SIP, they cannot be directly enabled or disabled.
   Instead, both the SDP parser and logger depend on being invoked by another parser (or logger).
 - ARP decoder and logger have been introduced.