8.30. SIP Keywords

The SIP keywords are implemented as sticky buffers and can be used to match on fields in SIP messages.

8.30.1. sip.method

This keyword matches on the method found in a SIP request.

sip.method; content:<method>;

Examples of methods are:

sip.method; content:"INVITE";

This keyword matches on the uri found in a SIP request.

sip.uri; content:<uri>;

Where <uri> is an uri that follows the SIP URI scheme.

sip.uri; content:"sip:sip.url.org";

This keyword forces the whole SIP request line to be inspected.

sip.request_line; content:<request_line>;

Where <request_line> is a partial or full line.

sip.request_line; content:"REGISTER sip:sip.url.org SIP/2.0"

This keyword matches on the status code found in a SIP response.

sip.stat_code; content:<stat_code>

Where <status_code> belongs to one of the following groups of codes:

sip.stat_code; content:"100";

This keyword matches on the status message found in a SIP response.

sip.stat_msg; content:<stat_msg>

Where <stat_msg> is a reason phrase associated to a status code.

sip.stat_msg; content:"Trying";

This keyword forces the whole SIP response line to be inspected.

sip.response_line; content:<response_line>;

Where <response_line> is a partial or full line.

sip.response_line; content:"SIP/2.0 100 OK"

This keyword matches the protocol field from a SIP request or response line.

If the response line is 'SIP/2.0 100 OK', then this buffer will contain 'SIP/2.0'

sip.protocol; content:<protocol>

Where <protocol> is the SIP protocol version.

sip.protocol; content:"SIP/2.0"