mirror of https://github.com/OISF/suricata
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
180 lines
2.7 KiB
ReStructuredText
180 lines
2.7 KiB
ReStructuredText
SIP Keywords
|
|
============
|
|
|
|
The SIP keywords are implemented as sticky buffers and can be used to match on fields in SIP messages.
|
|
|
|
============================== ==================
|
|
Keyword Direction
|
|
============================== ==================
|
|
sip.method Request
|
|
sip.uri Request
|
|
sip.request_line Request
|
|
sip.stat_code Response
|
|
sip.stat_msg Response
|
|
sip.response_line Response
|
|
sip.protocol Both
|
|
============================== ==================
|
|
|
|
sip.method
|
|
----------
|
|
|
|
This keyword matches on the method found in a SIP request.
|
|
|
|
Syntax
|
|
~~~~~~
|
|
|
|
::
|
|
|
|
sip.method; content:<method>;
|
|
|
|
Examples of methods are:
|
|
|
|
* INVITE
|
|
* BYE
|
|
* REGISTER
|
|
* CANCEL
|
|
* ACK
|
|
* OPTIONS
|
|
|
|
Examples
|
|
~~~~~~~~
|
|
|
|
::
|
|
|
|
sip.method; content:"INVITE";
|
|
|
|
sip.uri
|
|
-------
|
|
|
|
This keyword matches on the uri found in a SIP request.
|
|
|
|
Syntax
|
|
~~~~~~
|
|
|
|
::
|
|
|
|
sip.uri; content:<uri>;
|
|
|
|
Where <uri> is an uri that follows the SIP URI scheme.
|
|
|
|
Examples
|
|
~~~~~~~~
|
|
|
|
::
|
|
|
|
sip.uri; content:"sip:sip.url.org";
|
|
|
|
sip.request_line
|
|
----------------
|
|
|
|
This keyword forces the whole SIP request line to be inspected.
|
|
|
|
Syntax
|
|
~~~~~~
|
|
|
|
::
|
|
|
|
sip.request_line; content:<request_line>;
|
|
|
|
Where <request_line> is a partial or full line.
|
|
|
|
Examples
|
|
~~~~~~~~
|
|
|
|
::
|
|
|
|
sip.request_line; content:"REGISTER sip:sip.url.org SIP/2.0"
|
|
|
|
sip.stat_code
|
|
-------------
|
|
|
|
This keyword matches on the status code found in a SIP response.
|
|
|
|
Syntax
|
|
~~~~~~
|
|
|
|
::
|
|
|
|
sip.stat_code; content:<stat_code>
|
|
|
|
Where <status_code> belongs to one of the following groups of codes:
|
|
|
|
* 1xx - Provisional Responses
|
|
* 2xx - Successful Responses
|
|
* 3xx - Redirection Responses
|
|
* 4xx - Client Failure Responses
|
|
* 5xx - Server Failure Responses
|
|
* 6xx - Global Failure Responses
|
|
|
|
Examples
|
|
~~~~~~~~
|
|
|
|
::
|
|
|
|
sip.stat_code; content:"100";
|
|
|
|
sip.stat_msg
|
|
------------
|
|
|
|
This keyword matches on the status message found in a SIP response.
|
|
|
|
Syntax
|
|
~~~~~~
|
|
|
|
::
|
|
|
|
sip.stat_msg; content:<stat_msg>
|
|
|
|
Where <stat_msg> is a reason phrase associated to a status code.
|
|
|
|
Examples
|
|
~~~~~~~~
|
|
|
|
::
|
|
|
|
sip.stat_msg; content:"Trying";
|
|
|
|
sip.response_line
|
|
-----------------
|
|
|
|
This keyword forces the whole SIP response line to be inspected.
|
|
|
|
Syntax
|
|
~~~~~~
|
|
|
|
::
|
|
|
|
sip.response_line; content:<response_line>;
|
|
|
|
Where <response_line> is a partial or full line.
|
|
|
|
Examples
|
|
~~~~~~~~
|
|
|
|
::
|
|
|
|
sip.response_line; content:"SIP/2.0 100 OK"
|
|
|
|
sip.protocol
|
|
------------
|
|
|
|
This keyword matches the protocol field from a SIP request or response line.
|
|
|
|
If the response line is 'SIP/2.0 100 OK', then this buffer will contain 'SIP/2.0'
|
|
|
|
Syntax
|
|
~~~~~~
|
|
|
|
::
|
|
|
|
sip.protocol; content:<protocol>
|
|
|
|
Where <protocol> is the SIP protocol version.
|
|
|
|
Example
|
|
~~~~~~~
|
|
|
|
::
|
|
|
|
sip.protocol; content:"SIP/2.0"
|