The sip_method Keyword

A method field in each SIP request identifies the purpose of the request. You can use the sip_method keyword to test SIP requests for specific methods. Separate multiple methods with commas.

You can specify any of the following currently defined SIP methods:

ack, benotify, bye, cancel, do, info, invite, join, message, notify, options, prack, 
publish, quath, refer, register, service, sprack, subscribe, unsubscribe, update

Methods are case-insensitive. You can separate multiple methods with commas.

Because new SIP methods might be defined in the future, you can also specify a custom method, that is, a method that is not a currently defined SIP method. Accepted field values are defined in RFC 2616, which allows all characters except control characters and separators such as =, (, and }. See RFC 2616 for the complete list of excluded separators. When the system encounters a specified custom method in traffic, it will inspect the packet header but not the message.

The system supports up to 32 methods, including the 21 currently defined methods and an additional 11 methods. The system ignores any undefined methods that you might configure. Note that the 32 total methods includes methods specified using the Methods to Check SIP preprocessor option.

You can specify only one method when you use negation. For example:

!invite

Note, however, that multiple sip_method keywords in a rule are linked with an AND operation. For example, to test for all extracted methods except invite and cancel, you would use two negated sip_method keywords:

sip_method: !invite
sip_method: !cancel

Cisco recommends that you include at least one content keyword in rules that include the sip_method keyword to ensure that the rules engine uses the fast pattern matcher, which increases processing speed and improves performance. Note that the rules engine uses the fast pattern matcher when a rule includes at least one content keyword, regardless of whether you enable the content keyword Use Fast Pattern Matcher argument.