File Transfer Contexts

These attack objects and groups are designed to detect known attack patterns and protocol anomalies in network traffic. You can configure attack objects and groups for FTP, NFS, SMB, and TFTP as match conditions in IDP policy rules. In the tables below, the direction in which a context is matched is given as CTS (client to server), STC (server to client), or ANY.

Service Contexts: FTP

The table displays the security context details for FTP:

Table 1: Service Contexts: FTP

| Context and Direction | Description | Example of Contexts |
|---|---|---|
| ftp-account (CTS) | Matches the FTP login account name. | |
| ftp-banner (STC) | Matches the banner returned by the server at the start of an FTP session. | Screenshot: server banner indicating potential Solar_Trojan ECLYPSE activity, followed by the user login confirmation. |
| ftp-command (CTS) | Matches each of the FTP command names. | Screenshot: `USER` command highlighted; reply `331 Password required for none`; pattern `USER`. |
| ftp-cwd-pathname (CTS) | Matches the directory name in the CWD command of an FTP session. | Screenshot: restricted user logs in and changes directory to `/www/system`; the server confirms it as the current directory. |
| ftp-dele-pathname (CTS) | Matches the file name in the DELE command of an FTP session. | Screenshot: `PWD` (reply `257 ... is current directory`), then `DELE` with a long string of `B` characters (reply `200 OK`); pattern `BBB.*`. |
| ftp-get-filename (CTS) | Matches the filename in the GET command of an FTP session. | Screenshot: transfer of `WinRun.exe`; the `PORT` command succeeds and a binary-mode data connection opens for an 811008-byte file. |
| ftp-list-pathname (CTS) | Matches the directory or file name in the LIST command of an FTP session. | Screenshot: `250 CWD command successful`, `LIST`, `200 OK`; a corrupted directory listing is matched with a regex. |
| ftp-mkd-pathname (CTS) | Matches the directory name in the MKD command of an FTP session. | Screenshot: `MKD` with a long pathname of `A` characters; reply `257 Directory successfully created`. |
| ftp-nlst-pathname (CTS) | Matches the directory or file name in the NLST command of an FTP session. | |
| ftp-password (CTS) | Matches the FTP login password. | Screenshot: server requests the password for user `test`; the user sends `foobar` and logs in; pattern `foo` matches inside `foobar`. |
| ftp-pathname (CTS) | Matches a directory or file name in any of the FTP commands. | Screenshot: user logs in and changes directory to `/www/system`; pattern `system`. |
| ftp-put-filename (CTS) | Matches the filename in the PUT command of an FTP session. | Screenshot: `STOR` with a string ending in `Y./me` is refused with `500 Access denied`; pattern `.*/.message`. |
| ftp-reply-100-line (STC) | Matches the FTP 1yz Positive Preliminary reply. | Screenshot: `PORT` to 192.168.1.105 succeeds, `RETR WinRun.exe`, BINARY-mode data transfer. |
| ftp-reply-200-line (STC) | Matches the FTP 2yz Positive Completion reply. | Screenshot: same session; the `200` reply confirming the `PORT` command is the matched line. |
| ftp-reply-300-line (STC) | Matches the FTP 3yz Positive Intermediate reply. | Screenshot: banner `Eclypse's FTP Server`, `USER none`, highlighted reply `Password required for none`, `PASS`, then `User none logged in`. |
| ftp-reply-400-line (STC) | Matches the FTP 4yz Transient Negative Completion reply. | |
| ftp-reply-500-line (STC) | Matches the FTP 5yz Permanent Negative Completion reply. | Screenshot: `RMD` and `MKD` commands; highlighted reply `500 Access denied MKD`; pattern `Access`. |
| ftp-reply-line (STC) | Matches the FTP reply line. | Screenshot: `USER none` and reply `331 Password required for none`; pattern `none`. |
| ftp-request (CTS) | Matches the FTP request line (command and arguments). | Screenshot: login attempt with username `none`; server requests a password; pattern `none`. |
| ftp-rmd-pathname (CTS) | Matches the directory name in the RMD command of an FTP session. | Screenshot: `RMD` command with error replies and the context pattern. |
| ftp-rnfr-pathname (CTS) | Matches a directory or file name in the RNFR command of an FTP session. | Screenshot: `RNFR`/`RNTO` rename sequence; replies `226 Transfer complete`, `350 File ready`, `250 RNTO successful`. |
| ftp-rnto-pathname (CTS) | Matches a directory or file name in the RNTO command of an FTP session. | Screenshot: `RNFR file1`, `RNTO ..\file2`, successful replies. |
| ftp-sitestring (CTS) | Matches the arguments of the SITE command in an FTP session. | Screenshot: password authentication, a server reply, and a highlighted line indicating a potential format string attack. |
| ftp-smnt-pathname (CTS) | Matches the directory or file name in the SMNT command of an FTP session. | |
| ftp-stat-pathname (CTS) | Matches the directory or file name in the STAT command of an FTP session. | |
| ftp-username (CTS) | Matches the FTP login user name. | Screenshot: `USER none`, reply `331 Password required for none`, then the `PASS` command. |
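As an added illustration of how the contexts in Table 1 carve up an FTP control session (example code written for this page, not part of the original documentation or of Juniper's implementation), the following Python extracts each context from a constructed transcript and evaluates signature patterns from the table against them. Mapping the GET/PUT contexts to the RETR/STOR verbs is an assumption taken from the table's own screenshots.

```python
import re
from collections import defaultdict

# Constructed FTP control-channel transcript modelled on the sessions shown in
# Table 1 ("C:" client line, "S:" server line); not a capture from the page.
SESSION = """\
S: 220 Eclypse's FTP Server ready
C: USER none
S: 331 Password required for none
C: PASS foobar
S: 230 User none logged in
C: CWD /www/system
S: 250 CWD command successful
C: STOR pub/.message
S: 500 Access denied
"""

# FTP verb -> argument context from Table 1. Mapping ftp-get-filename and
# ftp-put-filename to RETR/STOR follows the table's own screenshots (assumption).
ARG_CONTEXT = {
    "USER": "ftp-username", "PASS": "ftp-password", "ACCT": "ftp-account", "SITE": "ftp-sitestring",
    "CWD": "ftp-cwd-pathname", "DELE": "ftp-dele-pathname", "MKD": "ftp-mkd-pathname",
    "RMD": "ftp-rmd-pathname", "RETR": "ftp-get-filename", "STOR": "ftp-put-filename",
    "LIST": "ftp-list-pathname", "NLST": "ftp-nlst-pathname", "SMNT": "ftp-smnt-pathname",
    "STAT": "ftp-stat-pathname", "RNFR": "ftp-rnfr-pathname", "RNTO": "ftp-rnto-pathname",
}
NON_PATH = {"ftp-username", "ftp-password", "ftp-account", "ftp-sitestring"}  # not paths: no ftp-pathname

def extract_contexts(session):
    """Carve every line of the transcript into the Table 1 contexts it feeds."""
    hits, banner_seen = defaultdict(list), False
    for raw in session.splitlines():
        side, text = raw[0], raw[3:]
        if side == "C":                                   # client-to-server (CTS)
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            hits["ftp-request"].append(text)              # whole request line
            hits["ftp-command"].append(verb)              # command name only
            ctx = ARG_CONTEXT.get(verb)
            if ctx and arg:
                hits[ctx].append(arg)                     # verb-specific argument context
                if ctx not in NON_PATH:
                    hits["ftp-pathname"].append(arg)      # any path in any command
        else:                                             # server-to-client (STC)
            hits["ftp-reply-line"].append(text)
            if text[:1].isdigit():                        # 1yz .. 5yz reply classes
                hits[f"ftp-reply-{text[0]}00-line"].append(text)
            if not banner_seen:                           # first reply is the banner
                hits["ftp-banner"].append(text)
                banner_seen = True
    return hits

def match(hits, context, pattern):
    """Values of one context that a signature pattern matches (regex search)."""
    return [v for v in hits.get(context, []) if re.search(pattern, v)]
```

Running `match` with the same pattern against different contexts (for example `none` against ftp-request versus ftp-reply-line) shows why the choice of context, not only the pattern, decides what a signature fires on.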

Service Contexts: NFS

The table displays the security context details for NFS:

Table 2: Service Contexts: NFS

| Context and Direction | Description | Example of Contexts |
|---|---|---|
| nfs-create-name (CTS) | Matches the name of a file or directory in the CREATE procedure. | Screenshot: UDP source port 800 to destination port 2049, RPC XID, NFS CREATE call with DH and name `asd%nmv` highlighted; pattern `asd`. |
| nfs-dir-entry (STC) | Matches the name of each directory entry returned by the READDIR procedure. | |
| nfs-link-target (CTS) | Matches the name of the hard link in the LINK procedure. | |
| nfs-lookup-name (CTS) | Matches the name of a file or directory in the LOOKUP procedure. | Screenshot: UDP source port 800 to destination port 2049, RPC XID, LOOKUP call for name `asd%nmv` in directory `dir`. |
| nfs-mkdir-name (CTS) | Matches the name of a directory in the MKDIR procedure. | |
| nfs-mknod-name (CTS) | Matches the name of the special file in the MKNOD procedure. | |
| nfs-readlink-name (STC) | Matches the name returned by the READLINK procedure. | |
| nfs-remove-name (CTS) | Matches the name of a file in the REMOVE procedure. | |
| nfs-rename-from (CTS) | Matches the source file or directory name in the RENAME procedure. | |
| nfs-rename-to (CTS) | Matches the destination file or directory name in the RENAME procedure. | |
| nfs-rmdir-name (CTS) | Matches the name of a directory in the RMDIR procedure. | |
| nfs-symlink-source (CTS) | Matches the source of the symbolic link in the SYMLINK procedure. | |
| nfs-symlink-target (CTS) | Matches the target of the symbolic link in the SYMLINK procedure. | |

Service Contexts: SMB

The table displays the security context details for SMB:

Table 3: Service Contexts: SMB

| Context and Direction | Description | Example of Contexts |
|---|---|---|
| smb-account-name (ANY) | Matches the SMB account name in the SESSION_SETUP_ANDX request of an SMB session. | Screenshot: Session Setup AndX Request (SMB header command 0x73) with Account `echoA`, Primary Domain `SOLARIUM`, Native OS `Unix`, Native LAN Manager `Samba`. |
| smb-atsvc-request (CTS) | Matches any AT Service request sent as a named pipe transaction over the SMB transport layer. The first two bytes of this context contain the opcode of the function. | Screenshot: DCE/RPC request over the SMB pipe protocol (fragment length 128, call ID 1, NTLMSSP authentication with packet privacy) to the Microsoft AT-Scheduler Service, JobAdd operation. |
| smb-atsvc-response (STC) | Matches any AT Service response received as a named pipe transaction over the SMB transport layer. The first two bytes of this context contain the opcode of the function. | Screenshot: Microsoft AT-Scheduler Service JobAdd response and the smb-atsvc-response pattern. |
| smb-browser-request (CTS) | Matches any Browser request sent as a named pipe transaction over the SMB transport layer. The first two bytes of this context contain the opcode of the function. | |
| smb-browser-response (STC) | Matches any Browser response received as a named pipe transaction over the SMB transport layer. The first two bytes of this context contain the opcode of the function. | |
| smb-called-name (ANY) | Matches the NetBIOS name of the initiator of an SMB session. | |
| smb-calling-name (ANY) | Matches the NetBIOS name of the receiver of an SMB session. | Screenshot: TCP source port 2376 to destination port 139, 72-byte packet, session request (type 0x81, length 68) with called name `SEPTU` and calling name `PEUGEOT-104Z00`. |
| smb-connect-path (CTS) | Matches the connect path in the TREE_CONNECT_ANDX request of an SMB session. | Screenshot: NetBIOS session message (type 0x00, length 68), Tree Connect AndX Request (0x75) with Path `\\*SMBSERVER\IPC$` highlighted. |
| smb-connect-service (CTS) | Matches the connect service in the TREE_CONNECT_ANDX request of an SMB session. | Screenshot: Tree Connect AndX Request with the Service field missing; Path `\\*SMBSERVER\IPC$`, Password `00`. |
| smb-copy-filename (CTS) | Matches the filename in the COPY request of an SMB session. | |
| smb-data (ANY) | Matches any SMB data portion. | Screenshot: Write AndX Request (0x2f) whose 1024-byte data section repeats the pattern `41414141`. |
| smb-dce-rpc (ANY) | Matches any DCE/RPC message sent over the SMB transport layer. | Screenshot: DCE/RPC Bind_ack (single fragment, FragLen 274, Call 1); pattern `JobAdd`. |
| smb-dce-rpc-bind (CTS) | Matches any DCE/RPC bind message sent over the SMB transport layer. | Screenshot: DCE/RPC Bind, single fragment, FragLen 72, Call 1. |
| smb-dce-rpc-bind-ack (STC) | Matches any DCE/RPC bind-ack message sent over the SMB transport layer. | Screenshot: DCE/RPC Bind_ack, single fragment, FragLen 274, Call 1, with a regex pattern. |
| smb-dce-rpc-bind-nack (STC) | Matches any DCE/RPC bind-nack message sent over the SMB transport layer. | |
| smb-dce-rpc-request (CTS) | Matches any DCE/RPC request message sent over the SMB transport layer. | Screenshot: DCE/RPC request (single fragment, FragLen 128, Call 1, Ctx 0, Resp 23) to the Microsoft AT-Scheduler Service, JobAdd operation; smb-dce-rpc-request pattern shown. |
| smb-dce-rpc-request-obj-uuid (CTS) | Matches the object UUID of any DCE/RPC request message. | Screenshot: DCE/RPC Bind (version 5, type 11, flags 0x03, fragment length 72, Call ID 1, max transmit and receive sizes 5840, association group 0x00000000), context ID 0, abstract syntax WKSSVC V1.0, interface UUID `6bffd098-a112-3610-9833-46c3f87e345a`. |
| smb-dce-rpc-response (STC) | Matches any DCE/RPC response message sent over the SMB transport layer. | Screenshot: DCE/RPC Response over the SMB pipe protocol; pattern `\x53415f\x`. |
| smb-delete-filename (CTS) | Matches the filename in the DELETE request of an SMB session. | |
| smb-dialect (CTS) | Matches each SMB dialect string in the NEGOTIATE request of an SMB session. | |
| smb-header | Matches any SMB header portion. | Screenshot: SMB header of a Tree Connect AndX Response (0x75) highlighted; pattern `\xff534d\x`. |
| smb-lanman-request (CTS) | Matches any LANMAN request sent as a named pipe transaction over the SMB transport layer. The first two bytes of this context contain the opcode of the function. | Screenshot: packet capture with bytes `00 50 c3` highlighted in the TCP segment; pattern `\x680042\x`. |
| smb-lanman-response (STC) | Matches any LANMAN response received as a named pipe transaction over the SMB transport layer. The first two bytes of this context contain the opcode of the function. | Screenshot: SMB Trans Response (word count 10, total parameter count 19, total data count 0, parameter count 19, parameter offset 56, data count 0, data offset 76, byte count 21, padding 00) with the parameters shown as a hex string. |
| smb-lsarpc-request (CTS) | Matches any Local Security Authority request sent as a named pipe transaction over the SMB transport layer. The first two bytes of this context contain the opcode of the function. | |
| smb-move-filename (CTS) | Matches the filename in the MOVE request of an SMB session. | |
| smb-native-lanman (ANY) | Matches the native LANMAN in the SESSION_SETUP_ANDX request of an SMB session. | Screenshot: Session Setup AndX Request with Native LAN Manager `pysmb` highlighted. |
| smb-native-os (ANY) | Matches the native OS in the SESSION_SETUP_ANDX request of an SMB session. | Screenshot: Session Setup AndX Request (word count 13, max buffer 65535, VC number 408, capabilities 0x00000001) with Native OS `nt`. |
| smb-open-filename (CTS) | Matches the filename in the NT_CREATE_ANDX and OPEN_ANDX requests of an SMB session. | Screenshot: NT Create AndX Request (word count 24, create flags 0x00000016, access mask 0x0002019f, share access read/write, impersonation level 2, byte count 8) with Filename `wkssvc`. |
| smb-primary-domain (ANY) | Matches the SMB primary domain name in the SESSION_SETUP_ANDX request of an SMB session. | |
| smb-rename-filename (CTS) | Matches the filename in the RENAME request of an SMB session. | Screenshot: Rename Request (0x07), word count 1, byte count 23, Old File Name `test.txt`, New File Name `test2.txt`; pattern `\x53415f\x`. |
| smb-samr-request (CTS) | Matches any Security Account Manager request sent as a named pipe transaction over the SMB transport layer. The first two bytes of this context contain the opcode of the function. | Screenshot: Session Setup AndX Request with its security blob and a context usage example. |
| smb-samr-response (STC) | Matches any Security Account Manager response received as a named pipe transaction over the SMB transport layer. The first two bytes of this context contain the opcode of the function. | |
| smb-session-header | Matches any SMB session header portion. | Screenshot: NetBIOS session request (type 0x81, flags 0x00, length 68) with called name `SMBSERVER<20>` and calling name `IMPACT<00>`. |
| smb-srvsvc-request (CTS) | Matches any Server Service request sent as a named pipe transaction over the SMB transport layer. The first two bytes of this context contain the opcode of the function. | Screenshot: Server Service NetSessEnum request; smb-srvsvc-request pattern shown. |
| smb-svcctl-request (CTS) | Matches any Service Control Manager request sent as a named pipe transaction over the SMB transport layer. The first two bytes of this context contain the opcode of the function. | Screenshot: DCE/RPC request (single fragment, FragLen 60, Call 1, Ctx 0, Resp 21) to Microsoft Service Control, OpenSCManagerA; pattern `.OQRSVC..`. |
| smb-trans2-request (CTS) | Matches any SMB Transaction2 request. | Screenshot: Trans2 Request (0x32) highlighted; pattern `.*OQRSVC.*`. |
| smb-trans2-response (STC) | Matches any SMB Transaction2 response. | Screenshot: Trans2 Response (0x32) highlighted; pattern `\x00000000\x`. |
| smb-trans2-set-path-info (CTS) | Matches any SMB Transaction2 SET-PATH-INFORMATION request. | Screenshot: Trans2 Request with subcommand SET_PATH_INFO, parameters and data attributes highlighted. |
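An added example (written for this page, not the documentation's or Juniper's own code) of the smb-session-header, smb-called-name, smb-calling-name, smb-header and smb-data contexts from Table 3, and of the `\x...\x` hex pattern syntax the table uses: it builds a constructed NetBIOS session request and session message, carves those contexts out of each frame, and tests patterns from the table against them. The 4-byte session header layout (type, flags, 2-byte length), the 32-byte SMB1 header and the RFC 1001 name encoding are assumptions of the example, not statements from the page.

```python
import re

# Constructed NetBIOS Session Service frames (not captures from the page): a
# session request carrying the names shown in Table 3, and a session message
# wrapping an SMB1 header plus a short data area.
def nb_encode(name, suffix):
    """RFC 1001 encoding: pad to 15 chars, add suffix byte, split each byte into two 'A'+nibble chars."""
    raw = name.ljust(15).encode("ascii") + bytes([suffix])
    enc = bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0xF) + 0x41))
    return b"\x20" + enc + b"\x00"             # length byte, 32 chars, root label

def nb_decode(field):
    """Inverse of nb_encode: returns (name, suffix byte)."""
    enc = field[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def nbss(msg_type, body):
    """4-byte session header (type, flags, big-endian length) followed by the body."""
    return bytes([msg_type, 0]) + len(body).to_bytes(2, "big") + body

SESSION_REQUEST = nbss(0x81, nb_encode("SMBSERVER", 0x20) + nb_encode("IMPACT", 0x00))
SMB_HEADER = b"\xffSMB" + b"\x75" + b"\x00" * 27      # command 0x75 = Tree Connect AndX
SMB_DATA = b"\x05\x00" + b"A" * 8 + b"OQRSVC\x00"      # constructed data portion
SESSION_MESSAGE = nbss(0x00, SMB_HEADER + SMB_DATA)

def smb_contexts(frame):
    """Carve the Table 3 contexts modelled here out of one NetBIOS session frame."""
    ctx = {"smb-session-header": frame[:4]}
    msg_type, length = frame[0], int.from_bytes(frame[2:4], "big")
    body = frame[4:4 + length]
    if msg_type == 0x81:                                  # session request: two names
        ctx["smb-called-name"], _ = nb_decode(body[:34])
        ctx["smb-calling-name"], _ = nb_decode(body[34:68])
    elif msg_type == 0x00 and body[:4] == b"\xffSMB":     # session message carrying SMB
        ctx["smb-header"] = body[:32]
        ctx["smb-data"] = body[32:]
    return ctx

def pattern_to_regex(pattern):
    """Turn a signature pattern with \\x..\\x hex runs (as in the table) into a bytes regex."""
    parts = re.split(r"\\x([0-9a-fA-F]+)\\x", pattern)    # odd indices are hex runs
    out = b"".join(re.escape(bytes.fromhex(p)) if i % 2 else p.encode("latin-1")
                   for i, p in enumerate(parts))
    return re.compile(out, re.DOTALL)

def context_matches(ctx, name, pattern):
    """True when the pattern matches the named context of this frame (False if absent)."""
    value = ctx.get(name)
    if value is None:
        return False
    if isinstance(value, str):
        value = value.encode("latin-1")
    return pattern_to_regex(pattern).search(value) is not None
```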

Service Contexts: TFTP

The table displays the security context details for TFTP:

Table 4: Service Contexts: TFTP

| Context and Direction | Description | Example of Contexts |
|---|---|---|
| tftp-filename (CTS) | Matches any filename in a TFTP session. | Screenshot: Read Request (opcode 1) with source file string `;]ApWm.T.T\T` highlighted and a truncated data type; context tftp-filename, pattern `T\.IT`. |
| tftp-get-filename (CTS) | Matches the get filename in a TFTP session. | Screenshot: Read Request (opcode 1) with source file `;]ApWm&T.IT`; pattern `&T.IT`. |
| tftp-put-filename (CTS) | Matches the put filename in a TFTP session. | Screenshot: Write Request (opcode 2) with file name `cbM5QqXgARCqAtKUUFhE2CBrYcJCwP$b` highlighted; pattern `cbM5Qq`. |