
Custom Signature Contexts
PAN-OS 4.1


Revision
2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

Table of Contents
Overview (page 4)
Integer Contexts (Greater than, Less than, Equal to) (page 4)
  ftp-req-params-len (page 4)
  http-req-content-length (page 4)
  http-req-header-length (page 4)
  http-req-param-length (page 5)
  http-req-uri-path-length (page 5)
  http-req-uri-tilde-count-num (page 5)
  http-rsp-code (page 6)
  http-rsp-content-length (page 6)
  http-rsp-total-headers-len (page 6)
  imap-req-cmd-param-len (page 7)
  imap-req-first-param-len (page 7)
  imap-req-param-len-from-second (page 7)
  smtp-req-helo-argument-length (page 7)
  smtp-req-mail-argument-length (page 8)
  smtp-req-rcpt-argument-length (page 8)
String Contexts (Pattern Match) (page 8)
  dns-req-section (page 8)
  file-flv-body (page 8)
  file-html-body (page 9)
  file-mov-body (page 9)
  file-office-content (page 9)
  file-pdf-body (page 9)
  file-riff-body (page 9)
  file-swf-body (page 9)
  ftp-req-params (page 9)
  ftp-rsp-banner (page 9)
  http-req-headers (page 9)
  http-req-host-header (page 10)
  http-req-message-body (page 10)
  http-req-mime-form-data (page 10)
  http-req-params (page 11)
  http-req-uri-path (page 11)
  http-rsp-headers (page 11)
  imap-req-cmd-line (page 12)
  imap-req-first-param (page 12)
  imap-req-params-after-first-param (page 12)
  ms-ds-smb-req-share-name (page 12)
  msrpc-req-bind-data (page 12)
  msssql-db-req-body (page 12)
  rtsp-req-headers (page 12)
  rtsp-req-uri-path (page 13)
  smtp-req-argument (page 13)
  smtp-rsp-content (page 13)
  ssh-req-banner (page 13)
  ssh-rsp-banner (page 13)
  ssl-req-certificate (page 14)
  ssl-req-client-hello (page 14)
  ssl-rsp-certificate (page 14)
  ssl-rsp-server-hello (page 15)
  telnet-req-client-data (page 15)
  telnet-rsp-server-data (page 15)
  unknown-req-tcp-payload (page 16)
  unknown-req-udp-payload (page 16)
  unknown-rsp-tcp-payload (page 16)
  unknown-rsp-udp-payload (page 16)
Context Qualifiers (page 16)
  Table 1: FTP Command Qualifiers (page 16)
  Table 2: FTP Vendor ID Qualifiers (page 16)
  Table 3: HTTP Header Field Qualifiers (page 16)
  Table 4: HTTP Method Qualifiers (page 16)
  Table 5: IMAP Command Qualifiers (page 17)
  Table 6: RTSP Method Qualifiers (page 17)
  Table 7: SMTP Method Qualifiers (page 17)
Revision History (page 17)


Overview
This document describes the decoder contexts that can be used to develop custom IPS and custom application signatures.
The document is broken up into three sections. The first section describes all integer contexts, which apply to the
greater-than, less-than, and equal-to operators. These contexts are available for custom IPS signatures, but are not
available for custom application signatures. The second section describes all string contexts, which apply to the
pattern-matching operator. The final section provides tables of all qualifiers available to various contexts. Qualifiers
can be used to further refine and limit the scope of a custom signature, and are context-dependent.

Integer Contexts (Greater than, Less than, Equal to)


ftp-req-params-len
Description: The length of the arguments to an FTP command, not including the command itself.
Example: This context provides the length of the text in bold.
put test.bin /test.bin

Qualifiers: This context can use FTP command (Table 1) and FTP vendor ID (Table 2) qualifiers to limit signatures to
specific FTP commands and known FTP clients.

http-req-content-length
Description: The content length of the HTTP request, as provided in the HTTP header of the request in the content-length
field.
Example: This context provides the integer in bold.
POST /foo.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102
Firefox/3.5.5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 43

http-req-header-length
Description: Length of the HTTP header of the request, excluding method, path, and HTTP version.
Example: This context provides the length of the text in bold.
GET /en-us/default.aspx HTTP/1.1
Host: www.example.com

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0) Gecko/20100101
Firefox/10.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: MC0=1331060353560

Qualifiers: This context can use HTTP header field (Table 3) and HTTP method (Table 4) qualifiers to limit signatures to
HTTP headers with specific values for select header fields and for specific HTTP methods.

http-req-param-length
Description: Length of the URL query string.
Example: This context provides the length of the text in bold.
GET /en-us/default.aspx?page=1&view=full HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0) Gecko/20100101
Firefox/10.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: MC0=1331060353560

http-req-uri-path-length
Description: Length of the path, not including query string.
Example: This context provides the length of the text in bold.
GET /en-us/default.aspx?page=1&view=full HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0) Gecko/20100101
Firefox/10.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: MC0=1331060353560

Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific
HTTP methods.

http-req-uri-tilde-count-num
Description: Number of ~ characters in the path. The following encoded characters are included in this context:
%3A
%u003A
%u0589
%u2236
%u007E
%u0303
%u223C
%uFF5E

Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific
HTTP methods.
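The HTTP request integer contexts above can be reproduced from a raw request to check what value a signature would be comparing against. The following is an added example, not code from the tech note or from PAN-OS; it assumes that http-req-header-length counts the header lines after the request line joined by CRLF (the note does not say whether line breaks are counted), and the sample requests are constructed from the note's examples with the header set trimmed.

```python
# Added example (not code from the tech note or from PAN-OS): derive the HTTP request
# integer contexts described above from a raw request, then test a threshold the way a
# custom IPS signature's greater-than / less-than / equal-to operator would.
from typing import Dict, Optional

# Encoded tilde forms exactly as listed in the http-req-uri-tilde-count-num entry above.
TILDE_ENCODINGS = ("%u007E", "%u0303", "%u223C", "%uFF5E",
                   "%3A", "%u003A", "%u0589", "%u2236")


def http_request_int_contexts(raw: bytes) -> Dict[str, Optional[int]]:
    """Compute the five HTTP request integer contexts for one raw request.

    Assumption (ours, not stated by the note): http-req-header-length counts the
    header lines after the request line, joined by CRLF, without the final blank line.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3:
        raise ValueError("malformed request line")
    _method, target, _version = request_line
    path, _q, query = target.partition(b"?")          # query string follows the first '?'
    header_block = b"\r\n".join(lines[1:])            # headers without method/path/version

    content_length = None                             # absent header: context has no value
    for line in lines[1:]:
        name, _colon, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            content_length = int(value.strip())

    lowered = path.lower()
    tilde_count = path.count(b"~") + sum(
        lowered.count(enc.lower().encode("ascii")) for enc in TILDE_ENCODINGS)

    return {
        "http-req-content-length": content_length,
        "http-req-header-length": len(header_block),
        "http-req-param-length": len(query),
        "http-req-uri-path-length": len(path),
        "http-req-uri-tilde-count-num": tilde_count,
    }


def evaluate(contexts: Dict[str, Optional[int]], name: str, operator: str, value: int) -> bool:
    """Apply one integer-context condition; a context with no value never matches."""
    actual = contexts.get(name)
    if actual is None:
        return False
    ops = {"greater-than": actual > value,
           "less-than": actual < value,
           "equal-to": actual == value}
    return ops[operator]


# Constructed samples modelled on the note's examples (header sets trimmed).
SAMPLE_GET = (b"GET /en-us/default.aspx?page=1&view=full HTTP/1.1\r\n"
              b"Host: www.example.com\r\n"
              b"Connection: keep-alive\r\n\r\n")
SAMPLE_POST = (b"POST /foo.php HTTP/1.1\r\n"
               b"Host: www.example.com\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 27\r\n\r\n"
               b"userid=joe&password=guessme")
SAMPLE_TILDE = b"GET /~user/a%u007Eb HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
```

A long-path or high-tilde-count rule is a typical use of these contexts, and evaluate() shows how the comparison operators behave when the header that feeds a context is missing.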

http-rsp-code
Description: The number corresponding to the HTTP response code.
Example: This context provides the integer in bold.
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 34113

http-rsp-content-length
Description: The content length of the HTTP response, as provided in the HTTP header of the response in the content-length
field.
Example: This context provides the integer in bold.
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 34113

http-rsp-total-headers-len
Description: Length of the HTTP headers of the response, not including the HTTP status banner.
Example: This context provides the length of the text in bold.
HTTP/1.1 200 OK
Cache-Control: no-cache


Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 34113

imap-req-cmd-param-len
Description: Total length of all parameters of an IMAP command.
Example: This context provides the length of the text in bold.
LOGIN MyUsername MyPassword

Qualifiers: This context can use the IMAP command (Table 5) qualifier to limit signatures to specific IMAP commands.

imap-req-first-param-len
Description: Length of the first parameter of an IMAP command.
Example: This context provides the length of the text in bold.
LOGIN MyUsername MyPassword

Qualifiers: This context can use the IMAP command (Table 5) qualifier to limit signatures to specific IMAP commands.

imap-req-param-len-from-second
Description: Total length of all parameters of an IMAP command, not including the first.
Example: This context provides the length of the text in bold.
LOGIN MyUsername MyPassword

Qualifiers: This context can use the IMAP command (Table 5) qualifier to limit signatures to specific IMAP commands.

smtp-req-helo-argument-length
Description: Length of the argument to the SMTP HELO command.
Example: This context provides the length of the text in bold.
HELO relay.example.org


smtp-req-mail-argument-length
Description: Length of the argument to the SMTP MAIL FROM command.
Example: This context provides the length of the text in bold.
MAIL FROM: bob@example.com

smtp-req-rcpt-argument-length
Description: Length of the argument to the SMTP RCPT TO command.
Example: This context provides the length of the text in bold.
RCPT TO: alice@example.com

String Contexts (Pattern Match)


dns-req-section
Description: This context matches against the DNS questions of a DNS query, so that patterns can be written against one or
more domains in a given DNS query. It is a direct pattern match against the format of a DNS query, so patterns must
adhere to the DNS question structure. A recommended approach to create a DNS pattern is to capture the DNS request
with Wireshark and copy the DNS Request field (make sure to remove the ending period in the request).
Example: The following example illustrates how to build a signature for a DNS query for the domain
www.thebayareagamers.com (the hex bytes below spell out "www", "thebayareagamers", and "com").
The signature pattern is:
\x 03 77 77 77 10 74 68 65 62 61 79 61 72 65 61 67 61 6d 65 72 73 03 63 6f 6d\x

Pattern                                          Description
\x                                               Indicates this pattern is a hex pattern match
03                                               Indicates that the next 3 bytes are to be matched
77 77 77                                         "www" [The period in the domain name is omitted.]
10                                               Indicates that the next 16 bytes (10 hex) are to be matched
74 68 65 62 61 79 61 72 65 61 67 61 6d 65 72 73  "thebayareagamers"
03                                               Indicates that the next 3 bytes are to be matched
63 6f 6d                                         "com"
\x                                               Ends hex pattern match
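Building such a pattern by hand is error-prone (a wrong length byte silently breaks the match), so the following added example, which is not code from the tech note or from PAN-OS, generates the label-encoded hex pattern from a domain name, decodes a pattern back for rule review, and checks it against the question section of a constructed DNS query. The DNS packet builder and the sample names are constructed for the example.

```python
# Added example (not code from the tech note or from PAN-OS): build a dns-req-section hex
# pattern from a domain name, decode one back, and check it against the question section
# of a constructed DNS query, mirroring the matching the context performs.
from typing import List

# The pattern quoted in the tech note for www.thebayareagamers.com.
NOTE_PATTERN = ("\\x 03 77 77 77 10 74 68 65 62 61 79 61 72 65 61 67 61 6d 65 72 73 "
                "03 63 6f 6d\\x")


def qname_wire(domain: str) -> bytes:
    """Encode a domain as DNS labels: one length byte followed by the label bytes.
    As the note advises, the trailing period is dropped, and no terminating root label
    is appended, so the pattern matches the name itself."""
    labels = domain.rstrip(".").split(".")
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:        # DNS label length limits
            raise ValueError("label length %d outside 1..63: %r" % (len(raw), label))
        out.append(len(raw))
        out += raw
    return bytes(out)


def build_pattern(domain: str) -> str:
    """Render the wire form in the note's hex pattern syntax: \\x, hex bytes, \\x."""
    return "\\x " + " ".join("%02x" % b for b in qname_wire(domain)) + " \\x"


def pattern_bytes(pattern: str) -> bytes:
    """Strip the \\x delimiters and whitespace and return the raw bytes to match."""
    body = pattern.strip()
    if not (body.startswith("\\x") and body.endswith("\\x")):
        raise ValueError("pattern must start and end with \\x")
    return bytes.fromhex("".join(body[2:-2].split()))


def decode_pattern(pattern: str) -> str:
    """Turn a label-encoded hex pattern back into a dotted name (for reviewing a rule)."""
    data = pattern_bytes(pattern)
    labels: List[str] = []
    i = 0
    while i < len(data):
        n = data[i]
        if n == 0:                         # root label: end of name
            break
        if n > 63 or i + 1 + n > len(data):
            raise ValueError("bad label length %d at offset %d" % (n, i))
        labels.append(data[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)


def dns_query_packet(domain: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: minimal DNS query, a 12-byte header plus one A/IN question."""
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    return header + qname_wire(domain) + b"\x00" + b"\x00\x01" + b"\x00\x01"


def question_section_matches(pattern: str, packet: bytes) -> bool:
    """Match the pattern bytes within the question section only (after the header)."""
    return pattern_bytes(pattern) in packet[12:]
```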

file-flv-body
Description: This context provides the full file body of an FLV file, minus the first 8 bytes.

file-html-body
Description: This context provides the full file body of a text file, minus the first 8 bytes.

file-mov-body
Description: This context provides the full file body of an MOV file, minus the first 8 bytes.

file-office-content
Description: This context provides the full file body of a Microsoft Office Document file, minus the first 8 bytes.

file-pdf-body
Description: This context provides the full file body of a PDF file, minus the first 8 bytes. Compressed data is provided as
decompressed data by the decoder.

file-riff-body
Description: This context provides the full file body of a RIFF file, minus the first 8 bytes.

file-swf-body
Description: This context provides the full file body of a SWF file, minus the first 8 bytes.

ftp-req-params
Description: This context provides the parameters following an FTP command.
Example: The context provides the text in bold.
put test.bin /test.bin

Qualifiers: This context can use FTP command (Table 1) and FTP vendor ID (Table 2) qualifiers to limit signatures to
specific FTP commands and known FTP clients.

ftp-rsp-banner
Description: This context provides the FTP welcome banner shown before authentication.

http-req-headers
Description: This context provides the HTTP header of a request, not including the method, path, HTTP version, and host.
Example: This context provides the text in bold.
GET /en-us/default.aspx HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0) Gecko/20100101
Firefox/10.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: MC0=1331060353560

Qualifiers: This context can use HTTP header field (Table 3) and HTTP method (Table 4) qualifiers to limit signatures to
HTTP headers with specific values for select header fields and for specific HTTP methods.

http-req-host-header
Description: This context provides the host indicated by the Host field in the HTTP header of the request.
Example: This context provides the text in bold.
GET /en-us/default.aspx HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0) Gecko/20100101
Firefox/10.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: MC0=1331060353560

Qualifiers: This context can use HTTP header field (Table 3) and HTTP method (Table 4) qualifiers to limit signatures to
HTTP headers with specific values for select header fields and for specific HTTP methods.

http-req-message-body
Description: This context provides the body content of an HTTP request when the body content cannot be recognized as
URL-encoded or MIME-type data from the Content-Type field.
Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific
HTTP methods.

http-req-mime-form-data
Description: This context provides all MIME header data in the body of an HTTP request, not including embedded file
contents.
Example: This context provides the data in bold.
------------------------------b2449e94a11c
Content-Disposition: form-data; name="image1"; filename="/tmp/current_file1"
Content-Type: application/octet-stream
[binary data follows not included]
------------------------------b2449e94a11c
Content-Disposition: form-data; name="image2"; filename="/tmp/current_file2"
Content-Type: application/octet-stream
[binary data follows not included]

http-req-params
Description: This context provides the query string as well as parameters in the HTTP body for a POST method.
Example: This context provides the text in bold.
POST /foo.php?page=1&view=full HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
userid=joe&password=guessme

Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific
HTTP methods.

http-req-uri-path
Description: This context provides the path in the HTTP header of a request.
Example: This context provides the text in bold.
GET /en-us/default.aspx?page=1&view=full HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0) Gecko/20100101
Firefox/10.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific
HTTP methods.

http-rsp-headers
Description: This context provides the full HTTP header of a response, not including the HTTP banner.
Example: This context provides the text in bold.
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 34113

imap-req-cmd-line
Description: This context provides the IMAP command used.
Example: This context provides the text in bold.
LOGIN MyUsername MyPassword

imap-req-first-param
Description: This context provides the first parameter to an IMAP command.
Example: This context provides the text in bold.
LOGIN MyUsername MyPassword

Qualifiers: This context can use the IMAP command (Table 5) qualifier to limit signatures to specific IMAP commands.

imap-req-params-after-first-param
Description: This context provides the complete parameters to an IMAP command, not including the first parameter.
Example: This context provides the text in bold.
LOGIN MyUsername MyPassword

ms-ds-smb-req-share-name
Description: This context provides the full path to a file that is read or written using SMB.

msrpc-req-bind-data
Description: This context provides the data payload of an MS RPC Bind request.

msssql-db-req-body
Description: This context provides the request to a Microsoft SQL server, excluding the request header.

rtsp-req-headers
Description: This context provides the full RTSP request headers, not including the command line.
Example: This context provides the text in bold.
PLAY rtsp://example.com/media.mp4/streamed=0 RTSP/1.0
CSeq: 2
Range: ntp=5-20
Session: 12345678

Qualifiers: This context can use the RTSP method (Table 6) qualifier to limit signatures to specific RTSP methods.

rtsp-req-uri-path
Description: This context provides the path of an RTSP request, not including the command line.
Example: This context provides the text in bold.
PLAY rtsp://example.com/media.mp4/streamed=0 RTSP/1.0
CSeq: 2
Range: ntp=5-20
Session: 12345678

Qualifiers: This context can use the RTSP method (Table 6) qualifier to limit signatures to specific RTSP methods.

smtp-req-argument
Description: This context provides the argument of an SMTP command.
Example: This context provides the text in bold.
HELO relay.example.org

Qualifiers: This context can use the SMTP method (Table 7) qualifier to limit signatures to specific SMTP methods.

smtp-rsp-content
Description: This context provides all SMTP server response content.

ssh-req-banner
Description: This context provides the SSH banner of the client, not including comments.
Example: This context provides the text in bold.
SSH-2.0-OpenSSH_5.2

ssh-rsp-banner
Description: This context provides the SSH banner of the server, not including comments.
Example: This context provides the text in bold.
SSH-2.0-OpenSSH_5.2


ssl-req-certificate
Description: This context provides the handshake message data of an SSL negotiation message for Certificate messages from
the client.
Example: This context provides the data in blue from the client's SSL negotiation message, when the message type is
certificate (11).

                Byte +0                 Byte +1                 Byte +2                 Byte +3
Byte 0          22
Bytes 1..4      Version (Major)         Version (Minor)         Length (bits 15..8)     Length (bits 7..0)
Bytes 5..8      Message Type = 11       Handshake message data  Handshake message data  Handshake message data
                (Certificate)           length (bits 23..16)    length (bits 15..8)     length (bits 7..0)
Bytes 9..(n-1)  Handshake message data

ssl-req-client-hello
Description: This context provides the handshake message data of an SSL negotiation message for ClientHello messages
from the client.
Example: This context provides the data in blue from the client's SSL negotiation message, when the message type is
ClientHello (1).

                Byte +0                 Byte +1                 Byte +2                 Byte +3
Byte 0          22
Bytes 1..4      Version (Major)         Version (Minor)         Length (bits 15..8)     Length (bits 7..0)
Bytes 5..8      Message Type = 1        Handshake message data  Handshake message data  Handshake message data
                (ClientHello)           length (bits 23..16)    length (bits 15..8)     length (bits 7..0)
Bytes 9..(n-1)  Handshake message data

ssl-rsp-certificate
Description: This context provides the handshake message data of an SSL negotiation message for Certificate messages from
the server.
Example: This context provides the data in blue from the server's SSL negotiation message, when the message type is
certificate (11).

                Byte +0                 Byte +1                 Byte +2                 Byte +3
Byte 0          22
Bytes 1..4      Version (Major)         Version (Minor)         Length (bits 15..8)     Length (bits 7..0)
Bytes 5..8      Message Type = 11       Handshake message data  Handshake message data  Handshake message data
                (Certificate)           length (bits 23..16)    length (bits 15..8)     length (bits 7..0)
Bytes 9..(n-1)  Handshake message data

ssl-rsp-server-hello
Description: This context provides the handshake message data of an SSL negotiation message for ServerHello messages
from the server.
Example: This context provides the data in blue from the server's SSL negotiation message, when the message type is
ServerHello (2).

                Byte +0                 Byte +1                 Byte +2                 Byte +3
Byte 0          22
Bytes 1..4      Version (Major)         Version (Minor)         Length (bits 15..8)     Length (bits 7..0)
Bytes 5..8      Message Type = 2        Handshake message data  Handshake message data  Handshake message data
                (ServerHello)           length (bits 23..16)    length (bits 15..8)     length (bits 7..0)
Bytes 9..(n-1)  Handshake message data
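The four ssl-* contexts above all expose the same slice of the record: the handshake message data that follows the 5-byte record header and the 4-byte handshake header. The following added example, which is not code from the tech note or from PAN-OS, walks a record laid out as in those tables and returns that data for a requested message type; it also handles a record that carries several handshake messages (a server commonly sends ServerHello and Certificate together). The builder and the sample records are constructed placeholders, not real hellos or certificates.

```python
# Added example (not code from the tech note or from PAN-OS): walk an SSL/TLS record laid
# out as in the four tables above and pull out the "Handshake message data" that the
# ssl-req-client-hello, ssl-rsp-server-hello, ssl-req-certificate and ssl-rsp-certificate
# contexts expose to the pattern matcher.
from typing import List, Optional, Tuple

CONTENT_TYPE_HANDSHAKE = 22                                      # byte 0 of the record
MSG_CLIENT_HELLO, MSG_SERVER_HELLO, MSG_CERTIFICATE = 1, 2, 11   # byte 5 values from the tables


def parse_handshake_messages(record: bytes) -> List[Tuple[int, bytes]]:
    """Return [(message_type, handshake_message_data), ...] for every handshake message
    in one record. The loop continues until the record length is used up, because one
    record may carry several messages back to back."""
    if len(record) < 5:
        raise ValueError("record shorter than the 5-byte record header")
    if record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a handshake record (content type %d)" % record[0])
    _major, _minor = record[1], record[2]            # bytes 1..2: version (major, minor)
    rec_len = int.from_bytes(record[3:5], "big")     # bytes 3..4: length (bits 15..8, 7..0)
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length field exceeds the captured bytes")
    messages, off = [], 0
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated handshake message header")
        msg_type = body[off]                                      # byte 5: message type
        msg_len = int.from_bytes(body[off + 1:off + 4], "big")    # bytes 6..8: 24-bit length
        data = body[off + 4:off + 4 + msg_len]                    # bytes 9..(n-1): data
        if len(data) != msg_len:
            raise ValueError("truncated handshake message data")
        messages.append((msg_type, data))
        off += 4 + msg_len
    return messages


def context_data(record: bytes, msg_type: int) -> Optional[bytes]:
    """Bytes a matching ssl-* context would expose: the data of the first handshake
    message of the requested type, or None when the record carries no such message."""
    for kind, data in parse_handshake_messages(record):
        if kind == msg_type:
            return data
    return None


def build_record(*messages: Tuple[int, bytes], version: Tuple[int, int] = (3, 1)) -> bytes:
    """Helper for constructing samples: wrap (type, data) handshake messages in one record."""
    body = b"".join(bytes([kind]) + len(data).to_bytes(3, "big") + data
                    for kind, data in messages)
    return bytes([CONTENT_TYPE_HANDSHAKE, *version]) + len(body).to_bytes(2, "big") + body


# Constructed sample records (placeholder contents, not real hellos or certificates).
CLIENT_HELLO_DATA = b"\x03\x01" + b"\x11" * 32 + b"\x00"
SERVER_HELLO_DATA = b"\x03\x01" + b"\x22" * 32
CERT_DATA = b"CERT-PLACEHOLDER"
SAMPLE_CLIENT_RECORD = build_record((MSG_CLIENT_HELLO, CLIENT_HELLO_DATA))
SAMPLE_SERVER_RECORD = build_record((MSG_SERVER_HELLO, SERVER_HELLO_DATA),
                                    (MSG_CERTIFICATE, CERT_DATA))
```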

telnet-req-client-data
Description: This context provides full telnet payloads for all traffic originating from the client.

telnet-rsp-server-data
Description: This context provides full telnet payloads for all traffic originating from the server.


unknown-req-tcp-payload
Description: This context provides the full TCP payload for unknown TCP traffic originating from the client.

unknown-req-udp-payload
Description: This context provides the full UDP payload for unknown UDP traffic originating from the client, which is the
initiator of UDP communications.

unknown-rsp-tcp-payload
Description: This context provides the full TCP payload for unknown TCP traffic originating from the server.

unknown-rsp-udp-payload
Description: This context provides the full UDP payload for unknown UDP traffic originating from the server, that is, the
side opposite the client.

Context Qualifiers
Table 1: FTP Command Qualifiers
FTP command qualifiers can be added to custom signatures that use FTP-related contexts to limit a match condition to
specific FTP commands.
ABOR, ACCT, ALLO, APPE, AUTH, CDUP, CWD, DELE, EHLO, ERPT, HELO, LIST, MDTM, MKD, MODE, NLIST, OPTS, PASS, PASV, PBSZ,
PORT, PWD, QUIT, REIN, REST, RETR, RMD, RNFR, RNTO, SITE, SIZE, SMNT, STAT, STOR, STOU, STRU, SYST, TEST, TYPE,
UNKNOWN_COMMAND, UNLOCK, USER, XCRC, XMD5, XSHA1

Table 2: FTP Vendor ID Qualifiers
FTP vendor ID qualifiers can be added to custom signatures that use FTP-related contexts to limit a match condition to
specific FTP clients.
CEASERFTP, EASY_FILE_SHARING_FTP, FILE_COPA_FTP, FREEFTPD, MICROSOFTFTP, NETTERM, PROFTPD, SERV_U, UNKNOWN_FTP_SERVER,
VSFTPD, WARFTPD, WS_FTP, WUFTP

Table 3: HTTP Header Field Qualifiers
HTTP header field qualifiers can be added to custom signatures that use HTTP-related contexts to limit a match condition
to HTTP headers that have specific values for select header fields.
ACCEPT_LANGUAGE, AUTHORIZATION, CONTENT_ENCODING, CONTENT_LENGTH, CONTENT_TYPE, IF_MOD_SINCE, SUBSCRIBE_HDR,
TRANSFER_ENCODING, UNKNOWN_HDR, X_FORWARD_FOR, HOST

Table 4: HTTP Method Qualifiers
HTTP method qualifiers can be added to custom signatures that use HTTP-related contexts to limit a match condition to
HTTP headers that use specific HTTP methods.
BCOPY, BDELETE, BITS_POST, BMOVE, BPROPFIND, BPROPPATCH, CCM_POST, CONNECT, COPY, DELETE, GET, HEAD, LINK, LOCK, MKCOL,
MOVE, NOTIFY, OPTIONS, POLL, POST, PROPFIND, PROPPATCH, PROXY_SUCCESS, PUT, RPC_CONNECT, SEARCH, SMS_POST, SOURCE,
SUBSCRIBE, TRACE, TRACK, UNKNOWN_METHOD, UNLINK, UNLOCK, UNSUBSCRIBE

Table 5: IMAP Command Qualifiers
IMAP command qualifiers can be added to custom signatures that use IMAP-related contexts to limit a match condition to
specific IMAP commands.
APPEND, AUTHENTICATE, CAPABILITY, CHECK, CLOSE, COPY, CREATE, DELETE, EXAMINE, EXPUNGE, FETCH, FIND, IDLE, LIST, LOGIN,
LSUB, NOOP, RENAME, SEARCH, SELECT, STARTTLS, STATUS, SUBSCRIBE, UNKNOWN_COMMAND, UNSUBSCRIBE

Table 6: RTSP Method Qualifiers
RTSP method qualifiers can be added to custom signatures that use RTSP-related contexts to limit a match condition to
specific RTSP methods.
ANNOUNCES, DESCRIBE, GET_PARAMETER, OPTIONS, PAUSE, PLAY, RECORD, REDIRECT, SET_PARAMETER, SETUP, SETUP_PARAMETER,
TEAR_DOWN, UNKNOWN_METHOD

Table 7: SMTP Method Qualifiers
SMTP method qualifiers can be added to custom signatures that use SMTP-related contexts to limit a match condition to
specific SMTP methods.
AUTH, BDAT, DATA, EHLO, HELO, MAIL, QUIT, RCPT, RSET, SAML, SEND, SOML, STARTTLS, UNKNOWN_CMD, USER, VRFY, XEXCH50,
XEXPS, XLINK2STATE, XTELLMAIL

Revision History
Date      Revision  Comment
03/07/12  -         Tech note created.