rules: add sip-events.rules

Ticket #8524
1 month ago · ae58cc6491
parent 695b4f4a3d
commit ae58cc6491
3 changed files with 7 additions and 0 deletions
--- a/rules/Makefile.am
+++ b/rules/Makefile.am
@ -25,6 +25,7 @@ pop3-events.rules \
 quic-events.rules \
 rfb-events.rules \
 sctp-events.rules \
+sip-events.rules \
 smb-events.rules \
 smtp-events.rules \
 snmp-events.rules \
--- a/rules/README.md
+++ b/rules/README.md
@ -41,4 +41,5 @@ signature IDs.
 | Bittorent| 2243000 | 2243999 |
 | MODBUS   | 2250000 | 2250999 |
 | DNP3     | 2270000 | 2270999 |
+| SIP      | 2280000 | 2280999 |
 | HTTP2    | 2290000 | 2290999 |
--- a/rules/sip-events.rules
+++ b/rules/sip-events.rules
@ -0,0 +1,5 @@
+# SIP app layer event rules
+#
+# SID's fall in the 2280000-2280999 range.
+#
+alert sip any any -> any any (msg:"SURICATA SIP invalid data"; app-layer-event:sip.invalid_data; classtype:protocol-command-decode; sid:2280001; rev:1;)