Context Qualifiers
Add context qualifiers to custom signatures to limit match conditions and reduce false positives.
Qualifiers lessen the chance of false positives by restricting the locations where the firewall can find a given pattern. In other words, a signature matches only when the firewall detects the pattern inside a specific qualifier, which corresponds to a specific context. For example, you might use the http-method qualifier to specify that an http-req-uri-path pattern matters only when it is found in a request that uses the HTTP GET method.
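The effect of the http-method qualifier described above can be seen in a small model. This is an added example, not firewall code or vendor material: it is a simplified Python simulation of context-plus-qualifier matching, and the sample requests, the path `/admin/export.cgi`, the host name, and the mapping of unlisted methods to UNKNOWN_METHOD are all assumptions made for illustration.

```python
import re

# Subset of the HTTP method qualifier values listed on this page.
HTTP_METHOD_QUALIFIERS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS",
                          "TRACE", "CONNECT", "PROPFIND", "UNKNOWN_METHOD"}

def parse_request(raw):
    """Split a raw HTTP/1.x request into the fields this model matches on."""
    request_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    method, target, _version = parts
    # Assumption: a method outside the qualifier list is treated as UNKNOWN_METHOD.
    if method not in HTTP_METHOD_QUALIFIERS:
        method = "UNKNOWN_METHOD"
    # The URI path context excludes the query string.
    return {"http-method": method,
            "http-req-uri-path": target.split("?", 1)[0]}

def signature_matches(fields, context, pattern, qualifiers=None):
    """True only if every qualifier agrees and the pattern occurs in the context."""
    for name, value in (qualifiers or {}).items():
        if fields.get(name) != value:
            return False
    return re.search(pattern, fields.get(context, "")) is not None

# Constructed sample traffic (not captured from a real network).
SAMPLES = [
    b"GET /admin/export.cgi?id=1 HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"POST /admin/export.cgi HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"FROB /admin/export.cgi HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
]

def evaluate(qualifiers=None):
    """Run one http-req-uri-path signature over SAMPLES, one verdict per request."""
    return [signature_matches(parse_request(raw), "http-req-uri-path",
                              r"/admin/export\.cgi", qualifiers)
            for raw in SAMPLES]

if __name__ == "__main__":
    print("no qualifier:    ", evaluate())
    print("http-method=GET: ", evaluate({"http-method": "GET"}))
```

Without a qualifier the pattern fires on three of the four requests; with `http-method` set to GET it fires only on the first, which is the narrowing the paragraph describes.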
FTP Command Qualifiers
FTP command qualifiers can be added to custom signatures that use FTP-related contexts to limit a match condition to specific FTP commands.
ABOR | ACCT | ALLO | APPE | AUTH | CDUP | CWD
DELE | EHLO | ERPT | HELO | LIST | MDTM | MKD
MODE | NLIST | OPTS | PASS | PASV | PBSZ | PORT
PWD | QUIT | REIN | REST | RETR | RMD | RNFR
RNTO | SITE | SIZE | SMNT | STAT | STOR | STOU
STRU | SYST | TEST | TYPE | UNKNOWN-COMMAND | UNLOCK | USER
XCRC | XMD5 | XSHA1
FTP Vendor ID Qualifiers
FTP vendor ID qualifiers can be added to custom signatures that use FTP-related contexts to limit a match condition to specific FTP clients.
CEASERFTP | EASY_FILE_SHARING_FTP | FILE_COPA_FTP | FREEFTPD | MICROSOFTFTP | NETTERM
PROFTPD | SERV_U | UNKNOWN_FTP_SERVER | VSFTPD | WARFTPD | WS_FTP
WUFTP
HTTP Header Field Qualifiers
HTTP header field qualifiers can be added to custom signatures that use HTTP-related contexts to limit a match condition to HTTP headers that have specific values for select header fields.
ACCEPT_LANGUAGE | AUTHORIZATION | CONTENT_ENCODING | CONTENT_LENGTH | CONTENT_TYPE | HOST
IF_MOD_SINCE | SUBSCRIBE_HDR | TRANSFER_ENCODING | UNKNOWN_HDR | X_FORWARD_FOR
HTTP Method Qualifiers
HTTP method qualifiers can be added to custom signatures that use HTTP-related contexts to limit a match condition to HTTP headers that use specific HTTP methods.
BCOPY | BDELETE | BITS_POST | BMOVE | BPROPFIND | BROPPATCH | CCM_POST
CONNECT | COPY | DELETE | GET | HEAD | LINK | LOCK
MCKCOL | MOVE | NOTIFY | OPTIONS | POLL | POST | PROPFIND
PROPPATCH | PROXY_SUCCESS | PUT | RPC_CONNECT | SEARCH | SMS_POST | SOURCE
SUBSCRIBE | TRACE | TRACK | UNKNOWN_METHOD | UNLINK | UNLOCK | UNSUBSCRIBE
IMAP Command Qualifiers
IMAP command qualifiers can be added to custom signatures that use IMAP-related contexts to limit a match condition to specific IMAP commands.
APPEND | AUTHENTICATE | CAPABILITY | CHECK | CLOSE | COPY | CREATE
DELETE | EXAMINE | EXPUNGE | FETCH | FIND | IDLE | LIST
LOGIN | LSUB | NOOP | RENAME | SEARCH | SELECT | STARTTLS
STATUS | SUBSCRIBE | UNKNOWN_COMMAND | UNSUBSCRIBE
RTSP Method Qualifiers
RTSP method qualifiers can be added to custom signatures that use RTSP-related contexts to limit a match condition to specific RTSP methods.
ANNOUNCES | DESCRIBE | GET_PARAMETER | OPTIONS | PAUSE
PLAY | RECORD | REDIRECT | SET_PARAMETER | SETUP
SETUP_PARAMETER | TEAR_DOWN | UNKNOWN_METHOD
SMTP Method Qualifiers
SMTP method qualifiers can be added to custom signatures that use SMTP-related contexts to limit a match condition to specific SMTP methods.
AUTH | BDAT | DATA | EHLO | HELO | QUIT
RCPT | RSET | SAML | SEND | SOML | STARTTLS | UNKNOWN_CMD
USER | VRFY | XEXCH50 | XEXPS | XLINK2STATE | XTELLMAIL