topic/vladg/sip has a SIP analyzer.
I've been running Vlad's branch (2443d319112fd345878766618951c56c2fd65fbd) for a long while and, for all practical purposes, it's been running stable, blocking SIP scanners and logging SIP sessions.
There are a couple of unknown_SIP_method (SUBSCRIBE and NOTIFY) in weird logs. I will send Vlad pcaps for these specific ones. At present, I don't know if these are affecting anything per se.
Seth is going to review the code.
Aashish - can you send me those PCAPs whenever you get a chance?
I believe that traffic is actually SSDP and not SIP, but maybe I can tighten up the DPD sig a bit.
I merged master, updated the tests (no changes to bro-testing and bro-testing-private), and updated NEWS.