Legacy Contexts

These attack objects and groups are designed to detect known attack patterns and protocol anomalies within network traffic. You can configure attack objects and groups for legacy contexts as match conditions in IDP policy rules. The direction given in parentheses after each context name is the traffic direction in which the context is evaluated: CTS (client-to-server), STC (server-to-client), or ANY (either direction).

Service Contexts: AIM

The table displays the security context details for AIM:

Table 1: Service Contexts: AIM

| Context and Direction | Description | Display Name |
|---|---|---|
| aim-auth-request-msg (ANY) | Matches the message sent from one user to another when requesting authorization to add to the buddy list. | AIM Auth Request Msg |
| aim-away-message (CTS) | Matches the message sent to other clients when a user changes status to 'away'. | AIM Away Message |
| aim-buddy-comment (ANY) | Matches the comment stored for a buddy in the contact list. | AIM Buddy Comment |
| aim-capabilities (ANY) | Matches the set of features supported by the client. | AIM Capabilities |
| aim-chat-info (STC) | Matches the information about a chatroom. | AIM Chat Info |
| aim-chat-interests (STC) | Matches the categories of personal interests in a user's profile. | AIM Chat Interests |
| aim-chat-room-desc (STC) | Matches the description of a chatroom. | AIM Chat Room Desc |
| aim-chat-room-name (STC) | Matches the name of a chatroom in an AIM/ICQ session. | AIM Chat Room Name |
| aim-client-ip (STC) | Matches the IP address of the client for direct P2P communication. | AIM Client Ip |
| aim-client-port (STC) | Matches the port that the client is listening on for P2P communication. | AIM Client Port |
| aim-client-status (STC) | Matches the user's online status. | AIM Client Status |
| aim-decline-reason (ANY) | Matches the decline reason when a client refuses to be added to another user's contact list. | AIM Decline Reason |
| aim-descripted-url (ANY) | Matches the description and URL when sending a Web page to another address. | AIM Descripted Url |
| aim-email-address (STC) | Matches the e-mail address of a user as it appears in the profile. | AIM Email Address |
| aim-error-url (STC) | Matches the URL on the server where the user can reconfigure the account password. | AIM Error Url |
| aim-gcard-message (ANY) | Matches the message associated with a greeting card. | AIM Gcard Message |
| aim-gcard-recipient (ANY) | Matches the screen name of a greeting card recipient. | AIM Gcard Recipient |
| aim-gcard-sender (ANY) | Matches the screen name of a greeting card sender. | AIM Gcard Sender |
| aim-gcard-theme (ANY) | Matches the theme of a greeting card sent from one client to another. | AIM Gcard Theme |
| aim-gcard-title (ANY) | Matches the title of a greeting card sent from one user to another. | AIM Gcard Title |
| aim-gcard-url (ANY) | Matches the URL of the greeting card sent from one user to another. | AIM Gcard Url |
| aim-get-file (STC) | Matches the name of a file that the user is transferring from a peer. | AIM Get File |
| aim-group (ANY) | Matches the name of a group of items (usually buddies). | AIM Group |
| aim-info-text (STC) | Matches additional information text that appears in a user's profile. | AIM Info Text |
| aim-local-ip (CTS) | Matches the IP address of a client used for P2P communication. | AIM Local Ip |
| aim-local-port (CTS) | Matches the local port that the client is listening on for P2P communication. | AIM Local Port |
| aim-message-block (ANY) | Matches the instant message sent from one user to another. | AIM Message Block |
| aim-message-description (ANY) | Matches the description of a message. | AIM Message Description |
| aim-nick-name (ANY) | Matches the nickname of an AIM/ICQ user. | AIM Nick Name |
| aim-oft-content (ANY) | Matches the contents of a file being transferred between peers. | AIM Oft Content |
| aim-oft-name (ANY) | Matches the name of a file being transferred between peers. | AIM Oft Name |
| aim-peer-ip (STC) | Matches the IP address of a peer for direct P2P communication. | AIM Peer Ip |
| aim-peer-port (STC) | Matches the port of a peer for direct P2P communication. | AIM Peer Port |
| aim-put-file (CTS) | Matches the name of a file that the user is transferring to a peer. | AIM Put File |
| aim-screen-name (ANY) | Matches the screen name of a user. | AIM Screen Name |
| aim-server-ip (STC) | Matches the IP address of a server. Typically used when the main server redirects the client to another server. | AIM Server Ip |
| aim-server-url (STC) | Matches any URL on the server. | AIM Server Url |
| aim-url (ANY) | Matches the URL of a user's profile. | AIM Url |
| aim-xml-value (STC) | Matches the XML string sent by the server with the value of a requested URL. | AIM Xml Value |

Service Contexts: Finger

The table displays the security context details for Finger:

Table 2: Service Contexts: Finger

| Context and Direction | Description | Example of Contexts |
|---|---|---|
| finger-host (CTS) | Matches each hostname in a FINGER request. | FINGER query root@microsoft.com@american; context usage: finger-user pattern american. |
| finger-s2c-data (STC) | finger-s2c-data | |
| finger-user (CTS) | Matches the username in a FINGER request. | FINGER query root@microsoft.com@american with the user root highlighted; context usage: finger-user pattern root. |

Service Contexts: Gnutella

The table displays the security context details for Gnutella:

Table 3: Service Contexts: Gnutella

| Context and Direction | Description | Display Name |
|---|---|---|
| gnutella-connect-fail-reason (STC) | Matches the connection fail reason string in a Gnutella connection. | GNUTELLA Connect Fail Reason |
| gnutella-connect-header (ANY) | Matches the contents of the HTTP-style CONNECT message in a Gnutella session. | GNUTELLA Connect Header |
| gnutella-http-get-filename (CTS) | Matches the name of the file that the client intends to retrieve. | GNUTELLA Http Get Filename |
| gnutella-http-header (ANY) | Matches any HTTP-style headers in a Gnutella session. | GNUTELLA Http Header |
| gnutella-queryhit-vendor (STC) | Matches the 4-byte vendor code in the reply for the QUERYHIT message. | GNUTELLA Queryhit Vendor |
| gnutella-search-criteria (CTS) | Matches the search criteria in a QUERY message of a Gnutella session. | GNUTELLA Search Criteria |
| gnutella-user-agent (ANY) | Matches the name of the user agent in a Gnutella session. | GNUTELLA User Agent |

Service Contexts: Gopher

The table displays the security context details for Gopher:

Table 4: Service Contexts: Gopher

| Context and Direction | Description | Display Name |
|---|---|---|
| gopher-display (STC) | Matches the display string of a Gopher item. | GOPHER Display |
| gopher-file (STC) | Matches the contents of a Gopher item/file. | GOPHER File |
| gopher-host-port (STC) | Matches the host and port used to get an item. | GOPHER Host Port |
| gopher-selector (STC) | Matches the selector string of a Gopher item. | GOPHER Selector |

Service Contexts: IEC

The table displays the security context details for IEC:

Table 5: Service Contexts: IEC

| Context and Direction | Description | Display Name |
|---|---|---|
| iec104-message-type-i (ANY) | Matches the Type-I message of IEC104. | IEC104 Message Type I |
| iec104-message-type-s (ANY) | Matches the Type-S message of IEC104. | IEC104 Message Type S |
| iec104-message-type-u (ANY) | Matches the Type-U message of IEC104. | IEC104 Message Type U |

Service Contexts: IRC

The table displays the security context details for IRC:

Table 6: Service Contexts: IRC

| Context and Direction | Description | Example of Contexts |
|---|---|---|
| irc-command (ANY) | Matches any IRC command name. | IRC transaction showing a USER command with request, command parameters, and trailer. |
| irc-join-chan (ANY) | Matches the channel name in the JOIN command of an IRC session. | IRC transaction showing a JOIN request to channel xx16-testing; context usage: irc-join-chan pattern testing. |
| irc-nick-name (ANY) | Matches the name in the NICK command of an IRC session. | IRC transaction showing a USER command with nickname 00_USA_XP_0773972; context usage: pattern USA_XP. |
| irc-notice-msg (ANY) | Matches the message in the NOTICE command of an IRC session. | IRC server response from anthony.freenode.net with command NOTICE and message "Looking up your hostname". |
| irc-oper-name (ANY) | Matches the name in the OPER command of an IRC session. | |
| irc-oper-password (ANY) | Matches the password in the OPER command of an IRC session. | |
| irc-part-chan (ANY) | Matches the channel name in the PART command of an IRC session. | |
| irc-password (ANY) | Matches the password in the PASS command of an IRC session. | |
| irc-priv-msg (ANY) | Matches the message in the PRIVMSG command of an IRC session. | IRC message with prefix frigg, command PRIVMSG, parameter 00_USA_XP_07739 and trailer VERSION; context usage: pattern USA_XP. |
| irc-real-name (ANY) | Matches the real name in the USER command of an IRC session. | IRC USER command with parameters winxpprosp3 and irc.freenode.net and trailer 00_USA_XP_0773972. |
| irc-topic (ANY) | Matches the arguments of the TOPIC command of an IRC session. | |
| irc-user-name (ANY) | Matches the name in the USER command of an IRC session. | IRC USER command with user identifier 00_USA_XP_0773972; context usage: pattern SA_XP. |

Service Contexts: LPR

The table displays the security context details for LPR:

Table 7: Service Contexts: LPR

| Context and Direction | Description | Example of Contexts |
|---|---|---|
| lpr-cfile-command (CTS) | Matches the entire CFILE subcommand line, including the first byte of the subcommand type. | |
| lpr-cfile-name (CTS) | Matches the name of the control filename that is sent as part of the RECEIVE-JOB command. | |
| lpr-command (CTS) | Matches the entire command line, including the first byte of the command code. | LPD receive-control-file command with hexadecimal data 026f4c33313732343933353831393460, representing the printer option oL317249358194 and COMMAND. |
| lpr-dfile-name (CTS) | Matches the name of the data filename that is sent as part of the RECEIVE-JOB command. | |

Service Contexts: MSN

The table displays the security context details for MSN:

Table 8: Service Contexts: MSN

| Context and Direction | Description | Display Name |
|---|---|---|
| msn-addrbook-url (STC) | Matches the URL for a user's address book. | MSN Addrbook Url |
| msn-compose-url (STC) | Matches the URL for composing an e-mail. | MSN Compose Url |
| msn-display-name (ANY) | Matches the display name of a user. | MSN Display Name |
| msn-get-file (STC) | Matches the name of a file that the client is downloading from a peer. | MSN Get File |
| msn-group-name (ANY) | Matches the name of a group of contacts. | MSN Group Name |
| msn-inbox-url (STC) | Matches the URL for a user's Inbox. | MSN Inbox Url |
| msn-ip-port (STC) | Matches the address and port of a switchboard server. | MSN IP Port |
| msn-message (ANY) | Matches the instant message text. | MSN Message |
| msn-message-application (ANY) | Matches the line of an application message (such as a file transfer). | MSN Message Application |
| msn-message-email-notification (STC) | Matches the line sent by the server to notify a client of new or unread e-mail. | MSN Message Email Notification |
| msn-message-header (ANY) | Matches the header line of an instant message. | MSN Message Header |
| msn-message-profile (STC) | Matches the line containing the profile of a message sender. | MSN Message Profile |
| msn-passport-url (STC) | Matches the login passport URL. | MSN Passport Url |
| msn-phone-number (ANY) | Matches the user's phone number. | MSN Phone Number |
| msn-png-chunk (ANY) | Matches the contents of a PNG chunk in an MSN transaction. | MSN PNG CHUNK |
| msn-profile-url (STC) | Matches the URL of a user's passport profile. | MSN Profile Url |
| msn-put-file (CTS) | Matches the name of a file that the client is sending to a peer. | MSN Put File |
| msn-sign-in-name (ANY) | Matches the screen name (login name) of a user. | MSN Sign In Name |
| msn-url (STC) | Matches any URL in an MSN session. | MSN URL |
| msn-user-state (ANY) | Matches the user's online state. | MSN User State |

Service Contexts: NNTP

The table displays the security context details for NNTP:

Table 9: Service Contexts: NNTP

| Context and Direction | Description | Example of Contexts |
|---|---|---|
| nntp-banner (STC) | Matches the NNTP banner. | NNTP banner from server nfeed.gw.nagoya-u.ac.jp running InterNetNews 2.2.1 (25-Aug-1999). |
| nntp-body (ANY) | Matches each line of an NNTP message body. | NNTP message showing headers, sender information, target newsgroup, and a file attachment. |
| nntp-cmd-line (CTS) | Matches the entire NNTP command line. | TCP segment (source port 3620, destination port 119, sequence number 1894101608, acknowledgment number 2026416476, length 13) with the NNTP command line mode stream\r\n highlighted. |
| nntp-header (ANY) | Matches any header in an NNTP session. | X-Proxy-User header with value $$t6aqbb highlighted; context usage: nntp-header pattern aqbb. |
| nntp-ihave-msgid (CTS) | Matches the message ID that appears in the IHAVE command of an NNTP session. | |
| nntp-mode (CTS) | Matches the NNTP mode. | NNTP command mode stream; context usage highlights the word stream. |
| nntp-msgid (ANY) | Matches the message ID that appears in various commands of an NNTP session. | Message ID 42093d65$0$489$626aI4ce$S$news.free.fr highlighted. |
| nntp-newsgroup (ANY) | Matches the name of news groups in an NNTP session. | |

Service Contexts: REXEC

The table displays the security context details for REXEC:

Table 10: Service Contexts: REXEC

| Context and Direction | Description | Display Name |
|---|---|---|
| rexec-remote-command (CTS) | Matches the remote command in an REXEC session. | REXEC Remote Command |
| rexec-remote-user (CTS) | Matches the remote username in an REXEC session. | REXEC Remote Username |

Service Contexts: RLOGIN

The table displays the security context details for RLOGIN:

Table 11: Service Contexts: RLOGIN

| Context and Direction | Description | Example of Contexts |
|---|---|---|
| rlogin-local-user (CTS) | Matches the local username in an RLOGIN session. | RLOGIN session with client-user-name root highlighted, server-user-name bin, terminal-type xterm-color, terminal-speed 38400. |
| rlogin-remote-user (CTS) | Matches the remote username in an RLOGIN session. | RLOGIN session with client-user-name root, server-user-name bin highlighted, terminal-type xterm-color, terminal-speed 38400; context usage: rlogin-remote-user pattern bin. |

Service Contexts: RSH

The table displays the security context details for RSH:

Table 12: Service Contexts: RSH

| Context and Direction | Description | Example of Contexts |
|---|---|---|
| rsh-local-user (CTS) | Matches the local username in an RSH session. | RSH exchange with the server data shown as a hexadecimal string; context usage: rsh-local-user pattern \x5d\x. |
| rsh-remote-command (CTS) | Matches the remote command in an RSH session. | RSH client-to-server data in hex 36557d23475349304d70704b5a26547a272554 highlighted. |
| rsh-remote-user (CTS) | Matches the remote username in an RSH session. | RSH exchange with the byte 5d highlighted in the server data; context usage: rsh-remote-user pattern \x5d. |

Service Contexts: RUSERS

The table displays the security context details for RUSERS:

Table 13: Service Contexts: RUSERS

| Context and Direction | Description | Display Name |
|---|---|---|
| rusers-device (STC) | Matches the name of the device in an RUSERS session. | RUSERS Device |
| rusers-host (STC) | Matches the name of the host in an RUSERS session. | RUSERS Host |
| rusers-user (STC) | Matches the name of the user in an RUSERS session. | RUSERS User |

Service Contexts: TNS

The table displays the security context details for TNS:

Table 14: Service Contexts: TNS

| Context and Direction | Description | Example of Contexts |
|---|---|---|
| tns-accept-section (STC) | Matches the Accept Section Data in a TNS session. | |
| tns-connect-addr-dev (CTS) | Matches the Connect Address-Dev in a TNS session. | |
| tns-connect-addr-host (CTS) | Matches the Connect Address-Host in a TNS session. | |
| tns-connect-addr-key (CTS) | Matches the Connect Address-Key in a TNS session. | |
| tns-connect-addr-port (CTS) | Matches the Connect Address-Port in a TNS session. | |
| tns-connect-addr-proto (CTS) | Matches the Connect Address-Protocol in a TNS session. | |
| tns-connect-cid-host (CTS) | Matches the Connect Data CID Host in a TNS session. | |
| tns-connect-cid-user (CTS) | Matches the Connect Data CID User in a TNS session. | |
| tns-connect-data-cid-prog (CTS) | Matches the Connect Data CID Program in a TNS session. | |
| tns-connect-data-sid (CTS) | Matches the Connect Data SID in a TNS session. | |
| tns-connect-data-svcname (CTS) | Matches the Connect Data Service Name in a TNS session. | |
| tns-connect-section (CTS) | Matches the Connect Section Data in a TNS session. | TNS Connect packet: length 453, packet type Connect, TCP host 10.150.9.37, port 1521, connect command STATUS. |
| tns-data-flags (ANY) | Matches the 2-byte flags of the Data Section in a TNS session. | |
| tns-data-section (ANY) | Matches the Data Section Data in a TNS session. | |
| tns-message-body (ANY) | Matches any Message Body in a TNS session. | TNS Connect packet showing packet length, checksum, connection flags, trace information, and connection data. |
| tns-message-type (ANY) | Matches the Message Type in a TNS session. | TNS packet with Packet Length 453, Packet Type Connect highlighted, Version 3129. |
| tns-preamble (ANY) | Matches the first 8 bytes of a TNS message. | |
| tns-redirect-section (STC) | Matches the Redirect Section in a TNS session. | |

Service Contexts: YMSG

The table displays the security context details for YMSG:

Table 15: Service Contexts: YMSG

| Context and Direction | Description | Example of Contexts |
|---|---|---|
| ymsg-alias (ANY) | Matches the alternate name associated with the main username. | |
| ymsg-buddy-name (ANY) | Matches the name of a user that appears on the friends list. | |
| ymsg-chatroom-chatter (ANY) | Matches the name of a user participating in a chat session. | |
| ymsg-chatroom-invitee (ANY) | Matches the name of the user who is being invited to join a chatroom. | |
| ymsg-chatroom-message (ANY) | Matches the messages exchanged in a chatroom. | |
| ymsg-chatroom-name (ANY) | Matches the name of a chatroom in a YMSG session. | |
| ymsg-conf-host (ANY) | Matches the name of the user who is hosting the conference. | |
| ymsg-conf-invitee (ANY) | Matches the name of a user who is invited to a conference. | |
| ymsg-conf-join-msg (ANY) | Matches the content of a message sent as part of a conference invitation. | |
| ymsg-conf-name (ANY) | Matches the name of a conference session. | |
| ymsg-config-url (STC) | Matches the URL at which the user can configure the password after the account is disabled. | |
| ymsg-contact-name (ANY) | Matches the contact name in a friends list or invitation. | |
| ymsg-group-name (ANY) | Matches the name of a group used to categorize friends. | |
| ymsg-header (ANY) | Matches data in the protocol header. | YMSG Verify packet: version 11, vendor ID 0, packet length 0, service Verify (76), status Default (0), session ID 0x00000000; context usage: ymsg-header pattern 0b\ |
| ymsg-ignored-user (ANY) | Matches the name of the user being added to, or appearing on, the ignored users list. | |
| ymsg-mail-sender (STC) | Matches the name of the user sending an e-mail message. | |
| ymsg-mail-sender-address (STC) | Matches the e-mail address of the sender. | |
| ymsg-mail-subject (STC) | Matches the e-mail subject. | |
| ymsg-main-identity (ANY) | Matches the main identity name of the user. | |
| ymsg-message (ANY) | Matches the instant message that is sent from one client to another. | YMSG Message packet: version 16, vendor ID 0, packet length 94, service Message (6), status Offline (1515563606), session ID 0xdd4c47b0, content shown as a hexadecimal string; key/value pairs: key 1 bryanrburns, key 5 yim_black_mage, key 97 1, key 14 "ok I got yours"; context usage: ymsg-message pattern yours. |
| ymsg-message-server-filename-url (STC) | Matches the message with the name of the file on the client from which the server can download and transfer to peers. | |
| ymsg-nickname (ANY) | Matches the nickname of a user. | |
| ymsg-p2p-get-filename (STC) | Matches the name of the file on the peer from which the file can be downloaded. | YMSG file transfer packet: version 16, vendor ID 0, packet length 2037, service Y7 File Transfer (220), status Server Ack (1), session ID 0xd4c4d7b0, filename C0adf90452a70a3f129747b3be64bc66.png. |
| ymsg-p2p-get-filename-url (STC) | Matches the location of a file on the peer from which the file can be downloaded. | |
| ymsg-p2p-put-filename (CTS) | Matches the name of the file on the client that other peers can download. | YMSG file transfer packet: version 16, vendor ID 0, packet length 2037, service 220, status 1, session ID 0xd4c447b0, filename c0adf90452a70a3f129747b3be64bc66.png. |
| ymsg-p2p-put-filename-url (CTS) | Matches the location of a file on the client from which other peers can download. | |
| ymsg-recipient (ANY) | Matches the identity of the recipient of a message or file. | |
| ymsg-sender (ANY) | Matches the identity of the sender of a message or file. | |
| ymsg-server-get-filename-url (STC) | Matches the location of a file on the client from which the server can download and transfer to peers. | |
| ymsg-system-message (STC) | Matches the content of a message sent from the server to the client. | |
| ymsg-user-name (ANY) | Matches the identity of the login user or one of the user's aliases. | YMSG packet: version 11, vendor ID 0, packet length 14, service Authentication (87), status Default (0), session ID 0x00000000, content 31c0806a75736f6232303030c080, key 1 value jusob2000 highlighted; context usage: ymsg-user-name pattern jusob. |