mirror of https://github.com/OISF/suricata

doc: add SIP keywords
parent e06291922f
commit dd5d0afd79
				| @ -0,0 +1,179 @@ | ||||
| SIP Keywords | ||||
| ============ | ||||
| 
 | ||||
| The SIP keywords are implemented as sticky buffers and can be used to match on fields in SIP messages. | ||||
| 
 | ||||
| ============================== ================== | ||||
| Keyword                        Direction | ||||
| ============================== ================== | ||||
| sip.method                     Request | ||||
| sip.uri                        Request | ||||
| sip.request_line               Request | ||||
| sip.stat_code                  Response | ||||
| sip.stat_msg                   Response | ||||
| sip.response_line              Response | ||||
| sip.protocol                   Both | ||||
| ============================== ================== | ||||
| 
 | ||||
| sip.method | ||||
| ---------- | ||||
| 
 | ||||
| This keyword matches on the method found in a SIP request. | ||||
| 
 | ||||
| Syntax | ||||
| ~~~~~~ | ||||
| 
 | ||||
| :: | ||||
| 
 | ||||
|   sip.method; content:<method>; | ||||
| 
 | ||||
| Examples of methods are: | ||||
| 
 | ||||
| * INVITE | ||||
| * BYE | ||||
| * REGISTER | ||||
| * CANCEL | ||||
| * ACK | ||||
| * OPTIONS | ||||
| 
 | ||||
| Examples | ||||
| ~~~~~~~~ | ||||
| 
 | ||||
| :: | ||||
| 
 | ||||
|   sip.method; content:"INVITE"; | ||||
| 
 | ||||
| sip.uri | ||||
| ------- | ||||
| 
 | ||||
| This keyword matches on the uri found in a SIP request. | ||||
| 
 | ||||
| Syntax | ||||
| ~~~~~~ | ||||
| 
 | ||||
| :: | ||||
| 
 | ||||
|   sip.uri; content:<uri>; | ||||
| 
 | ||||
| Where <uri> is an uri that follows the SIP URI scheme. | ||||
| 
 | ||||
| Examples | ||||
| ~~~~~~~~ | ||||
| 
 | ||||
| :: | ||||
| 
 | ||||
|   sip.uri; content:"sip:sip.url.org"; | ||||
| 
 | ||||
| sip.request_line | ||||
| ---------------- | ||||
| 
 | ||||
| This keyword forces the whole SIP request line to be inspected. | ||||
| 
 | ||||
| Syntax | ||||
| ~~~~~~ | ||||
| 
 | ||||
| :: | ||||
| 
 | ||||
|   sip.request_line; content:<request_line>; | ||||
| 
 | ||||
| Where <request_line> is a partial or full line. | ||||
| 
 | ||||
| Examples | ||||
| ~~~~~~~~ | ||||
| 
 | ||||
| :: | ||||
| 
 | ||||
|   sip.request_line; content:"REGISTER sip:sip.url.org SIP/2.0" | ||||
| 
 | ||||
| sip.stat_code | ||||
| ------------- | ||||
| 
 | ||||
| This keyword matches on the status code found in a SIP response. | ||||
| 
 | ||||
| Syntax | ||||
| ~~~~~~ | ||||
| 
 | ||||
| :: | ||||
| 
 | ||||
|   sip.stat_code; content:<stat_code> | ||||
| 
 | ||||
| Where <status_code> belongs to one of the following groups of codes: | ||||
| 
 | ||||
| * 1xx - Provisional Responses | ||||
| * 2xx - Successful Responses | ||||
| * 3xx - Redirection Responses | ||||
| * 4xx - Client Failure Responses | ||||
| * 5xx - Server Failure Responses | ||||
| * 6xx - Global Failure Responses | ||||
| 
 | ||||
| Examples | ||||
| ~~~~~~~~ | ||||
| 
 | ||||
| :: | ||||
| 
 | ||||
|   sip.stat_code; content:"100"; | ||||
| 
 | ||||
| sip.stat_msg | ||||
| ------------ | ||||
| 
 | ||||
| This keyword matches on the status message found in a SIP response. | ||||
| 
 | ||||
| Syntax | ||||
| ~~~~~~ | ||||
| 
 | ||||
| :: | ||||
| 
 | ||||
|   sip.stat_msg; content:<stat_msg> | ||||
| 
 | ||||
| Where <stat_msg> is a reason phrase associated to a status code. | ||||
| 
 | ||||
| Examples | ||||
| ~~~~~~~~ | ||||
| 
 | ||||
| :: | ||||
| 
 | ||||
|   sip.stat_msg; content:"Trying"; | ||||
| 
 | ||||
| sip.response_line | ||||
| ----------------- | ||||
| 
 | ||||
| This keyword forces the whole SIP response line to be inspected. | ||||
| 
 | ||||
| Syntax | ||||
| ~~~~~~ | ||||
| 
 | ||||
| :: | ||||
| 
 | ||||
|   sip.response_line; content:<response_line>; | ||||
| 
 | ||||
| Where <response_line> is a partial or full line. | ||||
| 
 | ||||
| Examples | ||||
| ~~~~~~~~ | ||||
| 
 | ||||
| :: | ||||
| 
 | ||||
|   sip.response_line; content:"SIP/2.0 100 OK" | ||||
| 
 | ||||
| sip.protocol | ||||
| ------------ | ||||
| 
 | ||||
| This keyword matches the protocol field from a SIP request or response line. | ||||
| 
 | ||||
| If the response line is 'SIP/2.0 100 OK', then this buffer will contain 'SIP/2.0' | ||||
| 
 | ||||
| Syntax | ||||
| ~~~~~~ | ||||
| 
 | ||||
| :: | ||||
| 
 | ||||
|   sip.protocol; content:<protocol> | ||||
| 
 | ||||
| Where <protocol> is the SIP protocol version. | ||||
| 
 | ||||
| Example | ||||
| ~~~~~~~ | ||||
| 
 | ||||
| :: | ||||
| 
 | ||||
|   sip.protocol; content:"SIP/2.0" | ||||
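Review bot: the sip.stat_code section is internally inconsistent: its syntax line reads `sip.stat_code; content:<stat_code>` while the sentence under it describes `<status_code>`; pick one placeholder name. That same syntax line, plus the sip.stat_msg and sip.protocol syntax lines and the sip.request_line, sip.response_line and sip.protocol examples, drop the trailing `;` that the sip.method, sip.uri, sip.stat_code and sip.stat_msg examples carry (compare `sip.method; content:"INVITE";` with `sip.protocol; content:"SIP/2.0"`); terminate every option the same way so users copying the snippets into a rule get valid syntax. The sip.response_line example and the sip.protocol explanation both use `SIP/2.0 100 OK`, but the page itself pairs status code 100 with the reason phrase `Trying` in the sip.stat_code and sip.stat_msg examples, and `OK` belongs to 200; use `SIP/2.0 200 OK` or `SIP/2.0 100 Trying` so the response-line example is a message a real UA would send. Minor wording: "an uri that follows the SIP URI scheme" should read "a URI", and "uri" in the sip.uri description should be capitalised as "URI"; the sip.uri text could also state plainly that the buffer holds the full Request-URI including the `sip:` scheme, which is what the example `sip:sip.url.org` implies but the prose leaves open.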