
    Reference: Custom Attack Object Service Contexts

    The Juniper Networks Security Center team develops predefined service contexts you can use when you create custom attack objects. The predefined service contexts are added or modified during routine signature updates.

    The following tables describe the predefined service contexts that are available in the NSM custom attack object wizard.

    Table 1: Service Contexts: AIM

    Context and Direction

    Description

    aim-auth-request-msg (ANY)

    Matches the message sent from one user to another when requesting authorization to add to the buddy list.

    aim-away-message (CTS)

    Matches the message sent to other clients when a user changes status to 'away'.

    aim-buddy-comment (ANY)

    Matches the comment stored for a buddy in the contact list.

    aim-capabilities (ANY)

    Matches the set of features supported by the client.

    aim-chat-info (STC)

    Matches the information about a chatroom.

    aim-chat-interests (STC)

    Matches the categories of personal interests in a user's profile.

    aim-chat-room-desc (STC)

    Matches the description of a chatroom.

    aim-chat-room-name (STC)

    Matches the name of a chatroom in an AIM/ICQ session.

    aim-client-ip (STC)

    Matches the IP address of the client for direct P2P communication.

    aim-client-port (STC)

    Matches the port that the client is listening on for P2P communication.

    aim-client-status (STC)

    Matches the user's online status.

    aim-decline-reason (ANY)

    Matches the decline reason when a client refuses to be added to another user's contact list.

    aim-descripted-url (ANY)

    Matches the description and URL when sending a Web page to another address.

    aim-email-address (STC)

    Matches the e-mail address of a user as it appears in the profile.

    aim-error-url (STC)

    Matches the URL on the server where the user can reconfigure the account password.

    aim-gcard-message (ANY)

    Matches the message associated with a greeting card.

    aim-gcard-recipient (ANY)

    Matches the screen name of a greeting card recipient.

    aim-gcard-sender (ANY)

    Matches the screen name of a greeting card sender.

    aim-gcard-theme (ANY)

    Matches the theme of a greeting card sent from one client to another.

    aim-gcard-title (ANY)

    Matches the title of a greeting card sent from one user to another.

    aim-gcard-url (ANY)

    Matches the URL of the greeting card sent from one user to another.

    aim-get-file (STC)

    Matches the name of a file that the user is transferring from a peer.

    aim-group (ANY)

    Matches the name of a group of items (usually buddies).

    aim-info-text (STC)

    Matches additional information text that appears in a user's profile.

    aim-local-ip (CTS)

    Matches the IP address of a client used for P2P communication.

    aim-local-port (CTS)

    Matches the local port that the client is listening on for P2P communication.

    aim-message-block (ANY)

    Matches the instant message sent from one user to another.

    aim-message-description (ANY)

    Matches the description of a message.

    aim-nick-name (ANY)

    Matches the nickname of an AIM/ICQ user.

    aim-oft-content (ANY)

    Matches the contents of a file being transferred between peers.

    aim-oft-name (ANY)

    Matches the name of a file being transferred between peers.

    aim-peer-ip (STC)

    Matches the IP address of a peer for direct P2P communication.

    aim-peer-port (STC)

    Matches the port of a peer for direct P2P communication.

    aim-put-file (CTS)

    Matches the name of a file that the user is transferring to a peer.

    aim-screen-name (ANY)

    Matches the screen name of a user.

    aim-server-ip (STC)

    Matches the IP address of a server. Typically used when the main server redirects the client to another server.

    aim-server-url (STC)

    Matches any URL on the server.

    aim-url (ANY)

    Matches the URL of a user's profile.

    aim-xml-value (STC)

    Matches the XML string sent by the server with the value of a requested URL.

    Table 2: Service Contexts: BGP

    Context and Direction

    Description

    bgp-keepalive-msg (ANY)

    Matches the BGP keep alive message.

    bgp-message (ANY)

    Matches any BGP message.

    bgp-notification-msg (ANY)

    Matches the BGP notification message.

    bgp-open-msg (ANY)

    Matches the BGP open message.

    bgp-open-no-parm (ANY)

    Matches the BGP open message without optional parameters.

    bgp-open-parm (ANY)

    Matches the optional parameters in the BGP open message.

    bgp-update-attr-aggregator (ANY)

    Matches the Aggregator path attribute data in the BGP update message.

    bgp-update-attr-as-path (ANY)

    Matches the AS path attribute data in the BGP update message.

    bgp-update-attr-atomic-aggr (ANY)

    Matches the atomic-aggregator path attribute data in the BGP update message.

    bgp-update-attr-cluster-list (ANY)

    Matches the Cluster-List path attribute data in the BGP update message.

    bgp-update-attr-communities (ANY)

    Matches the Communities path attribute data in the BGP update message.

    bgp-update-attr-local-pref (ANY)

    Matches the Local-Pref path attribute data in the BGP update message.

    bgp-update-attr-med (ANY)

    Matches the Multi-Exit-Disc path attribute data in the BGP update message.

    bgp-update-attr-next-hop (ANY)

    Matches the Next-Hop path attribute data in the BGP update message.

    bgp-update-attr-nonstd (ANY)

    Matches any Non-Standard path attribute data in the BGP update message.

    bgp-update-attr-rigin (ANY)

    Matches the Origin path attribute data in the BGP update message.

    bgp-updet-attr-originator (ANY)

    Matches the Originator path attribute data in the BGP update message.

    bgp-update-msg (ANY)

    Matches the BGP update message.

    bgp-update-nlri_infor (ANY)

    Matches the Network Layer Reachability Information in the BGP update message.

    bgp-update-norm-unfeasible-rte (ANY)

    Matches the unfeasible routes data in the BGP update message. This context shows each route expanded to 4 bytes, prefixed by a delimiter.

    bgp-update-total-path-attribute (ANY)

    Matches the Total Path Attribute data in the BGP update message.

    bgp-update-unfeasible-rts (ANY)

    Matches the unfeasible routes data in the BGP update message.

    Table 3: Service Contexts: DHCP

    Context and Direction

    Description

    dhcp-file-name (ANY)

    Matches the filename in a DHCP/bootp message.

    dhcp-option (ANY)

    Matches each option in a DHCP/bootp message. Each option context contains the type and length of the option.

    dhcp-server-name (ANY)

    Matches the server name in a DHCP/bootp message.

    Table 4: Service Contexts: DNS

    Context and Direction

    Description

    dns-cname (ANY)

    Matches the CNAME in a DNS request or response.

    dns-rr-a6-rdata (ANY)

    Matches the rdata of an A6 RR in a DNS request or response.

    dns-rr-afsdb-rdata (ANY)

    Matches the rdata of an AFSDB RR in a DNS request or response.

    dns-rr-apl-rdata (ANY)

    Matches the rdata of an APL RR in a DNS request or response.

    dns-rr-atma-rdata (ANY)

    Matches the rdata of an ATMA RR in a DNS request or response.

    dns-rr-cname-rdata (ANY)

    Matches the rdata of a CNAME RR in a DNS request or response.

    dns-rr-dnskey-rdata (ANY)

    Matches the rdata of a DNSKEY RR in a DNS request or response.

    dns-rr-ds-rdata (ANY)

    Matches the rdata of a DS RR in a DNS request or response.

    dns-rr-eid-rdata (ANY)

    Matches the rdata of an EID RR in a DNS request or response.

    dns-rr-hinfo-rdata (ANY)

    Matches the rdata of an HINFO RR in a DNS request or response.

    dns-rr-key-rdata (ANY)

    Matches the rdata of a KEY RR in a DNS request or response.

    dns-rr-kx-rdata (ANY)

    Matches the rdata of a KX RR in a DNS request or response.

    dns-rr-mb-rdata (ANY)

    Matches the rdata of an MB RR in a DNS request or response.

    dns-rr-md-rdata (ANY)

    Matches the rdata of an MD RR in a DNS request or response.

    dns-rr-mf-rdata (ANY)

    Matches the rdata of an MF RR in a DNS request or response.

    dns-rr-mg-rdata (ANY)

    Matches the rdata of an MG RR in a DNS request or response.

    dns-rr-minfo-rdata (ANY)

    Matches the rdata of an MINFO RR in a DNS request or response.

    dns-rr-mr-rdata (ANY)

    Matches the rdata of an MR RR in a DNS request or response.

    dns-rr-mx-rdata (ANY)

    Matches the rdata of an MX RR in a DNS request or response.

    dns-rr-naptr-rdata (ANY)

    Matches the rdata of a NAPTR RR in a DNS request or response.

    dns-rr-nimloc-rdata (ANY)

    Matches the rdata of an NIMLOC RR in a DNS request or response.

    dns-rr-ns-rdata (ANY)

    Matches the rdata of an NS RR in a DNS request or response.

    dns-rr-nsap-rdata (ANY)

    Matches the rdata of an NSAP RR in a DNS request or response.

    dns-rr-nsapptr-rdata (ANY)

    Matches the rdata of an NSAPPTR RR in a DNS request or response.

    dns-rr-nsec-rdata (ANY)

    Matches the rdata of an NSEC RR in a DNS request or response.

    dns-rr-null-rdata (ANY)

    Matches the rdata of a NULL RR in a DNS request or response.

    dns-rr-nxt-rdata (ANY)

    Matches the rdata of an NXT RR in a DNS request or response.

    dns-rr-ptr-rdata (ANY)

    Matches the rdata of a PTR RR in a DNS request or response.

    dns-rr-px-rdata (ANY)

    Matches the rdata of a PX RR in a DNS request or response.

    dns-rr-rp-rdata (ANY)

    Matches the rdata of an RP RR in a DNS request or response.

    dns-rr-rrsig-rdata (ANY)

    Matches the rdata of an RRSIG RR in a DNS request or response.

    dns-rr-sig-rdata (ANY)

    Matches the rdata of a SIG RR in a DNS request or response.

    dns-rr-soa-rdata (ANY)

    Matches the rdata of an SOA RR in a DNS request or response.

    dns-rr-sshfp-data (ANY)

    Matches the rdata of an SSHFP RR in a DNS request or response.

    dns-rr-tsip-rdata (ANY)

    Matches the rdata of a TSIP RR in a DNS request or response.

    dns-rr-txt-rdata (ANY)

    Matches the rdata of a TXT RR in a DNS request or response.

    dns-rr-type-rdata (ANY)

    Matches the entire resource record in a DNS request or response, including the type and class.

    dns-rr-wks-rdata (ANY)

    Matches the rdata of a WKS RR in a DNS request or response.

    dns-type-name (ANY)

    Matches any name resource record in a DNS request or response. The first 2 bytes of the context contain the RFC-1035 type values.

    dns-update-header

    Matches the header of a DNS UPDATE request or response.

    Table 5: Service Contexts: Finger

    Context and Direction

    Description

    finger-host (CTS)

    Matches each hostname in a FINGER request.

    finger-user (CTS)

    Matches the username in a FINGER request.

    Table 6: Service Contexts: First Data Packet

    Context and Direction

    Description

    first-data-packet (ANY)

    Matches the first data packet of a session.

    first-packet (ANY)

    Matches the first packet of a session.

    Table 7: Service Contexts: FTP

    Context and Direction

    Description

    ftp-account (CTS)

    Matches the FTP login account name.

    ftp-banner (STC)

    Matches the banner returned by the server at the start of an FTP session.

    ftp-command (CTS)

    Matches each of the FTP command names.

    ftp-cwd-pathname (CTS)

    Matches the directory name in the CWD command of an FTP session.

    ftp-dele-pathname (CTS)

    Matches the file name in the DELE command of an FTP session.

    ftp-get-filename (CTS)

    Matches the filename in the GET command of an FTP session.

    ftp-list-pathname (CTS)

    Matches the directory or file name in the LIST command of an FTP session.

    ftp-mkd-pathname (CTS)

    Matches the directory name in the MKD command of an FTP session.

    ftp-nlst-pathname (CTS)

    Matches the directory or file name in the NLST command of an FTP session.

    ftp-password (CTS)

    Matches the FTP login password.

    ftp-pathname (CTS)

    Matches a directory or file name in any of the FTP commands.

    ftp-put-filename (CTS)

    Matches the filename in the PUT command of an FTP session.

    ftp-reply-100-line (STC)

    Matches the FTP 1yz Positive Preliminary reply.

    ftp-reply-200-line (STC)

    Matches the FTP 2yz Positive Completion reply.

    ftp-reply-300-line (STC)

    Matches the FTP 3yz Positive Intermediate reply.

    ftp-reply-400-line (STC)

    Matches the FTP 4yz Transient Negative Completion reply.

    ftp-reply-500-line (STC)

    Matches the FTP 5yz Permanent Negative Completion reply.

    ftp-reply-line (STC)

    Matches the FTP reply line.

    ftp-request (CTS)

    Matches the FTP request line (command and arguments).

    ftp-rmd-pathname (CTS)

    Matches the directory name in the RMD command of an FTP session.

    ftp-rnfr-pathname (CTS)

    Matches a directory or file name in the RNFR command of an FTP session.

    ftp-rnto-pathname (CTS)

    Matches a directory or file name in the RNTO command of an FTP session.

    ftp-sitestring (CTS)

    Matches the arguments of the SITE command in an FTP session.

    ftp-smnt-pathname (CTS)

    Matches the directory or file name in the SMNT command of an FTP session.

    ftp-stat-pathname (CTS)

    Matches the directory or file name in the STAT command of an FTP session.

    ftp-username (CTS)

    Matches the FTP login user name.

    Table 8: Service Contexts: Gnutella

    Context and Direction

    Description

    gnutella-connect-fail-reason (STC)

    Matches the connection fail reason string in a Gnutella connection.

    gnutella-connect-header (ANY)

    Matches the contents of the HTTP-style CONNECT message in a Gnutella session.

    gnutella-http-get-filename (CTS)

    Matches the name of the file that the client intends to retrieve.

    gnutella-http-header (ANY)

    Matches any HTTP-style headers in a Gnutella session.

    gnutella-queryhit-vendor (STC)

    Matches the 4-byte vendor code in the reply for the QUERYHIT message.

    gnutella-search-criteria (CTS)

    Matches the search criteria in a QUERY message of a Gnutella session.

    gnutella-user-agent (ANY)

    Matches the name of the user agent in a Gnutella session.

    Table 9: Service Contexts: Gopher

    Context and Direction

    Description

    gopher-display (STC)

    Matches the display string of a Gopher item.

    gopher-file (STC)

    Matches the contents of a Gopher item/file.

    gopher-host-port (STC)

    Matches the host and port used to get an item.

    gopher-selector (STC)

    Matches the selector string of a Gopher item.

    Table 10: Service Contexts: H225

    Context and Direction

    Description

    h225ras-admission (ANY)

    Matches H225RAS admission messages (AdmissionConfirm, AdmissionReject, AdmissionRequest).

    h225ras-bandwidth (ANY)

    Matches H225RAS bandwidth messages (BandwidthConfirm, BandwidthReject, BandwidthRequest).

    h225ras-command-state (ANY)

    Matches the state of the H225RAS connection.

    h225ras-disengage (ANY)

    Matches H225RAS disengage messages (DisengageConfirm, DisengageReject, DisengageRequest).

    h225ras-gatekeeper (ANY)

    Matches H225RAS gatekeeper messages (GatekeeperConfirm, GatekeeperReject, GatekeeperRequest).

    h225ras-info (ANY)

    Matches H225RAS informational messages (InfoRequestAck, InfoRequestResponse, InfoRequest).

    h225ras-location (ANY)

    Matches H225RAS location messages (LocationConfirm, LocationReject, LocationRequest).

    h225ras-message (ANY)

    Matches the broad H225RAS message context.

    h225ras-nonstandard (ANY)

    Matches the H225RAS nonstandard message context.

    h225ras-registration (ANY)

    Matches the H225RAS registration message.

    h225ras-resource (ANY)

    Matches H225RAS resources available messages (ResourcesAvailableConfirm, ResourcesAvailableIndicate).

    h225ras-rip (STC)

    Matches the H225RAS request-in-progress message.

    h225ras-servicecontrol (CTS)

    Matches the H225RAS service control message.

    h225ras-unknown-message (ANY)

    Matches the H225RAS Unknown message type.

    h225ras-unregistration (ANY)

    Matches the H225RAS unregistration message.

    h225ras-unspecified-message (ANY)

    Matches the H225RAS unspecified message.

    h225ras-version (ANY)

    Matches the H225RAS version message.

    h225sgn-message (ANY)

    Matches the H225SGN message body starting with the message-type byte.

    h225sgn-preamble (ANY)

    Matches the H225SGN signaling protocol discriminator and call reference value.

    Table 11: Service Contexts: HTTP

    Context and Direction

    Description

    http-authorization (CTS)

    Matches the username and password decoded from the Authorization: Basic header in an HTTP request.

    http-data (ANY)

    Matches any HTTP data in an HTTP transaction that is not text/html, text/plain, or FORM values in a POST request.

    http-first-data-chunk (ANY)

    Matches the first data chunk in an HTTP transaction.

    http-form-data (CTS)

    Matches each of the form values in a POST request of an HTTP transaction.

    http-get-url (CTS)

    Matches the URL in an HTTP get request as it appears in the stream.

    http-get-url-parsed (CTS)

    Matches the decoded, normalized URL in an HTTP get request.

    http-get-url-parsed-param (CTS)

    Matches the decoded, normalized URL in an HTTP get request along with any CGI parameters.

    http-get-url-parsed-param-parsed (CTS)

    Matches the decoded, normalized URL in an HTTP GET request along with any decoded CGI parameters.

    http-head-url (CTS)

    Matches the URL in an HTTP head request as it appears in the stream.

    http-head-url-parsed (CTS)

    Matches the decoded, normalized URL in an HTTP head request.

    http-header (ANY)

    Matches any HTTP header.

    http-header-accept (CTS)

    Matches each Accept: header in an HTTP request.

    http-header-accept-encoding (CTS)

    Matches each Accept-Encoding: header in an HTTP request.

    http-header-accept-language (CTS)

    Matches each Accept-Language: header in an HTTP request.

    http-header-content-encoding (ANY)

    Matches each Content-Encoding: header in an HTTP transaction.

    http-header-content-language (ANY)

    Matches each Content-Language: header in an HTTP transaction.

    http-header-content-location (ANY)

    Matches each Content-Location: header in an HTTP transaction.

    http-header-content-md5 (ANY)

    Matches each Content-MD5: header in an HTTP transaction.

    http-header-content-type (ANY)

    Matches each Content-Type: header in an HTTP transaction.

    http-header-cookie (ANY)

    Matches each Cookie: header in an HTTP transaction.

    http-header-host (CTS)

    Matches each Host: header in an HTTP request.

    http-header-referer (CTS)

    Matches each Referer: header in an HTTP request.

    http-header-server (STC)

    Matches each Server: header in an HTTP reply.

    http-header-soapaction (ANY)

    Matches each soapaction: header in an HTTP transaction.

    http-header-user-agent (CTS)

    Matches each User-Agent: header in an HTTP request.

    http-image (ANY)

    Matches image contents (BMP, PNG) in an HTTP transaction.

    http-jpeg-raw (ANY)

    Matches JPEG content in an HTTP transaction.

    http-jpeg-tag (ANY)

    Matches a JPEG tag of JPEG content in an HTTP transaction.

    http-object-tag-clsid (STC)

    Matches the CLSID of an object tag.

    http-param-parsed (CTS)

    Matches the decoded CGI parameters in an HTTP request.

    http-png-chunk (ANY)

    Matches the contents of a PNG chunk in an HTTP transaction.

    http-post-url (CTS)

    Matches the URL in an HTTP post request as it appears in the stream.

    http-post-url-parsed (CTS)

    Matches the decoded, normalized URL in an HTTP post request.

    http-post-variable (CTS)

    Matches each CGI variable in the form data of an HTTP POST request.

    http-post-variable-parsed (CTS)

    Matches each decoded CGI variable in the form data of an HTTP POST request.

    http-request (CTS)

    Matches each HTTP request line.

    http-request-method (CTS)

    Matches the method name in an HTTP request.

    http-status (STC)

    Matches the status line in an HTTP reply.

    http-text-html (ANY)

    Matches the text/html data in an HTTP transaction.

    http-text-html-head (ANY)

    Matches the header of text/html data in an HTTP transaction.

    http-text-html-script (ANY)

    Matches the script tag of text/html data in an HTTP transaction.

    http-text-html-style (ANY)

    Matches the style tag of text/html data in an HTTP transaction.

    http-text-html-tag (ANY)

    Matches any tag inside text/html data in an HTTP transaction.

    http-text-plain (ANY)

    Matches the text/plain data in an HTTP transaction.

    http-text-soap (ANY)

    Matches the text/soap data in an HTTP transaction.

    http-text-xml (ANY)

    Matches the text/xml data in an HTTP transaction.

    http-url (CTS)

    Matches the URL in an HTTP request as it appears in the stream.

    http-url-parsed (CTS)

    Matches the decoded, normalized URL in an HTTP request.

    http-url-variable (CTS)

    Matches each CGI variable in the URL of an HTTP GET request.

    http-url-variable-parsed (CTS)

    Matches each decoded CGI variable in the URL of an HTTP GET request.

    http-variable (CTS)

    Matches each CGI variable in an HTTP GET or POST request.

    http-variable-parsed (CTS)

    Matches each decoded CGI variable in an HTTP GET or POST request.

    Table 12: Service Contexts: IEC

    Context and Direction

    Description

    iec104-message-type-i (ANY)

    Matches the Type-I message of IEC104.

    iec104-message-type-s (ANY)

    Matches the Type-S message of IEC104.

    iec104-message-type-u (ANY)

    Matches the Type-U message of IEC104.

    Table 13: Service Contexts: IMAP

    Context and Direction

    Description

    imap-append (CTS)

    Matches the e-mail contents in an IMAP append message.

    imap-append-line (CTS)

    Matches arguments of IMAP Append command line in an IMAP session.

    imap-authenticate (CTS)

    Matches arguments of IMAP Authenticate command in an IMAP session.

    imap-banner (STC)

    Matches arguments of the first untagged OK response from an IMAP session.

    imap-command (CTS)

    Matches each IMAP command name in an IMAP session.

    imap-command-line (CTS)

    Matches each IMAP command name and arguments in an IMAP session.

    imap-copy (CTS)

    Matches arguments of IMAP Copy command in an IMAP session.

    imap-create (CTS)

    Matches arguments of IMAP Create command in an IMAP session.

    imap-delete (CTS)

    Matches arguments of IMAP Delete command in an IMAP session.

    imap-deleteacl (CTS)

    Matches arguments of IMAP DeleteACL command in an IMAP session.

    imap-examine (CTS)

    Matches arguments of IMAP Examine command in an IMAP session.

    imap-fetch (CTS)

    Matches arguments of IMAP Fetch command in an IMAP session.

    imap-getacl (CTS)

    Matches arguments of IMAP GetACL command in an IMAP session.

    imap-list (CTS)

    Matches arguments of IMAP List/RList command in an IMAP session.

    imap-listrights (CTS)

    Matches arguments of IMAP ListRights command in an IMAP session.

    imap-login (CTS)

    Matches arguments of IMAP Login command in an IMAP session.

    imap-lsub (CTS)

    Matches arguments of IMAP LSUB/RLSUB command in an IMAP session.

    imap-mailbox (CTS)

    Matches each mailbox name in an IMAP session.

    imap-myrights (CTS)

    Matches arguments of IMAP MyRights command in an IMAP session.

    imap-rename (CTS)

    Matches arguments of IMAP Rename command in an IMAP session.

    imap-search (CTS)

    Matches arguments of IMAP Search command in an IMAP session.

    imap-select (CTS)

    Matches arguments of IMAP Select command in an IMAP session.

    imap-setacl (CTS)

    Matches arguments of IMAP SetACL command in an IMAP session.

    imap-status (CTS)

    Matches arguments of IMAP Status command in an IMAP session.

    imap-store (CTS)

    Matches arguments of IMAP Store command in an IMAP session.

    imap-subscribe (CTS)

    Matches arguments of IMAP Subscribe command in an IMAP session.

    imap-uid (CTS)

    Matches arguments of IMAP UID command in an IMAP session.

    imap-unsubscribe (CTS)

    Matches arguments of IMAP Unsubscribe command in an IMAP session.

    imap-user (CTS)

    Matches the IMAP user name in an IMAP session.

    Table 14: Service Contexts: IRC

    Context and Direction

    Description

    irc-command (ANY)

    Matches any IRC command name.

    irc-join-chan (ANY)

    Matches the channel name in the JOIN command of an IRC session.

    irc-nick-name (ANY)

    Matches the name in the NICK command of an IRC session.

    irc-notice-msg (ANY)

    Matches the message in the NOTICE command of an IRC session.

    irc-oper-name (ANY)

    Matches the name in the OPER command of an IRC session.

    irc-oper-password (ANY)

    Matches the password in the OPER command of an IRC session.

    irc-part-chan (ANY)

    Matches the channel name in the PART command of an IRC session.

    irc-password (ANY)

    Matches the password in the PASS command of an IRC session.

    irc-priv-msg (ANY)

    Matches the message in the PRIVMSG command of an IRC session.

    irc-real-name (ANY)

    Matches the real name in the USER command of an IRC session.

    irc-topic (ANY)

    Matches the arguments of the TOPIC command of an IRC session.

    irc-user-name (ANY)

    Matches the name in the USER command of an IRC session.

    Table 15: Service Contexts: LDAP

    Context and Direction

    Description

    ldap-abandon-request (CTS)

    Matches the entire Abandon Request message.

    ldap-add-request (CTS)

    Matches the entire Add Request message.

    ldap-add-request-attribute (CTS)

    Matches each attribute in an Add Request message. The values are NULL delimited, and the type and values are newline delimited.

    ldap-add-request-attributetype (CTS)

    Matches the type of each attribute in an Add Request message.

    ldap-add-request-attributevalue (CTS)

    Matches the value of each attribute in an Add Request message.

    ldap-add-request-entry (CTS)

    Matches the object in an Add Request message.

    ldap-bind-request (CTS)

    Matches the entire LDAP Bind Request message.

    ldap-bind-request-authentication (CTS)

    Matches the authentication information in a Bind Request message including the 1-byte type.

    ldap-bind-request-ldapDN (CTS)

    Matches the name of the directory object to which the client wants to bind.

    ldap-bind-request-version (CTS)

    Matches the LDAP version in a Bind Request message.

    ldap-compare-request (CTS)

    Matches the entire Compare Request message.

    ldap-compare-request-assertionvalue (CTS)

    Matches the value against which the attribute value is compared in a Compare Request message.

    ldap-compare-request-attributedesc (CTS)

    Matches the attribute type of an entry in a Compare Request message.

    ldap-compare-request-entry (CTS)

    Matches the entry of the DN to be compared in a Compare Request message.

    ldap-delete-request (CTS)

    Matches the entire Delete Request message.

    ldap-extended-request (CTS)

    Matches the entire Extended Request message.

    ldap-extended-request-requestName (CTS)

    Matches the request name in the Extended Request message.

    ldap-extended-request-requestValue (CTS)

    Matches the request value in the Extended Request message.

    ldap-extended-response-response (STC)

    Matches the response field in the Extended Response message.

    ldap-extended-response-responseName (STC)

    Matches the response name in the Extended Response message.

    ldap-modify-request (CTS)

    Matches the entire Modify Request message.

    ldap-modify-request-attribute (CTS)

    Matches each attribute in a Modify Request message including the 1-byte modify operation. The values are NULL delimited, and the type and values are newline delimited.

    ldap-modify-request-attributetype (CTS)

    Matches each attribute type in a Modify Request message.

    ldap-modify-request-attributevalue (CTS)

    Matches each attribute value in a Modify Request message.

    ldap-modify-request-object (CTS)

    Matches the object in the Modify Request message.

    ldap-modifyDN-request (CTS)

    Matches the entire Modify-DN Request message.

    ldap-modifyDN-request-entry (CTS)

    Matches the DN of the entry in a Modify-DN Request message.

    ldap-modifyDN-request-newRDN (CTS)

    Matches the new DN that replaces the old DN in a Modify-DN Request message.

    ldap-modifyDN-request-newsuperior (CTS)

    Matches the new DN that becomes the parent of the existing DN entry in a Modify-DN Request message.

    ldap-result (STC)

    Matches the entire Result message, including the 1-byte response type.

    ldap-result-errorMessage (STC)

    Matches the error message in the result.

    ldap-result-matchedDN (STC)

    Matches the base object in the Result message, including the 1-byte tag.

    ldap-result-referral (STC)

    Matches each referral URL in the result.

    ldap-search-request (CTS)

    Matches the entire LDAP Search Request message.

    ldap-search-request-attribute (CTS)

    Matches each attribute in a Search Request message.

    ldap-search-request-attributelist (CTS)

    Matches all the attributes in a Search Request message.

    ldap-search-request-baseObject (CTS)

    Matches the base object entry against which the search is performed. This includes the 1-byte scope, which can represent baseObject, singleLevel or wholeSubtree.

    ldap-search-request-filter (CTS)

    Matches the contents of the search filter.

    ldap-search-request-sizeLimit (CTS)

    Matches the sizeLimit field of the search request.

    ldap-search-request-timeLimit (CTS)

    Matches the timeLimit field of the search request.

    ldap-search-resentry (STC)

    Matches the entire Search Result message.

    ldap-search-resentry-attribute (STC)

    Matches each attribute in the search result. The values are NULL delimited, and the type and value list are newline delimited.

    ldap-search-resentry-attributetype (STC)

    Matches each attribute type in the search result.

    ldap-search-resentry-attributevalue (STC)

    Matches each attribute value in the search result.

    ldap-search-resentry-objectname (STC)

    Matches the base object of the search result.

    ldap-search-resref (STC)

    Matches the entire Search Result Reference message.

    ldap-search-resref-referral (STC)

    Matches each referral URL in the Search Result Reference message.

    Table 16: Service Contexts: Line

    Context and Direction

    Description

    line (ANY)

    Matches a line extracted from the reassembled, normalized TCP stream data. This context is available for only those protocols that are line based.

    Table 17: Service Contexts: LPR

    Context and Direction

    Description

    lpr-cfile-command (CTS)

    Matches the entire CFILE subcommand line, including the first byte of the subcommand type.

    lpr-cfile-name (CTS)

    Matches the name of the control filename that is sent as part of the RECEIVE-JOB command.

    lpr-command (CTS)

    Matches the entire command line, including the first byte of the command code.

    lpr-dfile-name (CTS)

    Matches the name of the data filename that is sent as part of the RECEIVE-JOB command.

    Table 18: Service Contexts: MGCP

    Context and Direction

    Description

    mgcp-call-id (ANY)

    Matches the MGCP call ID parameter value.

    mgcp-command (ANY)

    Matches the MGCP command line.

    mgcp-ep-name (ANY)

    Matches the MGCP endpoint name specified in command line or command parameters.

    mgcp-parm (ANY)

    Matches the MGCP command parameter value.

    mgcp-rsp (ANY)

    Matches the entire MGCP response line with the return code.

    mgcp-rsp-000-line (ANY)

    Matches the MGCP 0yz response acknowledgment.

    mgcp-rsp-100-line (ANY)

    Matches the MGCP 1yz provisional response.

    mgcp-rsp-200-line (ANY)

    Matches the MGCP 2yz successful completion response.

    mgcp-rsp-400-line (ANY)

    Matches the MGCP 4yz transient error response.

    mgcp-rsp-500-line (ANY)

    Matches the MGCP 5yz permanent error response.

    mgcp-rsp-800-line (ANY)

    Matches the MGCP 8yz package-specific response codes.

    mgcp-rsp-bad-rcode (ANY)

    Matches any MGCP invalid response code.

    mgcp-sdp-line (ANY)

    Matches an SDP content line carried in an MGCP message.

    mgcp-trans-id (ANY)

    Matches the MGCP transaction ID parameter value.

    Table 19: Service Contexts: Modbus

    Context and Direction

    Description

    modbus-except-resp (STC)

    Matches a Modbus Exception Response.

    modbus-requst (CTS)

    Matches a Modbus Request.

    modbus-response (STC)

    Matches a Modbus Response.

    modbus-trailing-data (ANY)

    Matches trailing data after the first Modbus PDU.

    Table 20: Service Contexts: MSN

    Context and Direction

    Description

    msn-addrbook-url (STC)

    Matches the URL for a user's address book.

    msn-compose-url (STC)

    Matches the URL for composing an e-mail.

    msn-display-name (ANY)

    Matches the display name of a user.

    msn-get-file (STC)

    Matches the name of a file that the client is downloading from a peer.

    msn-group-name (ANY)

    Matches the name of a group of contacts.

    msn-inbox-url (STC)

    Matches the URL for a user's Inbox.

    msn-ip-port (STC)

    Matches the address and port of a switchboard server.

    msn-message (ANY)

    Matches the instant message text.

    msn-message-application (ANY)

    Matches the line of an application message (like file transfer).

    msn-message-email-notification (STC)

    Matches the line sent by the server to notify a client of new or unread e-mail.

    msn-message-header (ANY)

    Matches the header line of an instant message.

    msn-message-profile (STC)

    Matches the line containing the profile of a message sender.

    msn-passport-url (STC)

    Matches the Passport login URL.

    msn-phone-number (ANY)

    Matches the user's phone number.

    msn-png-chunk (ANY)

    Matches the contents of a PNG chunk in an MSN transaction.

    msn-profile-url (STC)

    Matches the URL of a user's passport profile.

    msn-put-file (CTS)

    Matches the name of a file that the client is sending to a peer.

    msn-sign-in-name (ANY)

    Matches the screen name (login name) of a user.

    msn-url (STC)

    Matches any URL in an MSN session.

    msn-user-state (ANY)

    Matches the user's online state.

    Table 21: Service Contexts: MSRPC

    Context and Direction

    Description

    msrpc-ifid-str (ANY)

    Matches the interface ID string in an MSRPC session.

    Table 22: Service Contexts: MS-SQL

    Context and Direction

    Description

    mssql-0x12 (CTS)

    Matches the content of an MS-SQL type 0x12 request message.

    mssql-cancel (CTS)

    Matches the content of an MS-SQL cancel message.

    mssql-login (CTS)

    Matches the content of an MS-SQL login message.

    mssql-login-app (CTS)

    Matches the name of the application in an MS-SQL Login message.

    mssql-login-client (CTS)

    Matches the name of the client in an MS-SQL Login message.

    mssql-login-database (CTS)

    Matches the name of the database in an MS-SQL Login message.

    mssql-login-language (CTS)

    Matches the name of the language in an MS-SQL Login message.

    mssql-login-lib (CTS)

    Matches the name of the library in an MS-SQL Login message.

    mssql-login-pass (CTS)

    Matches the password in an MS-SQL Login message.

    mssql-login-server (CTS)

    Matches the name of the server in an MS-SQL Login message.

    mssql-login-user (CTS)

    Matches the name of the user in an MS-SQL Login message.

    mssql-query (CTS)

    Matches the content of an MS-SQL query message.

    mssql-request-other (CTS)

    Matches the content of an unrecognized MS-SQL request message.

    mssql-rpe (CTS)

    Matches the content of an MS-SQL RPC message.

    mssql-rpc-name (CTS)

    Matches the RPC name in an MS-SQL request message.

    Table 23: Service Contexts: MySQL

    Context and Direction

    Description

    mysql-login-request-caps (CTS)

    Matches the MySQL Login Request Caps data.

    mysql-login-request-caps-pswd (CTS)

    Matches the MySQL Login Request Caps password.

    mysql-login-request-caps-user (CTS)

    Matches the MySQL Login Request Caps username.

    mysql-preamble (ANY)

    Matches the first 4 bytes of the packet (the MySQL packet header: a 3-byte payload length followed by a 1-byte sequence number).

    mysql-requst-command (CTS)

    Matches the MySQL request command.

    mysql-response (STC)

    Matches the MySQL response.

    mysql-server-greeting (STC)

    Matches the MySQL server greeting data.

    Table 24: Service Contexts: NetBIOS

    Context and Direction

    Description

    nbds-browse-backup-server (ANY)

    Matches the name of a backup server in a NetBIOS browse message.

    nbds-browse-server-name (ANY)

    Matches the name of a server in a NetBIOS browse message.

    nbds-destination-name (ANY)

    Matches the destination name field in a NetBIOS message.

    nbds-mailslot-name (ANY)

    Matches the name of a mailslot in the NetBIOS mailslot message.

    nbds-source-ip-address (ANY)

    Matches the source IP field in the NetBIOS datagram header.

    nbds-source-name (ANY)

    Matches the source name field in a NetBIOS message.

    nbds-source-port (ANY)

    Matches the source port field in the NetBIOS datagram header.

    nbname-node-name (ANY)

    Matches the node name in the status response message.

    nbname-node-status (ANY)

    Matches the statistics field of a node status response.

    nbname-nsd-ip-address (ANY)

    Matches the IP address of a NetBIOS name server specified in a redirect name query response message.

    nbname-nsd-name (ANY)

    Matches the name of a NetBIOS name server specified in a redirect name query response message.

    nbname-resource-address (ANY)

    Matches the IP address of a resource from the resource record.

    nbname-type-name (ANY)

    Matches the type and name in a question or a resource record.

    Table 25: Service Contexts: NFS

    Context and Direction

    Description

    nfs-create-name (CTS)

    Matches the name of a file or directory in the CREATE procedure.

    nfs-dir-entry (STC)

    Matches the name of each directory entry returned by the READDIR procedure.

    nfs-link-target (CTS)

    Matches the name of the hard link in the LINK procedure.

    nfs-lookup-name (CTS)

    Matches the name of a file or directory in the LOOKUP procedure.

    nfs-mkdir-name (CTS)

    Matches the name of a directory in the MKDIR procedure.

    nfs-mknod-name (CTS)

    Matches the name of the special file in the MKNOD procedure.

    nfs-readlink-name (STC)

    Matches the name returned by the READLINK procedure.

    nfs-remove-name (CTS)

    Matches the name of a file in the REMOVE procedure.

    nfs-rename-from (CTS)

    Matches the source file or directory name in the RENAME procedure.

    nfs-rename-to (CTS)

    Matches the destination file or directory name in the RENAME procedure.

    nfs-rmdir-name (CTS)

    Matches the name of a directory in the RMDIR procedure.

    nfs-symlink-source (CTS)

    Matches the source of the symbolic link in the SYMLINK procedure.

    nfs-symlink-target (CTS)

    Matches the target of the symbolic link in the SYMLINK procedure.

    Table 26: Service Contexts: NNTP

    Context and Direction

    Description

    nntp-banner (STC)

    Matches the NNTP banner.

    nntp-body (ANY)

    Matches each line of an NNTP message body.

    nntp-command-line (CTS)

    Matches the entire NNTP command line.

    nntp-header (ANY)

    Matches any header in an NNTP session.

    nntp-ihave-msgid (CTS)

    Matches the message ID that appears in the IHAVE command of an NNTP session.

    nntp-mode (CTS)

    Matches the NNTP mode.

    nntp-msgid (ANY)

    Matches the message ID that appears in various commands of an NNTP session.

    nntp-newsgroup (ANY)

    Matches the name of news groups in an NNTP session.

    Table 27: Service Contexts: Normalized Stream

    Context and Direction

    Description

    normalized-stream (ANY)

    Matches the reassembled, normalized stream. Available for the Telnet, IMAP, NFS, RPC, and Rusers services only.

    normalized-stream1k (ANY)

    Matches the first 1024 bytes of reassembled, normalized TCP stream data.

    normalized-stream256 (ANY)

    Matches the first 256 bytes of reassembled, normalized TCP stream data.

    normalized-stream8k (ANY)

    Matches the first 8192 bytes of reassembled, normalized TCP stream data.
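
    The following Python model is added here as an illustration; it is not NSM code and is not part of this reference. It shows what the normalized-stream256/1k/8k contexts, and the line context of Table 16, actually see: constructed out-of-order and retransmitted TCP segments are reassembled into one stream, truncated to the first N bytes, and split into CRLF lines. The segment data and the overlap policy (first copy received wins) are assumptions of the example. The practical point is that a pattern whose bytes lie past the context's byte limit cannot match in that context, no matter how the attack object is written.

```python
from typing import List, Tuple

# Constructed TCP segments as (relative sequence offset, payload), listed in
# arrival order: one arrives early, one is an exact retransmission.
CONSTRUCTED_SEGMENTS: List[Tuple[int, bytes]] = [
    (0,  b"USER alice\r\n"),
    (26, b"LIST\r\n"),           # arrives before the PASS line (out of order)
    (12, b"PASS s3cret!\r\n"),
    (12, b"PASS s3cret!\r\n"),   # retransmission of the PASS line
]


def reassemble(segments: List[Tuple[int, bytes]]) -> bytes:
    """Rebuild the contiguous stream from (offset, payload) segments.

    Overlapping bytes keep the first copy received (assumption: the page does
    not say which overlap policy the sensor applies). Data after the first
    unfilled hole is not returned because it is not yet reassembled.
    """
    buf = bytearray()
    filled = bytearray()          # filled[i] == 1 once buf[i] holds data
    for off, data in segments:
        end = off + len(data)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
            filled.extend(bytes(end - len(filled)))
        for i, byte in enumerate(data):
            if not filled[off + i]:
                buf[off + i] = byte
                filled[off + i] = 1
    hole = filled.find(b"\x00")
    return bytes(buf if hole == -1 else buf[:hole])


def normalized_stream(segments: List[Tuple[int, bytes]], limit: int) -> bytes:
    """Model of normalized-stream256 / -1k / -8k: only the first `limit` bytes."""
    return reassemble(segments)[:limit]


def stream_lines(segments: List[Tuple[int, bytes]]) -> List[bytes]:
    """Model of the `line` context: each complete CRLF-terminated line."""
    pieces = reassemble(segments).split(b"\r\n")
    return pieces[:-1]            # drop the trailing partial (or empty) piece


def pattern_visible(segments: List[Tuple[int, bytes]], pattern: bytes, limit: int) -> bool:
    """True if `pattern` lies inside the first `limit` normalized bytes."""
    return pattern in normalized_stream(segments, limit)


if __name__ == "__main__":
    print(reassemble(CONSTRUCTED_SEGMENTS))
    for limit in (16, 256):
        print(limit, pattern_visible(CONSTRUCTED_SEGMENTS, b"LIST", limit))
```

    With the constructed segments, the LIST command starts at byte 26, so it is visible to normalized-stream256 but not to a hypothetical 16-byte window; choose the smallest of the three contexts that still covers the offset at which the pattern can occur.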

    Table 28: Service Contexts: NTP

    Context and Direction

    Description

    ntp-ctrl-data-opt (ANY)

    Matches the data field in an NTP control message.

    ntp-ctrl-opcode-response-var (ANY)

    Matches each of the name and value pairs found in the NTP control message data field. The context includes a 1-byte NTP control message opcode and a 1-byte NTP response type.

    Table 29: Service Contexts: Packet

    Context and Direction

    Description

    packet (ANY)

    Matches any packet in a session.

    Table 30: Service Contexts: POP3

    Context and Direction

    Description

    pop3-apop (CTS)

    Matches the arguments of the APOP command in a POP3 session.

    pop3-auth (CTS)

    Matches the arguments of the AUTH command in a POP3 session.

    pop3-command (CTS)

    Matches each of the POP3 command names in a POP3 session.

    pop3-command-line (CTS)

    Matches each command line in a POP3 session.

    pop3-data-line (STC)

    Matches lines in the e-mail body of a POP3 transaction.

    pop3-data-text-html (STC)

    Matches lines in a text/html MIME attachment in the body of a POP3 transaction.

    pop3-data-text-plain (STC)

    Matches lines in a text/plain MIME attachment in the body of a POP3 transaction.

    pop3-dele (CTS)

    Matches the arguments of the DELE command in a POP3 session.

    pop3-header-comment (STC)

    Matches the Comment: header of an e-mail in a POP3 transaction.

    pop3-header-from (STC)

    Matches the From: header of an e-mail in a POP3 transaction.

    pop3-header-line (STC)

    Matches each header line of an e-mail in POP3 transaction.

    pop3-header-reply-to (STC)

    Matches the Reply-To: header of an e-mail in a POP3 transaction.

    pop3-header-sender (STC)

    Matches the Sender: header of an e-mail in a POP3 transaction.

    pop3-header-subject (STC)

    Matches the Subject: header of an e-mail in a POP3 transaction.

    pop3-header-to (STC)

    Matches the To: header of an e-mail in a POP3 transaction.

    pop3-header-x-field (STC)

    Matches each extended header (starting with X-) of an e-mail in a POP3 transaction.

    pop3-header-x-mailer (STC)

    Matches the X-Mailer: header of an e-mail in a POP3 transaction.

    pop3-list (CTS)

    Matches the arguments of the LIST command in a POP3 session.

    pop3-mime-content-data (STC)

    Matches the first 64 bytes of the base-64 decoded MIME attachment data in a POP3 session.

    pop3-mime-content-filename (STC)

    Matches the content filename of a MIME attachment in a POP3 session.

    pop3-mime-content-name (STC)

    Matches the content name of a MIME attachment in a POP3 session.

    pop3-retr (CTS)

    Matches the arguments of the RETR command in a POP3 session.

    pop3-top (CTS)

    Matches the arguments of the TOP command in a POP3 session.

    pop3-uidl (CTS)

    Matches the arguments of the UIDL command in a POP3 session.

    pop3-user (CTS)

    Matches the user name of a POP3 session.

    pop3-xtnd (CTS)

    Matches the arguments of the XTND command in a POP3 session.

    Table 31: Service Contexts: RADIUS

    Context and Direction

    Description

    radius-access-accept (STC)

    Matches the attribute fields of a RADIUS Access-Accept message.

    radius-access-challenge (STC)

    Matches the attribute fields of a RADIUS Access-Challenge message.

    radius-access-reject (STC)

    Matches the attribute fields of a RADIUS Access-Reject message.

    radius-access-request (CTS)

    Matches the attribute fields of a RADIUS Access-Request message.

    radius-acct-request (CTS)

    Matches the attribute fields of a RADIUS Accounting-Request message.

    radius-acct-response (STC)

    Matches the attribute fields of a RADIUS Accounting-Response message.

    radius-attr-acct-multi-session-id (CTS)

    Matches the value of an Acct-Multi-Session-Id attribute.

    radius-attr-acct-session-id (CTS)

    Matches the value of an Acct-Session-Id attribute.

    radius-attr-acct-tunnel-connection (CTS)

    Matches the value of an Acct-Tunnel-Connection attribute.

    radius-attr-arap-features (STC)

    Matches the value of an ARAP-Features attribute.

    radius-attr-arap-password (CTS)

    Matches the value of an ARAP-Password attribute.

    radius-attr-arap-security-data (ANY)

    Matches the value of an ARAP-Security-Data attribute.

    radius-attr-callback-number (ANY)

    Matches the value of a Callback-Number attribute.

    radius-attr-called-station-id (CTS)

    Matches the value of a Called-Station-Id attribute.

    radius-attr-calling-station-id (CTS)

    Matches the value of a Calling-Station-Id attribute.

    radius-attr-chap-challenge (CTS)

    Matches the value of a CHAP-Challenge attribute.

    radius-attr-chap-password (CTS)

    Matches the value of a CHAP-Password attribute.

    radius-attr-configuration-token (STC)

    Matches the value of a Configuration-Token attribute.

    radius-attr-connect-info (CTS)

    Matches the value of a Connect-Info attribute.

    radius-attr-eap-message (ANY)

    Matches the value of an EAP-Message attribute.

    radius-attr-filter-id (ANY)

    Matches the value of a Filter-Id attribute.

    radius-attr-framed-appletalk-zone (ANY)

    Matches the value of a Framed-AppleTalk-Zone attribute.

    radius-attr-framed-pool (STC)

    Matches the value of a Framed-Pool attribute.

    radius-attr-framed-route (ANY)

    Matches the value of a Framed-Route attribute.

    radius-attr-login-lat-group (ANY)

    Matches the value of a Login-LAT-Group attribute.

    radius-attr-login-lat-node (ANY)

    Matches the value of a Login-LAT-Node attribute.

    radius-attr-login-lat-port (ANY)

    Matches the value of a Login-LAT-Port attribute.

    radius-attr-login-lat-service (ANY)

    Matches the value of a Login-LAT-Service attribute.

    radius-attr-message-authenticator (ANY)

    Matches the value of a Message-Authenticator attribute.

    radius-attr-nas-identifier (CTS)

    Matches the value of a NAS-Identifier attribute.

    radius-attr-nas-port-id (CTS)

    Matches the value of a NAS-Port-Id attribute.

    radius-attr-proxy-state (ANY)

    Matches the value of a Proxy-State attribute.

    radius-attr-reply-message (STC)

    Matches the value of a Reply-Message attribute.

    radius-attr-state (ANY)

    Matches the value of a State attribute.

    radius-attr-tunnel-assignment-id (ANY)

    Matches the value of a Tunnel-Assignment-Id attribute.

    radius-attr-tunnel-client-auth-id (ANY)

    Matches the value of a Tunnel-Client-Auth-Id attribute.

    radius-attr-tunnel-client-endpoint (ANY)

    Matches the value of a Tunnel-Client-Endpoint attribute.

    radius-attr-tunnel-password (STC)

    Matches the value of a Tunnel-Password attribute.

    radius-attr-tunnel-private-group-id (ANY)

    Matches the value of a Tunnel-Private-Group-Id attribute.

    radius-attr-tunnel-server-auth-id (ANY)

    Matches the value of a Tunnel-Server-Auth-Id attribute.

    radius-attr-tunnel-server-endpoint (ANY)

    Matches the value of a Tunnel-Server-Endpoint attribute.

    radius-attr-user-name (ANY)

    Matches the value of a User-Name attribute.

    radius-attr-user-password (CTS)

    Matches the value of a User-Password attribute.

    radius-attr-vendor-specific (ANY)

    Matches the value of a Vendor-Specific attribute.

    radius-attribute (ANY)

    Matches any RADIUS attribute, including the type, length and value.
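
    The Python example below is added as an illustration and is not NSM code. It builds a constructed Access-Request, walks its attribute TLVs the way the radius-attribute context (type, length and value) and the radius-attr-* contexts (value only) see them, and applies the RFC 2865 User-Password obfuscation in both directions. The caveat it demonstrates: radius-attr-user-password matches the on-wire value, which is the password XORed with an MD5 keystream derived from the shared secret and the Request Authenticator, so a pattern written against a plaintext password will never match; only a party holding the shared secret can recover it. The secret, authenticator and attribute values are assumptions of the example.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

# RADIUS attribute type numbers used below (RFC 2865/2866).
ATTR_NAMES: Dict[int, str] = {
    1: "User-Name", 2: "User-Password", 31: "Calling-Station-Id",
    32: "NAS-Identifier", 80: "Message-Authenticator",
}
ACCESS_REQUEST = 1


def obfuscate_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + bytes(-len(password) % 16) or bytes(16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of obfuscate_password; requires the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, authenticator: bytes,
                         attrs: List[Tuple[int, bytes]]) -> bytes:
    """Constructed Access-Request; attrs are (type, value) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + authenticator + body


def parse_attributes(packet: bytes) -> Tuple[int, bytes, List[Tuple[int, bytes, bytes]]]:
    """Walk the attribute TLVs. Returns (code, authenticator, [(type, tlv, value)]):
    `tlv` is what radius-attribute sees, `value` is what radius-attr-* sees."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    authenticator = packet[4:20]
    attrs, pos = [], 20
    while pos < length:
        t, ln = packet[pos], packet[pos + 1]
        if ln < 2 or pos + ln > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, packet[pos:pos + ln], packet[pos + 2:pos + ln]))
        pos += ln
    return code, authenticator, attrs


def user_password(packet: bytes, secret: bytes) -> bytes:
    """Locate attribute 2 and undo the obfuscation with the shared secret."""
    _, authenticator, attrs = parse_attributes(packet)
    for t, _, value in attrs:
        if t == 2:
            return reveal_password(value, secret, authenticator)
    raise KeyError("no User-Password attribute present")


# Constructed sample with a fixed secret and authenticator so the bytes are stable.
SECRET = b"testing123"
AUTHENTICATOR = bytes(range(16))
SAMPLE_PACKET = build_access_request(7, AUTHENTICATOR, [
    (1, b"alice"),
    (2, obfuscate_password(b"s3cret!", SECRET, AUTHENTICATOR)),
    (32, b"nas01"),
])
```

    User-Name, NAS-Identifier and the other string attributes are carried in the clear and can be matched directly; User-Password cannot, and CHAP-Password carries a hash rather than the password.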

    Table 32: Service Contexts: REXEC

    Context and Direction

    Description

    rexec-remote-command (CTS)

    Matches the remote command in an REXEC session.

    rexec-remote-user (CTS)

    Matches the remote username in an REXEC session.

    Table 33: Service Contexts: RLOGIN

    Context and Direction

    Description

    rlogin-local-user (CTS)

    Matches the local username in an RLOGIN session.

    rlogin-remote-user (CTS)

    Matches the remote username in an RLOGIN session.

    Table 34: Service Contexts: RSH

    Context and Direction

    Description

    rsh-local-user (CTS)

    Matches the local username in an RSH session.

    rsh-remote-command (CTS)

    Matches the remote command in an RSH session.

    rsh-remote-user (CTS)

    Matches the remote username in an RSH session.

    Table 35: Service Contexts: RUSERS

    Context and Direction

    Description

    rusers-device (STC)

    Matches the name of the device in an RUSERS session.

    rusers-host (STC)

    Matches the name of the host in an RUSERS session.

    rusers-user (STC)

    Matches the name of the user in an RUSERS session.

    Table 36: Service Contexts: SIP

    Context and Direction

    Description

    sip-bad-header (ANY)

    Matches SIP headers with bad syntax.

    sip-command-state (ANY)

    Matches the state of the SIP connection.

    sip-content-any (ANY)

    Matches the content (body) portion of a SIP message.

    sip-content-sdp (ANY)

    Matches SIP/SDP content data.

    sip-display-name (ANY)

    Matches the display name of a URI in the related headers.

    sip-header-any (ANY)

    Matches SIP headers with no designated context.

    sip-header-callid (ANY)

    Matches the SIP <Call-ID> header.

    sip-header-from (ANY)

    Matches the SIP <From> header.

    sip-header-maxforwards (CTS)

    Matches the SIP <Max-Forwards> header.

    sip-header-to (ANY)

    Matches SIP <To> header.

    sip-header-value-len (ANY)

    Artificial context used to apply length thresholds to a header value.

    sip-headr-via (ANY)

    Matches the SIP <Via> header.

    sip-parameter (ANY)

    Matches parsed parameters in the headers.

    sip-parameter-bad (ANY)

    Matches parsed invalid parameters in the headers.

    sip-reply (STC)

    Matches any SIP reply line with the return code.

    sip-reply-100-line (STC)

    Matches the SIP 1yz (Provisional) reply line.

    sip-reply-200-line (STC)

    Matches the SIP 2yz (Success) reply line.

    sip-reply-300-line (STC)

    Matches the SIP 3yz (Redirection) reply line.

    sip-reply-400-line (STC)

    Matches the SIP 4yz (Request Failure) reply line.

    sip-reply-500-line (STC)

    Matches the SIP 5yz (Server Failure) reply line.

    sip-reply-600-line (STC)

    Matches the SIP 6yz (Global Failure) reply line.

    sip-reply-bad-rcode (STC)

    Matches any SIP invalid response code.

    sip-request (CTS)

    Matches the SIP request command line.

    sip-request-unknown (CTS)

    Matches a SIP request whose method (command) is unknown.

    sip-sdp-line (ANY)

    Matches the SIP/SDP contents data line.

    sip-unknown-data (ANY)

    Matches unrecognized data in a SIP message.

    sip-unknown-header (ANY)

    Matches an unrecognized SIP header.

    sip-uri-host (ANY)

    Matches the host name or IP address of a URI in the related headers.

    sip-uri-parameter (ANY)

    Matches a parameter of a URI in the related headers.

    Table 37: Service Contexts: SMB

    Context and Direction

    Description

    smb-account-name (ANY)

    Matches the SMB account name in the SESSION_SETUP_ANDX request of an SMB session.

    smb-atsvc-request (CTS)

    Matches any AT Service requests sent as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-atsvc-response (STC)

    Matches any AT Service responses received as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-browser-request (CTS)

    Matches any Browser requests sent as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-browser-response (STC)

    Matches any Browser responses received as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-called-name (ANY)

    Matches the NetBIOS called name, that is, the name of the receiver (server side) of an SMB session.

    smb-calling-name (ANY)

    Matches the NetBIOS calling name, that is, the name of the initiator (client side) of an SMB session.

    smb-connect-path (CTS)

    Matches the connect path in the TREE_CONNECT_ANDX request of an SMB session.

    smb-connect-service (CTS)

    Matches the connect service in the TREE_CONNECT_ANDX request of an SMB session.

    smb-copy-filename (CTS)

    Matches the filename in the COPY request of an SMB session.

    smb-data (ANY)

    Matches any SMB data portion.

    smb-dce-rpc (ANY)

    Matches any DCE/RPC message sent over the SMB Transport Layer.

    smb-dce-rpc-alter-ctx (CTS)

    Matches any DCE/RPC alter-context message sent over the SMB Transport Layer.

    smb-dce-rpc-alter-ctx-reply (STC)

    Matches any DCE/RPC alter-context-reply message sent over the SMB Transport Layer.

    smb-dce-rpc-bind (CTS)

    Matches any DCE/RPC bind message sent over the SMB Transport Layer.

    smb-dce-rpc-bind-ack (STC)

    Matches any DCE/RPC bind-ack message sent over the SMB Transport Layer.

    smb-dce-rpc-bind-nack (STC)

    Matches any DCE/RPC bind-nack message sent over the SMB Transport Layer.

    smb-dce-rpc-cancel (CTS)

    Matches any DCE/RPC cancel message sent over the SMB Transport Layer.

    smb-dce-rpc-orphanded (CTS)

    Matches any DCE/RPC orphaned message sent over the SMB Transport Layer.

    smb-dce-rpc-request (CTS)

    Matches any DCE/RPC request message sent over the SMB Transport Layer.

    smb-dce-rpc-request-obj-uuid (CTS)

    Matches the object UUID of any DCE/RPC request message.

    smb-dce-rpc-response (STC)

    Matches any DCE/RPC response message sent over the SMB Transport Layer.

    smb-dce-rpc-shutdown (STC)

    Matches any DCE/RPC shutdown message sent over the SMB Transport Layer.

    smb-delete-filename (CTS)

    Matches the filename in the DELETE request of an SMB session.

    smb-dialect (CTS)

    Matches each SMB dialect string in the NEGOTIATE request of an SMB session.

    smb-lanman-request (CTS)

    Matches any LANMAN requests sent as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-lanman-response (STC)

    Matches any LANMAN responses received as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-lsarpc-request (CTS)

    Matches any Local Security Authority requests sent as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-lsarpc-response (STC)

    Matches any Local Security Authority responses received as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-move-filename (CTS)

    Matches the filename in the MOVE request of an SMB session.

    smb-msgsvc-request (CTS)

    Matches any Messenger Service requests sent as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-msgsvc-response (STC)

    Matches any Messenger Service responses received as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-native-lanman (ANY)

    Matches the native LANMAN in the SESSION_SETUP_ANDX request of an SMB session.

    smb-native-os (ANY)

    Matches the native OS in the SESSION_SETUP_ANDX request of an SMB session.

    smb-netlogon-request (CTS)

    Matches any Netlogon requests sent as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-netlogon-response (STC)

    Matches any Netlogon responses received as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-open-filename (CTS)

    Matches the filename in the NT_CREATE_ANDX and OPEN_ANDX requests of an SMB session.

    smb-pipe-request (CTS)

    Matches any generic named pipe requests over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-pipe-response (STC)

    Matches any generic named pipe responses over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-primary-domain (ANY)

    Matches the SMB primary domain name in the SESSION_SETUP_ANDX request of an SMB session.

    smb-rename-filename (CTS)

    Matches the filename in the RENAME request of an SMB session.

    smb-samr-request (CTS)

    Matches any Security Account Manager requests sent as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-samr-response (STC)

    Matches any Security Account Manager responses received as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-spoolss-request (CTS)

    Matches any Spool Subsystem requests sent as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-spoolss-response (STC)

    Matches any Spool Subsystem responses received as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-srvsvc-request (CTS)

    Matches any Server Service requests sent as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-srvsvc-response (STC)

    Matches any Server Service responses received as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-svcctl-request (CTS)

    Matches any Service Control Manager requests sent as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-svcctl-response (STC)

    Matches any Service Control Manager responses received as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-trans2-create-directory (CTS)

    Matches any SMB Transaction2 CREATE-DIRECTORY request.

    smb-trans2-request (CTS)

    Matches any SMB Transaction2 request.

    smb-trans2-response (STC)

    Matches any SMB Transaction2 response.

    smb-trans2-session-setup (CTS)

    Matches any SMB Transaction2 SESSION-SETUP request.

    smb-trans2-set-file-info (CTS)

    Matches any SMB Transaction2 SET-FILE-INFORMATION request.

    smb-trans2-set-path-info (CTS)

    Matches any SMB Transaction2 SET-PATH-INFORMATION request.

    smb-winreg-request (CTS)

    Matches any Windows Remote Registry requests sent as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-winreg-response (STC)

    Matches any Windows Remote Registry responses received as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-wkssvc-request (CTS)

    Matches any Workstation Service requests sent as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.

    smb-wkssvc-response (STC)

    Matches any Workstation Service responses received as named pipe transactions over the SMB Transport Layer. The first two bytes of this context contain the opcode of the function.
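
    The Python example below is added as an illustration and is not NSM code. It decodes the connection-oriented DCE/RPC PDU header that underlies the smb-dce-rpc-* contexts (PDU type, call ID, byte order taken from the drep field) and, for request PDUs, extracts the opnum, the optional object UUID (what smb-dce-rpc-request-obj-uuid matches) and the stub data, then assembles the two-byte-opcode-plus-stub form that the named-pipe service contexts above describe. The PDU bytes and the object UUID are constructed; the byte order of the two-byte opcode prefix is an assumption (the page says the prefix exists but not its order), so a real pattern should be checked against captured traffic before being deployed.

```python
import struct
import uuid
from typing import Dict, Optional

# Connection-oriented DCE/RPC PDU types (C706 / MS-RPCE), named after the
# smb-dce-rpc-* contexts.
PTYPES = {0: "request", 2: "response", 11: "bind", 12: "bind-ack",
          13: "bind-nack", 14: "alter-ctx", 15: "alter-ctx-reply",
          17: "shutdown", 18: "cancel", 19: "orphaned"}
PFC_OBJECT_UUID = 0x80        # header flag: a 16-byte object UUID follows the opnum
DREP_LITTLE_ENDIAN = 0x10     # drep byte 0: integer byte order bit


def build_request(opnum: int, stub: bytes, call_id: int = 1,
                  obj_uuid: Optional[uuid.UUID] = None) -> bytes:
    """Constructed little-endian request PDU (first+last fragment, no auth)."""
    flags = 0x03
    body = struct.pack("<IHH", len(stub), 0, opnum)   # alloc_hint, context_id, opnum
    if obj_uuid is not None:
        flags |= PFC_OBJECT_UUID
        body += obj_uuid.bytes_le
    body += stub
    header = struct.pack("<BBBB4sHHI", 5, 0, 0, flags,
                         bytes([DREP_LITTLE_ENDIAN, 0, 0, 0]),
                         16 + len(body), 0, call_id)
    return header + body


def parse_pdu(data: bytes) -> Dict[str, object]:
    """Decode the 16-byte common header and, for requests, the opnum, optional
    object UUID and stub. Byte order comes from the PDU's own drep field."""
    if len(data) < 16:
        raise ValueError("short PDU")
    version, ptype, flags = data[0], data[2], data[3]
    if version != 5:
        raise ValueError("unsupported DCE/RPC major version %d" % version)
    endian = "<" if data[4] & DREP_LITTLE_ENDIAN else ">"
    frag_len, auth_len, call_id = struct.unpack(endian + "HHI", data[8:16])
    if frag_len > len(data) or auth_len > frag_len:
        raise ValueError("truncated or inconsistent fragment length")
    pdu: Dict[str, object] = {"ptype": PTYPES.get(ptype, "unknown(%d)" % ptype),
                              "call_id": call_id}
    if ptype != 0:
        return pdu
    if frag_len < 24:
        raise ValueError("request PDU shorter than its fixed fields")
    _, context_id, opnum = struct.unpack(endian + "IHH", data[16:24])
    pos, obj = 24, None
    if flags & PFC_OBJECT_UUID:
        if frag_len < 40:
            raise ValueError("object UUID flag set but no room for the UUID")
        raw = data[24:40]
        obj = uuid.UUID(bytes_le=raw) if endian == "<" else uuid.UUID(bytes=raw)
        pos = 40
    stub = data[pos:frag_len - auth_len]
    # Assumed layout of the named-pipe request contexts: a 2-byte opcode prefix
    # (network order here; the page does not state the order) followed by the
    # stub. Patterns written against these contexts must allow for the prefix.
    pdu.update(opnum=opnum, context_id=context_id, object_uuid=obj, stub=stub,
               request_context=struct.pack("!H", opnum) + stub)
    return pdu


# Constructed sample: opnum 15 (srvsvc NetrShareEnum) with filler stub bytes
# and an arbitrary object UUID.
SAMPLE_UUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_REQUEST = build_request(15, b"\x00\x01\x02\x03", call_id=7, obj_uuid=SAMPLE_UUID)
```

    Because the sensor has already stripped the DCE/RPC header when it presents the named-pipe contexts, a pattern for a specific function should anchor on the two opcode bytes and then on the stub, not on fields of the PDU header.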

    Table 38: Service Contexts: SMTP

    Context and Direction

    Description

    smtp-banner (STC)

    Matches the banner returned by the server at the start of an SMTP transaction.

    smtp-command-line (CTS)

    Matches any SMTP command line.

    smtp-data-line (CTS)

    Matches lines in the e-mail body of an SMTP transaction.

    smtp-data-text-html (CTS)

    Matches lines in a text/html MIME attachment in the body of an SMTP transaction.

    smtp-data-text-plain (CTS)

    Matches lines in a text/plain MIME attachment in the body of an SMTP transaction.

    smtp-from (CTS)

    Matches the contents of the MAIL, SAML, SEND, and SOML commands.

    smtp-header (CTS)

    Matches any unfolded header in the SMTP data.

    smtp-header-comment (CTS)

    Matches the Comment: header in the SMTP data.

    smtp-header-from (CTS)

    Matches the From: header in the SMTP data.

    smtp-header-line (CTS)

    Matches any header lines in the SMTP data.

    smtp-header-reply-to (CTS)

    Matches the Reply-To: header in the SMTP data.

    smtp-header-sender (CTS)

    Matches the Sender: header in the SMTP data.

    smtp-header-subject (CTS)

    Matches the Subject: header in the SMTP data.

    smtp-header-to (CTS)

    Matches the To: header in the SMTP data.

    smtp-header-x-field (CTS)

    Matches all extended headers that start with X- in the SMTP data.

    smtp-header-x-mailer (CTS)

    Matches the X-Mailer: header in the SMTP data.

    smtp-mime-content-data (CTS)

    Matches the first 64 bytes of the base-64 decoded MIME attachment data in an SMTP session.

    smtp-mime-content-filename (CTS)

    Matches the content filename of a MIME attachment in an SMTP session.

    smtp-mime-content-name (CTS)

    Matches the content name of a MIME attachment in an SMTP session.

    smtp-rcpt (CTS)

    Matches the contents of the RCPT command in an SMTP transaction.

    smtp-reply-100-line (STC)

    Matches the SMTP 1yz Positive Preliminary reply.

    smtp-reply-200-line (STC)

    Matches the SMTP 2yz Positive Completion reply.

    smtp-reply-300-line (STC)

    Matches the SMTP 3yz Positive Intermediate reply.

    smtp-reply-400-line (STC)

    Matches the SMTP 4yz Transient Negative Completion reply.

    smtp-reply-500-line (STC)

    Matches the SMTP 5yz Permanent Negative Completion reply.

    smtp-reply-line (STC)

    Matches the SMTP reply line.
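
    The Python example below is added as an illustration and is not NSM code. It models the *-mime-content-name, *-mime-content-filename and *-mime-content-data contexts of both the SMTP table (client-to-server) and the POP3 table (Table 30, server-to-client): it parses a constructed MIME message, transfer-decodes each attachment, keeps only the first 64 decoded bytes as the content-data context does, and shows the two checks those contexts support, an executable signature in the decoded data and a disagreement between the Content-Type name and the Content-Disposition filename. The message, its addresses and the attachment bytes are constructed; the attachment is filler that begins with the DOS "MZ" header, not a real executable.

```python
import base64
import email
from email import policy
from typing import Dict, List

# Constructed message: the attachment's decoded bytes start with "MZ" but are
# otherwise filler, and the Content-Type name disagrees with the
# Content-Disposition filename. SMTP uses CRLF on the wire; the parser accepts LF.
ATTACHMENT_BYTES = b"MZ\x90\x00" + bytes(124)
CONSTRUCTED_MESSAGE = (
    b"From: alice@example.test\n"
    b"To: bob@example.test\n"
    b"Subject: invoice\n"
    b"MIME-Version: 1.0\n"
    b"Content-Type: multipart/mixed; boundary=\"XYZ\"\n"
    b"\n"
    b"--XYZ\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"See attached.\n"
    b"--XYZ\n"
    b"Content-Type: application/octet-stream; name=\"invoice.pdf\"\n"
    b"Content-Disposition: attachment; filename=\"invoice.pdf.exe\"\n"
    b"Content-Transfer-Encoding: base64\n"
    b"\n"
    + base64.encodebytes(ATTACHMENT_BYTES)
    + b"--XYZ--\n"
)

CONTENT_DATA_LIMIT = 64   # the content-data context carries only the first 64 decoded bytes


def mime_contexts(raw: bytes) -> List[Dict[str, object]]:
    """For each attachment, return the values the *-mime-content-name,
    *-mime-content-filename and *-mime-content-data contexts would carry."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found: List[Dict[str, object]] = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() != "attachment" and part.get_filename() is None:
            continue
        decoded = part.get_payload(decode=True) or b""
        found.append({
            "name": part.get_param("name"),          # Content-Type name=
            "filename": part.get_filename(),         # Content-Disposition filename=
            "data": decoded[:CONTENT_DATA_LIMIT],    # first 64 decoded bytes
        })
    return found


def is_pe_image(data: bytes) -> bool:
    """DOS/PE executables start with 'MZ'; 64 decoded bytes are enough to see it."""
    return data[:2] == b"MZ"


def suspicious_attachments(raw: bytes) -> List[str]:
    """Findings a signature writer could encode against these contexts."""
    findings = []
    for att in mime_contexts(raw):
        if is_pe_image(att["data"]):
            findings.append("executable content in %r" % att["filename"])
        name, fname = att["name"], att["filename"]
        if name and fname and name != fname:
            findings.append("name/filename mismatch: %r vs %r" % (name, fname))
    return findings
```

    Matching on the decoded bytes rather than on the base64 text is what makes a file-type check robust to line wrapping and re-encoding; the 64-byte limit means magic numbers deeper in a container (for example inside a ZIP entry) are out of reach of this context.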

    Table 39: Service Contexts: SNMP

    Context and Direction

    Description

    snmp-community (ANY)

    Matches the community name in any SNMP request or response.

    snmp-get-bulk-oid (CTS)

    Matches the binary OID in any SNMP Get-Bulk request.

    snmp-get-bulk-oid-parsed (CTS)

    Matches the human-readable OID in any SNMP Get-Bulk request.

    snmp-get-next-oid (CTS)

    Matches the binary OID in any SNMP Get-Next request.

    snmp-get-next-oid-parsed (CTS)

    Matches the human-readable OID in any SNMP Get-Next request.

    snmp-get-oid (CTS)

    Matches the binary OID in any SNMP Get request.

    snmp-get-oid-parsed (CTS)

    Matches the human-readable OID in any SNMP Get request.

    snmp-oid (ANY)

    Matches the binary OID in any SNMP request or response.

    snmp-oid-parsed (ANY)

    Matches the human-readable OID in any SNMP request or response.

    snmp-set-oid (CTS)

    Matches the binary OID in any SNMP Set request.

    snmp-set-oid-parsed (CTS)

    Matches the human-readable OID in any SNMP Set request.

    snmptrap-community (CTS)

    Matches the community name in any SNMPTRAP message.

    snmptrap-eid (CTS)

    Matches the binary EID (Enterprise-ID) in any SNMPTRAP message.

    snmptrap-eid-parsed (CTS)

    Matches the human-readable EID (Enterprise-ID) in any SNMPTRAP message.

    snmptrap-inform-oid (CTS)

    Matches the binary OID in any SNMPTRAP Inform message.

    snmptrap-inform-oid-parsed (CTS)

    Matches the human-readable OID in any SNMPTRAP Inform message.

    snmptrap-oid (CTS)

    Matches the binary OID in any SNMPTRAP message.

    snmptrap-oid-parsed (CTS)

    Matches the human-readable OID in any SNMPTRAP message.

    snmptrap-v2-oid (CTS)

    Matches the binary OID in any SNMPTRAP v2 message.

    snmptrap-v2-oid-parsed (CTS)

    Matches the human-readable OID in any SNMPTRAP v2 message.

    Table 40: Service Contexts: SSH

    Context and Direction

    Description

    ssh-header (ANY)

    Matches the header at the start of an SSH session.

    Table 41: Service Contexts: SSL

    Context and Direction

    Description

    ssl-cert-common-name (ANY)

    Matches the common name attribute of the SSL certificate.

    ssl-cert-organization-name (ANY)

    Matches the organization name in the SSL certificate.

    ssl-cert-organizational-unit-name (ANY)

    Matches the organizational unit name in the SSL certificate.

    ssl-certificate (ANY)

    Matches the entire SSL certificate content.

    ssl-client-hello (CTS)

    Matches SSL client hello message content.

    ssl-client-key-exchange (CTS)

    Matches SSL client key exchange message content.

    ssl-client-version (CTS)

    Matches the client SSL version.

    ssl-selected-cipher-suite (STC)

    Matches the selected cipher suite in the server hello message.

    ssl-server-hello (STC)

    Matches SSL server hello message content.

    ssl-server-key-exchange (STC)

    Matches SSL server key exchange message content.

    ssl-server-version (STC)

    Matches the SSL server version.

    Table 42: Service Contexts: Stream

    Context and Direction

    Description

    stream (ANY)

    Matches the reassembled, normalized TCP stream data.

    stream1k (ANY)

    Matches the first 1024 bytes of reassembled TCP stream data.

    stream256 (ANY)

    Matches the first 256 bytes of reassembled, normalized TCP stream data.

    stream8k (ANY)

    Matches the first 8192 bytes of reassembled TCP stream data.

    Table 43: Service Contexts: Telnet

    Context and Direction

    Description

    telnet-option (ANY)

    Matches each of the telnet options in a Telnet session.

    telnet-subnegotiation (ANY)

    Matches each of the telnet subnegotiation options in a Telnet session.

    telnet-user (CTS)

    Matches the Telnet user name.

    Table 44: Service Contexts: TFTP

    Context and Direction

    Description

    tftp-filename (CTS)

    Matches any filename in a TFTP session.

    tftp-get-filename (CTS)

    Matches the get filename in a TFTP session.

    tftp-put-filename (CTS)

    Matches the put filename in a TFTP session.

    Table 45: Service Contexts: TNS

    Context and Direction

    Description

    tns-accept-section (STC)

    Matches the Accept Section Data in a TNS session.

    tns-connect-addr-dev (CTS)

    Matches the Connect Address-Dev in a TNS session.

    tns-connect-addr-host (CTS)

    Matches the Connect Address-Host in a TNS session.

    tns-connect-addr-key (CTS)

    Matches the Connect Address-Key in a TNS session.

    tns-connect-addr-port (CTS)

    Matches the Connect Address-Port in a TNS session.

    tns-connect-addr-proto (CTS)

    Matches the Connect Address-Protocol in a TNS session.

    tns-connect-cid-host (CTS)

    Matches the Connect Data CID Host in a TNS session.

    tns-connect-cid-user (CTS)

    Matches the Connect Data CID User in a TNS session.

    tns-connect-data-cid-prog (CTS)

    Matches the Connect Data CID Program in a TNS session.

    tns-connect-data-sid (CTS)

    Matches the Connect Data SID in a TNS session.

    tns-connect-data-svcname (CTS)

    Matches the Connect Data Service Name in a TNS session.

    tns-connect-section (CTS)

    Matches the Connect Section Data in a TNS session.

    tns-data-section (ANY)

    Matches the Data Section Data in a TNS session.

    tns-message-body (ANY)

    Matches any Message Body in a TNS session.

    tns-message-type (ANY)

    Matches the Message Type in a TNS session.

    tns-preamble (ANY)

    Matches the first 8 bytes of a TNS message.

    tns-redirect-section (STC)

    Matches the Redirect Section in a TNS session.

    Table 46: Service Contexts: VNC

    Context and Direction

    Description

    vnc-client-version (CTS)

    Matches the version number of the VNC protocol sent by the client.

    vnc-reason (STC)

    Matches the connection fail reason reported by the VNC server.

    vnc-server-version (STC)

    Matches the version number of the VNC protocol sent by the server.

    Table 47: Service Contexts: YMSG

    Context and Direction

    Description

    ymsg-alias (ANY)

    Matches the alternate name associated with the main username.

    ymsg-buddy-name (ANY)

    Matches the name of a user that appears on the friends list.

    ymsg-chatroom-chatter (ANY)

    Matches the name of a user participating in a chat session.

    ymsg-chatroom-invitee (ANY)

    Matches the name of the user who is being invited to join a chatroom.

    ymsg-chatroom-message (ANY)

    Matches the messages exchanged in a chatroom.

    ymsg-chatroom-name (ANY)

    Matches the name of a chatroom in a YMSG session.

    ymsg-conf-host (ANY)

    Matches the name of the user who is hosting the conference.

    ymsg-conf-invitee (ANY)

    Matches the name of a user who is invited to a conference.

    ymsg-conf-join-msg (ANY)

    Matches the content of a message sent as part of a conference invitation.

    ymsg-conf-name (ANY)

    Matches the name of a conference session.

    ymsg-config-url (STC)

    Matches the URL at which the user can configure the password after the account is disabled.

    ymsg-contact-name (ANY)

    Matches the contact name in a friends list or invitation.

    ymsg-group-name (ANY)

    Matches the name of a group used to categorize friends.

    ymsg-header (ANY)

    Matches data in the protocol header.

    ymsg-ignored-user (ANY)

    Matches the name of the user being added to, or appearing on, the ignored users list.

    ymsg-mail-sender (STC)

    Matches the name of the user sending an e-mail message.

    ymsg-mail-sender-address (STC)

    Matches the e-mail address of the sender.

    ymsg-mail-subject (STC)

    Matches the e-mail subject.

    ymsg-main-identity (ANY)

    Matches the main identity name of the user.

    ymsg-message (ANY)

    Matches the instant message that is sent from one client to another.

    ymsg-message-server-filename-url (STC)

    Matches the message carrying the name of the file on the client that the server can download and transfer to peers.

    ymsg-nickname (ANY)

    Matches the nickname of a user.

    ymsg-p2p-get-filename (STC)

    Matches the name of the file on the peer from which the file can be downloaded.

    ymsg-p2p-get-filename-url (STC)

    Matches the location of a file on the peer from which the file can be downloaded.

    ymsg-p2p-put-filename (CTS)

    Matches the name of the file on the client that other peers can download.

    ymsg-p2p-put-filename-url (CTS)

    Matches the location of a file on the client from which other peers can download.

    ymsg-recipient (ANY)

    Matches the identity of the recipient of a message or file.

    ymsg-sender (ANY)

    Matches the identity of a sender of a message or file.

    ymsg-server-get-filename-url (STC)

    Matches the location of a file on the client from which the server can download and transfer to peers.

    ymsg-system-message (STC)

    Matches the content of a message sent from the server to the client.

    ymsg-user-name (ANY)

    Matches the identity of the login user or one of the user's aliases.

    Published: 2011-08-03