The sip_body Keyword

You can use the sip_body keyword to start inspection at the beginning of the extracted SIP request or response message body and restrict inspection to the message body.

The sip_body keyword has no arguments.

The following example rule fragment points to the SIP message body and matches a specific IP address in the c (connection information) field in extracted SDP data:

alert udp any any -> any 5060 ( sip_body; content:"c=IN 192.168.12.14"; )

Note that rules are not limited to searching for SDP content. The SIP preprocessor extracts the entire message body and makes it available to the rules engine.