next up previous contents
Next: Reputation Preprocessor Up: SIP Preprocessor Previous: Events   Contents

Rule Options

New rule options are supported by enabling the sip preprocessor:
  sip_method
  sip_stat_code
  sip_header
  sip_body
Overloaded modifiers for the existing pcre rule option:
  H: Match the SIP request or SIP response header; similar to sip_header.
  P: Match the SIP request or SIP response body; similar to sip_body.
sip_method
The sip_method keyword is used to check for specific SIP request methods. The list of methods is: invite, cancel, ack, bye, register, options, refer, subscribe, update, join, info, message, notify, prack. More than one method can be specified as a comma-separated list; the listed methods are OR'ed together. The method is used as the fast pattern match when one is available. If a method used in this rule is not listed in the preprocessor configuration, it is added to the preprocessor configuration for the associated policy.

Syntax

    sip_method:<method-list>;
    method-list = method|method, method-list
    method      = ["!"] "invite"|"cancel"|"ack"|"bye"|"register"|"options"
                  |"refer"|"subscribe"|"update"|"join"|"info"|"message"
                  |"notify"|"prack"
    Note: if "!" is used, only one method is allowed in sip_method.
Examples
   sip_method:invite, cancel
   sip_method:!invite
   
   Note: to AND methods (here: match only if the method is neither invite nor bye), use several sip_method options in one rule:
   sip_method:!invite; sip_method:!bye

sip_stat_code

The sip_stat_code keyword is used to check the SIP response status code. This option matches if any one of the status codes specified matches the status code of the SIP response.

Syntax

   sip_stat_code:<code_list>;
   code_list = code|code, code_list
   code      = "100-999"|"1-9"
Note: a single digit n (1-9) matches every response in the class "nxx", so 1, 2, 3, 4, 5, 6 match "1xx", "2xx", "3xx", "4xx", "5xx", "6xx" responses respectively.

Examples

   sip_stat_code:200
   sip_stat_code:2
   sip_stat_code:200, 180
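As an added illustration that is not part of the Snort manual or of the sip preprocessor's own (C) code, the following Python reimplements the matching semantics of sip_method and sip_stat_code described above and runs them over constructed SIP start lines: OR over a comma-separated method list, the single-method restriction on "!", AND by stacking several sip_method options, and the single-digit class match ("2" matches any 2xx) of sip_stat_code. The function names and the sample start lines are assumptions made for this example.

```python
import re

# The methods sip_method accepts, as listed in the manual.
SIP_METHODS = {
    "invite", "cancel", "ack", "bye", "register", "options", "refer",
    "subscribe", "update", "join", "info", "message", "notify", "prack",
}


def parse_method_list(spec):
    """Parse the argument of sip_method. Returns (negated, set_of_methods).
    Enforces the manual's rule that "!" allows only one method."""
    items = [m.strip().lower() for m in spec.split(",") if m.strip()]
    if not items:
        raise ValueError("sip_method needs at least one method")
    negated = any(m.startswith("!") for m in items)
    if negated:
        if len(items) != 1:
            raise ValueError('"!" allows only one method in sip_method')
        items = [items[0][1:]]
    unknown = [m for m in items if m not in SIP_METHODS]
    if unknown:
        raise ValueError("unknown SIP method(s): %s" % ", ".join(unknown))
    return negated, set(items)


def sip_method_matches(spec, request_line):
    """sip_method: the listed methods are OR'ed; a single "!method" negates."""
    negated, wanted = parse_method_list(spec)
    method = request_line.split(" ", 1)[0].lower()
    return (method not in wanted) if negated else (method in wanted)


def sip_method_all(specs, request_line):
    """Several sip_method options in one rule are AND'ed, e.g.
    sip_method:!invite; sip_method:!bye"""
    return all(sip_method_matches(s, request_line) for s in specs)


def parse_code_list(spec):
    """Parse the argument of sip_stat_code: 3-digit codes 100-999 or class digits 1-9."""
    codes = []
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok.isdigit():
            raise ValueError("bad status code token: %r" % tok)
        n = int(tok)
        if not (1 <= n <= 9 or 100 <= n <= 999):
            raise ValueError("status code out of range: %d" % n)
        codes.append(n)
    return codes


STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) ")


def sip_stat_code_matches(spec, status_line):
    """sip_stat_code: true if any listed code matches; a class digit d matches dxx."""
    m = STATUS_LINE.match(status_line)
    if not m:
        return False  # not a response: sip_stat_code never matches a request
    code = int(m.group(1))
    for c in parse_code_list(spec):
        if (c < 10 and code // 100 == c) or code == c:
            return True
    return False


if __name__ == "__main__":
    # Constructed start lines (not captured traffic).
    print(sip_method_matches("invite, cancel", "INVITE sip:bob@example.com SIP/2.0"))  # True
    print(sip_method_all(["!invite", "!bye"], "REGISTER sip:example.com SIP/2.0"))    # True
    print(sip_stat_code_matches("2", "SIP/2.0 200 OK"))                                # True
    print(sip_stat_code_matches("200, 180", "SIP/2.0 486 Busy Here"))                  # False
```

Note that a request never satisfies sip_stat_code, and a "!" list with more than one method is rejected at parse time rather than silently treated as OR.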

sip_header

The sip_header keyword restricts the search to the extracted header fields of a SIP request or response. This works similarly to file_data.

Syntax

   sip_header;

Examples

   alert udp any any -> any 5060 (sip_header; content:"CSeq"; )

sip_body

The sip_body keyword places the cursor at the beginning of the body of a SIP message. This works similarly to file_data and dce_stub_data. The message body typically carries the media channel information in SDP (Session Description Protocol).

Syntax

   sip_body;

Examples

   alert udp any any -> any 5060 (sip_body; content:"c=IN IP4 0.0.0.0"; within:100;)

pcre

The sip preprocessor overloads two pcre modifiers, H (header buffer) and P (body buffer):

Examples

    alert udp any any -> any 5060 (pcre:"/INVITE/H"; sid:1000000;)
    alert udp any any -> any 5060 (pcre:"/m=/P"; sid:2000000;)
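As an added illustration that is not part of the Snort manual or of the sip preprocessor's own code, the following Python models the buffer selection behind sip_header, sip_body and the H/P pcre modifiers, and evaluates the page's sip_header, sip_body and pcre examples against a constructed INVITE carrying SDP. It assumes (for this example only) that the header buffer is the header block after the start line and that the body buffer is everything after the first empty line; the function names and the sample message are likewise assumptions.

```python
import re

# Constructed INVITE whose SDP connection line points at 0.0.0.0 (the
# sip_body example above). Sample message, not captured traffic.
_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 0.0.0.0\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
_HEAD = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
)
SAMPLE_INVITE = _HEAD + "Content-Length: %d\r\n\r\n" % len(_SDP) + _SDP


def split_sip(msg):
    """Split a SIP message into (start_line, header_buffer, body_buffer).
    Assumption for this example: the sip_header buffer is the header block
    after the start line; the sip_body buffer is everything after the first
    empty line (empty when the message has no body)."""
    head, _, body = msg.partition("\r\n\r\n")
    start_line, _, headers = head.partition("\r\n")
    return start_line, headers, body


def content_match(buf, pattern, start=0, within=None):
    """Model Snort's content with an optional within: search from the cursor
    (start) and, when within is given, only inside the next `within` bytes.
    Returns the offset just past the match (the new cursor) or -1."""
    window = buf[start:] if within is None else buf[start:start + within]
    idx = window.find(pattern)
    return -1 if idx < 0 else start + idx + len(pattern)


def pcre_match(msg, regex, modifier):
    """Model pcre with the sip overloads: H selects the header buffer, P the body."""
    _, headers, body = split_sip(msg)
    buf = {"H": headers, "P": body}[modifier]
    return re.search(regex, buf) is not None


def cseq_rule(msg):
    """Equivalent of:
    alert udp any any -> any 5060 (sip_header; content:"CSeq";)"""
    _, headers, _ = split_sip(msg)
    return content_match(headers, "CSeq") != -1


def on_hold_rule(msg):
    """Equivalent of:
    alert udp any any -> any 5060 (sip_body; content:"c=IN IP4 0.0.0.0"; within:100;)"""
    _, _, body = split_sip(msg)
    return content_match(body, "c=IN IP4 0.0.0.0", within=100) != -1


if __name__ == "__main__":
    print(cseq_rule(SAMPLE_INVITE))                     # True
    print(on_hold_rule(SAMPLE_INVITE))                  # True
    print(pcre_match(SAMPLE_INVITE, r"m=", "P"))        # True
    print(pcre_match(SAMPLE_INVITE, r"INVITE", "H"))    # True (via the CSeq header)
    print(pcre_match(SAMPLE_INVITE, r"^INVITE", "H"))   # False: the request line is not in the header buffer
```

Under this model, the page's pcre:"/INVITE/H" example fires on the INVITE only because the method is repeated in the CSeq header, and the within:100 bound on the body match keeps a c= line deep inside a large SDP from matching.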


Eugene Misnik 2013-05-08