The sip_header Keyword
You can use the
sip_header keyword to start inspection at the beginning
of the extracted SIP request or response header and restrict inspection to
header fields.
The
sip_header keyword has no arguments.
The following example rule fragment points to the SIP header and matches the CSeq header field:
alert udp any any -> any 5060 ( sip_header; content:"CSeq"; )