Scribd
Upload
205 views

TechNote Contexts Rev

Uploaded by

Kimberly Conley
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
205 views

TechNote Contexts Rev

Uploaded by

Kimberly Conley
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 17

Custom

Signature Contexts
PAN-OS 4.1


Revision
2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

Table of C ontents
Overview ................................................................................................................................................................................ 4
Integer Contexts (Greater than, Less than, Equal to) .............................................................................................................. 4
ftp-req-params-len ........................................................................................................................................................... 4
http-req-content-length.................................................................................................................................................... 4
http-req-header-length ..................................................................................................................................................... 4
http-req-param-length ..................................................................................................................................................... 5
http-req-uri-path-length .................................................................................................................................................. 5
http-req-uri-tilde-count-num ........................................................................................................................................... 5
http-rsp-code ................................................................................................................................................................... 6
http-rsp-content-length .................................................................................................................................................... 6
http-rsp-total-headers-len ................................................................................................................................................ 6
imap-req-cmd-param-len ................................................................................................................................................. 7
imap-req-first-param-len ................................................................................................................................................. 7
imap-req-param-len-from-second .................................................................................................................................... 7
smtp-req-helo-argument-length ....................................................................................................................................... 7
smtp-req-mail-argument-length ....................................................................................................................................... 8
smtp-req-rcpt-argument-length ........................................................................................................................................ 8
String Contexts (Pattern Match) ............................................................................................................................................. 8
dns-req-section ................................................................................................................................................................ 8
file-flv-body ..................................................................................................................................................................... 8
file-html-body ................................................................................................................................................................. 9
file-mov-body .................................................................................................................................................................. 9
file-office-content ............................................................................................................................................................ 9
file-pdf-body ................................................................................................................................................................... 9
file-riff-body .................................................................................................................................................................... 9
file-swf-body ................................................................................................................................................................... 9
ftp-req-params ................................................................................................................................................................ 9
ftp-rsp-banner ................................................................................................................................................................. 9
http-req-headers .............................................................................................................................................................. 9
http-req-host-header ...................................................................................................................................................... 10
http-req-message-body .................................................................................................................................................. 10
http-req-mime-form-data............................................................................................................................................... 10
http-req-params ............................................................................................................................................................ 11
http-req-uri-path ........................................................................................................................................................... 11
http-rsp-headers ............................................................................................................................................................ 11
imap-req-cmd-line ......................................................................................................................................................... 12
imap-req-first-param ..................................................................................................................................................... 12
imap-req-params-after-first-param ................................................................................................................................ 12
ms-ds-smb-req-share-name ............................................................................................................................................ 12
msrpc-req-bind-data ...................................................................................................................................................... 12
msssql-db-req-body ....................................................................................................................................................... 12
rtsp-req-headers ............................................................................................................................................................ 12
rtsp-req-uri-path ............................................................................................................................................................ 13
smtp-req-argument ........................................................................................................................................................ 13
smtp-rsp-content ........................................................................................................................................................... 13
ssh-req-banner ............................................................................................................................................................... 13
ssh-rsp-banner ............................................................................................................................................................... 13
ssl-req-certificate ........................................................................................................................................................... 14
ssl-req-client-hello ......................................................................................................................................................... 14
ssl-rsp-certificate ........................................................................................................................................................... 14
ssl-rsp-server-hello ......................................................................................................................................................... 15
telnet-req-client-data ..................................................................................................................................................... 15

Revision
2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

telnet-rsp-server-data ..................................................................................................................................................... 15
unknown-req-tcp-payload ............................................................................................................................................. 16
unknown-req-udp-payload ............................................................................................................................................ 16
unknown-rsp-tcp-payload ............................................................................................................................................. 16
unknown-rsp-udp-payload ............................................................................................................................................ 16
Context Qualifiers ................................................................................................................................................................ 16
Table 1: FTP Command Qualifiers ............................................................................................................................... 16
Table 2: FTP Vendor ID Qualifiers ............................................................................................................................... 16
Table 3: HTTP Header Field Qualifiers ........................................................................................................................ 16
Table 4: HTTP Method Qualifiers ................................................................................................................................ 16
Table 5: IMAP Command Qualifiers ............................................................................................................................ 17
Table 6: RTSP Method Qualifiers ................................................................................................................................. 17
Table 7: SMTP Method Qualifiers ................................................................................................................................ 17
Revision History ................................................................................................................................................................... 17

Revision
2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

Overview
This document describes the decoder contexts that can be used to develop custom IPS and custom application signatures.
The document is broken up into three sections. The first section describes all integer contexts, which apply to the greaterthan, less-than, and equal-to operators. These contexts are available for custom IPS signatures, but are not available for
custom application signatures. The second section describes all string contexts, which apply to the pattern-matching
operator. The final section provides tables of all qualifiers available to various contexts. Qualifiers can be used to further
refine and limit the scope of a custom signature, and are context-dependent.

Integer C ontexts (G reater than, Less than, Equal to)


ftp-req-params-len
Description: The length of the arguments to an FTP command, not including the command itself.
Example: This context provides the length of the text in bold.
put test.bin /test.bin

Qualifiers: This context can use FTP command (Table 1) and FTP vendor ID (Table 2) qualifiers to limit signatures to
specific FTP commands and known FTP clients.

http-req-content-length
Description: The content length of the HTTP request, as provided in the HTTP header of the request in the content-length
field.
Example: This context provides the integer in bold.
POST /foo.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102
Firefox/3.5.5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 43

http-req-header-length
Description: Length of the HTTP header of the request, excluding method, path, and HTTP version.
Example: This context provides the length of the text in bold.
GET /en-us/default.aspx HTTP/1.1
Host: www.example.com

Revision
2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0) Gecko/20100101


Firefox/10.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: MC0=1331060353560

Qualifiers: This context can use HTTP header field (Table 3) and HTTP method (Table 4) qualifiers to limit signatures to
HTTP headers with specific values for select header fields and for specific HTTP methods.

http-req-param-length
Description: Length of the URL query string.
Example: This context provides the length of the text in bold.
GET /en-us/default.aspx?page=1&view=full HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0) Gecko/20100101
Firefox/10.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: MC0=1331060353560

http-req-uri-path-length
Description: Length of the path, not including query string.
Example: This context provides the length of the text in bold.
GET /en-us/default.aspx?page=1&view=full HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0) Gecko/20100101
Firefox/10.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: MC0=1331060353560

Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific
HTTP methods.

http-req-uri-tilde-count-num
Description: Number of ~ characters in the path. The following encoded characters are included in this context:

%3A
%u003A
%u0589
%u2236

Revision
2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

%u007E
%u0303
%u223C
%uFF5E

Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific
HTTP methods.

http-rsp-code
Description: The number corresponding to the HTTP response code
Example: This context provides the integer in bold.
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 34113

http-rsp-content-length
Description: The content length of the HTTP response, as provided in the HTTP header of the response in the content-length
field
Example: This context provides the integer in bold.
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 34113

http-rsp-total-headers-len
Description: Length of the HTTP headers of the response, not including the HTTP status banner
Example: This context provides the length of the text in bold.
HTTP/1.1 200 OK
Cache-Control: no-cache

Revision
2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 34113

imap-req-cmd-param-len
Description: Total length of all parameters of an IMAP command
Example: This context provides the length of the text in bold.
LOGIN MyUsername MyPassword

Qualifiers: This context can use the IMAP command (Table 5) qualifier to limit signatures to specific IMAP commands.

imap-req-first-param-len
Description: Length of the first parameter of an IMAP command
Example: This context provides the length of the text in bold.
LOGIN MyUsername MyPassword

Qualifiers: This context can use the IMAP command (Table 5) qualifier to limit signatures to specific IMAP commands.

imap-req-param-len-from-second
Description: Total length of all parameters of an IMAP command, not including the first
Example: This context provides the length of the text in bold.
LOGIN MyUsername MyPassword

Qualifiers: This context can use the IMAP command (Table 5) qualifier to limit signatures to specific IMAP commands.

smtp-req-helo-argument-length
Description: Length of the argument to the SMTP HELO command
Example: This context provides the length of the text in bold.
HELO relay.example.org

Revision
2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

smtp-req-mail-argument-length
Description: Length of the argument to the SMTP MAIL FROM command
Example: This context provides the length of the text in bold.
MAIL FROM: [email protected]

smtp-req-rcpt-argument-length
Description: Length of the argument to the SMTP RCPT TO command
Example: This context provides the length of the text in bold.
RCPT TO: [email protected]

String C ontexts (Pattern Match)


dns-req-section
Description: This context matches against the DNS questions of a DNS query, so that patterns can be written against one or
more domains in a given DNS query. It is a direct pattern match against the format of a DNS query, so patterns must
adhere to the DNS question structure. A recommended approach to create a DNS pattern is to capture the DNS request
with Wireshark and copy the DNS Request field (make sure to remove the ending period in the request).
Example: The following example illustrates how to build a signature for a DNS query for the domain
www.bayareagamers.com.
The signature pattern is:
\x 03 77 77 77 10 74 68 65 62 61 79 61 72 65 61 67 61 6d 65 72 73 03 63 6f 6d\x

Pattern
\x
03
77 77 77
10
74 68 65 62 61 79 61 72 65 61 67 61 6d 65
72 73
03
63 6f 6d
\x

Description
Indicates this pattern is a hex pattern match
Indicates that the next 3 bytes are to be matched
"www"
[The period in the domain name is omitted.]
Indicates that the next 16 bytes (10 hex) are to be
matched
"thebayareagamers"
Indicates that the next 3 bytes are to be matched
"com"
Ends hex pattern match

file-flv-body
Revision
2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

Description: This context provides the full file body of an FLV file, minus the first 8 bytes.

file-html-body
Description: This context provides the full file body of a text file, minus the first 8 bytes.

file-mov-body
Description: This context provides the full file body of an MOV file, minus the first 8 bytes.

file-office-content
Description: This context provides the full file body of a Microsoft Office Document file, minus the first 8 bytes.

file-pdf-body
Description: This context provides the full file body of a PDF file, minus the first 8 bytes. Compressed data is provided as
decompressed data by the decoder.

file-riff-body
Description: This context provides the full file body of a RIFF file, minus the first 8 bytes.

file-swf-body
Description: This context provides the full file body of a SWF file, minus the first 8 bytes.

ftp-req-params
Description: This context provides the parameters following an FTP command.
Example: The context provides the text in bold.
put test.bin /test.bin

Qualifiers: This context can use FTP command (Table 1) and FTP vendor ID (Table 2) qualifiers to limit signatures to
specific FTP commands and known FTP clients.

ftp-rsp-banner
Description: This context provides the FTP welcome banner shown before authentication.

http-req-headers
Description: This context provides the HTTP header of a request, not include the method, path, HTTP version, and host.
Example: This context provides the text in bold.
GET /en-us/default.aspx HTTP/1.1

Revision
2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0) Gecko/20100101
Firefox/10.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: MC0=1331060353560

Qualifiers: This context can use HTTP header field (Table 3) and HTTP method (Table 4) qualifiers to limit signatures to
HTTP headers with specific values for select header fields and for specific HTTP methods.

http-req-host-header
Description: This context provides the host indicated by the Host field in the HTTP header of the request.
Example: This context provides the text in bold.
GET /en-us/default.aspx HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0) Gecko/20100101
Firefox/10.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: MC0=1331060353560

Qualifiers: This context can use HTTP header field (Table 3) and HTTP method (Table 4) qualifiers to limit signatures to
HTTP headers with specific values for select header fields and for specific HTTP methods.

http-req-message-body
Description: This context provides body content of an HTML request, when the body content cannot be recognized as URL
encoded or MIME type data using the Content-Type field.
Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific
HTTP methods.

http-req-mime-form-data
Description: This context provides all MIME header data in the body of an HTTP request, not including embedded file
contents.
Example: This context provides the data in bold.
------------------------------b2449e94a11c
Content-Disposition: form-data; name="image1"; filename="/tmp/current_file1"
Content-Type: application/octet-stream
[binary data follows not included]
------------------------------b2449e94a11c
Content-Disposition: form-data; name="image2"; filename="/tmp/current_file2"
Content-Type: application/octet-stream

Revision
2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

[binary data follows not included]

http-req-params
Description: This context provides the query string as well as parameters in the HTTP body for a POST method.
Example: This context provides the text in bold.
POST /foo.php?page=1&view=full HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
userid=joe&password=guessme

Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific
HTTP methods.

http-req-uri-path
Description: This context provides the path in the HTTP header of a request.
Example: This context provides the text in bold.
GET /en-us/default.aspx?page=1&view=full HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0) Gecko/20100101
Firefox/10.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific
HTTP methods.

http-rsp-headers
Description: This context provides the full HTTP header of a response, not including the HTTP banner.
Example: This context provides the text in bold.
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727

Revision
2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

X-Powered-By: ASP.NET
Content-Length: 34113

imap-req-cmd-line
Description: This context provides the IMAP command used.
Example: This context provides the text in bold.
LOGIN MyUsername MyPassword

imap-req-first-param
Description: This context provides the first parameter to an IMAP command.
Example: This context provides the text in bold.
LOGIN MyUsername MyPassword

Qualifiers: This context can use the IMAP command (Table 5) qualifier to limit signatures to specific IMAP commands.

imap-req-params-after-first-param
Description: This context provides the complete parameters to an IMAP command, not including the first parameter.
Example: This context provides the text in bold.
LOGIN MyUsername MyPassword

ms-ds-smb-req-share-name
Description: This context provides the full path to a file that is read or written using SMB.

msrpc-req-bind-data
Description: This context provides the data payload of an MS RPC Bind request.

msssql-db-req-body
Description: This context provides the request to a Microsoft SQL server, excluding the request header.

rtsp-req-headers
Description: This context provides the full RTSP request headers, not including the command line.
Example: This context provides the text in bold.

Revision
2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

PLAY rtsp://example.com/media.mp4/streamed=0 RTSP/1.0


CSeq: 2
Range: ntp=5-20
Session: 12345678

Qualifiers: This context can use the RTSP method (Table 6) qualifier to limit signatures to specific RTSP methods.

rtsp-req-uri-path
Description: This context provides the path of an RTSP request, not including the command line.
Example: This context provides the text in bold.
PLAY rtsp://example.com/media.mp4/streamed=0 RTSP/1.0
CSeq: 2
Range: ntp=5-20
Session: 12345678

Qualifiers: This context can use the RTSP method (Table 6) qualifier to limit signatures to specific RTSP methods.

smtp-req-argument
Description: This context provides the argument of an SMTP command.
Example: This context provides the text in bold.
HELO relay.example.org

Qualifiers: This context can use the SMTP method (Table 7) qualifier to limit signatures to specific SMTP methods.

smtp-rsp-content
Description: This context provides all SMTP server response content.

ssh-req-banner
Description: This context provides the SSH banner of the client, not including comments.
Example: This context provides the text in bold.
SSH-2.0-OpenSSH_5.2

ssh-rsp-banner
Description: This context provides the SSH banner of the server, not including comments.
Example: This context provides the text in bold.
SSH-2.0-OpenSSH_5.2

Revision
2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

ssl-req-certificate
Description: This context provides the handshake message data of an SSL negotiation message for Certificate messages from
the client.
Example: This context provides the data in blue from the clients SSL negotiation message, when the message type is
certificate (11).

Byte +0

Byte 0

22

Byte +2

Byte +3


Version

Bytes 1..4
Bytes 5..8

Byte +1

(Major)

Length
(Minor)

Message Type = 11
(Certificate)

Bytes 9.. (n-1)

(bits 15..8)

(bits 7..0)

Handshake message data length


(bits 23..16)

(bits 15..8)

(bits 7..0)

Handshake message data

ssl-req-client-hello
Description: This context provides the handshake message data of an SSL negotiation message for ClientHello messages
from the client.
Example: This context provides the data in blue from the clients SSL negotiation message, when the message type is
ClientHello (1).

Byte +0

Byte 0

22

Bytes 1..4
Bytes 5..8
Bytes 9.. (n-1)

Byte +1

Byte +2

Byte +3


Version

(Major)
Message Type = 1
(ClientHello)

Length
(Minor)

(bits 15..8)

(bits 7..0)

Handshake message data length


(bits 23..16)

(bits 15..8)

(bits 7..0)

Handshake message data

ssl-rsp-certificate
Description: This context provides the handshake message data of an SSL negotiation message for Certificate messages from
the server.

Revision
2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

Example: This context provides the data in blue from the servers SSL negotiation message, when the message type is
certificate (11).

Byte +0

Byte 0

22

Byte +2

Byte +3


Version

Bytes 1..4
Bytes 5..8

Byte +1

(Major)

Length
(Minor)

Message Type = 11
(Certificate)

Bytes 9.. (n-1)

(bits 15..8)

(bits 7..0)

Handshake message data length


(bits 23..16)

(bits 15..8)

(bits 7..0)

Handshake message data

ssl-rsp-server-hello
Description: This context provides the handshake message data of an SSL negotiation message for ServerHello messages
from the server.
Example: This context provides the data in blue from the clients SSL negotiation message, when the message type is
ServerHello (2).

Byte +0

Byte 0

22

Byte +2

(Major)
Message Type = 2
(ServerHello)

Bytes 9.. (n-1)

Byte +3


Version

Bytes 1..4
Bytes 5..8

Byte +1

Length
(Minor)

(bits 15..8)

(bits 7..0)

Handshake message data length


(bits 23..16)

(bits 15..8)

Handshake message data

telnet-req-client-data
Description: This context provides full telnet payloads for all traffic originating from the client.

telnet-rsp-server-data
Description: This context provides full telnet payloads for all traffic originating from the server.

Revision
2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

(bits 7..0)

unknown-req-tcp-payload
Description: This context provides the full TCP payload for unknown UPD traffic originating from the client.

unknown-req-udp-payload
Description: This context provides the full UDP payload for unknown UPD traffic originating from the client, which is the
initiator of UDP communications.

unknown-rsp-tcp-payload
Description: This context provides the full TCP payload for unknown UPD traffic originating from the server.

unknown-rsp-udp-payload
Description: This context provides the full UDP payload for unknown UPD traffic originating from the server, which is
opposite the client.

C ontext Qualifiers
Table 1: FTP C ommand Qualifiers
FTP command qualifiers can be added to custom signatures that use FTP-related contexts to limit a match condition to
specific FTP commands.
ABOR
DELE
MODE
PWD
RNTO
STRU
XCRC

ACCT
EHLO
NLIST
QUIT
SITE
SYST
XMD5

ALLO
ERPT
OPTS
REIN
SIZE
TEST
XSHA1

APPE
HELO
PASS
REST
SMNT
TYPE

AUTH
LIST
PASV
RETR
STAT
UNKNOWN_COMMAND

CDUP
MDTM
PBSZ
RMD
STOR
UNLOCK

CWD
MKD
PORT
RNFR
STOU
USER

Table 2: FTP Vendor ID Qualifiers


FTP vendor ID qualifiers can be added to custom signatures that use FTP-related contexts to limit a match condition to
specific FTP clients.
CEASERFTP
PROFTPD
WUFTP

EASY_FILE_SHARING_FTP
SERV_U

FILE_COPA_FTP
UNKNOWN_FTP_SERVER

FREEFTPD
VSFTPD

MICROSOFTFTP
WARFTPD

NETTERM
WS_FTP

Table 3: HTTP Header Field Qualifiers


HTTP header field qualifiers can be added to custom signatures that use HTTP-related contexts to limit a match condition
to HTTP headers that have specific values for select header fields.
ACCEPT_LANGUAGE

AUTHORIZATION

CONTENT_ENCODING

CONTENT_LENGTH

CONTENT_TYPE

IF_MOD_SINCE

SUBSCRIBE_HDR

TRANSFER_ENCODING

UNKNOWN_HDR

X_FORWARD_FOR

HOST

Table 4: HTTP Method Qualifiers


HTTP method qualifiers can be added to custom signatures that use HTTP-related contexts to limit a match condition to
HTTP headers that use specific HTTP methods.
BCOPY
CONNECT

BDELETE
COPY

BITS_POST
DELETE

BMOVE
GET

Revision
2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

BPROPFIND
HEAD

BPROPPATCH
LINK

CCM_POST
LOCK

MKCOL
PROPPATCH
SUBSCRIBE

MOVE
PROXY_SUCCESS
TRACE

NOTIFY
PUT
TRACK

OPTIONS
RPC_CONNECT
UNKNOWN_METHOD

POLL
SEARCH
UNLINK

POST
SMS_POST
UNLOCK

PROPFIND
SOURCE
UNSUBSCRIBE

Table 5: IMAP C ommand Qualifiers


IMAP command qualifiers can be added to custom signatures that use IMAP-related contexts to limit a match condition to
specific IMAP commands.
APPEND
DELETE
LOGIN
STATUS

AUTHENTICATE
EXAMINE
LSUB
SUBSCRIBE

CAPABILITY
EXPUNGE
NOOP
UNKNOWN_COMMAND

CHECK
FETCH
RENAME
UNSUBSCRIBE

CLOSE
FIND
SEARCH

COPY
IDLE
SELECT

CREATE
LIST
STARTTLS

Table 6: RTSP Method Qualifiers


RTSP method qualifiers can be added to custom signatures that use RTSP-related contexts to limit a match condition to
specific RTSP methods.
ANNOUNCES
PLAY
SETUP_PARAMETER

DESCRIBE
RECORD
TEAR_DOWN

GET_PARAMETER
REDIRECT
UNKNOWN_METHOD

OPTIONS
SET_PARAMETER

PAUSE
SETUP

Table 7: SMTP Method Qualifiers


SMTP method qualifiers can be added to custom signatures that use SMTP-related contexts to limit a match condition to
specific SMTP methods.
AUTH
RCPT
USER

BDAT
RSET
VRFY

DATA
SAML
XEXCH50

EHLO
SEND
XEXPS

Revision H istory
Date
03/07/12

Revision
-

Comment
Tech note created.

Revision
2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

HELO
SOML
XLINK2STATE

MAIL
STARTTLS
XTELLMAIL

QUIT
UNKNOWN_CMD

You might also like