The SIP keywords are implemented as sticky buffers and can be used to match on fields in SIP messages.
+As described in RFC3261, common header field names can be represented in a short form.
+In such cases, the header name is normalized to its regular form to be matched by its
+corresponding sticky buffer.
+
============================== ==================
Keyword Direction
============================== ==================
sip.stat_msg Response
sip.response_line Response
sip.protocol Both
+sip.from Both
+sip.to Both
+sip.via Both
+sip.user_agent Both
+sip.content_type Both
+sip.content_length Both
============================== ==================
sip.method
::
sip.protocol; content:"SIP/2.0"
+
+sip.from
+--------
+
+This keyword matches on the From field that can be present in SIP headers.
+It matches both the regular and short forms, though it cannot distinguish between them.
+
+Syntax
+~~~~~~
+
+::
+
+ sip.from; content:<from>
+
+Where <from> is the value of the From header.
+
+Example
+~~~~~~~
+
+::
+
+ sip.from; content:"user"
+
+sip.to
+------
+
+This keyword matches on the To field that can be present in SIP headers.
+It matches both the regular and short forms, though it cannot distinguish between them.
+
+Syntax
+~~~~~~
+
+::
+
+ sip.to; content:<to>
+
+Where <to> is the value of the To header.
+
+Example
+~~~~~~~
+
+::
+
+ sip.to; content:"user"
+
+sip.via
+--------
+
+This keyword matches on the Via field that can be present in SIP headers.
+It matches both the regular and short forms, though it cannot distinguish between them.
+
+Syntax
+~~~~~~
+
+::
+
+ sip.via; content:<via>
+
+Where <via> is the value of the Via header.
+
+Example
+~~~~~~~
+
+::
+
+ sip.via; content:"SIP/2.0/UDP"
+
+sip.user_agent
+--------------
+
+This keyword matches on the User-Agent field that can be present in SIP headers.
+
+Syntax
+~~~~~~
+
+::
+
+ sip.user_agent; content:<user_agent>
+
+Where <user_agent> is the value of the User-Agent header.
+
+Example
+~~~~~~~
+
+::
+
+ sip.user_agent; content:"Asterisk"
+
+sip.content_type
+----------------
+
+This keyword matches on the Content-Type field that can be present in SIP headers.
+It matches both the regular and short forms, though it cannot distinguish between them.
+
+Syntax
+~~~~~~
+
+::
+
+ sip.content_type; content:<content_type>
+
+Where <content_type> is the value of the Content-Type header.
+
+Example
+~~~~~~~
+
+::
+
+ sip.content_type; content:"application/sdp"
+
+sip.content_length
+------------------
+
+This keyword matches on the Content-Length field that can be present in SIP headers.
+It matches both the regular and short forms, though it cannot distinguish between them.
+
+Syntax
+~~~~~~
+
+::
+
+ sip.content_length; content:<content_length>
+
+Where <content_length> is the value of the Content-Length header.
+
+Example
+~~~~~~~
+
+::
+
+ sip.content_length; content:"200"
projects / thirdparty / suricata.git / commitdiff
