doc: add new sip keywords

glongo · Jun 19, 2024 · 23cc839 · 23cc839
1 parent 2ffe747
commit 23cc839
Show file tree

Hide file tree

Showing 2 changed files with 138 additions and 0 deletions.
diff --git a/doc/userguide/rules/sip-keywords.rst b/doc/userguide/rules/sip-keywords.rst
@@ -13,6 +13,12 @@ sip.stat_code                  Response
 sip.stat_msg                   Response
 sip.response_line              Response
 sip.protocol                   Both
+sip.from                       Both
+sip.to                         Both
+sip.via                        Both
+sip.user_agent                 Both
+sip.content_type               Both
+sip.content_length             Both
 ============================== ==================
 
 sip.method
@@ -177,3 +183,129 @@ Example
 ::
 
   sip.protocol; content:"SIP/2.0"
+
+sip.from
+--------
+
+This keyword matches on the From field that can be present in SIP headers.
+
+Syntax
+~~~~~~
+
+::
+
+  sip.from; content:<from>
+
+Where <from> is the value of the From header.
+
+Example
+~~~~~~~
+
+::
+
+  sip.from; content:"user"
+
+sip.to
+------
+
+This keyword matches on the To field that can be present in SIP headers.
+
+Syntax
+~~~~~~
+
+::
+
+  sip.to; content:<to>
+
+Where <to> is the value of the To header.
+
+Example
+~~~~~~~
+
+::
+
+  sip.to; content:"user"
+
+sip.via
+--------
+
+This keyword matches on the Via field that can be present in SIP headers.
+
+Syntax
+~~~~~~
+
+::
+
+  sip.via; content:<via>
+
+Where <via> is the value of the Via header.
+
+Example
+~~~~~~~
+
+::
+
+  sip.via; content:"SIP/2.0/UDP"
+
+sip.user_agent
+--------------
+
+This keyword matches on the User-Agent field that can be present in SIP headers.
+
+Syntax
+~~~~~~
+
+::
+
+  sip.user_agent; content:<user_agent>
+
+Where <user_agent> is the value of the User-Agent header.
+
+Example
+~~~~~~~
+
+::
+
+  sip.user_agent; content:"Asterisk"
+
+sip.content_type
+----------------
+
+This keyword matches on the Content-Type field that can be present in SIP headers.
+
+Syntax
+~~~~~~
+
+::
+
+  sip.content_type; content:<content_type>
+
+Where <content_type> is the value of the Content-Type header.
+
+Example
+~~~~~~~
+
+::
+
+  sip.content_type; content:"application/sdp"
+
+sip.content_length
+------------------
+
+This keyword matches on the Content-Length field that can be present in SIP headers.
+
+Syntax
+~~~~~~
+
+::
+
+  sip.content_length; content:<content_length>
+
+Where <content_length> is the value of the Content-Length header.
+
+Example
+~~~~~~~
+
+::
+
+  sip.content_length; content:"200"
diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst
@@ -60,6 +60,12 @@ Major changes
 - It is possible to see an increase of alerts, for the same rule-sets, if you
   use many stream/payload rules, due to Suricata triggering TCP stream
   reassembly earlier.
+- The following sticky buffers for matching SIP headers have been implemented:
+    - sip.via
+    - sip.from
+    - sip.to
+    - sip.content_type
+    - sip.content_length
 
 Upgrading 6.0 to 7.0
 --------------------