Conversation

danlomeli
Summary

Updates the FreeSWITCH parser to handle log format changes across versions and removes unreliable filename dependency.

Changes Made

Parser Updates (parsers/s01-parse/crowdsecurity/freeswitch.yaml)

  • Removed filename dependency: Changed from sofia_reg.c specific matching to sofia(?:_reg)?\.c pattern
  • Added version support: Handles 3 log formats across FreeSWITCH versions:
    • v1.8.x: Basic timestamp format
    • v1.9.x: Added CPU percentage
    • v1.10.12: Added UUID prefix + sofia.c migration
  • Enhanced ACL parsing: Updated regex to handle ACL messages with/without domain names
  • Improved maintainability: Used YAML anchors to reduce code duplication

Test Updates

  • Expanded log coverage: Updated .tests/freeswitch/freeswitch.log with 10 examples covering all 3 versions
  • Realistic test data: Uses sanitized IPs and usernames reflecting real-world usage patterns
  • Streamlined assertions: Reduced from 155 assertions to the essential ones focusing on core functionality

Problem Solved

  1. Filename brittleness: FreeSWITCH team moved logging from sofia_reg.c to sofia.c in recent versions
  2. Version compatibility: Parser only handled old log format with CPU percentage
  3. Test maintainability: 156 assertions for 5 log entries created maintenance burden
  4. Limited coverage: Original tests didn't reflect modern FreeSWITCH deployments with important security fixes

Testing

All tests pass with the updated parser handling:

  • User enumeration attempts
  • SIP authentication failures
  • ACL rejections
  • Multiple IP formats and log structures

Rationale

FreeSWITCH's evolution across versions makes filename-based parsing fragile. This update ensures the parser works across deployments regardless of version while maintaining detection accuracy. The streamlined tests focus on essential parsing functionality rather than exhaustive field validation.

This is intended to bring better balance between comprehensive coverage (multiple log formats) and maintainability (targeted assertions).

Extends the FreeSWITCH parser to handle logs with UUID, CPU percentage, and timestamp formats, as well as logs with just timestamp and CPU percentage.

Uses anchors to reduce duplication of message parsing logic.
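The PR description above lists the three prefix layouts (timestamp only; timestamp plus CPU percentage; UUID plus timestamp plus CPU percentage) and the `sofia(?:_reg)?\.c` relaxation, but not the pattern itself. The following is an added example, written for this page and not the hub parser or any code from the PR, that implements the same idea as a single Go regexp with the UUID and CPU groups optional, then classifies the message into the three detection kinds the PR tests (user enumeration, SIP auth failure, ACL rejection). Assumptions: the field order `[uuid] timestamp [cpu%] [LEVEL] file.c:line message`, the message wordings, the optional trailer on the ACL line, and the sample lines (constructed, RFC 5737 / RFC 3849 documentation addresses) are mine and are not taken from the PR's test file.

```go
package main

import (
	"fmt"
	"regexp"
)

// Event is the structured view of one FreeSWITCH sofia log line.
type Event struct {
	UUID      string // session UUID prefix; only present in 1.10.12-style lines (assumed layout)
	Timestamp string
	CPU       string // CPU percentage; present from the 1.9.x-style format on (assumed layout)
	Level     string
	Source    string // "sofia_reg.c" (older) or "sofia.c" (newer)
	Line      string
	Message   string
	Kind      string // "user_enum", "auth_failure", "acl_reject" or "" when benign
	User      string
	Domain    string
	SourceIP  string
}

// lineRE accepts all three prefixes with one pattern: the UUID and the CPU
// percentage are optional groups, and the source file is sofia(?:_reg)?\.c
// rather than sofia_reg\.c, mirroring the PR's fix for the filename move.
var lineRE = regexp.MustCompile(
	`^(?:(?P<uuid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}) )?` +
		`(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)` +
		`(?: (?P<cpu>\d+(?:\.\d+)?)%)?` +
		` \[(?P<level>[A-Z]+)\] ` +
		`(?P<src>sofia(?:_reg)?\.c):(?P<line>\d+) ` +
		`(?P<msg>.*)$`)

// Message classifiers (wording is an assumption based on the sofia_reg.c /
// sofia.c format strings). The IP groups use \S+ so IPv4 and IPv6 both match;
// the ACL pattern is not end-anchored so a trailing sentence after the ACL
// name does not break the match.
var (
	userEnumRE = regexp.MustCompile(`^Can't find user \[([^@\]]+)@([^\]]+)\] from (\S+)$`)
	authFailRE = regexp.MustCompile(`^SIP auth failure \(([A-Z]+)\) on sofia profile '([^']+)' for \[([^@\]]+)@([^\]]+)\] from ip (\S+)$`)
	aclRE      = regexp.MustCompile(`^IP (\S+) Rejected by (?:register )?acl "([^"]+)"`)
)

// Parse returns the structured event and true when the line is a sofia log
// line in any of the three prefix formats, false otherwise.
func Parse(line string) (Event, bool) {
	m := lineRE.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	get := func(name string) string { return m[lineRE.SubexpIndex(name)] }
	ev := Event{
		UUID: get("uuid"), Timestamp: get("ts"), CPU: get("cpu"), Level: get("level"),
		Source: get("src"), Line: get("line"), Message: get("msg"),
	}
	classify(&ev)
	return ev, true
}

// classify fills Kind/User/Domain/SourceIP from the message, or leaves Kind empty.
func classify(ev *Event) {
	if m := userEnumRE.FindStringSubmatch(ev.Message); m != nil {
		ev.Kind, ev.User, ev.Domain, ev.SourceIP = "user_enum", m[1], m[2], m[3]
		return
	}
	if m := authFailRE.FindStringSubmatch(ev.Message); m != nil {
		ev.Kind, ev.User, ev.Domain, ev.SourceIP = "auth_failure", m[3], m[4], m[5]
		return
	}
	if m := aclRE.FindStringSubmatch(ev.Message); m != nil {
		ev.Kind, ev.SourceIP = "acl_reject", m[1]
	}
}

// SecurityEvents parses every line and keeps only those that map to one of
// the three detection kinds; non-sofia lines and benign sofia lines are dropped.
func SecurityEvents(lines []string) []Event {
	var out []Event
	for _, l := range lines {
		if ev, ok := Parse(l); ok && ev.Kind != "" {
			out = append(out, ev)
		}
	}
	return out
}

// sampleLines are constructed for this example (not from the PR's test file).
var sampleLines = []string{
	// 1.8.x-style: timestamp only, message from sofia_reg.c
	`2019-03-14 10:22:01.123456 [WARNING] sofia_reg.c:3128 Can't find user [1001@sip.example.com] from 203.0.113.10`,
	// 1.9.x-style: CPU percentage after the timestamp
	`2020-07-01 08:15:44.654321 97.33% [WARNING] sofia_reg.c:1884 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@sip.example.com] from ip 198.51.100.7`,
	// 1.10.12-style: UUID prefix, CPU percentage, message now emitted from sofia.c
	`6f1e0b2a-4c3d-4e5f-8a9b-0c1d2e3f4a5b 2025-09-20 14:05:12.000123 99.10% [WARNING] sofia.c:10421 IP 192.0.2.25 Rejected by acl "domains"`,
	// not a sofia line: must be rejected by lineRE
	`2025-09-20 14:05:13.000000 99.10% [NOTICE] switch_core_state_machine.c:1234 State Change CS_NEW -> CS_INIT`,
	// sofia line with a benign message: parses, but Kind stays empty
	`2025-09-20 14:05:13.500000 99.10% [INFO] sofia.c:10421 Profile internal started`,
	// IPv6 source address in the newest format
	`6f1e0b2a-4c3d-4e5f-8a9b-0c1d2e3f4a5b 2025-09-20 14:05:14.000000 99.10% [WARNING] sofia.c:10421 SIP auth failure (INVITE) on sofia profile 'external' for [2002@sip.example.com] from ip 2001:db8::15`,
}

func main() {
	for _, ev := range SecurityEvents(sampleLines) {
		fmt.Printf("%-12s user=%q ip=%s src=%s cpu=%q uuid=%q\n",
			ev.Kind, ev.User, ev.SourceIP, ev.Source, ev.CPU, ev.UUID)
	}
}
```

Keeping the prefix and the message in separate patterns is what makes the version handling cheap: adding a fourth prefix variant touches only `lineRE`, and each detection message keeps its own anchored regexp, which is also where a grok-based parser would put the equivalent `%{FREESWITCH_*}` sub-patterns instead of YAML anchors.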
@danlomeli
Author

/kind enhancement

@danlomeli
Author

/area agent

@buixor buixor self-assigned this Sep 30, 2025
@buixor
Contributor

buixor commented Sep 30, 2025

Thanks for your PR, please avoid the use of YAML anchors.

@buixor buixor added the waiting-for-user Waiting for submitter answer regarding specific points in the PR label Sep 30, 2025