6.25. SIP Keywords
The SIP keywords are implemented as sticky buffers and can be used to match on fields in SIP messages.
Keyword | Direction |
---|---|
sip.method | Request |
sip.uri | Request |
sip.request_line | Request |
sip.stat_code | Response |
sip.stat_msg | Response |
sip.response_line | Response |
sip.protocol | Both |
6.25.1. sip.method
This keyword matches on the method found in a SIP request.
6.25.1.1. Syntax
sip.method; content:<method>;
Examples of methods are:
- INVITE
- BYE
- REGISTER
- CANCEL
- ACK
- OPTIONS
6.25.1.2. Examples
sip.method; content:"INVITE";
6.25.2. sip.uri
This keyword matches on the URI found in a SIP request.
6.25.2.2. Examples
sip.uri; content:"sip:sip.url.org";
6.25.3. sip.request_line
This keyword forces the whole SIP request line to be inspected.
6.25.3.1. Syntax
sip.request_line; content:<request_line>;
Where <request_line> is a partial or full line.
6.25.3.2. Examples
sip.request_line; content:"REGISTER sip:sip.url.org SIP/2.0";
6.25.4. sip.stat_code
This keyword matches on the status code found in a SIP response.
6.25.4.1. Syntax
sip.stat_code; content:<stat_code>;
Where <stat_code> belongs to one of the following groups of codes:
- 1xx - Provisional Responses
- 2xx - Successful Responses
- 3xx - Redirection Responses
- 4xx - Client Failure Responses
- 5xx - Server Failure Responses
- 6xx - Global Failure Responses
6.25.4.2. Examples
sip.stat_code; content:"100";
6.25.5. sip.stat_msg
This keyword matches on the status message found in a SIP response.
6.25.5.1. Syntax
sip.stat_msg; content:<stat_msg>;
Where <stat_msg> is a reason phrase associated with a status code.
6.25.5.2. Examples
sip.stat_msg; content:"Trying";
6.25.6. sip.response_line
This keyword forces the whole SIP response line to be inspected.
6.25.6.1. Syntax
sip.response_line; content:<response_line>;
Where <response_line> is a partial or full line.
6.25.6.2. Examples
sip.response_line; content:"SIP/2.0 100 OK";
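The keyword fragments above placed inside complete rules, as an added example that is not part of the original documentation. The `alert sip` rule headers, `msg` texts, `flow` directions, `threshold` values and sids are assumptions chosen for illustration.

```suricata
# Constructed example rules. The sids are taken from the local range and the
# threshold counts and windows are assumed values to tune per site.

# sip.method: many OPTIONS requests from one source in a short window,
# as seen when a host enumerates SIP servers.
alert sip any any -> any any (msg:"LOCAL SIP OPTIONS burst from single source"; flow:to_server; sip.method; content:"OPTIONS"; threshold:type threshold, track by_src, count 30, seconds 60; sid:1000001; rev:1;)

# sip.request_line: partial match, anchored at the start of the line
# with the startswith content modifier.
alert sip any any -> any any (msg:"LOCAL SIP REGISTER to sip.url.org"; flow:to_server; sip.request_line; content:"REGISTER sip:sip.url.org"; startswith; sid:1000002; rev:1;)

# sip.stat_code: repeated 401 responses sent back to the same client,
# tracked by destination because responses flow towards the client.
alert sip any any -> any any (msg:"LOCAL SIP repeated 401 responses to one client"; flow:to_client; sip.stat_code; content:"401"; threshold:type threshold, track by_dst, count 10, seconds 60; sid:1000003; rev:1;)

# Two sticky buffers in one rule: each content applies to the buffer
# selected immediately before it.
alert sip any any -> any any (msg:"LOCAL SIP 100 Trying response"; flow:to_client; sip.stat_code; content:"100"; sip.stat_msg; content:"Trying"; sid:1000004; rev:1;)
```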