Custom Application IDs and Signatures
    : Context Qualifiers
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. Custom Application IDs and Signatures
    4. Custom Application and Threat Signatures
    5. Custom Signature Contexts
    6. Context Qualifiers
    Download PDF

    Custom Application IDs and Signatures

    Context Qualifiers

    Table of Contents

    Context Qualifiers

    Add context qualifiers with custom signatures to limit match conditions and reduce false positives.
    Qualifiers lessen the chance of false positives by restricting the locations where the firewall can find a given pattern. In other words, a signature matches only when the firewall detects the pattern inside a specific qualifier, which corresponds to a specific context. For example, you might use the http-method qualifier to specify that a http-req-uri-path pattern matters when found inside a HTTP GET method.
    FTP Command Qualifiers
    FTP Vendor ID Qualifiers
    HTTP Header Field Qualifiers
    HTTP Method Qualifiers
    IMAP Command Qualifiers
    RTSP Method Qualifiers
    SMTP Method Qualifiers

    FTP Command Qualifiers

    FTP command qualifiers can be added to custom signatures that use FTP-related contexts to limit a match condition to specific FTP commands.
    ABORACCTALLOAPPEAUTHCDUPCWD
    DELEEHLOERPTHELOLISTMDTMMKD
    MODENLISTOPTSPASSPASVPBSZPORT
    PWDQUITREINRESTRETRRMDRNFR
    RNTOSITESIZESMNTSTATSTORSTOU
    STRUSYSTTESTTYPEUNKNOWN-COMMANDUNLOCKUSER
    XCRCXMD5XSHA1

    FTP Vendor ID Qualifiers

    FTP vendor ID qualifiers can be added to custom signatures that use FTP-related contexts to limit a match condition to specific FTP clients.
    CEASERFTPEASY_FILE_SHARING_FTPFILE_COPA_FTPFREEFTPDMICROSOFTFTPNETTERM
    PROFTPDSERV_UUNKNOWN_FTP_SERVERVSFTPDWARFTPDWS_FTP
    WUFTP

    HTTP Header Field Qualifiers

    HTTP header field qualifiers can be added to custom signatures that use HTTP-related contexts to limit a match condition to HTTP headers that have specific values for select header fields.
    ACCEPT_LANGUAGEAUTHORIZATIONCONTENT_ENCODINGCONTENT_LENGTHCONTENT_TYPEHOST
    IF_MOD_SINCESUBSCRIBE_HDRTRANSFER_ENCODINGUNKNOWN_HDRX_FORWARD_FOR

    HTTP Method Qualifiers

    HTTP method qualifiers can be added to custom signatures that use HTTP-related contexts to limit a match condition to HTTP headers that use specific HTTP methods.
    BCOPYBDELETEBITS_POSTBMOVEBPROPFINDBROPPATCHCCM_POST
    CONNECTCOPYDELETEGETHEADLINKLOCK
    MCKCOLMOVENOTIFYOPTIONSPOLLPOSTPROPFIND
    PROPPATCHPROXY_SUCCESSPUTRPC_CONNECTSEARCHSMS_POSTSOURCE
    SUBSCRIBETRACETRACKUNKNOWN_METHODUNLINKUNLOCKUNSUBSCRIBE

    IMAP Command Qualifiers

    IMAP command qualifiers can be added to custom signatures that use IMAP-related contexts to limit a match condition to specific IMAP commands.
    APPENDAUTHENTICATECAPABILITYCHECKCLOSECOPYCREATE
    DELETEEXAMINEEXPUNGEFETCHFINDIDLELIST
    LOGINLSUBNOOPRENAMESEARCHSELECTSTARTTLS
    STATUSSUBSCRIBEUNKNOWN_COMMANDUNSUBSCRIBE

    RTSP Method Qualifiers

    RTSP method qualifiers can be added to custom signatures that use RTSP-related contexts to limit a match condition to specific RTSP methods.
    ANNOUNCESDESCRIBEGET_PARAMETEROPTIONSPAUSE
    PLAYRECORDREDIRECTSET_PARAMETERSETUP
    SETUP_PARAMETERTEAR_DOWNUNKNOWN_METHOD

    SMTP Method Qualifiers

    SMTP method qualifiers can be added to custom signatures that use SMTP-related contexts to limit a match condition to specific SMTP methods.
    AUTHBDATDATAEHLOHELOMAILQUIT
    RCPTRSETSAMLSENDSOMLSTARTTLSUNKNOWN_CMD
    USERVRFYXEXCH50XEXPSXLINK2STATEXTELLMAIL

    © 2024 Palo Alto Networks, Inc. All rights reserved.