
Update FreeSWITCH Parser for Version Compatibility

Open danlomeli opened this issue 3 months ago • 3 comments

Summary

Updates the FreeSWITCH parser to handle log format changes across versions and removes the unreliable filename dependency.

Changes Made

Parser Updates (parsers/s01-parse/crowdsecurity/freeswitch.yaml)

  • Removed filename dependency: Changed from sofia_reg.c specific matching to sofia(?:_reg)?\.c pattern
  • Added version support: Handles 3 log formats across FreeSWITCH versions:
    • v1.8.x: Basic timestamp format
    • v1.9.x: Added CPU percentage
    • v1.10.12: Added UUID prefix + sofia.c migration
  • Enhanced ACL parsing: Updated regex to handle ACL messages with/without domain names
  • Improved maintainability: Used YAML anchors to reduce code duplication

Test Updates

  • Expanded log coverage: Updated .tests/freeswitch/freeswitch.log with 10 examples covering all 3 versions
  • Realistic test data: Uses sanitized IPs and usernames reflecting real-world usage patterns
  • Streamlined assertions: Reduced from 155 to essential assertions focusing on core functionality

Problem Solved

  1. Filename brittleness: The FreeSWITCH team moved logging from sofia_reg.c to sofia.c in recent versions
  2. Version compatibility: Parser only handled old log format with CPU percentage
  3. Test maintainability: 156 assertions for 5 log entries created maintenance burden
  4. Limited coverage: Original tests didn't reflect modern FreeSWitch deployments with important security fixes

Testing

All tests pass with the updated parser handling:

  • User enumeration attempts
  • SIP authentication failures
  • ACL rejections
  • Multiple IP formats and log structures

Rationale

FreeSWITCH's evolution across versions makes filename-based parsing fragile. This update ensures the parser works across deployments regardless of version while maintaining detection accuracy. The streamlined tests focus on essential parsing functionality rather than exhaustive field validation.

This is intended to bring better balance between comprehensive coverage (multiple log formats) and maintainability (targeted assertions).

danlomeli avatar Sep 18 '25 22:09 danlomeli
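The parsing logic the PR describes (optional UUID prefix, optional CPU percentage, `sofia(?:_reg)?\.c` instead of a fixed filename, and an optional `@domain` inside the bracketed user) can be exercised outside CrowdSec. The block below is an added illustration in Python, not the hub's grok YAML and not FreeSWITCH project code: the sample lines are constructed to approximate the three formats named above, the message wordings (`SIP auth failure (...)`, `Can't find user [...]`, `IP ... Rejected by ... acl "..."`) and the optional-domain handling are assumptions about what real deployments emit, and the `parse_line` / `parse_lines` names are this example's own.

```python
import re
from typing import Optional

# Constructed sample lines approximating the three formats named in the PR
# (assumption: exact spacing and wording of real lines may differ).
# IPs come from documentation ranges.
SAMPLE_LOGS = [
    # v1.8.x style: timestamp, level, sofia_reg.c, no CPU figure
    "2019-04-02 10:15:30.123456 [WARNING] sofia_reg.c:1842 SIP auth failure "
    "(REGISTER) on sofia profile 'internal' for [1001@203.0.113.10] from ip 198.51.100.7",
    # v1.9.x style: CPU percentage inserted after the timestamp
    "2020-06-11 08:02:17.654321 99.97% [WARNING] sofia_reg.c:1772 "
    "Can't find user [admin@203.0.113.10] from 198.51.100.8",
    # v1.10.12 style: UUID prefix, CPU percentage, message now logged from sofia.c
    "b3a0f9a2-6d1e-4c7b-9f8e-0a1b2c3d4e5f 2024-01-15 12:00:01.000123 98.33% "
    "[WARNING] sofia.c:1900 IP 198.51.100.9 Rejected by register acl \"domains\"",
    # Unrelated source file: must not be parsed as a sofia event
    "2024-01-15 12:00:02.000000 98.33% [NOTICE] switch_core_state_machine.c:100 "
    "New Channel sofia/internal/1001@203.0.113.10",
]

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

# One regex for the line envelope. The UUID prefix and the CPU percentage are
# optional groups, so a single pattern covers all three versions, and the
# source file is sofia.c or sofia_reg.c, mirroring the PR's sofia(?:_reg)?\.c.
LINE_RE = re.compile(
    r"^(?:(?P<uuid>" + UUID + r") )?"
    r"(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?:(?P<cpu>\d+(?:\.\d+)?)% )?"
    r"\[(?P<level>[A-Z]+)\] "
    r"(?P<source_file>sofia(?:_reg)?\.c):(?P<source_line>\d+) "
    r"(?P<message>.*)$"
)

# Message bodies. The @domain part inside [...] is optional so one pattern
# accepts messages with and without a domain name (assumption about the
# variants FreeSWITCH emits).
MESSAGE_PATTERNS = {
    "sip_auth_failure": re.compile(
        r"SIP auth (?:failure|challenge) \((?P<method>[A-Z]+)\) on sofia profile "
        r"'(?P<profile>[^']+)' for \[(?P<user>[^@\]]+)(?:@(?P<domain>[^\]]+))?\] "
        r"from ip (?P<source_ip>\S+)"
    ),
    "unknown_user": re.compile(
        r"Can't find user \[(?P<user>[^@\]]+)(?:@(?P<domain>[^\]]+))?\] "
        r"from (?P<source_ip>\S+)"
    ),
    "acl_rejected": re.compile(
        r'IP (?P<source_ip>\S+) Rejected by (?:(?P<acl_kind>\w+) )?acl "(?P<acl>[^"]+)"'
    ),
}


def parse_line(line: str) -> Optional[dict]:
    """Return a flat dict of fields for a recognised sofia warning, else None."""
    env = LINE_RE.match(line.rstrip("\n"))
    if env is None:
        return None
    fields = env.groupdict()
    for event, pattern in MESSAGE_PATTERNS.items():
        body = pattern.search(fields["message"])
        if body is not None:
            fields.update(body.groupdict())
            fields["event"] = event
            return fields
    return None  # envelope matched, but not a message worth alerting on


def parse_lines(lines):
    """Parse many lines, dropping those that yield no event."""
    return [p for p in (parse_line(l) for l in lines) if p is not None]


if __name__ == "__main__":
    for parsed in parse_lines(SAMPLE_LOGS):
        print(parsed["event"], parsed["source_ip"], parsed["source_file"],
              "cpu=%s" % parsed["cpu"], "uuid=%s" % parsed["uuid"])
```

Running it shows the same `source_ip` field populated for all three formats, which is the property a ban scenario depends on; the fourth sample is rejected by the `sofia(?:_reg)?\.c` clause alone, illustrating why the source-file check still matters once the fixed filename is gone.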

/kind enhancement

danlomeli avatar Sep 18 '25 22:09 danlomeli

/area agent

danlomeli avatar Sep 18 '25 22:09 danlomeli

Thanks for your PR, please avoid the use of YAML anchors.

buixor avatar Sep 30 '25 08:09 buixor