Snort 3's Session Initiation Protocol (SIP) inspector keeps track of SIP request and response messages, and it provides four rule options that let rule-writers look for specific SIP components:
The sip_method rule option enables rule writers to check packets against one or more SIP methods. The list of methods that can be matched includes
It's declared with sip_method: followed by one or more methods to look for. Multiple methods are specified as a comma-separated list, and the evaluation checks whether any of the specified methods matches the SIP method extracted from a given packet.
This option can also be "negated" by placing ! after the colon to check that a given SIP method does not match a particular method.
# check that a SIP message is not an INVITE AND also not a BYE
sip_method:!invite; sip_method:!bye;
Note: While SIP methods are case-sensitive, the arguments for this option are case-insensitive.
The sip_header rule option is a sticky buffer that sets the detection cursor to the buffer containing the headers extracted from a SIP request or response. This option takes no arguments and is declared before all other payload options that one wants to match against the SIP header portion of a message.
The sip_body rule option is a sticky buffer that sets the detection cursor to the SIP message body. This option takes no arguments and is declared before all other payload options that one wants to match against the SIP body portion of a message.
# match a body that starts with an SDP version line ("v=0" followed by CRLF)
sip_body; content:"v=0|0D 0A|", within 5;
The sip_stat_code option is used to check the status code of a SIP response packet.
This option is declared with sip_stat_code: followed by one or more status codes to match. Multiple status codes are specified as a comma-separated list, and the evaluation checks whether any of the specified codes is present in a given SIP response packet.
Valid stat codes are either full three-digit codes (such as 200) or the single digits 1-9. A single-digit code means to check for every response in that class, e.g. 4 matches all 4xx responses, etc.
# match any 2xx SIP status codes
sip_stat_code:2;
# match a SIP status code of 200 or 180
sip_stat_code:200, 180;
# match any 2xx SIP status codes or any 4xx SIP status codes
sip_stat_code:2, 4;
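As an added example (not the Snort project's code), the following Python models the matching semantics of the four options described above: case-insensitive and negatable sip_method, class-wide single-digit sip_stat_code, and a content match with within on the sip_body buffer. The SIP messages are constructed for the example, and the model is a simplification of what the inspector does, not its implementation.

```python
import re

# Constructed sample messages (not from the Snort docs), CRLF-delimited as on the wire.
INVITE_MSG = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 10\r\n\r\n"
    "v=0\r\ns=-\r\n"
)
NOT_FOUND_MSG = "SIP/2.0 404 Not Found\r\nVia: SIP/2.0/UDP 192.0.2.10:5060\r\nContent-Length: 0\r\n\r\n"

def parse_sip(raw):
    """Split a message into start line (method or status code), header block and body."""
    head, _, body = raw.partition("\r\n\r\n")
    start, _, headers = head.partition("\r\n")
    msg = {"method": None, "stat_code": None, "header": headers, "body": body}
    status = re.match(r"SIP/2\.0 (\d{3}) ", start)
    if status:
        msg["stat_code"] = int(status.group(1))
    else:
        msg["method"] = start.split(" ", 1)[0]
    return msg

def sip_method(msg, spec):
    """sip_method:<list>. A leading '!' negates; arguments are case-insensitive
    even though SIP methods themselves are not, so compare lower-cased."""
    if msg["method"] is None:
        return False
    negate = spec.startswith("!")
    wanted = {m.strip().lower() for m in spec.lstrip("!").split(",")}
    hit = msg["method"].lower() in wanted
    return not hit if negate else hit

def sip_stat_code(msg, spec):
    """sip_stat_code:<list>. A three-digit code matches exactly; a single
    digit 1-9 matches the whole class (2 matches any 2xx response)."""
    if msg["stat_code"] is None:
        return False
    for tok in spec.split(","):
        code = int(tok.strip())
        if code == (msg["stat_code"] // 100 if 1 <= code <= 9 else msg["stat_code"]):
            return True
    return False

def sip_body_content(msg, pattern, within):
    """'sip_body; content:"<pattern>", within N;' with the cursor at the body start:
    the pattern must end within the first N bytes of the body (simplified model)."""
    pos = msg["body"].find(pattern)
    return pos != -1 and pos + len(pattern) <= within
```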