8.28. SIP Keywords
The SIP keywords are implemented as sticky buffers and can be used to match on fields in SIP messages.
Keyword | Direction
---|---
sip.method | Request
sip.uri | Request
sip.request_line | Request
sip.stat_code | Response
sip.stat_msg | Response
sip.response_line | Response
sip.protocol | Both
8.28.1. sip.method
This keyword matches on the method found in a SIP request.
8.28.1.1. Syntax
sip.method; content:<method>;
Examples of methods are:
INVITE
BYE
REGISTER
CANCEL
ACK
OPTIONS
8.28.1.2. Examples
sip.method; content:"INVITE";
8.28.2. sip.uri
This keyword matches on the URI found in a SIP request.
8.28.2.1. Syntax
sip.uri; content:<uri>;
Where <uri> is a URI that follows the SIP URI scheme.
8.28.2.2. Examples
sip.uri; content:"sip:sip.url.org";
8.28.3. sip.request_line
This keyword forces the whole SIP request line to be inspected.
8.28.3.1. Syntax
sip.request_line; content:<request_line>;
Where <request_line> is a partial or full line.
8.28.3.2. Examples
sip.request_line; content:"REGISTER sip:sip.url.org SIP/2.0";
8.28.4. sip.stat_code
This keyword matches on the status code found in a SIP response.
8.28.4.1. Syntax
sip.stat_code; content:<stat_code>;
Where <stat_code> belongs to one of the following groups of codes:
1xx - Provisional Responses
2xx - Successful Responses
3xx - Redirection Responses
4xx - Client Failure Responses
5xx - Server Failure Responses
6xx - Global Failure Responses
8.28.4.2. Examples
sip.stat_code; content:"100";
8.28.5. sip.stat_msg
This keyword matches on the status message found in a SIP response.
8.28.5.1. Syntax
sip.stat_msg; content:<stat_msg>;
Where <stat_msg> is the reason phrase associated with a status code.
8.28.5.2. Examples
sip.stat_msg; content:"Trying";
8.28.6. sip.response_line
This keyword forces the whole SIP response line to be inspected.
8.28.6.1. Syntax
sip.response_line; content:<response_line>;
Where <response_line> is a partial or full line.
8.28.6.2. Examples
sip.response_line; content:"SIP/2.0 100 OK";
8.28.7. sip.protocol
This keyword matches on the protocol field of a SIP request or response line.
If the response line is 'SIP/2.0 100 OK', then this buffer will contain 'SIP/2.0'.
8.28.7.1. Syntax
sip.protocol; content:<protocol>;
Where <protocol> is the SIP protocol version.
8.28.7.2. Examples
sip.protocol; content:"SIP/2.0";
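The following is an added example and is not part of the Suricata documentation or code base. It models in Python how the seven sticky buffers above are carved out of a SIP request line (Method SP Request-URI SP SIP-Version) or status line (SIP-Version SP Status-Code SP Reason-Phrase), and then evaluates rule-like (buffer, content) conditions against them, so that one can see exactly which text each keyword inspects and why, for instance, sip.method never matches a response. The function names (sip_buffers, content_match, rule_matches, count_matches), the Rule representation and the sample start lines are this example's own constructions, not Suricata's internals.

```python
from typing import Dict, List, Tuple


def sip_buffers(start_line: str) -> Dict[str, str]:
    """Derive the sticky-buffer contents from the first line of a SIP message.

    Request-Line = Method SP Request-URI SP SIP-Version
    Status-Line  = SIP-Version SP Status-Code SP Reason-Phrase
    Request buffers:  sip.method, sip.uri, sip.request_line, sip.protocol
    Response buffers: sip.stat_code, sip.stat_msg, sip.response_line, sip.protocol
    """
    line = start_line.rstrip("\r\n")
    # maxsplit=2 keeps a multi-word reason phrase such as "Not Found" intact
    parts = line.split(" ", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed SIP start line: {line!r}")

    if parts[0].upper().startswith("SIP/"):
        proto, code, msg = parts
        # Status codes are three digits in the classes 1xx .. 6xx
        if len(code) != 3 or not code.isdigit() or code[0] not in "123456":
            raise ValueError(f"bad SIP status code: {code!r}")
        return {
            "sip.response_line": line,
            "sip.protocol": proto,
            "sip.stat_code": code,
            "sip.stat_msg": msg,
        }

    method, uri, proto = parts
    if not proto.upper().startswith("SIP/"):
        raise ValueError(f"request line does not end with a SIP version: {line!r}")
    return {
        "sip.request_line": line,
        "sip.method": method,
        "sip.uri": uri,
        "sip.protocol": proto,
    }


# A rule is modelled as a list of (sticky buffer, content) pairs that must all
# match, mirroring 'sip.method; content:"INVITE";' inside a signature.
Rule = List[Tuple[str, str]]


def content_match(buffers: Dict[str, str], keyword: str, content: str) -> bool:
    """Plain substring match, as content does. A buffer that does not exist for
    this message type (e.g. sip.method on a response) never matches."""
    buf = buffers.get(keyword)
    return buf is not None and content in buf


def rule_matches(rule: Rule, start_line: str) -> bool:
    """True if every (buffer, content) pair of the rule matches the start line."""
    try:
        buffers = sip_buffers(start_line)
    except ValueError:
        # Unparseable start line: no SIP buffers, so no SIP keyword can match
        return False
    return all(content_match(buffers, kw, c) for kw, c in rule)


def count_matches(rule: Rule, lines: List[str]) -> int:
    """Number of start lines the rule would alert on."""
    return sum(rule_matches(rule, ln) for ln in lines)


# Constructed sample traffic for the demonstration (not captured data)
SAMPLE_LINES = [
    "INVITE sip:bob@example.com SIP/2.0",
    "REGISTER sip:sip.url.org SIP/2.0",
    "SIP/2.0 100 Trying",
    "SIP/2.0 404 Not Found",
]


if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        print(ln, "->", sip_buffers(ln))
    register_rule: Rule = [("sip.method", "REGISTER"), ("sip.uri", "sip.url.org")]
    print("REGISTER rule hits:", count_matches(register_rule, SAMPLE_LINES))
```

Running the script prints the buffer set for each sample line; note that sip.protocol is the only buffer present on both sides, which is why a rule on sip.protocol alone hits all four lines while the REGISTER rule hits exactly one.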