OISF · glongo · Oct 4, 2024 · Oct 4, 2024 · Oct 15, 2024 · Sep 30, 2024
@@ -29,6 +29,7 @@ Suricata Rules
    snmp-keywords
    base64-keywords
    sip-keywords
+   sdp-keywords
    rfb-keywords
    mqtt-keywords
    ike-keywords

@@ -0,0 +1,382 @@
+SDP Keywords
+============
+
+The SDP keywords are implemented as sticky buffers and can be used to match on fields in SDP messages.
+
+======================================== ==================
+Keyword                                  Direction
+======================================== ==================
+sdp.origin                               Both
+sdp.session_name                         Both
+sdp.session_info                         Both
+sdp.uri                                  Both
+sdp.email                                Both
+sdp.connection_data                      Both
+sdp.bandwidth                            Both
+sdp.time                                 Both
+sdp.repeat_time                          Both
+sdp.timezone                             Both
+sdp.encryption_key                       Both
+sdp.attribute                            Both
+sdp.media_description.media              Both
+sdp.media_description.session_info       Both
+sdp.media_description.connection_data    Both
+sdp.media_description.encryption_key     Both
+======================================== ==================
+
+sdp.origin
+----------
+
+This keyword matches on the originator found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.origin; content:<origin>;
+
+Where <origin> is an originator that follows the SDP Origin (o=) scheme.
+
+Examples
+~~~~~~~~
+
+::
+
+  sdp.origin; content:"SIPPS 105015165 105015162 IN IP4 192.168.1.2";
+
+sdp.session_name
+----------------
+
+This keyword matches on the session name found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.session_name; content:<session_name>;
+
+Where <session_name> is a name that follows the SDP Session name (s=) scheme.
+
+Examples
+~~~~~~~~
+
+::
+
+  sdp.session_name; content:"SIP call";
+
+sdp.session_info
+----------------
+
+This keyword matches on the session information found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.session_info; content:<session_info>;
+
+Where <session_info> is a description that follows the SDP Session information (i=) scheme.
+
+Examples
+~~~~~~~~
+
+::
+
+  sdp.session_info; content:"Session Description Protocol";
+
+sdp.uri
+-------
+
+This keyword matches on the URI found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.uri; content:<uri>;
+
+Where <uri> is a URI (u=) that the follows the SDP scheme.
+
+Examples
+~~~~~~~~
+
+::
+
+  sdp.uri; content:"https://www.sdp.proto"
+
+sdp.email
+---------
+
+This keyword matches on the email found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.email; content:<email>
+
+Where <email> is an email address (e=) that follows the SDP scheme.
+
+Examples
+~~~~~~~~
+
+::
+
+  sdp.email; content:"[email protected] (Jane Doe)";
+
+sdp.phone_number
+----------------
+
+This keyword matches on the phone number found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.phone_number; content:<phone_number>
+
+Where <phone_number> is a phone number (p=) that follows the SDP scheme.
+
+Examples
+~~~~~~~~
+
+::
+
+  sdp.phone_number; content:"+1 617 555-6011 (Jane Doe)";
+
+sdp.connection_data
+-------------------
+
+This keyword matches on the connection found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.connection_data; content:<connection_data>;
+
+Where <connection_data> is a connection (c=) that follows the SDP scheme.
+
+Examples
+~~~~~~~~
+
+::
+
+  sdp.connection_data; content:"IN IP4 192.168.1.2"
+
+sdp.bandwidth
+-------------
+
+This keyword matches on the bandwidths found in an SDP request or response. 
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.bandwidth; content:<bandwidth>
+
+Where <bandwidth> is a bandwidth (b=) that follows the SDP scheme.
+
+Example
+~~~~~~~
+
+::
+
+  sdp.bandwidth; content:"AS:64"
+
+sdp.time
+--------
+
+This keyword matches on the time found in an SDP request or response. 
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.time; content:<time>
+
+Where <time> is a time (t=) that follows the SDP scheme.
+
+Example
+~~~~~~~
+
+::
+
+  sdp.time; content:"3034423619 3042462419"
+
+sdp.repeat_time
+---------------
+
+This keyword matches on the repeat time found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.repeat_time; content:<repeat_time>
+
+Where <repeat_time> is a repeat time (r=) that follows the SDP scheme.
+
+Example
+~~~~~~~
+
+::
+
+  sdp.repeat_time; content:"604800 3600 0 90000"
+
+sdp.timezone
+------------
+
+This keyword matches on the timezone found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.timezone; content:<timezone>
+
+Where <timezone> is a timezone (z=) that follows the SDP scheme.
+
+Example
+~~~~~~~
+
+::
+
+  sdp.timezone; content:"2882844526 -1h 2898848070 0"
+
+sdp.encryption_key
+------------------
+
+This keyword matches on the encryption key found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.encryption_key; content:<encryption_key>
+
+Where <encryption_key> is a key (k=) that follows the SDP scheme.
+
+Example
+~~~~~~~
+
+::
+
+  sdp.encryption_key; content:"prompt"
+
+sdp.attribute
+----------------
+
+This keyword matches on the attributes found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.attribute; content:<attribute>
+
+Where <attribute> is an attribute (a=) that follows the SDP scheme.
+
+Example
+~~~~~~~
+
+::
+
+  sdp.attribute; content:"sendrecv"
+
+sdp.media_description.media
+---------------------------
+
+This keyword matches on the Media subfield of a Media description field found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.media_description.media; content:<media>
+
+Where <media> is a media (m=) that follows the SDP scheme.
+
+Example
+~~~~~~~
+
+::
+
+  sdp.media_description.media; content:"audio 30000 RTP/AVP 0 8 97 2 3"
+
+sdp.media_description.session_info
+----------------------------------
+
+This keyword matches on the Session information subfield of a Media description field found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.media_description.session_info; content:<session_info>
+
+Where <session_info> is a description (i=) that follows the SDP scheme.
+
+Example
+~~~~~~~
+
+::
+
+  sdp.media_description.session_info; content:"Session Description Protocol"
+
+sdp.media_description.connection_data
+-------------------------------------
+
+This keyword matches on the Connection data subfield of a Media description field found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.media_description.connection_data; content:<connection_data>
+
+Where <connection_data> is a connection (c=) that follows the SDP scheme.
+
+Example
+~~~~~~~
+
+::
+
+  sdp.media_description.connection_data; content:"IN IP4 192.168.1.2"
+
+sdp.media_description.encryption_key
+------------------------------------
+
+This keyword matches on the Encryption key subfield of a Media description field found in an SDP request or response.
+
+Syntax
+~~~~~~
+
+::
+
+  sdp.media_description.encryption_key; content:<encryption_key>
+
+Where <encryption_key> is a key (k=) that follows the SDP scheme.
+
+Example
+~~~~~~~
+
+::
+
+  sdp.media_description.encryption_key; content:"prompt"
@@ -79,6 +79,7 @@ Major changes
     - sip.content_length
 - Napatech support has been moved to a capture plugin. See :doc:`Napatech plugin
   <upgrade/8.0-napatech-plugin>`.
+- SDP sticky buffers have been introduced.
 
 Removals
 ~~~~~~~~