diff --git a/doc/userguide/rules/sip-keywords.rst b/doc/userguide/rules/sip-keywords.rst index be3662b1a5..92085c749f 100644 --- a/doc/userguide/rules/sip-keywords.rst +++ b/doc/userguide/rules/sip-keywords.rst @@ -3,6 +3,10 @@ SIP Keywords The SIP keywords are implemented as sticky buffers and can be used to match on fields in SIP messages. +As described in RFC3261, common header field names can be represented in a short form. +In such cases, the header name is normalized to its regular form to be matched by its +corresponding sticky buffer. + ============================== ================== Keyword Direction ============================== ================== @@ -13,6 +17,12 @@ sip.stat_code Response sip.stat_msg Response sip.response_line Response sip.protocol Both +sip.from Both +sip.to Both +sip.via Both +sip.user_agent Both +sip.content_type Both +sip.content_length Both ============================== ================== sip.method 
@@ -177,3 +187,134 @@ Example :: sip.protocol; content:"SIP/2.0" + +sip.from +-------- + +This keyword matches on the From field that can be present in SIP headers. +It matches both the regular and short forms, though it cannot distinguish between them. + +Syntax +~~~~~~ + +:: + + sip.from; content: + +Where is the value of the From header. + +Example +~~~~~~~ + +:: + + sip.from; content:"user" + +sip.to +------ + +This keyword matches on the To field that can be present in SIP headers. +It matches both the regular and short forms, though it cannot distinguish between them. + +Syntax +~~~~~~ + +:: + + sip.to; content: + +Where is the value of the To header. + +Example +~~~~~~~ + +:: + + sip.to; content:"user" + +sip.via +-------- + +This keyword matches on the Via field that can be present in SIP headers. +It matches both the regular and short forms, though it cannot distinguish between them. + +Syntax +~~~~~~ + +:: + + sip.via; content: + +Where is the value of the Via header. + +Example +~~~~~~~ + +:: + + sip.via; content:"SIP/2.0/UDP" + +sip.user_agent +-------------- + +This keyword matches on the User-Agent field that can be present in SIP headers. + +Syntax +~~~~~~ + +:: + + sip.user_agent; content: + +Where is the value of the User-Agent header. + +Example +~~~~~~~ + +:: + + sip.user_agent; content:"Asterisk" + +sip.content_type +---------------- + +This keyword matches on the Content-Type field that can be present in SIP headers. +It matches both the regular and short forms, though it cannot distinguish between them. + +Syntax +~~~~~~ + +:: + + sip.content_type; content: + +Where is the value of the Content-Type header. + +Example +~~~~~~~ + +:: + + sip.content_type; content:"application/sdp" + +sip.content_length +------------------ + +This keyword matches on the Content-Length field that can be present in SIP headers. +It matches both the regular and short forms, though it cannot distinguish between them. 
+ +Syntax +~~~~~~ + +:: + + sip.content_length; content: + +Where is the value of the Content-Length header. + +Example +~~~~~~~ + +:: + + sip.content_length; content:"200" diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst index a4fda32a00..df2a923c79 100644 --- a/doc/userguide/upgrade.rst +++ b/doc/userguide/upgrade.rst @@ -71,6 +71,12 @@ Major changes - PF_RING support has been moved to a plugin. See :doc:`PF_RING plugin `. - LDAP parser and logger have been introduced. +- The following sticky buffers for matching SIP headers have been implemented: + - sip.via + - sip.from + - sip.to + - sip.content_type + - sip.content_length Removals ~~~~~~~~
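Review bot: In the first sip-keywords.rst hunk, the new paragraph on short header forms cites "RFC3261" without a space and without a link; write it as "RFC 3261" (or use the Sphinx :rfc:`3261` role, which resolves to the RFC text) and list the compact forms the parser normalizes so readers know what to expect: f (From), t (To), v (Via), c (Content-Type), l (Content-Length). User-Agent has no compact form in RFC 3261, which is why the sip.user_agent section omits the short-form sentence that the other five sections carry; saying so in this paragraph spares the reader from wondering whether that omission is a mistake.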
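Review bot: In the hunk adding the per-keyword sections, the sip.content_length example `sip.content_length; content:"200"` is an unanchored substring match on the header value, so it also fires on `Content-Length: 1200` or `Content-Length: 2001`; since this is the line readers will copy, anchor it, e.g. `sip.content_length; content:"200"; startswith; endswith;`, or mention that byte_test can be used on the buffer for a numeric comparison. The sentence "It matches both the regular and short forms, though it cannot distinguish between them" is repeated verbatim in five sections; each copy would be more useful if it named the compact form it refers to (f, t, v, c, l respectively).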
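Review bot: In the upgrade.rst hunk, the nested bullet list under "The following sticky buffers for matching SIP headers have been implemented:" needs a blank line between that item and the `- sip.via` sub-items; without it docutils does not parse them as a nested list (it warns that the bullet list ends without a blank line and folds the items into the parent paragraph). The list also omits sip.user_agent, which the keyword table in sip-keywords.rst adds in the same change; add it so the upgrade notes match the documented keywords.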