|
|
@ -3,6 +3,10 @@ SIP Keywords
|
|
|
|
|
|
|
|
|
|
|
|
The SIP keywords are implemented as sticky buffers and can be used to match on fields in SIP messages.
|
|
|
|
The SIP keywords are implemented as sticky buffers and can be used to match on fields in SIP messages.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
As described in RFC3261, common header field names can be represented in a short form.
|
|
|
|
|
|
|
|
In such cases, the header name is normalized to its regular form to be matched by its
|
|
|
|
|
|
|
|
corresponding sticky buffer.
|
|
|
|
|
|
|
|
|
|
|
|
============================== ==================
|
|
|
|
============================== ==================
|
|
|
|
Keyword Direction
|
|
|
|
Keyword Direction
|
|
|
|
============================== ==================
|
|
|
|
============================== ==================
|
|
|
@ -13,6 +17,12 @@ sip.stat_code Response
|
|
|
|
sip.stat_msg Response
|
|
|
|
sip.stat_msg Response
|
|
|
|
sip.response_line Response
|
|
|
|
sip.response_line Response
|
|
|
|
sip.protocol Both
|
|
|
|
sip.protocol Both
|
|
|
|
|
|
|
|
sip.from Both
|
|
|
|
|
|
|
|
sip.to Both
|
|
|
|
|
|
|
|
sip.via Both
|
|
|
|
|
|
|
|
sip.user_agent Both
|
|
|
|
|
|
|
|
sip.content_type Both
|
|
|
|
|
|
|
|
sip.content_length Both
|
|
|
|
============================== ==================
|
|
|
|
============================== ==================
|
|
|
|
|
|
|
|
|
|
|
|
sip.method
|
|
|
|
sip.method
|
|
|
@ -177,3 +187,134 @@ Example
|
|
|
|
::
|
|
|
|
::
|
|
|
|
|
|
|
|
|
|
|
|
sip.protocol; content:"SIP/2.0"
|
|
|
|
sip.protocol; content:"SIP/2.0"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sip.from
|
|
|
|
|
|
|
|
--------
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This keyword matches on the From field that can be present in SIP headers.
|
|
|
|
|
|
|
|
It matches both the regular and short forms, though it cannot distinguish between them.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Syntax
|
|
|
|
|
|
|
|
~~~~~~
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sip.from; content:<from>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Where <from> is the value of the From header.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
|
|
|
|
|
|
|
|
~~~~~~~
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sip.from; content:"user"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sip.to
|
|
|
|
|
|
|
|
------
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This keyword matches on the To field that can be present in SIP headers.
|
|
|
|
|
|
|
|
It matches both the regular and short forms, though it cannot distinguish between them.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Syntax
|
|
|
|
|
|
|
|
~~~~~~
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sip.to; content:<to>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Where <to> is the value of the To header.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
|
|
|
|
|
|
|
|
~~~~~~~
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sip.to; content:"user"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sip.via
|
|
|
|
|
|
|
|
--------
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This keyword matches on the Via field that can be present in SIP headers.
|
|
|
|
|
|
|
|
It matches both the regular and short forms, though it cannot distinguish between them.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Syntax
|
|
|
|
|
|
|
|
~~~~~~
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sip.via; content:<via>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Where <via> is the value of the Via header.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
|
|
|
|
|
|
|
|
~~~~~~~
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sip.via; content:"SIP/2.0/UDP"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sip.user_agent
|
|
|
|
|
|
|
|
--------------
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This keyword matches on the User-Agent field that can be present in SIP headers.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Syntax
|
|
|
|
|
|
|
|
~~~~~~
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sip.user_agent; content:<user_agent>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Where <user_agent> is the value of the User-Agent header.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
|
|
|
|
|
|
|
|
~~~~~~~
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sip.user_agent; content:"Asterisk"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sip.content_type
|
|
|
|
|
|
|
|
----------------
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This keyword matches on the Content-Type field that can be present in SIP headers.
|
|
|
|
|
|
|
|
It matches both the regular and short forms, though it cannot distinguish between them.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Syntax
|
|
|
|
|
|
|
|
~~~~~~
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sip.content_type; content:<content_type>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Where <content_type> is the value of the Content-Type header.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
|
|
|
|
|
|
|
|
~~~~~~~
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sip.content_type; content:"application/sdp"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sip.content_length
|
|
|
|
|
|
|
|
------------------
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This keyword matches on the Content-Length field that can be present in SIP headers.
|
|
|
|
|
|
|
|
It matches both the regular and short forms, though it cannot distinguish between them.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Syntax
|
|
|
|
|
|
|
|
~~~~~~
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sip.content_length; content:<content_length>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Where <content_length> is the value of the Content-Length header.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
|
|
|
|
|
|
|
|
~~~~~~~
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sip.content_length; content:"200"
|
|
|
|