- Stage: 1 (proposal)
- Date: 2020-12-04
ECS SIP Fields provide normalization for fields related to Session Initiation and Session Description Protocols used in IP based real time communications (voice, video, sip based messaging).
| Sip Fields | type | Example |
|---|---|---|
| SIP Request | INVITE sip:[email protected]:5060 SIP/2.0 | |
| sip.type | keyword | request / response |
| sip.method | keyword | invite |
| sip.uri.original | wildcard | [email protected]:5060 |
| sip.uri.original.text | text | [email protected]:5060 |
| sip.uri.scheme | keyword | sip |
| sip.uri.username | keyword | test |
| sip.uri.host | keyword | sip.cybercity.dk |
| sip.uri.port | long | 5060 |
| sip.version | keyword | 2 |
| SIP Response | SIP/2.0 200 OK | |
| sip.status_code | keyword | 200 |
| sip.status | keyword | ok |
| sip.version | keyword | 2 |
| SIP Headers | ||
| sip.accept | keyword | application/sdp |
| sip.allow[] | keyword[] | REGISTER, INVITE, ACK, BYE |
| sip.call_id | keyword | [email protected] |
| sip.content_length | integer | 0 |
| sip.content_type | keyword | application/sdp |
| sip.max_forwards | integer | 70 |
| sip.private.uri.original | wildcard | sip:[email protected] |
| sip.private.uri.scheme | keyword | sip |
| sip.private.username | keyword | 35104723 |
| sip.supported[] | keyword[] | timer, path, replaces |
| user_agent.original | keyword | FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit |
| user_agent.original.text | text | FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit |
| SIP Headers CSEQ | 68 invite | |
| sip.cseq.code | integer | 68 |
| sip.cseq.method | keyword | invite |
| SIP Headers Via | SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5061 branch=z9hG4bKnp112903503-43a64480192.168.1.2 | |
| sip.via.transport | keyword | udp |
| sip.via.sent_by.address | keyword | 192.168.1.2 |
| sip.via.sent_by.port | long | 5060 |
| sip.via.received.address | keyword | 80.230.219.70 |
| sip.via.rport | long | 5060 |
| sip.via.branch | keyword | z9hG4bKnp112903503-43a64480192.168.1.2 |
| SIP Headers To | test sip:[email protected]:5060;tag=QvN92t713vSZK | |
| sip.to.display_info | keyword | test |
| sip.to.uri.original | wildcard | sip:[email protected]:5060 |
| sip.to.uri.scheme | keyword | sip |
| sip.to.uri.username | keyword | test |
| sip.to.uri.host | keyword | 10.0.2.15 |
| sip.to.uri.port | long | 5060 |
| sip.to.tag | keyword | QvN92t713vSZK |
| SIP Headers From | "PCMU/8000" sip:[email protected]:5060;tag=1 | |
| sip.from.display_info | keyword | PCMU/8000 |
| sip.from.uri.original | wilcard | sip:[email protected]:5060 |
| sip.from.uri.scheme | keyword | sip |
| sip.from.uri.username | keyword | sipp |
| sip.from.uri.host | keyword | 10.0.2.20 |
| sip.from.uri.port | long | 5060 |
| sip.from.tag | keyword | 1 |
| SIP Headers Contact | "Matthew Hodgson" sip:[email protected]:5060;line=aca6b97ca3f5e51a;expires=1200;q=0.500 | |
| sip.contact.display_info | keyword | |
| sip.contact.uri.original | wildcard | sip:[email protected]:5060 |
| sip.contact.uri.scheme | keyword | sip |
| sip.contact.uri.username | keyword | test |
| sip.contact.uri.host | keyword | 10.0.2.15 |
| sip.contact.uri.port | long | 5060 |
| sip.contact.transport | keyword | udp |
| sip.contact.line | keyword | aca6b97ca3f5e51a |
| sip.contact.expires | integer | 1200 |
| sip.contact.q | float | 0.5 |
| SIP Headers Auth | Authorization: Digest username="voi18062",realm="sip.cybercity.dk",uri="sip:192.168.1.2",nonce="1701b22972b90f440c3e4eb250842bb",opaque="1701a1351f70795",nc="00000001",response="79a0543188495d288c9ebbe0c881abdc" | |
| sip.auth.scheme | keyword | Digest |
| sip.auth.realm | keyword | sip.cybercity.dk |
| sip.auth.uri.original | wildcard | sip:192.168.1.2 |
| sip.auth.uri.scheme | keyword | sip |
| sip.auth.uri.host | keyword | 192.168.1.2 |
| sip.auth.uri.port | long | |
| user.name | keyword | voi18062 |
| SIP Body / SDP | Needs Example | |
| sip.sdp.version | integer | 0 |
| sip.sdp.owner.username | keyword | Matthew |
| sip.sdp.owner.session_id | keyword | |
| sip.sdp.owner.version | keyword | |
| sip.sdp.owner.ip | keyword | 127.0.0.1 |
| sip.sdp.session.name | keyword | CounterPath eyeBeam 1.5 |
| sdp.connection.address | keyword | 127.0.0.1 |
| SIP Body / SDP Media | audio 27942 RTP/AVP 0 101 | |
| sip.sdp.audio.description[] | wildcard | audio 57126 RTP/AVP 8 101 |
| sip.sdp.audio.port | long | 57126 |
| sip.sdp.media.format[] | wildcard | 8, 101 (ITU-T G.711 PCMA, DynamicRTP-Type-101) |
| sip.sdp.media.attributes[] | wildcard | 0 PCMU/8000, 101 telephone-event/8000, fmtp:101 0-16 |
| sip.sdp.video.description[] | wildcard | video 57126 RTP/AVP 8 101 |
| sip.sdp.video.port | keyword | 57126 |
| sip.sdp.video.format[] | wildcard | 8, 101 (ITU-T G.711 PCMA, DynamicRTP-Type-101) |
| sip.sdp.video.attributes[] | wildcard | 0 PCMU/8000, 101 telephone-event/8000, fmtp:101 0-16 |
Typical implementations will utilize these fields to describe and normalize the various stages of a SIP/SDP based communcations mechanism. Additional considerations including call analytics, fraud detection, troubleshooting, and threat detection have been identified as additional considerations.
Source Data will come from packet/protocol analysis from endpoints (e.g. Packetbeat) or network observers (e.g. Zeek/Corelight & Suricata), logs from SIP Servers (e.g. Cisco Call Manager, Microsoft Lync), or logs from SIP-aware perimeter devices (e.g. Palo Alto NGFW).
See this example of raw SIP header.
No impact expected as SIP fieldsets are new, and will not impact any existing fields.
Normalization, and the degree of normalization, of SIP URI fields may be an issue for discussion based on the potential implementation of ingesting SIP call records for the purposes of review of e.g. various types of communications fraud (e.g. should PSTN numbers be normalized with international dial codes, should implementation include capabilities to define internal call plans for more effective analysis, etc.)
Normalization of SIP/SDP and real time communication protocol connections may require the definition of a field similar to network.community_id to allow for the tracking of the full scope of a connection. Additionally the initial SDP setup phase often includes multiple audio/video codec definitions which may be difficult to normalize in such a way as to make analysis of the call setup phase effective.
Utilizing SIP fields in combination with network performance indicators (IP SLA, QOS settings, jitter, mos, etc.) would also be of interest to many users looking at SIP logging.
Packetbeat Implementation (packet/protocol analysis)
The following are the people that consulted on the contents of this RFC.
- @DainPerkins | Author
- @marc-gr | Sponsor
- @jiriatipteldotorg | Subject Matter Expert