Web Protocol Contexts

These attack objects and groups are designed to detect known attack patterns and protocol anomalies within the network traffic. You can configure attack objects and groups for web protocols as match conditions in IDP policy rules.

Service Contexts: HTTP

The table displays the security context details for HTTP. The direction in parentheses after each context name is the traffic direction the context applies to: CTS (client to server), STC (server to client), or ANY.

Table 1: Service Contexts: HTTP (columns: Context and Direction | Description | Example of Contexts)

http-authorization (CTS)

Matches the username and password decoded from the Authorization: Basic header in an HTTP request.

HTTP request with Authorization header; Basic Authentication using Base64 encoding; highlights security risk if not using HTTPS.

http-data (ANY)

Matches any HTTP data in an HTTP transaction that is not text/html, text/plain, or FORM values in a POST request.

HTTP response example: status code 200 OK, content type application/octet-stream, server Apache/2.0. The hexadecimal HTTP response body is highlighted, with the context usage pattern shown against it.

http-first-data-chunk (ANY)

Matches the first data chunk in an HTTP transaction.

HTTP response snippet with status HTTP/1.0 200 OK, content type text/html, content length 300, last modified date Fri, 15 Jul 2016 16:26:13 GMT. HTML code highlighted in yellow shows html style equals display:flex, head, and script tags. Example context usage for detecting styles in HTML: pattern .*style\s=\s

http-flash

Matches the HTTP payload when the content type is Flash video or a Flash application.

HTTP response with Flash file payload; headers: 200 Ok, Content-Type: application/x-shockwave-flash, Server: Apache, Content-Length: 660. Payload: binary data with SWF signature CWS, used in cybersecurity for detecting Flash files.

http-form-data (CTS)

Matches each of the form values in a POST request of an HTTP transaction.

http-get-url (CTS)

Matches the URL in an HTTP get request as it appears in the stream.

HTTP GET request to URL /fsc/secured\fsc.aspx from host 10.2.1.53. Pattern matches URLs with /fsc/secured.

http-get-url-parsed (CTS)

Matches the decoded, normalized URL in an HTTP get request.

URI normalization process: Decoding percent-encoded triplets to unreserved characters. Example: '%7E' to '~'. Context: HTTP request pattern '~foo'.

http-head-url (CTS)

Matches the URL in an HTTP head request as it appears in the stream.

HTTP HEAD request example showing request line and headers including Host: bt05 and User-Agent: Mozilla. Context pattern: http-head-url with URLs starting with //.

http-head-url-parsed (CTS)

Matches the decoded, normalized URL in an HTTP head request.

HTTP HEAD request example showing the URL as it is normalized, following the same URI normalization process as http-get-url-parsed. Context pattern for http-head-url-parsed: fsc/secured.

http-header (ANY)

Matches any HTTP header.

HTTP request header fields example with GET request URL and headers: Accept all, Accept-Language English US, Accept-Encoding gzip deflate, User-Agent Mozilla 4.0 MSIE 6.0 Windows NT 5.1, Host www.liveprotection.net, Connection Keep-Alive.

http-header-accept (CTS)

Matches each Accept: header in an HTTP request.

HTTP request with GET method for /buy.php, query params advid=0, emla=1, lang blank. Accept header */*, Accept-Language en-us, Accept-Encoding gzip, deflate.

http-header-accept-encoding (CTS)

Matches each Accept-Encoding: header in an HTTP request.

Example of HTTP request header fields showing a GET request with URL and parameters, highlighted headers Accept: */*, Accept-Language: en-us, Accept-Encoding: gzip, deflate, and context usage with context http-header-accept-encoding pattern gzip.

http-header-accept-language (CTS)

Matches each Accept-Language: header in an HTTP request.

HTTP request header example showing GET request with highlighted Accept-Language header en-us and context usage pattern en-us.

http-header-content-encoding (ANY)

Matches each Content-Encoding: header in an HTTP transaction.

HTTP response headers with a focus on Content-Encoding field using Base64 encoding, decoded as VmbGF0ZQo.

http-header-content-language (ANY)

Matches each Content-Language: header in an HTTP transaction.

http-header-content-location (ANY)

Matches each Content-Location: header in an HTTP transaction.

http-header-content-md5 (ANY)

Matches each Content-MD5: header in an HTTP transaction.

http-header-content-type (ANY)

Matches each Content-Type: header in an HTTP transaction.

HTTP header fields example showing HTTP version, status code, date, content length, connection type, and content type. Highlights the content type field as text/html. Includes the regex pattern for identifying the content type header.

http-header-cookie (ANY)

Matches each Cookie: header in an HTTP transaction.

HTTP request header fields example with cookie header SESSIONsess_user_id1;no_http_headers1. Context usage for pattern matching no_http_headers1 value.

http-header-host (CTS)

Matches each Host: header in an HTTP request.

http-header-referer (CTS)

Matches each Referer: header in an HTTP request.

http-header-soapaction (ANY)

Matches each soapaction: header in an HTTP transaction.

http-header-user-agent (CTS)

Matches each User-Agent: header in an HTTP request.

http-header-x-forwarded-for

Matches each X-Forwarded-For: header in an HTTP request.

Pattern match for the X-Forwarded-For header in an HTTP request; the pattern covers digits, dots, and hexadecimal characters.

http-image (ANY)

Matches IMAGE contents (BMP, PNG) in an HTTP transaction.

HTTP response header example showing success code, server type, content type as BMP, and data pattern detection.

http-jpeg-raw (ANY)

Matches JPEG content in an HTTP transaction.

HTTP response headers with JPEG content type and JPEG data snippet with JFIF marker, illustrating HTTP headers and JPEG identification.

http-jpeg-tag (ANY)

Matches the JPEG tag of JPEG content in an HTTP transaction.

JPEG image files provide an area for applications to store metadata such as title, date taken, shutter speed, and so on. There are several slots available, each of which holds a group of metadata tags.

A JPEG file contains several segments; each segment contains different kinds of data, delimited by two-byte codes called markers. The markers are hexadecimal; they begin with 0xFF and end with a code (1 byte) indicating the kind of marker.

HTTP response header with JPEG content type, hex data showing JPEG file structure, colored segments highlight JPEG tags like Start of Image, APP0, comment segment.
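The segment layout described above, as an added example (not the page's own code): a Python walker over a constructed JPEG prefix that lists the markers in file order, the tags the http-jpeg-tag context keys on, and rejects a segment whose length runs past the data. The sample bytes and the marker-name table are constructed for illustration.

```python
import struct

# Constructed minimal JPEG prefix (sample bytes, not a real image): SOI, a JFIF
# APP0 segment, a comment (COM) segment, then SOS where scan data would begin.
SAMPLE_JPEG = (
    b"\xFF\xD8"                                                  # SOI, no length
    + b"\xFF\xE0" + struct.pack(">H", 16)
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"           # APP0 payload
    + b"\xFF\xFE" + struct.pack(">H", 2 + 11) + b"constructed"   # COM payload
    + b"\xFF\xDA" + struct.pack(">H", 2)                         # SOS, empty header
)

MARKER_NAMES = {0xD8: "SOI", 0xE0: "APP0", 0xFE: "COM", 0xDB: "DQT",
                0xC0: "SOF0", 0xC4: "DHT", 0xDA: "SOS", 0xD9: "EOI"}
# Markers that carry no length field: TEM, RST0..RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def parse_jpeg_segments(data):
    """Each segment starts with 0xFF plus a one-byte marker code; most are then
    followed by a big-endian two-byte length that counts itself."""
    segments, pos = [], 0
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        code = data[pos + 1]
        name = MARKER_NAMES.get(code, f"0x{code:02X}")
        if code in STANDALONE:
            segments.append((name, b""))
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad length {length} for {name} at offset {pos}")
        segments.append((name, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if code == 0xDA:                # SOS: entropy-coded data follows, stop
            break
    return segments


def jpeg_tags(data):
    return [name for name, _ in parse_jpeg_segments(data)]


def is_well_formed(data):
    try:
        parse_jpeg_segments(data)
        return True
    except ValueError:
        return False
```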

http-object-tag-clsid (STC)

Matches the CLSID of an object tag.

HTTP response with embedded HTML and VBScript highlighting a COM object classid C6A96E83-F5AF-4BD4-9BDD-7B18444F814F used to execute functionality.

http-ole

Matches Microsoft's OLE contents in an HTTP transaction.

OLE header signature highlighted in yellow in an HTTP response, indicating an Excel document file type.

http-param-parsed (CTS)

Matches the decoded CGI parameters in an HTTP request.

http-pdf

Matches PDF contents in an HTTP transaction.

HTTP response example with status line HTTP/1.1 200 OK, content type application/pdf, server Apache/2.0, content length 1153, time 0.002751000 seconds, request URI http://118.78.98.50/BPmc0L4Oos7g, file data size 1153 bytes, media type application/pdf 1153 bytes.

http-png-chunk (ANY)

Matches the contents of a PNG chunk in an HTTP transaction.

HTTP response showing PNG file transmission: HTTP 200 OK, Content-Type image/png, Server Apache/2.0, Content-Length 3424 bytes, potential malformed packet warning.

http-post-url (CTS)

Matches the URL in an HTTP post request as it appears in the stream.

HTTP POST URL example: request line POST /index.html?crap=1085538798 HTTP/1.1. Context usage: http-post-url with pattern ".*\?.*" (any POST URL carrying a query string).

http-post-url-parsed (CTS)

Matches the decoded, normalized URL in an HTTP post request.

http-post-variable (CTS)

Matches each CGI variable in the form data of an HTTP POST request.

HTTP POST request to /mail/channel/bind with query parameters: at highlighted in yellow, VER 2, SID 5B974D2448624B32, RID 68492, zx jhspu7-sijvnz. HTTP version is 1.1. Note mentions context usage of at parameter in HTTP POST requests.

http-post-variable-parsed (CTS)

Matches each decoded CGI variable in the form data of an HTTP POST request.

http-request (CTS)

Matches each HTTP request line.

HTTP GET request example showing header fields for resource menurightarw.gif on mail.google.com.

http-request-method (CTS)

Matches the method name in an HTTP request.

HTTP GET request example showing method highlighted in yellow, resource path, version HTTP/1.1, and host mail.google.com.

http-status (STC)

Matches the status line in an HTTP reply.

HTTP response example with status line HTTP/1.1 200 OK and Last-Modified header Mon, 13 Feb 2006 21:10:30 UTC. Context usage of status code 200.

http-text-html (ANY)

Matches the text/html data in an HTTP transaction.

HTTP response with headers and VBScript exploiting MSWebDVD ActiveX control via AcceptParentalLevelChange method for buffer overflow.

http-text-html-body (ANY)

Matches the body of text/html data in an HTTP transaction.

http-text-html-head (ANY)

Matches the header of text/html data in an HTTP transaction.

HTTP response header example with 200 OK status, content length 1360, content type text/html UTF-8, and HTML section with title Admin Password Change.

http-text-html-script (ANY)

Matches the script tag of text/html data in an HTTP transaction.

HTTP header example with 200 OK status, content type text/html, and JavaScript function boom updating textContent and alerting.

http-text-html-style (ANY)

Matches the style tag of text/html data in an HTTP transaction.

HTTP response header with 200 OK, content length 127, keep-alive, content type text/html. HTML code includes root html, head with title CSS, style with font-size set to 1666666px, body with paragraph Sample. Demonstrates pattern for detecting large font-size in body.

http-text-html-tag (ANY)

Matches any tag inside text/html data in an HTTP transaction.

HTTP and HTML example with 200 OK status, Content-Length 1360, UTF-8, and HTML head meta charset iso-8859-1 highlighted

http-text-plain (ANY)

Matches the text/plain data in an HTTP transaction.

HTTP response header fields with a 200 OK status, content length 102400, and text/plain type; includes binary data reference to Standard Jet DB and a regex pattern using Unicode for parsing.

http-text-soap (ANY)

Matches the text/soap data in an HTTP transaction.

HTTP POST request example with XML data for a WebDAV LOCK operation. Highlights XML structure, potential XXE vulnerability via external entity RemoteX.

http-text-xml (ANY)

Matches the text/xml data in an HTTP transaction.

LOCK request for WebDAV resource with XML data showing potential XXE attack. Highlights external entity definition with RemoteX reference.

http-url (CTS)

Matches the URL in an HTTP request as it appears in the stream.

HTTP GET request for Desktop.ini using version 1.1 with headers Host 192.168.160.129 and User-Agent Mozilla 5.0. Context pattern matches URLs with desktop.ini.

http-url-parsed (CTS)

Matches the decoded, normalized URL in an HTTP request.

GET request with encoded VBScript code creating XMLHTTP object, connecting to 192.168.200.2. Context pattern for URL parsing: .*\.[rmp]\.

http-url-parsed-param (CTS)

Matches the decoded, normalized URL in an HTTP request along with the CGI parameters, if any.

Malicious payload in HTTP GET request using VBScript to execute remote code via Microsoft.XMLHTTP object.

http-url-parsed-param-parsed (CTS)

Matches the decoded, normalized URL in an HTTP request along with the decoded CGI parameters, if any.

http-url-variable (CTS)

Matches each CGI variable in the URL of an HTTP GET request.

HTTP GET request targeting /Exoops/class/debug/highlight.php with file parameter c:\phpdev\www\Exoops\mainfile.php and line 151. Host is www.google.com. Regular expression for file parameter validation provided.

http-url-variable-parsed (CTS)

Matches each decoded CGI variable in the URL of an HTTP GET request.

http-variable (CTS)

Matches each CGI variable in an HTTP GET or POST request.

HTTP GET request example with URL path /Exoops/class/debug/highlight.php. Query parameters: file=c:\phpdev\www\Exoops\mainfile.php and line=151. Host: www.google.com. Shows context usage pattern for file parameters starting with c: indicating potential security risks.

http-variable-parsed (CTS)

Matches each decoded CGI variable in an HTTP GET or POST request.
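To make the distinction between a raw context and its *-parsed twin concrete, here is an added example (not part of the Juniper documentation): a small Python model that derives http-get-url, http-url-variable and their parsed counterparts from one GET request line and runs the same pattern against each. The request line and normalize_path are constructed for illustration; nothing is assumed about the IDP decoder's normalization beyond percent-decoding and dot-segment removal.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample GET request line (not from the page). The path carries a
# "." segment and percent-encoding so the raw and *-parsed contexts differ.
SAMPLE_REQUEST_LINE = (
    "GET /fsc/./secured/%7Efoo/fsc.aspx"
    "?file=c%3A%5Cphpdev%5Cwww%5Cmainfile.php&line=151 HTTP/1.1"
)


def normalize_path(raw_path):
    """Hypothetical stand-in for the decoder behind the *-parsed contexts:
    percent-decode, then collapse "." and ".." segments."""
    segments = []
    for seg in unquote(raw_path).split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments)


def extract_contexts(request_line):
    """Values the listed contexts would see for one GET request line."""
    _method, target, _version = request_line.split(" ", 2)
    raw_path, _, raw_query = target.partition("?")
    raw_vars = raw_query.split("&") if raw_query else []
    return {
        "http-get-url": raw_path,                     # as it appears in the stream
        "http-get-url-parsed": normalize_path(raw_path),
        "http-url-variable": raw_vars,                # one entry per CGI variable
        "http-url-variable-parsed": [unquote_plus(v) for v in raw_vars],
    }


def context_matches(contexts, name, pattern):
    """Apply a rule's regex to one context; any entry of a multi-valued context may match."""
    values = contexts[name]
    if isinstance(values, str):
        values = [values]
    return any(re.search(pattern, v) for v in values)


def demo():
    """(raw match, parsed match) for the same pattern on a context and its parsed twin."""
    ctx = extract_contexts(SAMPLE_REQUEST_LINE)
    checks = [("http-get-url", r"~foo"), ("http-get-url", r"/fsc/secured"),
              ("http-url-variable", r"^file=c:")]
    return {pat: (context_matches(ctx, name, pat),
                  context_matches(ctx, name + "-parsed", pat)) for name, pat in checks}
```

A rule written against the raw context misses all three patterns here, which is why the table's URL and parameter examples pair a decoded context with each raw one.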

Service Contexts: SSL

The table displays the security context details for SSL:

Table 2: Service Contexts: SSL (columns: Context and Direction | Description | Example of Contexts)

ssl-cert-common-name (ANY)

Matches the common name attribute of the SSL certificate.

TLS 1.2 handshake protocol certificate showing CN Server Self-Signed Root CA highlighted. Contains certificate version, serial number, and signature algorithm.

ssl-cert-organization-name (ANY)

Matches the organization name in the SSL certificate.

SSL transaction field showing TLS handshake protocol version TLS 1.0, certificate details, issuer info, and organizationName extraction pattern gEf2xu.

ssl-cert-organizational-unit-name (ANY)

Matches the organizational unit name in the SSL certificate.

SSL transaction example highlighting TLS handshake protocol and certificate details. Organization name gEf2xu is highlighted for pattern matching.

ssl-certificate (ANY)

Matches the entire SSL certificate content.

TLS 1.2 handshake with a certificate showing sha256WithRSAEncryption, Server Self-Signed Root CA, and encrypted data.

ssl-change-cipher-spec (ANY)

Matches the Change-Cipher-Spec message content.

ssl-client-hello (CTS)

Matches SSL client hello message content.

TLS 1.2 Client Hello message structure in a handshake, featuring version, random value, session ID length, 61 cipher suites, 1 compression method, and extensions like server_name, ec_point_formats, supported_groups, session_ticket, signature_algorithms, and heartbeat.

ssl-client-key-exchange (CTS)

Matches SSL client key exchange message content.

TLS handshake process highlighting Client Key Exchange with RSA Encrypted PreMaster Secret in hexadecimal format.

ssl-client-version (CTS)

Matches the client SSL version.

Client Hello message in TLS handshake detailing protocol versions TLS 1.0 and TLS 1.2, Handshake content type, message length, random value, session ID length as 0, and SSL client version in hexadecimal.

ssl-selected-cipher-suite (STC)

Matches the selected cipher suite in the server hello message.

TLS 1.2 Server Hello message showing cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 highlighted in yellow with no session resumption.

ssl-server-hello (STC)

Matches SSL server hello message content.

Server Hello message details in TLS handshake: Version TLS 1.2, Random value, Session ID 0, Cipher Suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, Compression Method null, Extensions: renegotiationinfo, ec_point_formats, session_ticket, heartbeat.

ssl-server-key-exchange (STC)

Matches SSL server key exchange message content.

SSL transaction showing Server Key Exchange protocol with TLS version, content type, handshake type, and message length. EC Diffie-Hellman used.

ssl-server-version (STC)

Matches the SSL server version.

TLSv1.2 Record Layer details in SSL transaction: Handshake Protocol Server Hello; Content Type: Handshake 22; Version: TLS 1.2 0x0303; Length: 66; Random data.
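An added example (not from the Juniper documentation) showing what the ssl-server-version, ssl-selected-cipher-suite and ssl-server-hello contexts extract from a Server Hello: a Python builder and parser for a TLS 1.2 ServerHello record carrying the cipher suite and the four extensions named in the table. The record bytes, random value and name tables are constructed for illustration.

```python
import struct

VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
CIPHER_SUITE_NAMES = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                      0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
EXTENSION_NAMES = {0xFF01: "renegotiation_info", 0x000B: "ec_point_formats",
                   0x0023: "session_ticket", 0x000F: "heartbeat"}


def build_server_hello(version=0x0303, cipher_suite=0xC02F):
    """Constructed ServerHello record: empty session id, null compression, four extensions."""
    exts = (struct.pack(">HH", 0xFF01, 1) + b"\x00"
            + struct.pack(">HH", 0x000B, 2) + b"\x01\x00"
            + struct.pack(">HH", 0x0023, 0)
            + struct.pack(">HH", 0x000F, 1) + b"\x01")
    body = (struct.pack(">H", version) + b"\x11" * 32 + b"\x00"   # version, random, sid len
            + struct.pack(">H", cipher_suite) + b"\x00"             # suite, compression
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body       # type 2 = server_hello
    return b"\x16" + struct.pack(">HH", 0x0303, len(handshake)) + handshake  # 22 = handshake


def parse_server_hello(record):
    """Pull out the fields the ssl-server-version, ssl-selected-cipher-suite
    and ssl-server-hello contexts expose, checking lengths as it goes."""
    content_type, _rec_version, rec_len = struct.unpack(">BHH", record[:5])
    hs = record[5:5 + rec_len]
    if content_type != 22 or len(hs) != rec_len:
        raise ValueError("not a complete handshake record")
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if hs_type != 2 or len(body) != hs_len:
        raise ValueError("not a complete ServerHello")
    version = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                                   # skip the 32-byte random
    sid_len = body[pos]
    pos += 1 + sid_len
    suite = struct.unpack(">H", body[pos:pos + 2])[0]
    compression = body[pos + 2]
    pos += 3
    extensions = []
    if pos + 2 <= len(body):                       # extensions block is optional
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
            extensions.append(EXTENSION_NAMES.get(ext_type, f"0x{ext_type:04X}"))
            pos += 4 + ext_len
    return {"server_version": VERSION_NAMES.get(version, f"0x{version:04X}"),
            "cipher_suite": CIPHER_SUITE_NAMES.get(suite, f"0x{suite:04X}"),
            "session_id_length": sid_len, "compression": compression, "extensions": extensions}
```

Feeding the parser a ServerHello built with an older version or a legacy suite (the second assertion set below in the test) is how one would check a rule meant to flag downgraded negotiations before deploying it.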