From a9af0df8c2eb032beac4a5b81045c0d5f4993947 Mon Sep 17 00:00:00 2001 
From: Giuseppe Longo Date: Thu, 13 Apr 2023 18:59:03 +0200 Subject: [PATCH] sip: add tests for sip over tcp --- tests/sip-pattern-matching/Makefile | 3 + tests/sip-pattern-matching/README.md | 7 + .../sip-pattern-matching.syn | 21 +++ tests/sip-pattern-matching/sip.pcap | Bin 0 -> 1099 bytes tests/sip-pattern-matching/test.yaml | 19 +++ tests/sip-tcp-body-frames/README.md | 1 + tests/sip-tcp-body-frames/test.rules | 11 ++ tests/sip-tcp-body-frames/test.yaml | 62 ++++++++ tests/sip-tcp-method/README.md | 1 + tests/sip-tcp-method/sip-tcp.pcap | Bin 0 -> 2018 bytes tests/sip-tcp-method/sip_client.c | 137 +++++++++++++++++ tests/sip-tcp-method/sip_server.c | 140 ++++++++++++++++++ tests/sip-tcp-method/test.rules | 1 + tests/sip-tcp-method/test.yaml | 28 ++++ tests/sip-tcp-pattern-matching/Makefile | 3 + tests/sip-tcp-pattern-matching/README.md | 7 + .../sip-tcp-pattern-matching.syn | 21 +++ tests/sip-tcp-pattern-matching/sip.pcap | Bin 0 -> 1473 bytes tests/sip-tcp-pattern-matching/test.yaml | 34 +++++ tests/sip-tcp-protocol/README.md | 1 + tests/sip-tcp-protocol/test.rules | 2 + tests/sip-tcp-protocol/test.yaml | 40 +++++ tests/sip-tcp-request-line/README.md | 1 + tests/sip-tcp-request-line/test.rules | 1 + tests/sip-tcp-request-line/test.yaml | 28 ++++ tests/sip-tcp-response-line/README.md | 1 + tests/sip-tcp-response-line/test.rules | 1 + tests/sip-tcp-response-line/test.yaml | 28 ++++ tests/sip-tcp-stat-code/README.md | 1 + tests/sip-tcp-stat-code/test.rules | 1 + tests/sip-tcp-stat-code/test.yaml | 28 ++++ tests/sip-tcp-stat-msg/README.md | 1 + tests/sip-tcp-stat-msg/test.rules | 1 + tests/sip-tcp-stat-msg/test.yaml | 28 ++++ tests/sip-tcp-uri/README.md | 1 + tests/sip-tcp-uri/test.rules | 1 + tests/sip-tcp-uri/test.yaml | 28 ++++ 37 files changed, 689 insertions(+) create mode 100644 tests/sip-pattern-matching/Makefile create mode 100644 tests/sip-pattern-matching/README.md create mode 100644 tests/sip-pattern-matching/sip-pattern-matching.syn create mode 100644 
tests/sip-pattern-matching/sip.pcap create mode 100644 tests/sip-pattern-matching/test.yaml create mode 100644 tests/sip-tcp-body-frames/README.md create mode 100644 tests/sip-tcp-body-frames/test.rules create mode 100644 tests/sip-tcp-body-frames/test.yaml create mode 100644 tests/sip-tcp-method/README.md create mode 100755 tests/sip-tcp-method/sip-tcp.pcap create mode 100644 tests/sip-tcp-method/sip_client.c create mode 100644 tests/sip-tcp-method/sip_server.c create mode 100644 tests/sip-tcp-method/test.rules create mode 100644 tests/sip-tcp-method/test.yaml create mode 100644 tests/sip-tcp-pattern-matching/Makefile create mode 100644 tests/sip-tcp-pattern-matching/README.md create mode 100644 tests/sip-tcp-pattern-matching/sip-tcp-pattern-matching.syn create mode 100644 tests/sip-tcp-pattern-matching/sip.pcap create mode 100644 tests/sip-tcp-pattern-matching/test.yaml create mode 100644 tests/sip-tcp-protocol/README.md create mode 100644 tests/sip-tcp-protocol/test.rules create mode 100644 tests/sip-tcp-protocol/test.yaml create mode 100644 tests/sip-tcp-request-line/README.md create mode 100644 tests/sip-tcp-request-line/test.rules create mode 100755 tests/sip-tcp-request-line/test.yaml create mode 100644 tests/sip-tcp-response-line/README.md create mode 100644 tests/sip-tcp-response-line/test.rules create mode 100755 tests/sip-tcp-response-line/test.yaml create mode 100644 tests/sip-tcp-stat-code/README.md create mode 100644 tests/sip-tcp-stat-code/test.rules create mode 100644 tests/sip-tcp-stat-code/test.yaml create mode 100644 tests/sip-tcp-stat-msg/README.md create mode 100644 tests/sip-tcp-stat-msg/test.rules create mode 100644 tests/sip-tcp-stat-msg/test.yaml create mode 100644 tests/sip-tcp-uri/README.md create mode 100644 tests/sip-tcp-uri/test.rules create mode 100755 tests/sip-tcp-uri/test.yaml diff --git a/tests/sip-pattern-matching/Makefile b/tests/sip-pattern-matching/Makefile new file mode 100644 index 000000000..09b5e3c55 --- /dev/null 
+++ b/tests/sip-pattern-matching/Makefile
@@ -0,0 +1,3 @@
+sip.pcap: sip-pattern-matching.syn
+ flowsynth.py -f pcap -w $@ $^
+
diff --git a/tests/sip-pattern-matching/README.md b/tests/sip-pattern-matching/README.md
new file mode 100644
index 000000000..f78c05298
--- /dev/null
+++ b/tests/sip-pattern-matching/README.md
@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that SIP/TCP is detected with pattern matching.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
diff --git a/tests/sip-pattern-matching/sip-pattern-matching.syn b/tests/sip-pattern-matching/sip-pattern-matching.syn
new file mode 100644
index 000000000..0ed0082eb
--- /dev/null
+++ b/tests/sip-pattern-matching/sip-pattern-matching.syn
@@ -0,0 +1,21 @@
+flow default udp 1.1.1.1:5555 > 2.2.2.2:5062;
+default > (content:"REGISTER sip:sip.cybercity.dk SIP/2.0\x0d
+Via: SIP/2.0/UDP 192.168.1.2;branch=z9hG4bKnp151248737-46ea715e192.168.1.2;rport\x0d
+From: ;tag=903df0a\x0d
+To: \x0d
+Call-ID: 578222729-4665d775@578222732-4665d772\x0d
+Contact: ;expires=1200;q=0.500\x0d
+Expires: 1200\x0d
+CSeq: 68 REGISTER\x0d
+Content-Length: 0\x0d
+Max-Forwards: 70\x0d
+User-Agent: Nero SIPPS IP Phone Version 2.0.51.16\x0d\x0a\x0d\x0a";);
+default < (content:"SIP/2.0 401 Unauthorized\x0d
+Call-ID: 578222729-4665d775@578222732-4665d772\x0d
+CSeq: 68 REGISTER\x0d
+From: ;tag=903df0a\x0d
+To: ;tag=00-04092-1701af62-120c67172\x0d
+Via: SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5060;branch=z9hG4bKnp151248737-46ea715e192.168.1.2\x0d
+WWW-Authenticate: Digest realm=\"sip.cybercity.dk\",nonce=\"1701af566be182070084c6f740706bb\",opaque=\"1701a1351f70795\",stale=false,algorithm=MD5\x0d
+Content-Length: 0\x0d\x0a\x0d\x0a";);
+
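Review bot: The README added next to this file says it tests SIP/TCP, but the first line here is a `udp` flow (`flow default udp 1.1.1.1:5555 > 2.2.2.2:5062;`), so the README should read `Test that SIP/UDP is detected with pattern matching.` The non-standard destination port 5062 is presumably what forces pattern-based rather than port-based detection; one sentence in the README saying so would make the test's purpose explicit. As rendered here the `From:`, `To:` and `Contact:` values are empty (`From: ;tag=903df0a`), which looks like `<sip:…>` URIs were stripped in display; worth confirming the committed file still carries them, since an empty From/To is not a valid SIP header.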
diff --git a/tests/sip-pattern-matching/sip.pcap b/tests/sip-pattern-matching/sip.pcap new file mode 100644 index 0000000000000000000000000000000000000000..8dc982a9d7666a25077b807bc19758ed91a215bb GIT binary patch literal 1099 zcmcIiO>5LZ7|t$xD1jWLR0N?61#e9{Gx?Y#YswaPTNbS>-F_VG!AUZ^8_Xu#N&1N( z9{d+7cA`H3?F=H$G7n)0s~aBFOepr%I7VGiz@kZ;ZMeX)!D!vbeOZ#L z*I3fcdoB>HMY^NTr+l08FmnMB$V$ezI@c9E7hGpNEhK2QL9+!~y)Y|loi9tny#3(**Bf`9O zFdzae3Ej+lDUbG8_zzqC`G^0H;6sN%s6qoeSVaUP+Ofm|!@wel2!VfVUCsg)ZL!d^ zp@wyl$k7O_4n67(W&bO4EArafnmQ*ICnSpknll&Fqb|#Gz!{DE-ul#8kFQTnCutHe zadkYsX<0r)HiiU3+X$= any any (flow:to_server; frame:pdu; content:"REGISTER"; startswith; sid:2;) +alert sip any any -> any any (flow:to_client; frame:pdu; content:"SIP/2.0 200 OK|0D 0A|"; startswith; sid:11;) + +alert sip any any -> any any (flow:to_server; frame:request.line; content:"REGISTER"; startswith; sid:21;) +alert sip any any -> any any (flow:to_server; frame:request.line; content:"SIP/2.0|0D 0A|"; endswith; sid:22;) + +alert sip any any -> any any (flow:to_server; frame:request.headers; content:"Via:"; startswith; sid:31;) +alert sip any any -> any any (flow:to_server; frame:request.headers; content:"Via:"; startswith; content:"0|0d 0a|"; endswith; sid:32;) + +alert sip any any -> any any (flow:to_client; frame:response.headers; content:"Via:"; startswith; sid:41;) +alert sip any any -> any any (flow:to_client; frame:response.headers; content:"Via:"; startswith; content:"Content-Length: 0|0d 0a|"; endswith; sid:42;) diff --git a/tests/sip-tcp-body-frames/test.yaml b/tests/sip-tcp-body-frames/test.yaml new file mode 100644 index 000000000..aeca4e9db --- /dev/null +++ b/tests/sip-tcp-body-frames/test.yaml 
@@ -0,0 +1,62 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+pcap: ../sip-tcp-method/sip-tcp.pcap
+
+checks:
+ - filter:
+ min-version: 8
+ count: 2
+ match:
+ proto: TCP
+ event_type: sip
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 22
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 31
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 32
+ frame.type: "request.headers"
+ frame.complete: true
+ frame.length: 532
+ frame.direction: toserver
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 41
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 42
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.sip_tcp: 2
+ stats.app_layer.flow.sip_tcp: 1
diff --git a/tests/sip-tcp-method/README.md b/tests/sip-tcp-method/README.md
new file mode 100644
index 000000000..83094d8f3
--- /dev/null
+++ b/tests/sip-tcp-method/README.md
@@ -0,0 +1 @@
+Match on SIP over TCP method field.
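Review bot: The test.rules for this directory defines sid 11 (`frame:pdu` on `SIP/2.0 200 OK|0D 0A|`) and sid 21 (`frame:request.line` starting with `REGISTER`), but the checks here only assert sids 2, 22, 31, 32, 41 and 42, so those two rules are never verified; add `alert.signature_id: 11` and `alert.signature_id: 21` filters with `count: 1`, or drop the rules. `frame.length: 532` is the byte count from `Via:` through `Content-Length: 0|0d 0a|` spread across the two client `write()` calls in sip_client.c, and a comment saying so would spare whoever regenerates the pcap from reverse-engineering it. Unlike the sibling tests this file omits `--set app-layer.protocols.sip.enabled=yes`, which is fine if SIP is on by default in 8 but worth aligning, and with `requires: min-version: 8` at the top the per-check `min-version: 8` lines are redundant.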
diff --git a/tests/sip-tcp-method/sip-tcp.pcap b/tests/sip-tcp-method/sip-tcp.pcap new file mode 100755 index 0000000000000000000000000000000000000000..4820afad5fdcd9d53930cc494c7a15ee68b3ed6b GIT binary patch literal 2018 zcmc(g-)q}e6vwaC(6uHeO}mG_?d~mQk|N2nEXnbR?a9GQ8@rKRNMD95T_sxNACtAj z9h7$a2gV-uyzX(Ydl;iMFqXg`#>f^1eJhkeVU)4wwP~_*<%l}LH54{>;ed62e9pP& ze2?$%+uwf8pb7MHOrQjOJlcC^Nxz;)@566u!{Zz>5SrWldmhc7^?$g7P=eYM=F-mo z^!*>{&U?(!!$ScfX5#4K1amI=DEszxI-fXm<_$`|K9-CSCC}ZD$(MGXFkbDCKG3)C zT|D~vG?~(4atp{s@I-BRL@~>|&!U)ripj?@Zv*|--3tsloPihNm#Bmi;Nm}9W#%gA2o>rLqEUxge8gK1SKQQlJ zNW2)OnO}hT9K=Fxctk4vbN3)p;bcr4sPKUqsSq@C`1qt|jDFV(2vkWCpiBkd?`-P0 zvUH&SSlG;SzKI!nWbvIQeI)?ewqzhvdjW{P{@xCJ8o3pyPF`WqH2W!7~{ibc$#C zs`7y%&-z~bxYEPY4_4?VpvBblOxIL0MJ^ID@ f;&yUOj8mnkW$whpLCZXK_NTW}r&{JVeZ&3%@faB0 literal 0 HcmV?d00001 diff --git a/tests/sip-tcp-method/sip_client.c b/tests/sip-tcp-method/sip_client.c new file mode 100644 index 000000000..7ff4dd441 --- /dev/null +++ b/tests/sip-tcp-method/sip_client.c 
@@ -0,0 +1,137 @@ +#include // inet_addr() +#include +#include +#include +#include +#include // bzero() +#include +#include // read(), write(), close() +#define MAX 1024 +#define PORT 5060 +#define SA struct sockaddr + +void func(int sockfd) +{ + char msg1[] = { + 0x52, 0x45, 0x47, 0x49, 0x53, 0x54, 0x45, 0x52, + 0x20, 0x73, 0x69, 0x70, 0x3a, 0x31, 0x39, 0x32, + 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e, + 0x31, 0x30, 0x30, 0x3b, 0x74, 0x72, 0x61, 0x6e, + 0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d, 0x54, 0x43, + 0x50, 0x20, 0x53, 0x49, 0x50, 0x2f, 0x32, 0x2e, + 0x30, 0x0d, 0x0a, 0x56, 0x69, 0x61, 0x3a, 0x20, + 0x53, 0x49, 0x50, 0x2f, 0x32, 0x2e, 0x30, 0x2f, + 0x54, 0x43, 0x50, 0x20, 0x31, 0x39, 0x32, 0x2e, + 0x31, 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e, 0x31, + 0x3a, 0x34, 0x38, 0x33, 0x37, 0x36, 0x3b, 0x62, + 0x72, 0x61, 0x6e, 0x63, 0x68, 0x3d, 0x7a, 0x39, + 0x68, 0x47, 0x34, 0x62, 0x4b, 0x2d, 0x35, 0x32, + 0x34, 0x32, 0x38, 0x37, 0x2d, 0x31, 0x2d, 0x2d, + 0x2d, 0x64, 0x63, 0x66, 0x34, 0x65, 0x64, 0x64, + 0x66, 0x61, 0x66, 0x39, 0x66, 0x31, 0x32, 0x33, + 0x39, 0x3b, 0x72, 0x70, 0x6f, 0x72, 0x74, 0x0d, + 0x0a, 0x4d, 0x61, 0x78, 0x2d, 0x46, 0x6f, 0x72, + 0x77, 0x61, 0x72, 0x64, 0x73, 0x3a, 0x20, 0x37, + 0x30, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x61, + 0x63, 0x74, 0x3a, 0x20, 0x3c, 0x73, 0x69, 0x70, + 0x3a, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x40, + 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, + 0x34, 0x33, 0x2e, 0x31, 0x3a, 0x34, 0x38, 0x33, + 0x37, 0x36, 0x3b, 0x72, 0x69, 0x6e, 0x73, 0x74, + 0x61, 0x6e, 0x63, 0x65, 0x3d, 0x62, 0x65, 0x32, + 0x65, 0x63, 0x39, 0x38, 0x64, 0x30, 0x66, 0x34, + 0x33, 0x65, 0x37, 0x30, 0x63, 0x3b, 0x74, 0x72, + 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d, + 0x74, 0x63, 0x70, 0x3e, 0x0d, 0x0a, 0x54, 0x6f, + 0x3a, 0x20, 0x3c, 0x73, 0x69, 0x70, 0x3a, 0x39, + 0x38, 0x37, 0x36, 0x35, 0x34, 0x40, 0x31, 0x39, + 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x34, 0x33, + 0x2e, 0x31, 0x30, 0x30, 0x3b, 0x74, 0x72, 0x61, + 0x6e, 0x73, 0x70, 0x6f, 0x72, 
0x74, 0x3d, 0x54, + 0x43, 0x50, 0x3e, 0x0d, 0x0a, 0x46, 0x72, 0x6f, + 0x6d, 0x3a, 0x20, 0x3c, 0x73, 0x69, 0x70, 0x3a, + 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x40, 0x31, + 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x34, + 0x33, 0x2e, 0x31, 0x30, 0x30, 0x3b, 0x74, 0x72, + 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d, + 0x54, 0x43, 0x50, 0x3e, 0x3b, 0x74, 0x61, 0x67, + 0x3d, 0x39, 0x62, 0x39, 0x39, 0x31, 0x36, 0x37, + 0x66, 0x0d, 0x0a, 0x43, 0x61, 0x6c, 0x6c, 0x2d, + 0x49, 0x44, 0x3a, 0x20, 0x38, 0x4f, 0x6d, 0x74, + 0x59, 0x55, 0x55, 0x38, 0x45, 0x64, 0x6c, 0x61, + 0x66, 0x55, 0x68, 0x34, 0x67, 0x34, 0x6a, 0x69, + 0x41, 0x77, 0x2e, 0x2e, 0x0d, 0x0a, 0x43, 0x53, + 0x65, 0x71, 0x3a, 0x20, 0x31, 0x20, 0x52, 0x45, + 0x47, 0x49, 0x53, 0x54, 0x45, 0x52, 0x0d, 0x0a + }; + + char msg2[] = { + 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x3a, + 0x20, 0x36, 0x30, 0x30, 0x0d, 0x0a, 0x41, 0x6c, + 0x6c, 0x6f, 0x77, 0x3a, 0x20, 0x49, 0x4e, 0x56, + 0x49, 0x54, 0x45, 0x2c, 0x20, 0x41, 0x43, 0x4b, + 0x2c, 0x20, 0x43, 0x41, 0x4e, 0x43, 0x45, 0x4c, + 0x2c, 0x20, 0x42, 0x59, 0x45, 0x2c, 0x20, 0x4e, + 0x4f, 0x54, 0x49, 0x46, 0x59, 0x2c, 0x20, 0x52, + 0x45, 0x46, 0x45, 0x52, 0x2c, 0x20, 0x4d, 0x45, + 0x53, 0x53, 0x41, 0x47, 0x45, 0x2c, 0x20, 0x4f, + 0x50, 0x54, 0x49, 0x4f, 0x4e, 0x53, 0x2c, 0x20, + 0x49, 0x4e, 0x46, 0x4f, 0x2c, 0x20, 0x53, 0x55, + 0x42, 0x53, 0x43, 0x52, 0x49, 0x42, 0x45, 0x0d, + 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, + 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x5a, 0x6f, 0x69, + 0x70, 0x65, 0x72, 0x20, 0x72, 0x76, 0x32, 0x2e, + 0x31, 0x30, 0x2e, 0x33, 0x2e, 0x32, 0x0d, 0x0a, + 0x41, 0x6c, 0x6c, 0x6f, 0x77, 0x2d, 0x45, 0x76, + 0x65, 0x6e, 0x74, 0x73, 0x3a, 0x20, 0x70, 0x72, + 0x65, 0x73, 0x65, 0x6e, 0x63, 0x65, 0x2c, 0x20, + 0x6b, 0x70, 0x6d, 0x6c, 0x2c, 0x20, 0x74, 0x61, + 0x6c, 0x6b, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, + 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, + 0x74, 0x68, 0x3a, 0x20, 0x30, 0x0d, 0x0a, 0x0d, + 0x0a + }; + + char buff[MAX]; + + write(sockfd, msg1, 
sizeof(msg1));
+ write(sockfd, msg2, sizeof(msg2));
+ bzero(buff, sizeof(buff));
+ read(sockfd, buff, sizeof(buff));
+
+}
+
+int main()
+{
+ int sockfd, connfd;
+ struct sockaddr_in servaddr, cli;
+
+ // socket create and verification
+ sockfd = socket(AF_INET, SOCK_STREAM, 0);
+ if (sockfd == -1) {
+ printf("socket creation failed...\n");
+ exit(0);
+ }
+ else
+ printf("Socket successfully created..\n");
+ bzero(&servaddr, sizeof(servaddr));
+
+ // assign IP, PORT
+ servaddr.sin_family = AF_INET;
+ servaddr.sin_addr.s_addr = inet_addr("127.0.0.1");
+ servaddr.sin_port = htons(PORT);
+
+ // connect the client socket to server socket
+ if (connect(sockfd, (SA*)&servaddr, sizeof(servaddr))
+ != 0) {
+ printf("connection with the server failed...\n");
+ exit(0);
+ }
+ else
+ printf("connected to the server..\n");
+
+ func(sockfd);
+
+ close(sockfd);
+}
+
diff --git a/tests/sip-tcp-method/sip_server.c b/tests/sip-tcp-method/sip_server.c
new file mode 100644
index 000000000..f8bd4f57a
--- /dev/null
+++ b/tests/sip-tcp-method/sip_server.c
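Review bot: The REGISTER is deliberately sent as two `write()` calls (`msg1` ends right after `CSeq: 1 REGISTER\r\n`, `msg2` carries the remaining headers through the empty line), which is what gives the body-frames test its two-segment request, but nothing in the file says so; add `/* split on purpose: the frames test needs the request to arrive in two TCP segments */` above the writes, and note that Nagle or loopback timing may still coalesce them when the pcap is regenerated. The return values of `write()` and `read()` are ignored and every failure path calls `exit(0)`, which reports success to the shell; using `exit(1)` on error and checking that `write()` returned `sizeof(msg1)` would make a broken capture run obvious. `connfd` and `cli` in `main` are unused and can be removed.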
@@ -0,0 +1,140 @@ +#include +#include +#include +#include +#include +#include +#include +#include // read(), write(), close() +#define MAX 1024 +#define PORT 5060 +#define SA struct sockaddr + +void func(int connfd) +{ + char msg[] = { + 0x53, 0x49, 0x50, 0x2f, 0x32, 0x2e, 0x30, 0x20, + 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, 0x0a, + 0x56, 0x69, 0x61, 0x3a, 0x20, 0x53, 0x49, 0x50, + 0x2f, 0x32, 0x2e, 0x30, 0x2f, 0x54, 0x43, 0x50, + 0x20, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, + 0x2e, 0x34, 0x33, 0x2e, 0x31, 0x3a, 0x34, 0x38, + 0x33, 0x37, 0x36, 0x3b, 0x62, 0x72, 0x61, 0x6e, + 0x63, 0x68, 0x3d, 0x7a, 0x39, 0x68, 0x47, 0x34, + 0x62, 0x4b, 0x2d, 0x35, 0x32, 0x34, 0x32, 0x38, + 0x37, 0x2d, 0x31, 0x2d, 0x2d, 0x2d, 0x64, 0x63, + 0x66, 0x34, 0x65, 0x64, 0x64, 0x66, 0x61, 0x66, + 0x39, 0x66, 0x31, 0x32, 0x33, 0x39, 0x3b, 0x72, + 0x70, 0x6f, 0x72, 0x74, 0x3d, 0x34, 0x33, 0x31, + 0x36, 0x38, 0x3b, 0x72, 0x65, 0x63, 0x65, 0x69, + 0x76, 0x65, 0x64, 0x3d, 0x31, 0x39, 0x32, 0x2e, + 0x31, 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e, 0x31, + 0x0d, 0x0a, 0x54, 0x6f, 0x3a, 0x20, 0x3c, 0x73, + 0x69, 0x70, 0x3a, 0x39, 0x38, 0x37, 0x36, 0x35, + 0x34, 0x40, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, + 0x38, 0x2e, 0x34, 0x33, 0x2e, 0x31, 0x30, 0x30, + 0x3b, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, + 0x72, 0x74, 0x3d, 0x54, 0x43, 0x50, 0x3e, 0x3b, + 0x74, 0x61, 0x67, 0x3d, 0x39, 0x64, 0x64, 0x36, + 0x31, 0x66, 0x66, 0x36, 0x31, 0x65, 0x38, 0x30, + 0x32, 0x64, 0x38, 0x65, 0x32, 0x62, 0x65, 0x66, + 0x35, 0x66, 0x31, 0x34, 0x36, 0x32, 0x31, 0x65, + 0x66, 0x33, 0x63, 0x32, 0x2e, 0x35, 0x63, 0x31, + 0x62, 0x0d, 0x0a, 0x46, 0x72, 0x6f, 0x6d, 0x3a, + 0x20, 0x3c, 0x73, 0x69, 0x70, 0x3a, 0x39, 0x38, + 0x37, 0x36, 0x35, 0x34, 0x40, 0x31, 0x39, 0x32, + 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e, + 0x31, 0x30, 0x30, 0x3b, 0x74, 0x72, 0x61, 0x6e, + 0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d, 0x54, 0x43, + 0x50, 0x3e, 0x3b, 0x74, 0x61, 0x67, 0x3d, 0x39, + 0x62, 0x39, 0x39, 0x31, 0x36, 0x37, 0x66, 0x0d, + 0x0a, 0x43, 
0x61, 0x6c, 0x6c, 0x2d, 0x49, 0x44, + 0x3a, 0x20, 0x38, 0x4f, 0x6d, 0x74, 0x59, 0x55, + 0x55, 0x38, 0x45, 0x64, 0x6c, 0x61, 0x66, 0x55, + 0x68, 0x34, 0x67, 0x34, 0x6a, 0x69, 0x41, 0x77, + 0x2e, 0x2e, 0x0d, 0x0a, 0x43, 0x53, 0x65, 0x71, + 0x3a, 0x20, 0x31, 0x20, 0x52, 0x45, 0x47, 0x49, + 0x53, 0x54, 0x45, 0x52, 0x0d, 0x0a, 0x43, 0x6f, + 0x6e, 0x74, 0x61, 0x63, 0x74, 0x3a, 0x20, 0x3c, + 0x73, 0x69, 0x70, 0x3a, 0x39, 0x38, 0x37, 0x36, + 0x35, 0x34, 0x40, 0x31, 0x39, 0x32, 0x2e, 0x31, + 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e, 0x31, 0x3a, + 0x34, 0x38, 0x33, 0x37, 0x36, 0x3b, 0x72, 0x69, + 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x3d, + 0x62, 0x65, 0x32, 0x65, 0x63, 0x39, 0x38, 0x64, + 0x30, 0x66, 0x34, 0x33, 0x65, 0x37, 0x30, 0x63, + 0x3b, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, + 0x72, 0x74, 0x3d, 0x74, 0x63, 0x70, 0x3e, 0x3b, + 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x3d, + 0x36, 0x30, 0x30, 0x0d, 0x0a, 0x53, 0x65, 0x72, + 0x76, 0x65, 0x72, 0x3a, 0x20, 0x6b, 0x61, 0x6d, + 0x61, 0x69, 0x6c, 0x69, 0x6f, 0x20, 0x28, 0x35, + 0x2e, 0x32, 0x2e, 0x31, 0x20, 0x28, 0x78, 0x38, + 0x36, 0x5f, 0x36, 0x34, 0x2f, 0x6c, 0x69, 0x6e, + 0x75, 0x78, 0x29, 0x29, 0x0d, 0x0a, 0x43, 0x6f, + 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, + 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x30, 0x0d, + 0x0a, 0x0d, 0x0a + }; + + char buff[MAX]; + + bzero(buff, sizeof(buff)); + read(connfd, buff, sizeof(buff)); + read(connfd, buff, sizeof(buff)); + write(connfd, msg, sizeof(msg)); +} + +int main() +{ + int sockfd, connfd, len; + struct sockaddr_in servaddr, cli; + + sockfd = socket(AF_INET, SOCK_STREAM, 0); + if (sockfd == -1) { + printf("socket creation failed...\n"); + exit(0); + } + else + printf("Socket successfully created..\n"); + bzero(&servaddr, sizeof(servaddr)); + + // assign IP, PORT + servaddr.sin_family = AF_INET; + servaddr.sin_addr.s_addr = htonl(INADDR_ANY); + servaddr.sin_port = htons(PORT); + + // Binding newly created socket to given IP and verification + if ((bind(sockfd, 
(SA*)&servaddr, sizeof(servaddr))) != 0) {
+ printf("socket bind failed...\n");
+ exit(0);
+ }
+ else
+ printf("Socket successfully binded..\n");
+
+ // Now server is ready to listen and verification
+ if ((listen(sockfd, 5)) != 0) {
+ printf("Listen failed...\n");
+ exit(0);
+ }
+ else
+ printf("Server listening..\n");
+ len = sizeof(cli);
+
+ // Accept the data packet from client and verification
+ connfd = accept(sockfd, (SA*)&cli, &len);
+ if (connfd < 0) {
+ printf("server accept failed...\n");
+ exit(0);
+ }
+ else
+ printf("server accept the client...\n");
+
+ // Function for chatting between client and server
+ //func(connfd);
+ func(connfd);
+
+ // After chatting close the socket
+ close(sockfd);
+}
+
diff --git a/tests/sip-tcp-method/test.rules b/tests/sip-tcp-method/test.rules
new file mode 100644
index 000000000..1fd849f78
--- /dev/null
+++ b/tests/sip-tcp-method/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_server; sip.method; content:"REGISTER"; sid:1;)
diff --git a/tests/sip-tcp-method/test.yaml b/tests/sip-tcp-method/test.yaml
new file mode 100644
index 000000000..3b21824d5
--- /dev/null
+++ b/tests/sip-tcp-method/test.yaml
@@ -0,0 +1,28 @@
+requires:
+ min-version: 6
+
+args:
+ - -k none
+ - --set app-layer.protocols.sip.enabled=yes
+
+pcap: sip-tcp.pcap
+
+checks:
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ min-version: 8
+ count: 2
+ match:
+ proto: TCP
+ event_type: sip
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.sip_tcp: 2
+ stats.app_layer.flow.sip_tcp: 1
diff --git a/tests/sip-tcp-pattern-matching/Makefile b/tests/sip-tcp-pattern-matching/Makefile
new file mode 100644
index 000000000..4cad1e9f4
--- /dev/null
+++ b/tests/sip-tcp-pattern-matching/Makefile
@@ -0,0 +1,3 @@
+sip.pcap: sip-tcp-pattern-matching.syn
+ flowsynth.py -f pcap -w $@ $^
+
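Review bot: `func` issues exactly two blocking `read()` calls before answering, which assumes the client's two `write()` calls arrive as two separate segments; if they are ever coalesced (or the client sends the request in one piece) the second `read()` blocks while the client is itself blocked in `read()` waiting for the 200 OK, and both programs hang. Reading until the `\r\n\r\n` header terminator or EOF, as below, does not depend on segmentation. `len` is passed to `accept()` as `int *` where the parameter is `socklen_t *`, so declare it `socklen_t len;`, and `connfd` is never closed (only the listening `sockfd` is), so the connection is torn down by process exit rather than an explicit `close(connfd)`. The `#include` lines are rendered without header names here, so if `<string.h>` is not already among them it is needed for `strstr`.
```c
void func(int connfd)
{
    /* … unchanged: msg[] holding the SIP/2.0 200 OK … */
    char buff[MAX];
    size_t got = 0;

    /* Read until the end of the SIP headers (CRLF CRLF) or EOF, regardless
     * of how the client's two write() calls were segmented on the wire. */
    bzero(buff, sizeof(buff));
    while (got < sizeof(buff) - 1) {
        ssize_t n = read(connfd, buff + got, sizeof(buff) - 1 - got);
        if (n <= 0)
            break;
        got += (size_t)n;
        if (strstr(buff, "\r\n\r\n") != NULL)
            break;
    }
    if (write(connfd, msg, sizeof(msg)) != (ssize_t)sizeof(msg))
        perror("write");
}
```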
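Review bot: `requires: min-version: 6` lets this test run on 6.x and 7.x, yet every check is gated `min-version: 8`, so on those versions Suricata is executed and the test passes with nothing asserted. The `stats.app_layer.tx.sip_tcp` / `stats.app_layer.flow.sip_tcp` counters presumably only exist where SIP over TCP is supported, so `requires: min-version: 8`, as tests/sip-tcp-body-frames/test.yaml already uses, is the honest gate, after which the per-check `min-version: 8` lines can be dropped. The same pattern repeats in the protocol, request-line, response-line, stat-code, stat-msg, uri and tcp-pattern-matching yamls in this commit.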
diff --git a/tests/sip-tcp-pattern-matching/README.md b/tests/sip-tcp-pattern-matching/README.md
new file mode 100644
index 000000000..f78c05298
--- /dev/null
+++ b/tests/sip-tcp-pattern-matching/README.md
@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that SIP/TCP is detected with pattern matching.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
diff --git a/tests/sip-tcp-pattern-matching/sip-tcp-pattern-matching.syn b/tests/sip-tcp-pattern-matching/sip-tcp-pattern-matching.syn
new file mode 100644
index 000000000..f3df6d5f0
--- /dev/null
+++ b/tests/sip-tcp-pattern-matching/sip-tcp-pattern-matching.syn
@@ -0,0 +1,21 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:5062 (tcp.initialize; mss:9000;);
+default > (content:"REGISTER sip:sip.cybercity.dk SIP/2.0\x0d
+Via: SIP/2.0/UDP 192.168.1.2;branch=z9hG4bKnp151248737-46ea715e192.168.1.2;rport\x0d
+From: ;tag=903df0a\x0d
+To: \x0d
+Call-ID: 578222729-4665d775@578222732-4665d772\x0d
+Contact: ;expires=1200;q=0.500\x0d
+Expires: 1200\x0d
+CSeq: 68 REGISTER\x0d
+Content-Length: 0\x0d
+Max-Forwards: 70\x0d
+User-Agent: Nero SIPPS IP Phone Version 2.0.51.16\x0d\x0a\x0d\x0a";);
+default < (content:"SIP/2.0 401 Unauthorized\x0d
+Call-ID: 578222729-4665d775@578222732-4665d772\x0d
+CSeq: 68 REGISTER\x0d
+From: ;tag=903df0a\x0d
+To: ;tag=00-04092-1701af62-120c67172\x0d
+Via: SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5060;branch=z9hG4bKnp151248737-46ea715e192.168.1.2\x0d
+WWW-Authenticate: Digest realm=\"sip.cybercity.dk\",nonce=\"1701af566be182070084c6f740706bb\",opaque=\"1701a1351f70795\",stale=false,algorithm=MD5\x0d
+Content-Length: 0\x0d\x0a\x0d\x0a";);
+
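Review bot: This is the UDP flowsynth script replayed as a `tcp` flow, so both Via headers still say `Via: SIP/2.0/UDP 192.168.1.2;…` even though the messages are carried over TCP; a client that actually registers over TCP sends `Via: SIP/2.0/TCP …`, so unless the mismatch is intentional, change both Via lines to `SIP/2.0/TCP`. The parser presumably does not key on the transport named in Via, so this only affects how realistic the fixture is, but a test named "tcp" that carries a UDP Via will confuse the next reader. The README is copied verbatim from the UDP test; a sentence noting that port 5062 is deliberately non-standard so that detection has to come from pattern matching, not the port, would document what the test actually exercises.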
diff --git a/tests/sip-tcp-pattern-matching/sip.pcap b/tests/sip-tcp-pattern-matching/sip.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cd7d18cea6d5208ef1b93e402f2df2eed337b898 GIT binary patch literal 1473 zcmcJP!Ee+?6o)4ZYKzfUv;jm<9fh`36>DZ@*B;x8QE0QERSPnNBq~}#XYJWti;caR zH7VhcL;4T&(q4cPE)^glRY4WEUO*rfiB?s6;1Y3xdrv*21)k%iVV4NhN{sZRndj%< zd!F|_|9*4fQVwlItLw=Vga+X7`DG!;&uPeneQNVtf4TGepRFr%&37wrpbA1CreVXc zB|i_q%E8)peegB}YGBCAVf4lEOl9``n#%XiLhbUs3rjct`F6HfB~?h325)b>4gvw# zX76o`PCm?3-@Ph*wQL3z>1_d(N14jq?=-Y2hnDSwtM=mK z`#Wzf-I{-psthb;U!?w8S7irAKfHy|(aOQ<=&{OC+zmSpnC{QirSijMMh{Nm(Whr(Gs?HL>KFtwRZO-rXbE7z5X{FZyxZXGPuKaD!npsZx^A}^FoDL6Icv(c&( zt0b=-Q1PUL_oiv5Rv1A+LQR+U-Jh#K8u)7-O8- zP=#p(oEyU{t|D7?F^G?&MEHq=`)YZnWXB*TDYwH&y0*^)7Ssa^vk zLudscTp|>YMdEbQidA@42LGc^&tKuIL1>vdLJFirY*wJ0P|+}9!-#Kk$^n@d4ug`u z45ww_T100>Fly_Zl$WV@mqGeZ3>6M(Vz`ZxNX3rZX(*!ZHRVP z?iTGPG%jgPx`#%Lb>Yppd;iiJce7Wn8Q)C5H$8{d*S*~J{*VS15y~A&xvT9$=qa1X BfSLdR literal 0 HcmV?d00001 diff --git a/tests/sip-tcp-pattern-matching/test.yaml b/tests/sip-tcp-pattern-matching/test.yaml new file mode 100644 index 000000000..2a42e507e --- /dev/null +++ b/tests/sip-tcp-pattern-matching/test.yaml @@ -0,0 +1,34 @@ +requires: + min-version: 6 + +args: + - -k none + +checks: + - filter: + min-version: 8 + count: 1 + match: + proto: TCP + event_type: sip + sip.method: "REGISTER" + sip.uri: "sip:sip.cybercity.dk" + sip.version: "SIP/2.0" + sip.request_line: "REGISTER sip:sip.cybercity.dk SIP/2.0" + - filter: + min-version: 8 + count: 1 + match: + proto: TCP + event_type: sip + sip.version: "SIP/2.0" + sip.code: "401" + sip.reason: "Unauthorized" + sip.response_line: "SIP/2.0 401 Unauthorized" + - filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.app_layer.tx.sip_tcp: 2 + stats.app_layer.flow.sip_tcp: 1 diff --git a/tests/sip-tcp-protocol/README.md b/tests/sip-tcp-protocol/README.md new file mode 100644 index 000000000..2d175aa3e --- /dev/null 
+++ b/tests/sip-tcp-protocol/README.md
@@ -0,0 +1 @@
+Match on SIP version field.
diff --git a/tests/sip-tcp-protocol/test.rules b/tests/sip-tcp-protocol/test.rules
new file mode 100644
index 000000000..b68e37811
--- /dev/null
+++ b/tests/sip-tcp-protocol/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.protocol; content:"SIP/2.0"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.protocol; content:"SIP/2.0"; sid:2;)
diff --git a/tests/sip-tcp-protocol/test.yaml b/tests/sip-tcp-protocol/test.yaml
new file mode 100644
index 000000000..3bdbe3f9b
--- /dev/null
+++ b/tests/sip-tcp-protocol/test.yaml
@@ -0,0 +1,40 @@
+requires:
+ min-version: 6
+
+args:
+ - -k none
+ - --set app-layer.protocols.sip.enabled=yes
+
+pcap: ../sip-tcp-method/sip-tcp.pcap
+
+checks:
+ - filter:
+ min-version: 8
+ count: 2
+ match:
+ event_type: alert
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ min-version: 8
+ count: 2
+ match:
+ proto: TCP
+ event_type: sip
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.sip_tcp: 2
+ stats.app_layer.flow.sip_tcp: 1
diff --git a/tests/sip-tcp-request-line/README.md b/tests/sip-tcp-request-line/README.md
new file mode 100644
index 000000000..7881b9897
--- /dev/null
+++ b/tests/sip-tcp-request-line/README.md
@@ -0,0 +1 @@
+Match on the whole SIP request line.
diff --git a/tests/sip-tcp-request-line/test.rules b/tests/sip-tcp-request-line/test.rules
new file mode 100644
index 000000000..812e51ab7
--- /dev/null
+++ b/tests/sip-tcp-request-line/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_server; sip.request_line; content:"REGISTER sip:192.168.43.100\;transport=TCP SIP/2.0"; sid:1;)
diff --git a/tests/sip-tcp-request-line/test.yaml b/tests/sip-tcp-request-line/test.yaml
new file mode 100755
index 000000000..b87dd3275
--- /dev/null
+++ b/tests/sip-tcp-request-line/test.yaml
@@ -0,0 +1,28 @@
+requires:
+ min-version: 6
+
+args:
+ - -k none
+ - --set app-layer.protocols.sip.enabled=yes
+
+pcap: ../sip-tcp-method/sip-tcp.pcap
+
+checks:
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ min-version: 8
+ count: 2
+ match:
+ proto: TCP
+ event_type: sip
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.sip_tcp: 2
+ stats.app_layer.flow.sip_tcp: 1
diff --git a/tests/sip-tcp-response-line/README.md b/tests/sip-tcp-response-line/README.md
new file mode 100644
index 000000000..136ca58ae
--- /dev/null
+++ b/tests/sip-tcp-response-line/README.md
@@ -0,0 +1 @@
+Match on the whole SIP response line.
diff --git a/tests/sip-tcp-response-line/test.rules b/tests/sip-tcp-response-line/test.rules
new file mode 100644
index 000000000..01dfd77ad
--- /dev/null
+++ b/tests/sip-tcp-response-line/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_client; sip.response_line; content:"SIP/2.0 200 OK"; sid:1;)
diff --git a/tests/sip-tcp-response-line/test.yaml b/tests/sip-tcp-response-line/test.yaml
new file mode 100755
index 000000000..b87dd3275
--- /dev/null
+++ b/tests/sip-tcp-response-line/test.yaml
@@ -0,0 +1,28 @@
+requires:
+ min-version: 6
+
+args:
+ - -k none
+ - --set app-layer.protocols.sip.enabled=yes
+
+pcap: ../sip-tcp-method/sip-tcp.pcap
+
+checks:
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ min-version: 8
+ count: 2
+ match:
+ proto: TCP
+ event_type: sip
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.sip_tcp: 2
+ stats.app_layer.flow.sip_tcp: 1
diff --git a/tests/sip-tcp-stat-code/README.md b/tests/sip-tcp-stat-code/README.md
new file mode 100644
index 000000000..e96cf40e9
--- /dev/null
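Review bot: This test.yaml is added with mode `100755`, as are tests/sip-tcp-response-line/test.yaml, tests/sip-tcp-uri/test.yaml and tests/sip-tcp-method/sip-tcp.pcap, while every other file in the commit is `100644`; a yaml or pcap file has no reason to be executable, so `chmod 644` them before merging. The file is byte-identical to the response-line, stat-code and stat-msg yamls (same blob `b87dd3275`), which is fine since they share a pcap, but the first check (`count: 1` on `event_type: alert` with no `alert.signature_id`) would still pass if a different rule fired; adding `alert.signature_id: 1` under `match:` pins the rule under test at the cost of one line.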
+++ b/tests/sip-tcp-stat-code/README.md
@@ -0,0 +1 @@
+Match on SIP stat code field.
diff --git a/tests/sip-tcp-stat-code/test.rules b/tests/sip-tcp-stat-code/test.rules
new file mode 100644
index 000000000..099c902e4
--- /dev/null
+++ b/tests/sip-tcp-stat-code/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_client; sip.stat_code; content:"200"; sid:1;)
diff --git a/tests/sip-tcp-stat-code/test.yaml b/tests/sip-tcp-stat-code/test.yaml
new file mode 100644
index 000000000..b87dd3275
--- /dev/null
+++ b/tests/sip-tcp-stat-code/test.yaml
@@ -0,0 +1,28 @@
+requires:
+ min-version: 6
+
+args:
+ - -k none
+ - --set app-layer.protocols.sip.enabled=yes
+
+pcap: ../sip-tcp-method/sip-tcp.pcap
+
+checks:
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ min-version: 8
+ count: 2
+ match:
+ proto: TCP
+ event_type: sip
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.sip_tcp: 2
+ stats.app_layer.flow.sip_tcp: 1
diff --git a/tests/sip-tcp-stat-msg/README.md b/tests/sip-tcp-stat-msg/README.md
new file mode 100644
index 000000000..56ba3ba2c
--- /dev/null
+++ b/tests/sip-tcp-stat-msg/README.md
@@ -0,0 +1 @@
+Match on SIP stat msg field.
diff --git a/tests/sip-tcp-stat-msg/test.rules b/tests/sip-tcp-stat-msg/test.rules
new file mode 100644
index 000000000..f86c9da06
--- /dev/null
+++ b/tests/sip-tcp-stat-msg/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_client; sip.stat_msg; content:"OK"; sid:1;)
diff --git a/tests/sip-tcp-stat-msg/test.yaml b/tests/sip-tcp-stat-msg/test.yaml
new file mode 100644
index 000000000..b87dd3275
--- /dev/null
+++ b/tests/sip-tcp-stat-msg/test.yaml
@@ -0,0 +1,28 @@
+requires:
+ min-version: 6
+
+args:
+ - -k none
+ - --set app-layer.protocols.sip.enabled=yes
+
+pcap: ../sip-tcp-method/sip-tcp.pcap
+
+checks:
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ min-version: 8
+ count: 2
+ match:
+ proto: TCP
+ event_type: sip
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.sip_tcp: 2
+ stats.app_layer.flow.sip_tcp: 1
diff --git a/tests/sip-tcp-uri/README.md b/tests/sip-tcp-uri/README.md
new file mode 100644
index 000000000..c1c134a6d
--- /dev/null
+++ b/tests/sip-tcp-uri/README.md
@@ -0,0 +1 @@
+Match on SIP URI field.
diff --git a/tests/sip-tcp-uri/test.rules b/tests/sip-tcp-uri/test.rules
new file mode 100644
index 000000000..ef6bfba9c
--- /dev/null
+++ b/tests/sip-tcp-uri/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_server; sip.uri; content:"sip:192.168.43.100\;transport=TCP"; sid:1;)
diff --git a/tests/sip-tcp-uri/test.yaml b/tests/sip-tcp-uri/test.yaml
new file mode 100755
index 000000000..a9802dbe9
--- /dev/null
+++ b/tests/sip-tcp-uri/test.yaml
@@ -0,0 +1,28 @@
+requires:
+ min-version: 6
+
+args:
+ - -k none
+ - --set app-layer.protocols.sip.enabled=yes
+
+pcap: ../sip-tcp-method/sip-tcp.pcap
+
+checks:
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ min-version: 8
+ count: 2
+ match:
+ proto: TCP
+ event_type: sip
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.sip_tcp: 2
+ stats.app_layer.flow.sip_tcp: 1