aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
dependabot/github_actions/actions/checkout-4.2.1
dependabot/github_actions/github/codeql-action-3.26.12
dependabot/github_actions/actions/upload-artifact-4.4.3
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '15c4eb3d16'
${ noResults }
suricata/doc/userguide/rules/sip-keywords.rst

321 lines
5.1 KiB
ReStructuredText
Raw Blame History

SIP Keywords
============
The SIP keywords are implemented as sticky buffers and can be used to match on fields in SIP messages.
As described in RFC3261, common header field names can be represented in a short form.
In such cases, the header name is normalized to its regular form to be matched by its
corresponding sticky buffer.
============================== ==================
Keyword Direction
============================== ==================
sip.method Request
sip.uri Request
sip.request_line Request
sip.stat_code Response
sip.stat_msg Response
sip.response_line Response
sip.protocol Both
sip.from Both
sip.to Both
sip.via Both
sip.user_agent Both
sip.content_type Both
sip.content_length Both
============================== ==================
sip.method
----------
This keyword matches on the method found in a SIP request.
Syntax
~~~~~~
::
sip.method; content:<method>;
Examples of methods are:
* INVITE
* BYE
* REGISTER
* CANCEL
* ACK
* OPTIONS
Examples
~~~~~~~~
::
sip.method; content:"INVITE";
sip.uri
-------
This keyword matches on the uri found in a SIP request.
Syntax
~~~~~~
::
sip.uri; content:<uri>;
Where <uri> is an uri that follows the SIP URI scheme.
Examples
~~~~~~~~
::
sip.uri; content:"sip:sip.url.org";
sip.request_line
----------------
This keyword forces the whole SIP request line to be inspected.
Syntax
~~~~~~
::
sip.request_line; content:<request_line>;
Where <request_line> is a partial or full line.
Examples
~~~~~~~~
::
sip.request_line; content:"REGISTER sip:sip.url.org SIP/2.0"
sip.stat_code
-------------
This keyword matches on the status code found in a SIP response.
Syntax
~~~~~~
::
sip.stat_code; content:<stat_code>
Where <status_code> belongs to one of the following groups of codes:
* 1xx - Provisional Responses
* 2xx - Successful Responses
* 3xx - Redirection Responses
* 4xx - Client Failure Responses
* 5xx - Server Failure Responses
* 6xx - Global Failure Responses
Examples
~~~~~~~~
::
sip.stat_code; content:"100";
sip.stat_msg
------------
This keyword matches on the status message found in a SIP response.
Syntax
~~~~~~
::
sip.stat_msg; content:<stat_msg>
Where <stat_msg> is a reason phrase associated to a status code.
Examples
~~~~~~~~
::
sip.stat_msg; content:"Trying";
sip.response_line
-----------------
This keyword forces the whole SIP response line to be inspected.
Syntax
~~~~~~
::
sip.response_line; content:<response_line>;
Where <response_line> is a partial or full line.
Examples
~~~~~~~~
::
sip.response_line; content:"SIP/2.0 100 OK"
sip.protocol
------------
This keyword matches the protocol field from a SIP request or response line.
If the response line is 'SIP/2.0 100 OK', then this buffer will contain 'SIP/2.0'
Syntax
~~~~~~
::
sip.protocol; content:<protocol>
Where <protocol> is the SIP protocol version.
Example
~~~~~~~
::
sip.protocol; content:"SIP/2.0"
sip.from
--------
This keyword matches on the From field that can be present in SIP headers.
It matches both the regular and short forms, though it cannot distinguish between them.
Syntax
~~~~~~
::
sip.from; content:<from>
Where <from> is the value of the From header.
Example
~~~~~~~
::
sip.from; content:"user"
sip.to
------
This keyword matches on the To field that can be present in SIP headers.
It matches both the regular and short forms, though it cannot distinguish between them.
Syntax
~~~~~~
::
sip.to; content:<to>
Where <to> is the value of the To header.
Example
~~~~~~~
::
sip.to; content:"user"
sip.via
--------
This keyword matches on the Via field that can be present in SIP headers.
It matches both the regular and short forms, though it cannot distinguish between them.
Syntax
~~~~~~
::
sip.via; content:<via>
Where <via> is the value of the Via header.
Example
~~~~~~~
::
sip.via; content:"SIP/2.0/UDP"
sip.user_agent
--------------
This keyword matches on the User-Agent field that can be present in SIP headers.
Syntax
~~~~~~
::
sip.user_agent; content:<user_agent>
Where <user_agent> is the value of the User-Agent header.
Example
~~~~~~~
::
sip.user_agent; content:"Asterisk"
sip.content_type
----------------
This keyword matches on the Content-Type field that can be present in SIP headers.
It matches both the regular and short forms, though it cannot distinguish between them.
Syntax
~~~~~~
::
sip.content_type; content:<content_type>
Where <content_type> is the value of the Content-Type header.
Example
~~~~~~~
::
sip.content_type; content:"application/sdp"
sip.content_length
------------------
This keyword matches on the Content-Length field that can be present in SIP headers.
It matches both the regular and short forms, though it cannot distinguish between them.
Syntax
~~~~~~
::
sip.content_length; content:<content_length>
Where <content_length> is the value of the Content-Length header.
Example
~~~~~~~
::
sip.content_length; content:"200"
Reference in New Issue View Git Blame Copy Permalink