caddy-sip-guardian

rsp2k/caddy-sip-guardian

Fork 0

Commit Graph

Author	SHA1	Message	Date
Ryan Malloy	976fdf53a5	Add SIP message validation feature Implements RFC 3261 compliance checking and security validation: - Three validation modes: permissive (default), strict, paranoid - Critical checks: null bytes, binary injection (immediate ban) - RFC compliance: required headers (Via, From, To, Call-ID, CSeq, Max-Forwards) - Format validation: CSeq range, Content-Length, Via branch format - Paranoid mode: SQL injection patterns, excessive headers, long values - Compact header form support (v, f, t, i, l, etc.) Caddyfile configuration: validation { enabled true mode permissive max_message_size 65535 ban_on_null_bytes true ban_on_binary_injection true disabled_rules via_invalid_branch } New Prometheus metrics: - sip_guardian_validation_violations_total{rule} - sip_guardian_validation_results_total{result} - sip_guardian_message_size_bytes (histogram) Includes comprehensive unit tests covering all validation scenarios.	2025-12-07 15:57:26 -07:00
Ryan Malloy	c73fa9d3d1	Add extension enumeration detection and comprehensive SIP protection Major features: - Extension enumeration detection with 3 detection algorithms: - Max unique extensions threshold (default: 20 in 5 min) - Sequential pattern detection (e.g., 100,101,102...) - Rapid-fire detection (many extensions in short window) - Prometheus metrics for all SIP Guardian operations - SQLite persistent storage for bans and attack history - Webhook notifications for ban/unban/suspicious events - GeoIP-based country blocking with continent shortcuts - Per-method rate limiting with token bucket algorithm Bug fixes: - Fix whitelist count always reporting zero in stats - Fix whitelisted connections metric never incrementing - Fix Caddyfile config not being applied to shared guardian New files: - enumeration.go: Extension enumeration detector - enumeration_test.go: 14 comprehensive unit tests - metrics.go: Prometheus metrics handler - storage.go: SQLite persistence layer - webhooks.go: Webhook notification system - geoip.go: MaxMind GeoIP integration - ratelimit.go: Per-method rate limiting Testing: - sandbox/ contains complete Docker Compose test environment - All 14 enumeration tests pass	2025-12-07 15:22:28 -07:00

Author

SHA1

Message

Date

Ryan Malloy

976fdf53a5

Add SIP message validation feature

Implements RFC 3261 compliance checking and security validation:

- Three validation modes: permissive (default), strict, paranoid
- Critical checks: null bytes, binary injection (immediate ban)
- RFC compliance: required headers (Via, From, To, Call-ID, CSeq, Max-Forwards)
- Format validation: CSeq range, Content-Length, Via branch format
- Paranoid mode: SQL injection patterns, excessive headers, long values
- Compact header form support (v, f, t, i, l, etc.)

Caddyfile configuration:
  validation {
      enabled true
      mode permissive
      max_message_size 65535
      ban_on_null_bytes true
      ban_on_binary_injection true
      disabled_rules via_invalid_branch
  }

New Prometheus metrics:
- sip_guardian_validation_violations_total{rule}
- sip_guardian_validation_results_total{result}
- sip_guardian_message_size_bytes (histogram)

Includes comprehensive unit tests covering all validation scenarios.

2025-12-07 15:57:26 -07:00

Ryan Malloy

c73fa9d3d1

Add extension enumeration detection and comprehensive SIP protection

Major features:
- Extension enumeration detection with 3 detection algorithms:
  - Max unique extensions threshold (default: 20 in 5 min)
  - Sequential pattern detection (e.g., 100,101,102...)
  - Rapid-fire detection (many extensions in short window)
- Prometheus metrics for all SIP Guardian operations
- SQLite persistent storage for bans and attack history
- Webhook notifications for ban/unban/suspicious events
- GeoIP-based country blocking with continent shortcuts
- Per-method rate limiting with token bucket algorithm

Bug fixes:
- Fix whitelist count always reporting zero in stats
- Fix whitelisted connections metric never incrementing
- Fix Caddyfile config not being applied to shared guardian

New files:
- enumeration.go: Extension enumeration detector
- enumeration_test.go: 14 comprehensive unit tests
- metrics.go: Prometheus metrics handler
- storage.go: SQLite persistence layer
- webhooks.go: Webhook notification system
- geoip.go: MaxMind GeoIP integration
- ratelimit.go: Per-method rate limiting

Testing:
- sandbox/ contains complete Docker Compose test environment
- All 14 enumeration tests pass

2025-12-07 15:22:28 -07:00

2 Commits