Identity and Access Contexts

These attack objects and groups are designed to detect known attack patterns and protocol anomalies within the network traffic. You can configure attack objects and groups for identity and access as match conditions in IDP policy rules.

Service Contexts: LDAP

The table displays the security context details for LDAP:

Table 1: Service Contexts: LDAP

Context and Direction

Description

Example of Contexts

ldap-abandon-request (CTS)

Matches the entire Abandon Request message.

ldap-add-request (CTS)

Matches the entire Add Request message.

LDAP transaction field with reassembled TCP segments. Message ID 1 with addRequest operation code 8. Highlighted term addRequest. Context usage shows ldap-add-request pattern addRequest.

ldap-add-request-attribute (CTS)

Matches each attribute in an Add Request message. The values are NULL delimited, and the type and values are newline delimited.

ldap-add-request-attributetype (CTS)

Matches the type of each attribute in an Add Request message.

ldap-add-request-attributevalue (CTS)

Matches the value of each attribute in an Add Request message.

ldap-add-request-entry (CTS)

Matches the object in an Add Request message.

ldap-bind-request (CTS)

Matches the entire LDAP Bind Request message.

LDAP transaction field with bindRequest operation highlighted in yellow. Shows messageID 1, protocolOp bindRequest 0, version 3, name DN. Context usage pattern foo.

ldap-bind-request-authentication (CTS)

Matches the authentication information in a Bind Request message including the 1-byte type.

LDAP bindRequest operation with SASL authentication is highlighted, showing raw hexadecimal data for educational or debugging purposes.

ldap-bind-request-ldapDN (CTS)

Matches the name of the directory object to which the client wants to bind.

ldap-bind-request-version (CTS)

Matches the LDAP version in a Bind Request message.

LDAP transaction example with TCP details including source and destination ports, sequence and acknowledgment numbers. Bind request message ID 1 with simple authentication, version 3, and admin DN. Context usage example with LDAP pattern as \x03\x.

ldap-compare-request (CTS)

Matches the entire Compare Request message.

ldap-compare-request-assertionvalue (CTS)

Matches the value against which the attribute value is compared in a Compare Request message.

ldap-compare-request-attributedesc (CTS)

Matches the attribute type of an entry in a Compare Request message.

ldap-compare-request-entry (CTS)

Matches the entry of the DN to be compared in a Compare Request message.

ldap-delete-request (CTS)

Matches the entire Delete Request message.

ldap-extended-request (CTS)

Matches the entire Extended Request message.

LDAP transaction field example showing message ID, protocol operation, and request name with highlighted extendedReq field. Hexadecimal data and BER errors noted.

ldap-extended-request-requestName (CTS)

Matches the request name in the Extended Request message.

LDAP transaction example highlighting requestName field with value 2.16.840.1.113719.1.142.100.1 and BER errors beyond sequence definition.

ldap-extended-request-requestValue (CTS)

Matches the request value in the Extended Request message.

LDAP transaction example showing extendedReq operation with messageID 2. Highlights requestValue field with OID 2.16.840.1.113719.1.27.100.79 and hexadecimal string.

ldap-extended-response-response (STC)

Matches the response field in the Extended Response message.

ldap-extended-response-responseName (STC)

Matches the response name in the Extended Response message.

ldap-modify-request (CTS)

Matches the entire Modify Request message.

LDAP modifyRequest operation structure with messageID 10 and 3 modifications for CN attribute in context usage example.

ldap-modify-request-attribute (CTS)

Matches each attribute in a Modify Request message including the 1-byte modify operation. The values are NULL delimited, and the type and values are newline delimited.

ldap-modify-request-attributetype (CTS)

Matches each attribute type in a Modify Request message.

ldap-modify-request-attributevalue (CTS)

Matches each attribute value in a Modify Request message.

LDAP transaction example showing a modifyRequest operation with message ID 10 and DN CN=SomeTHING,O=SomeOtherThmg. Modification includes replace operation for attribute someattname with value AAAAAA. Context usage shows ldap-modify-request-attributevalue pattern referencing someattrvalue.

ldap-modify-request-object (CTS)

Matches the object in the Modify Request message.

LDAP transaction example showing modifyRequest operation. Message ID 10, modifying CN=SomeTHING,O=SomeOtherThmg. Three items modified.

ldap-modifyDN-request (CTS)

Matches the entire Modify-DN Request message.

LDAP transaction example with modDNRequest field, highlighting LDAP message type, message ID, protocol operation, entry, newrdn, and deleteoldrdn status.

ldap-modifyDN-request-entry (CTS)

Matches the DN of the entry in a Modify-DN Request message.

LDAP transaction showing modDNRequest operation with entry field value dc=something,dc=anything. Includes fields messageID: 2, protocolOp: modDNRequest 12, newrdn: dc, deleteoldrdn: False. Context pattern for ldap-modifyDN-request-entry field is something.

ldap-modifyDN-request-newRDN (CTS)

Matches the new DN that replaces the old DN in a Modify-DN Request message.

LDAP transaction example showing modDNRequest operation with messageID 2, entry dc=something,dc=anything, newrdn dc, deleteoldrdn False.

ldap-modifyDN-request-newsuperior (CTS)

Matches the new DN that becomes the parent of the existing DN entry in a Modify-DN Request message.

ldap-result (STC)

Matches the entire Result message, including the 1-byte response type.

LDAP transaction example showing TCP packet details with source port 389, destination port 42258, sequence and acknowledgment numbers, a bindResponse with success result code 0, and LDAP result context dc=Some.

ldap-result-errorMessage (STC)

Matches the error message in the result.

ldap-result-matchedDN (STC)

Matches the base object in the Result message, including the 1-byte tag.

ldap-result-referral (STC)

Matches each referral URL in the result.

ldap-search-request (CTS)

Matches the entire LDAP Search Request message.

LDAP transaction example with searchRequest querying DC=TSL,DC=EXAMPLE,DC=COM. Context pattern focuses on DC.

ldap-search-request-attribute (CTS)

Matches each attribute in a Search Request message.

ldap-search-request-attributelist (CTS)

Matches all the attributes in a Search Request message.

ldap-search-request-baseObject (CTS)

Matches the base object entry against which the search is performed. This includes the 1-byte scope, which can represent baseObject, singleLevel or wholeSubtree.

LDAP search request example showing base object DC=TSL,DC=EXAMPLE,DC=COM, scope wholeSubtree, filter sAMAccountName=Admin*tor, and no attribute requests.

ldap-search-request-filter (CTS)

Matches the contents of the search filter.

LDAP transaction filter example showing sAMAccountName matching Admin*tor with context usage in ldap-search-request-filter pattern Account.

ldap-search-request-sizeLimit (CTS)

Matches the sizeLimit field of the search request.

ldap-search-request-timeLimit (CTS)

Matches the timeLimit field of the search request.

ldap-search-resentry (STC)

Matches the entire Search Result message.

LDAP message showing operation searchResEntry 4 with DN CN=Administrator.CN=Users.DC=tsl.DC=example.DC=com and message ID 2.

ldap-search-resentry-attribute (STC)

Matches each attribute in the search result. The values are NULL delimited, and the type and value list are newline delimited.

ldap-search-resentry-attributetype (STC)

Matches each attribute type in the search result.

ldap-search-resentry-attributevalue (STC)

Matches each attribute value in the search result.

ldap-search-resentry-objectname (STC)

Matches the base object of the search result.

LDAP transaction field showing search result entry with Message ID, Protocol Operation, and Object Name: CN=Administrator.CN=Users.DC=tsl.DC=example.DC=com. Context pattern: ldap-search-resentry-objectname with pattern Admin.

ldap-search-resref (STC)

Matches the entire Search Result Reference message.

ldap-search-resref-referral (STC)

Matches each referral URL in the Search Result Reference message.
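As an added example (not from this page or from the IDP engine it documents), the Python below BER-decodes a constructed LDAPv3 bindRequest and slices it into the byte ranges the bind-request contexts above describe, keeping the 1-byte authentication type as the table specifies, then runs a pattern against one context only. The byte boundaries assigned to each context are our reading of the descriptions, and tlv, read_tlv, bind_request_contexts and context_matches are our own names.

```python
import re

def tlv(tag: int, value: bytes) -> bytes:
    """BER-encode one TLV; short-form length suffices here (value shorter than 128 bytes)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, end) for the TLV at buf[pos]; long-form lengths are handled."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# Constructed LDAPv3 bindRequest (RFC 4511 BER), not a capture from any real directory:
#   LDAPMessage { messageID 1, bindRequest { version 3, name BIND_DN, authentication simple } }
BIND_DN = b"cn=admin,dc=example,dc=com"
BIND_REQUEST = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60,
    tlv(0x02, b"\x03") + tlv(0x04, BIND_DN) + tlv(0x80, b"s3cret")))

def bind_request_contexts(msg: bytes) -> dict:
    """Slice an LDAPMessage carrying a bindRequest into the byte ranges each IDP context
    inspects; which bytes belong to which context is our reading of the table above."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = read_tlv(body)                     # messageID INTEGER
    op_tag, bind, end = read_tlv(body, pos)             # protocolOp
    if op_tag != 0x60:
        raise ValueError("protocolOp is not [APPLICATION 0] bindRequest")
    _, version, p = read_tlv(bind)                      # version INTEGER
    _, name, p = read_tlv(bind, p)                      # name LDAPDN
    auth_tag, auth, _ = read_tlv(bind, p)               # authentication CHOICE (0x80 = simple)
    return {
        "messageID": int.from_bytes(msg_id, "big"),
        "ldap-bind-request": body[pos:end],                          # whole bindRequest TLV
        "ldap-bind-request-version": version,                        # b"\x03" for LDAPv3
        "ldap-bind-request-ldapDN": name,
        "ldap-bind-request-authentication": bytes([auth_tag]) + auth,  # 1-byte type kept
    }

def context_matches(contexts: dict, context: str, pattern: bytes) -> bool:
    """Emulate an IDP rule: does the regex hit inside the named context only?"""
    return re.search(pattern, contexts[context]) is not None
```

Because each context is a separate slice, the version pattern from the table hits only in ldap-bind-request-version and never in the DN, which is what makes a context-scoped signature less noisy than a whole-stream regex.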

Service Contexts: RADIUS

The table displays the security context details for RADIUS:

Table 2: Service Contexts: RADIUS

Context and Direction

Description

Example of Contexts

radius-access-accept (STC)

Matches the attribute fields of a RADIUS Access-Accept message.

Example of field in RADIUS transaction:

User Datagram Protocol, Src Port: 1812, Dst Port: 1645
RADIUS Protocol
    Code: Access-Accept (2)
    Packet identifier: 0x9 (9)
    Length: 26
    Authenticator: 9469c5c2d101244ee93e11e10c0bf219
    [This is a response to a request in frame 1]
    [Time from request: 0.002822000 seconds]
    Attribute Value Pairs
        AVP: t=Service-Type(6) l=6 val=Login(1)

Example of context usage:

Context: radius-access-accept pattern: "Service-Type"

radius-access-challenge (STC)

Matches the attribute fields of a RADIUS Access-Challenge message.

radius-access-reject (STC)

Matches the attribute fields of a RADIUS Access-Reject message.

radius-access-request (CTS)

Matches the attribute fields of a RADIUS Access-Request message.

Example of field in RADIUS transaction:

User Datagram Protocol, Src Port: 1645, Dst Port: 1812
RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0x9 (9)
    Length: 137
    Authenticator: e10b7f33831bfe36009b5f477eff41b3
    [The response to this request is in frame 2]
    Attribute Value Pairs

Example of context usage:

Context: radius-access-request pattern: "rpjY"

radius-acct-request (CTS)

Matches the attribute fields of a RADIUS Accounting-Request message.

radius-acct-response (STC)

Matches the attribute fields of a RADIUS Accounting-Response message.

radius-attr-acct-multi-session-id (CTS)

Matches the value of an Account-Multi-Session-Id attribute.

radius-attr-acct-session-id (CTS)

Matches the value of an Account-Session-Id attribute.

radius-attr-acct-tunnel-connection (CTS)

Matches the value of an Account-Tunnel-Connection attribute.

radius-attr-arap-features (STC)

Matches the value of an ARAP-Features attribute.

radius-attr-arap-password (CTS)

Matches the value of an ARAP-Password attribute.

radius-attr-arap-security-data (ANY)

Matches the value of an ARAP-Security-Data attribute.

radius-attr-callback-number (ANY)

Matches the value of a Callback-Number attribute.

radius-attr-called-station-id (CTS)

Matches the value of a Called-Station-Id attribute.

radius-attr-calling-station-id (CTS)

Matches the value of a Calling-Station-Id attribute.

radius-attr-chap-challenge (CTS)

Matches the value of a Chap-Challenge attribute.

radius-attr-chap-password (CTS)

Matches the value of a Chap-Password attribute.

radius-attr-configuration-token (STC)

Matches the value of a Configuration-Token attribute.

radius-attr-connect-info (CTS)

Matches the value of a Connect-Info attribute.

radius-attr-eap-message (ANY)

Matches the value of an EAP-Message attribute.

Example of field in RADIUS transaction:

User Datagram Protocol, Src Port: 8984, Dst Port: 1812
RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0x1 (1)
    Length: 179
    Authenticator: 8edb32a9c4dfef622b72f0b182715e42
    [The response to this request is in frame 2]
    Attribute Value Pairs
        AVP: t=Message-Authenticator(80) l=18 val=78a24bdd1a9d2462743c7d829e45f783
        AVP: t=Service-Type(6) l=6 val=Framed(2)
        AVP: t=User-Name(1) l=15 val=example\user\000
        AVP: t=Framed-MTU(12) l=6 val=1496
        AVP: t=Called-Station-Id(30) l=28 val=00-19-E2-A1-4B-95:testtest
        AVP: t=Calling-Station-Id(31) l=19 val=00-16-CE-68-B7-A0
        AVP: t=NAS-Identifier(32) l=16 val=netscreen-ssg5
        AVP: t=NAS-Port-Type(61) l=6 val=Wireless-802.11(19)
        AVP: t=EAP-Message(79) l=19 Last Segment[1]
            Type: 79 Length: 19
            EAP fragment: 02010011016578616d706c655c75736572
            Extensible Authentication Protocol
        AVP: t=NAS-IP-Address(4) l=6 val=172.16.8.216
        AVP: t=NAS-Port(5) l=6 val=1
        AVP: t=NAS-Port-Id(87) l=14 val=STA port # 1

Example of context usage:

Context: radius-attr-eap-message pattern: "\x02010011\x"

radius-attr-filter-id (ANY)

Matches the value of a Filter-Id attribute.

radius-attr-framed-appletalk-zone (ANY)

Matches the value of a Framed-Appletalk-Zone attribute.

radius-attr-framed-pool (STC)

Matches the value of a Framed-Pool attribute.

radius-attr-framed-route (ANY)

Matches the value of a Framed-Route attribute.

radius-attr-login-lat-group (ANY)

Matches the value of a Login-LAT-Group attribute.

radius-attr-login-lat-node (ANY)

Matches the value of a Login-LAT-Node attribute.

radius-attr-login-lat-port (ANY)

Matches the value of a Login-LAT-Port attribute.

radius-attr-login-lat-service (ANY)

Matches the value of a Login-LAT-Service attribute.

radius-attr-message-authenticator (ANY)

Matches the value of a Message-Authenticator attribute.

radius-attr-nas-identifier (CTS)

Matches the value of a NAS-Identifier attribute.

radius-attr-nas-port-id (CTS)

Matches the value of a NAS-Port-Id attribute.

radius-attr-proxy-state (ANY)

Matches the value of a Proxy-State attribute.

radius-attr-reply-message (STC)

Matches the value of a Reply-Message attribute.

radius-attr-state (ANY)

Matches the value of a State attribute.

radius-attr-tunnel-assignment-id (ANY)

Matches the value of a Tunnel-Assignment-Id attribute.

radius-attr-tunnel-client-auth-id (ANY)

Matches the value of a Tunnel-Client-Auth-Id attribute.

radius-attr-tunnel-client-endpoint (ANY)

Matches the value of a Tunnel-Client-Endpoint attribute.

radius-attr-tunnel-password (STC)

Matches the value of a Tunnel-Password attribute.

radius-attr-tunnel-private-group-id (ANY)

Matches the value of a Tunnel-Private-Group-Id attribute.

radius-attr-tunnel-server-auth-id (ANY)

Matches the value of a Tunnel-Server-Auth-Id attribute.

radius-attr-tunnel-server-endpoint (ANY)

Matches the value of a Tunnel-Server-Endpoint attribute.

radius-attr-user-name (ANY)

Matches the value of a User-Name attribute.

Example of field in RADIUS transaction:

User Datagram Protocol, Src Port: 1645, Dst Port: 1812
RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0x9 (9)
    Length: 137
    Authenticator: e10b7f33831bfe36009b5f477eff41b3
    [The response to this request is in frame 2]
    Attribute Value Pairs
        AVP: t=NAS-IP-Address(4) l=6 val=10.2.1.96
        AVP: t=NAS-Port(5) l=6 val=2
        AVP: t=NAS-Port-Type(61) l=6 val=Virtual(5)
        AVP: t=User-Name(1) l=70
        val=testaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
        AVP: t=Calling-Station-Id(31) l=11 val=10.2.1.50
        AVP: t=User-Password(2) l=18 val=Encrypted

Example of context usage:

Context: radius-attr-user-name pattern: "test"

radius-attr-user-password (CTS)

Matches the value of a User-Password attribute.

radius-attr-vendor-specific (ANY)

Matches the value of a Vendor-Specific attribute.

radius-attribute (ANY)

Matches any RADIUS attribute, including the type, length and value.

Example of field in RADIUS transaction:

User Datagram Protocol, Src Port: 1645, Dst Port: 1812
RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0x9 (9)
    Length: 137
    Authenticator: e10b7f33831bfe36009b5f477eff41b3
    [The response to this request is in frame 2]
    Attribute Value Pairs
        AVP: t=NAS-IP-Address(4) l=6 val=10.2.1.96

Example of context usage:

Context: radius-attribute pattern: "NAS-IP-Address"
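As an added example (not from this page or from the IDP engine it documents), the Python below builds an Access-Request with the same attribute set and 137-byte length as the User-Name capture above, then splits it the way the RADIUS contexts are described: radius-access-request over all attribute fields, radius-attribute over each type+length+value, and radius-attr-* over the value alone, so a pattern such as "test" only fires where the matching attribute actually is. The byte-to-context assignment is our reading of the descriptions, the authenticator and password bytes are made up, and avp, radius_packet, radius_contexts and context_matches are our own names.

```python
import re, struct

ATTR_CONTEXT = {  # attribute type -> per-attribute context named in the table
    1: "radius-attr-user-name", 2: "radius-attr-user-password", 30: "radius-attr-called-station-id",
    31: "radius-attr-calling-station-id", 32: "radius-attr-nas-identifier",
    79: "radius-attr-eap-message", 80: "radius-attr-message-authenticator"}
PACKET_CONTEXT = {  # RADIUS code -> context that covers "the attribute fields" of that message
    1: "radius-access-request", 2: "radius-access-accept", 3: "radius-access-reject",
    4: "radius-acct-request", 5: "radius-acct-response", 11: "radius-access-challenge"}

def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RFC 2865 AVP: type, length (counts the 2-byte header), value."""
    assert len(value) <= 253
    return bytes([attr_type, len(value) + 2]) + value

def radius_packet(code: int, ident: int, authenticator: bytes, avps: bytes) -> bytes:
    """Encode a RADIUS packet; the length field covers the 20-byte header plus all AVPs."""
    return struct.pack("!BBH", code, ident, 20 + len(avps)) + authenticator + avps

# Constructed Access-Request shaped like the User-Name example above (id 9, length 137,
# NAS 10.2.1.96, 68-byte User-Name starting "test"); authenticator and password are made up.
REQUEST = radius_packet(1, 9, bytes(range(16)),
    avp(4, bytes([10, 2, 1, 96])) + avp(5, struct.pack("!I", 2)) + avp(61, struct.pack("!I", 5))
    + avp(1, b"test" + b"a" * 64) + avp(31, b"10.2.1.50") + avp(2, b"\xaa" * 16))

def radius_contexts(pkt: bytes) -> dict:
    """Split a RADIUS packet into the byte ranges the table's contexts inspect; the byte-to-
    context mapping is our reading of the descriptions. Rejects inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("RADIUS length field disagrees with packet size")
    ctx = {PACKET_CONTEXT[code]: pkt[20:], "radius-attribute": []}
    pos = 20
    while pos < length:
        a_type, a_len = pkt[pos], pkt[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"malformed AVP at offset {pos}")
        ctx["radius-attribute"].append(pkt[pos:pos + a_len])           # type + length + value
        if a_type in ATTR_CONTEXT:                                     # value only
            ctx.setdefault(ATTR_CONTEXT[a_type], []).append(pkt[pos + 2:pos + a_len])
        pos += a_len
    return ctx

def context_matches(ctx: dict, context: str, pattern: bytes) -> bool:
    """Emulate an IDP rule: does the regex hit inside any instance of the named context?"""
    values = ctx.get(context, [])
    return any(re.search(pattern, v) for v in (values if isinstance(values, list) else [values]))
```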