SIP Specific Options

Snort 3's Session Initiation Protocol (SIP) inspector keeps track of SIP request and response messages, and it provides four rule options that let rule-writers look for specific SIP components: sip_method, sip_header, sip_body, and sip_stat_code.

sip_method

The sip_method rule option enables rule writers to check packets against a specific SIP method or multiple SIP methods. The list of methods that can be matched includes invite, cancel, ack, bye, register, options, refer, subscribe, update, join, info, message, notify, and prack.

It's declared with sip_method: followed by one or more methods to look for. Multiple methods are specified via a comma-separated list, and the option matches if any of the specified methods equals the SIP method extracted from a given packet.

This option can also be "negated" by placing ! after the colon to check that a given SIP method does not match a particular method.

Format:

sip_method:[!]method[,method]…;

Examples:

sip_method:invite, cancel;
sip_method:!invite;
# check that a SIP message is not an INVITE AND also not a BYE
sip_method:!invite; 
sip_method:!bye;

Note: While SIP methods are case-sensitive, the arguments for this option are case-insensitive.

sip_header

The sip_header rule option is a sticky buffer that sets the detection cursor to the buffers containing extracted SIP headers from a SIP message request or response. This option takes no arguments and is declared before all other payload options that one wants to match against the SIP header portion of a message.

Format:

sip_header;

Examples:

sip_header;
content:"CSeq";

sip_body

The sip_body rule option is a sticky buffer that sets the detection cursor to a SIP message body. This option takes no arguments and is declared before all other payload options that one wants to match against the SIP body portion of a message.

Format:

sip_body;

Examples:

sip_body;
content:"v=0|0D 0A|", within 5;

sip_stat_code

The sip_stat_code option is used to check the status code of a SIP response packet.

This option is declared with sip_stat_code: followed by one or more status codes to match. Multiple status codes are specified via a comma-separated list, and the option matches if any of the specified codes is present in a given SIP response packet.

Valid stat codes are 1-9 and 100-999.

Format:

sip_stat_code:stat_code[,stat_code]…;

Note: 1-9 codes mean to check for 1xx, 2xx, 3xx, 4xx, etc. responses.

Examples:

sip_stat_code:200;
# match any 2xx SIP status codes
sip_stat_code:2;
# match a SIP status code of 200 or 180
sip_stat_code:200, 180;
# match any 2xx SIP status codes or any 4xx SIP status codes
sip_stat_code:2, 4;
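The following is an added illustration, not Snort's own code, that models how the four options above are evaluated: it splits a constructed SIP message into start line, headers and body, then applies the sip_method semantics (case-insensitive arguments, comma list, ! negation), the sip_stat_code semantics (exact 3-digit codes, or a single digit 1-9 meaning the whole 1xx..9xx class), and a content match against the sip_header and sip_body buffers, including Snort's |hex| content escapes and a within constraint. The parser, the sample messages and the helper names are assumptions made for the example; in particular it treats sip_method as applying to requests only, which is a simplification.

```python
import re

# Constructed SIP messages used as sample input (not captured traffic).
INVITE_REQUEST = (
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.invalid>;tag=1928301774\r\n"
    "To: <sip:bob@example.invalid>\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
)
BYE_REQUEST = "BYE sip:bob@example.invalid SIP/2.0\r\nCSeq: 2 BYE\r\n\r\n"
OK_RESPONSE = "SIP/2.0 200 OK\r\nCSeq: 314159 INVITE\r\n\r\n"
NOT_FOUND_RESPONSE = "SIP/2.0 404 Not Found\r\nCSeq: 1 REGISTER\r\n\r\n"

# The methods the documentation lists as matchable by sip_method.
SIP_METHODS = {
    "invite", "cancel", "ack", "bye", "register", "options", "refer",
    "subscribe", "update", "join", "info", "message", "notify", "prack",
}


def parse_sip(raw):
    """Split a SIP message into method/status, the header block and the body.

    Requests get a method and status None; responses get a status and
    method None. Headers and body are the raw text of those two buffers.
    """
    head, _, body = raw.partition("\r\n\r\n")
    start_line, _, headers = head.partition("\r\n")
    status = re.match(r"SIP/2\.0 (\d{3}) ", start_line)
    if status:
        return {"method": None, "status": int(status.group(1)),
                "headers": headers, "body": body}
    return {"method": start_line.split(" ", 1)[0], "status": None,
            "headers": headers, "body": body}


def sip_method(option, message):
    """Evaluate sip_method:[!]method[,method] against a request.

    Arguments are case-insensitive, as the documentation notes, so the
    extracted method is lowercased before comparison.
    """
    negate = option.startswith("!")
    wanted = {m.strip().lower() for m in option.lstrip("!").split(",")}
    unknown = wanted - SIP_METHODS
    if unknown:
        raise ValueError("unknown SIP method(s): %s" % sorted(unknown))
    method = parse_sip(message)["method"]
    if method is None:
        return False  # assumption: responses carry no request method
    hit = method.lower() in wanted
    return not hit if negate else hit


def sip_stat_code(option, message):
    """Evaluate sip_stat_code:code[,code] against a response.

    A code of 1-9 matches the whole class (2 matches any 2xx); a code of
    100-999 matches exactly.
    """
    codes = [int(c) for c in option.split(",")]
    for c in codes:
        if not (1 <= c <= 9 or 100 <= c <= 999):
            raise ValueError("invalid stat code %d" % c)
    status = parse_sip(message)["status"]
    if status is None:
        return False  # requests have no status code
    return any(status == c or (c < 10 and status // 100 == c) for c in codes)


def snort_content(pattern):
    """Decode Snort content syntax: literal text with |hex bytes| escapes."""
    out = bytearray()
    for i, piece in enumerate(pattern.split("|")):
        out += bytes.fromhex(piece) if i % 2 else piece.encode()
    return bytes(out)


def match_in_buffer(buffer, pattern, within=None):
    """Model content:"pattern"[, within N] run over a sticky buffer.

    With within, the match must end within N bytes of the buffer start.
    """
    needle = snort_content(pattern)
    idx = buffer.encode().find(needle)
    if idx < 0:
        return False
    return within is None or idx + len(needle) <= within


if __name__ == "__main__":
    print("sip_method:invite, cancel ->", sip_method("invite, cancel", INVITE_REQUEST))
    print("sip_stat_code:2, 4 on 404 ->", sip_stat_code("2, 4", NOT_FOUND_RESPONSE))
    print("sip_header; content:\"CSeq\" ->",
          match_in_buffer(parse_sip(INVITE_REQUEST)["headers"], "CSeq"))
    print("sip_body; content:\"v=0|0D 0A|\", within 5 ->",
          match_in_buffer(parse_sip(INVITE_REQUEST)["body"], "v=0|0D 0A|", within=5))
```

The two negated rules from the sip_method examples, sip_method:!invite; followed by sip_method:!bye;, correspond to requiring both sip_method("!invite", msg) and sip_method("!bye", msg) to be true; the within 5 on the body check only succeeds because "v=0" plus CR LF is exactly five bytes at the start of the SDP body.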