doc: add new sip keywords

doc/userguide/rules/sip-keywords.rst

@@ -3,6 +3,10 @@ SIP Keywords
 
 The SIP keywords are implemented as sticky buffers and can be used to match on fields in SIP messages.
 
+As described in RFC3261, common header field names can be represented in a short form. 
+In such cases, the header name is normalized to its regular form to be matched by its
+corresponding sticky buffer.
+
 ============================== ==================
 Keyword                        Direction
 ============================== ==================
@@ -13,6 +17,12 @@ sip.stat_code                  Response
 sip.stat_msg                   Response
 sip.response_line              Response
 sip.protocol                   Both
+sip.from                       Both
+sip.to                         Both
+sip.via                        Both
+sip.user_agent                 Both
+sip.content_type               Both
+sip.content_length             Both
 ============================== ==================
 
 sip.method
@@ -177,3 +187,134 @@ Example
 ::
 
   sip.protocol; content:"SIP/2.0"
+
+sip.from
+--------
+
+This keyword matches on the From field that can be present in SIP headers.
+It matches both the regular and short forms, though it cannot distinguish between them. 
+
+Syntax
+~~~~~~
+
+::
+
+  sip.from; content:<from>
+
+Where <from> is the value of the From header.
+
+Example
+~~~~~~~
+
+::
+
+  sip.from; content:"user"
+
+sip.to
+------
+
+This keyword matches on the To field that can be present in SIP headers.
+It matches both the regular and short forms, though it cannot distinguish between them. 
+
+Syntax
+~~~~~~
+
+::
+
+  sip.to; content:<to>
+
+Where <to> is the value of the To header.
+
+Example
+~~~~~~~
+
+::
+
+  sip.to; content:"user"
+
+sip.via
+--------
+
+This keyword matches on the Via field that can be present in SIP headers.
+It matches both the regular and short forms, though it cannot distinguish between them. 
+
+Syntax
+~~~~~~
+
+::
+
+  sip.via; content:<via>
+
+Where <via> is the value of the Via header.
+
+Example
+~~~~~~~
+
+::
+
+  sip.via; content:"SIP/2.0/UDP"
+
+sip.user_agent
+--------------
+
+This keyword matches on the User-Agent field that can be present in SIP headers.
+
+Syntax
+~~~~~~
+
+::
+
+  sip.user_agent; content:<user_agent>
+
+Where <user_agent> is the value of the User-Agent header.
+
+Example
+~~~~~~~
+
+::
+
+  sip.user_agent; content:"Asterisk"
+
+sip.content_type
+----------------
+
+This keyword matches on the Content-Type field that can be present in SIP headers.
+It matches both the regular and short forms, though it cannot distinguish between them. 
+
+Syntax
+~~~~~~
+
+::
+
+  sip.content_type; content:<content_type>
+
+Where <content_type> is the value of the Content-Type header.
+
+Example
+~~~~~~~
+
+::
+
+  sip.content_type; content:"application/sdp"
+
+sip.content_length
+------------------
+
+This keyword matches on the Content-Length field that can be present in SIP headers.
+It matches both the regular and short forms, though it cannot distinguish between them. 
+
+Syntax
+~~~~~~
+
+::
+
+  sip.content_length; content:<content_length>
+
+Where <content_length> is the value of the Content-Length header.
+
+Example
+~~~~~~~
+
+::
+
+  sip.content_length; content:"200"

doc/userguide/upgrade.rst

@@ -71,6 +71,12 @@ Major changes
 - PF_RING support has been moved to a plugin. See :doc:`PF_RING plugin
   <upgrade/8.0-pfring-plugin>`.
 - LDAP parser and logger have been introduced.
+- The following sticky buffers for matching SIP headers have been implemented:
+    - sip.via
+    - sip.from
+    - sip.to
+    - sip.content_type
+    - sip.content_length
 
 Removals
 ~~~~~~~~