Network Protocol Contexts

These attack objects and groups are designed to detect known attack patterns and protocol anomalies within the network traffic. You can configure attack objects and groups for network protocols as match conditions in IDP policy rules.

Service Contexts: BGP

The table displays the security context details for BGP:

Table 1: Service Contexts: BGP

Context and Direction

Description

Display Name

bgp-keepalive-msg (ANY)

Matches the BGP keep alive message.

BGP KeepAlive Message

bgp-message (ANY)

Matches any BGP message.

BGP Message

bgp-notification-msg (ANY)

Matches the BGP notification message.

BGP Notification Message

bgp-open-msg (ANY)

Matches the BGP open message.

BGP Open Message

bgp-open-no-parm (ANY)

Matches the BGP open message without optional parameters.

BGP Open Message without optional parameters

bgp-open-parm (ANY)

Matches the optional parameters in the BGP open message.

BGP Optional parameters in Open Message

bgp-route-refresh-msg (ANY)

Matches the BGP route refresh message.

BGP Route Refresh Message

bgp-update-attr-aggregator (ANY)

Matches the Aggregator path attribute data in the BGP update message.

BGP Aggregator Path Attribute in Update Message

bgp-update-attr-as-path (ANY)

Matches the AS path attribute data in the BGP update message.

BGP AS-Path Path Attribute in Update Message

bgp-update-attr-atomic-aggr (ANY)

Matches the atomic-aggregator path attribute data in the BGP update message.

BGP Atomic-Aggregator Path Attribute in Update Message

bgp-update-attr-cluster-list (ANY)

Matches the Cluster-List path attribute data in the BGP update message.

BGP Cluster-List Path Attribute in Update Message

bgp-update-attr-communities (ANY)

Matches the Communities path attribute data in the BGP update message.

BGP Communities Path Attribute in Update Message

bgp-update-attr-local-pref (ANY)

Matches the Local-Pref path attribute data in the BGP update message.

BGP Local-Pref Path Attribute in Update Message

bgp-update-attr-med (ANY)

Matches the Multi-Exit-Disc path attribute data in the BGP update message.

BGP Multi-Exit-Disc Path Attribute in Update Message

bgp-update-attr-next-hop (ANY)

Matches the Next-Hop path attribute data in the BGP update message.

BGP Next-Hop Path Attribute in Update Message

bgp-update-attr-nonstd (ANY)

Matches any Non-Standard path attribute data in the BGP update message.

BGP Non-standard Path Attribute in Update Message

bgp-update-attr-origin (ANY)

Matches the Origin path attribute data in the BGP update message.

BGP Origin Path Attribute in Update Message

bgp-update-attr-originator (ANY)

Matches the Originator path attribute data in the BGP update message.

BGP Originator Path Attribute in Update Message

bgp-update-msg (ANY)

Matches the BGP update message.

BGP Update Message

bgp-update-nlri_infor (ANY)

Matches the Network Layer Reachability Information in the BGP update message.

BGP Network Layer Reachability Information in Update Message

bgp-update-norm-unfeasible-rte (ANY)

Matches the unfeasible routes data in the BGP update message. This context shows each route expanded to 4 bytes, prefixed by a delimiter.

BGP Unfeasible routes in Update Message (Normalized)

bgp-update-total-path-attribute (ANY)

Matches the Total Path Attribute data in the BGP update message.

BGP Total Path Attributes in Update Message

bgp-update-unfeasible-rts (ANY)

Matches the unfeasible routes data in the BGP update message.

BGP Unfeasible routes in Update Message

Service Contexts: DHCP

The table displays the security context details for DHCP:

Table 2: Service Contexts: DHCP

Context and Direction

Description

Example of Contexts

dhcp-file-name (ANY)

Matches the filename in a DHCP/bootp message.

dhcp-option (ANY)

Matches each option in a DHCP/bootp message. Each option context contains the type and length of the option.

Example of field in DHCP transaction:

Dynamic Host Configuration Protocol
    Message type: Unknown (144)
    Hardware type: Unknown (0x90)
    Hardware address length: 144
    Hops: 144
    Transaction ID: 0x90909090
    Seconds elapsed: 37008
    Bootp flags: 0x9090, Broadcast flag (Broadcast)
    Client IP address: 144.144.144.144
    Your (client) IP address: 144.144.144.144
    Next server IP address: 144.144.144.144
    Relay agent IP address: 144.144.144.144
    Client address not given
    Server host name [truncated]: ...
    Boot file name [truncated]: ...
    Bootp vendor specific options: 909090909090909090909090909090909090909090909090...
    Option: (144) Geospatial Location [TODO:RFC6225]
        Length: 144
        Value: 909090909090909090909090909090909090909090909090...
    Option: (144) Geospatial Location [TODO:RFC6225]
    Option: (144) Geospatial Location [TODO:RFC6225]
    Option: (144) Geospatial Location [TODO:RFC6225]
    Option: (141) SIP UA Configuration Domains
    Option: (192) Unassigned
    [Malformed Packet: DHCP/BOOTP]

Example of context usage:
Context: dhcp-option pattern: "\x 909090 \x"

dhcp-server-name (ANY)

Matches the server name in a DHCP/bootp message.

Service Contexts: DNS

The table displays the security context details for DNS:

Table 3: Service Contexts: DNS

Context and Direction

Description

Example of Contexts

dns-cname (ANY)

Matches the CNAME in a DNS request or response.

dns-flags

Matches the flags of a DNS request or response.

dns-rr-a6-rdata (ANY)

Matches the rdata of an A6 RR in a DNS request or response.

dns-rr-afsdb-rdata (ANY)

Matches the rdata of an AFSDB RR in a DNS request or response.

dns-rr-apl-rdata (ANY)

Matches the rdata of an APL RR in a DNS request or response.

dns-rr-atma-rdata (ANY)

Matches the rdata of an ATMA RR in a DNS request or response.

dns-rr-cname-rdata (ANY)

Matches the rdata of a CNAME RR in a DNS request or response.

dns-rr-dnskey-rdata (ANY)

Matches the rdata of DNSKEY RR in a DNS request or response.

dns-rr-ds-rdata (ANY)

Matches the rdata of a DS RR in a DNS request or response.

dns-rr-eid-rdata (ANY)

Matches the rdata of an EID RR in a DNS request or response.

dns-rr-hinfo-rdata (ANY)

Matches the rdata of an HINFO RR in a DNS request or response.

dns-rr-key-rdata (ANY)

Matches the rdata of a KEY RR in a DNS request or response.

dns-rr-kx-rdata (ANY)

Matches the rdata of a KX RR in a DNS request or response.

dns-rr-mb-rdata (ANY)

Matches the rdata of an MB RR in a DNS request or response.

dns-rr-md-rdata (ANY)

Matches the rdata of an MD RR in a DNS request or response.

dns-rr-mf-rdata (ANY)

Matches the rdata of an MF RR in a DNS request or response.

dns-rr-mg-rdata (ANY)

Matches the rdata of an MG RR in a DNS request or response.

dns-rr-minfo-rdata (ANY)

Matches the rdata of an MINFO RR in a DNS request or response.

dns-rr-mr-rdata (ANY)

Matches the rdata of an MR RR in a DNS request or response.

dns-rr-mx-rdata (ANY)

Matches the rdata of an MX RR in a DNS request or response.

dns-rr-naptr-rdata (ANY)

Matches the rdata of a NAPTR RR in a DNS request or response.

dns-rr-nimloc-rdata (ANY)

Matches the rdata of an NIMLOC RR in a DNS request or response.

dns-rr-nsap-rdata (ANY)

Matches the rdata of an NSAP RR in a DNS request or response.

dns-rr-ns-rdata (ANY)

Matches the rdata of an NS RR in a DNS request or response.

dns-rr-nsapptr-rdata (ANY)

Matches the rdata of an NSAPPTR RR in a DNS request or response.

dns-rr-nsec-rdata (ANY)

Matches the rdata of an NSEC RR in a DNS request or response.

dns-rr-null-rdata (ANY)

Matches the rdata of a NULL RR in a DNS request or response.

dns-rr-nxt-rdata (ANY)

Matches the rdata of a NXT RR in a DNS request or response.

dns-rr-ptr-rdata (ANY)

Matches the rdata of a PTR RR in a DNS request or response.

dns-rr-px-rdata (ANY)

Matches the rdata of a PX RR in a DNS request or response.

dns-rr-rp-rdata (ANY)

Matches the rdata of an RP RR in a DNS request or response.

dns-rr-rrsig-rdata (ANY)

Matches the rdata of an RRSIG RR in a DNS request or response.

dns-rr-sig-rdata (ANY)

Matches the rdata of a SIG RR in a DNS request or response.

dns-rr-soa-rdata (ANY)

Matches the rdata of an SOA RR in a DNS request or response.

dns-rr-sshfp-data (ANY)

Matches the rdata of an SSHFP RR in a DNS request or response.

dns-rr-tsip-rdata (ANY)

Matches the rdata of a TSIP RR in a DNS request or response.

dns-rr-txt-rdata (ANY)

Matches the rdata of a TXT RR in a DNS request or response.

dns-rr-type-rdata (ANY)

Matches the entire resource record in a DNS request or response, including the type and class.

dns-rr-wks-rdata (ANY)

Matches the rdata of a WKS RR in a DNS request or response.

dns-type-name (ANY)

Matches any name resource record in a DNS request or response. The first 2 bytes of the context contain the RFC-1035 type values.

dns-update-header

Matches the header of a DNS UPDATE request or response.

Service Contexts: IKE

The table displays the security context details for IKE:

Table 4: Service Contexts: IKE

Context and Direction

Description

Example of Contexts

ike-payload (ANY)

Matches the payload in an IKE transaction.

Internet Security Association and Key Management Protocol
    Initiator SPI: 1717171717171717
    Responder SPI: 0000000000000000
    Next payload: Notification (11)
    Version: 1.0
    Exchange type: Informational (5)
    Flags: 0x00
    Message ID: 0x00000000
    Length: 40
    Payload: Notification (11)

Example of context usage:
Context: ike-payload pattern: "\x0b000c0000000101006002\x"

Service Contexts: Modbus

The table displays the security context details for Modbus:

Table 5: Service Contexts: Modbus

Context and Direction

Description

Example of Contexts

modbus-except-resp (STC)

Matches a Modbus Exception Response.

Example of field in MODBUS transaction:

Transmission Control Protocol, Src Port: 502, Dst Port: 2578, Seq: 1894886683, Ack: 1637347727, Len: 9
Modbus/TCP
    Transaction Identifier: 0
    Protocol Identifier: 0
    Length: 3
    Unit Identifier: 10
Modbus
    Function: Diagnostics. Exception: Gateway target device failed to respond
    .000 1000 = Function Code: Diagnostics (8)
    Exception Code: Gateway target device failed to respond (11)
00 20 78 00 62 0d 00 02 b3 ce 70 51 08 00 45 00
00 31 ff e5 40 00 80 06 e6 a5 0a 00 00 03 0a 00
00 39 01 f6 0a 12 70 f1 ad 1b 61 97 f1 8f 50 18
ff c3 08 ed 00 00 00 00 00 00 00 03 0a 88 0b

Example of context usage:
Context: modbus-except-resp pattern: "\x0a88\x"

modbus-request (CTS)

Matches a Modbus request.

Example of field in MODBUS transaction:
Modbus/TCP
    Transaction Identifier: 0
    Protocol Identifier: 0
    Length: 6
    Unit Identifier: 10
Modbus
    .000 1000 = Function Code: Diagnostics (8)
    Diagnostic Code: Force Listen Only Mode (4)
    Data: 0000
00 02 b3 ce 70 51 00 20 78 00 62 0d 08 00 45 00
00 34 85 83 40 00 80 06 61 05 0a 00 00 39 0a 00
00 03 0a 12 01 f6 61 97 f1 83 70 f1 ad 1b 50 18
fa f0 19 52 00 00 00 00 00 00 00 06 0a 08 00 04
00 00

Example of context usage:
Context: modbus-request pattern: "\x 060a \x"

modbus-response (STC)

Matches a Modbus Response.

Example of field in MODBUS transaction:

Transmission Control Protocol, Src Port: 502, Dst Port: 2578, Seq: 1894886719, Ack: 1637347775, Len: 12
Modbus/TCP
    Transaction Identifier: 0
    Protocol Identifier: 0
    Length: 6
    Unit Identifier: 10
Modbus
    .000 1000 = Function Code: Diagnostics (8)
    [Request Frame: 17]
    [Time from request: 0.002023000 seconds]
    Diagnostic Code: Restart Communications Option (1)
    Restart Communication Option: Leave Log (0x0000)
00 20 78 00 62 0d 00 02 b3 ce 70 51 08 00 45 00
00 34 ff e9 40 00 80 06 e6 9e 0a 00 00 03 0a 00
00 39 01 f6 0a 12 70 f1 ad 3f 61 97 f1 bf 50 18
ff c3 14 22 00 00 00 00 00 00 00 06 0a 08 00 01
00 00

Example of context usage:
Context: modbus-response pattern: "\x 080001 \x"

modbus-trailing-data (ANY)

Matches trailing data after the first MODBUS PDU.
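As an added example (not Juniper's code), the parser below splits a Modbus/TCP segment into its MBAP header, first PDU and trailing data, maps it to the modbus-request, modbus-response, modbus-except-resp and modbus-trailing-data contexts in the table above, and checks the page's \x..\x byte patterns against the frames from the page's own hex dumps. The assumption that a context covers the bytes from the MBAP length field to the end of the first PDU is ours: it agrees with all three patterns shown on the page but is not stated by it.

```python
import re
from dataclasses import dataclass

MBAP_HEADER_LEN = 7   # transaction id (2) + protocol id (2) + length (2) + unit id (1)
EXCEPTION_BIT = 0x80  # set in the function code of a Modbus exception response


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int        # MBAP length field: unit id plus PDU, in bytes
    unit_id: int
    function: int      # function code with the exception bit cleared
    is_exception: bool
    pdu_data: bytes    # bytes after the function code, inside the first PDU
    trailing: bytes    # bytes after the first PDU (the modbus-trailing-data context)


def parse_frame(frame: bytes) -> ModbusFrame:
    """Split one Modbus/TCP segment into MBAP header, first PDU and trailing data."""
    if len(frame) < MBAP_HEADER_LEN + 1:
        raise ValueError("too short for an MBAP header plus a function code")
    length = int.from_bytes(frame[4:6], "big")
    end = 6 + length  # the length field counts the unit id and the PDU
    if length < 2 or end > len(frame):
        raise ValueError("MBAP length field does not fit the segment")
    func = frame[7]
    return ModbusFrame(
        transaction_id=int.from_bytes(frame[0:2], "big"),
        protocol_id=int.from_bytes(frame[2:4], "big"),
        length=length, unit_id=frame[6],
        function=func & ~EXCEPTION_BIT, is_exception=bool(func & EXCEPTION_BIT),
        pdu_data=frame[8:end], trailing=frame[end:])


def context_name(frame: ModbusFrame, direction: str) -> str:
    """Map a parsed frame to the table's context; direction is 'CTS' or 'STC'."""
    if direction == "CTS":
        return "modbus-request"
    return "modbus-except-resp" if frame.is_exception else "modbus-response"


def pattern_to_bytes(pattern: str) -> bytes:
    """Turn the page's \\x 0a88 \\x hex notation into raw bytes (spaces ignored)."""
    m = re.fullmatch(r"\\x\s*([0-9a-fA-F\s]+?)\s*\\x", pattern)
    if m is None:
        raise ValueError("pattern is not in \\x...\\x hex notation")
    return bytes.fromhex(re.sub(r"\s", "", m.group(1)))


def pattern_matches(segment: bytes, pattern: str) -> bool:
    """Assumption (ours): the context spans the MBAP length field to the end of the first PDU."""
    parsed = parse_frame(segment)
    return pattern_to_bytes(pattern) in segment[4:6 + parsed.length]


# Constructed from the page's hex dumps: only the Modbus/TCP bytes, without Ethernet/IP/TCP headers.
EXCEPTION_RESP = bytes.fromhex("000000000003 0a 88 0b")   # unit 10, Diagnostics, exception 11
REQUEST = bytes.fromhex("000000000006 0a 08 0004 0000")   # Diagnostics, Force Listen Only Mode
RESPONSE = bytes.fromhex("000000000006 0a 08 0001 0000")  # Diagnostics, Restart Communications
```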

Service Contexts: MSRPC

The table displays the security context details for MSRPC:

Table 6: Service Contexts: MSRPC

Context and Direction

Description

Example of Contexts

msrpc-ans (STC)

Matches the response data in an MSRPC session.

msrpc-call (CTS)

Matches the request data in an MSRPC session.

msrpc-ifid-str (ANY)

Matches the interface ID string in an MSRPC session.

msrpc-raw (ANY)

Matches raw data in an MSRPC session.

Service Contexts: NetBIOS

The table displays the security context details for NetBIOS:

Table 7: Service Contexts: NetBIOS

Context and Direction

Description

Display Name

nbds-browse-backup-server (ANY)

Matches the name of a backup server in a NetBIOS browse message.

NBDS Browse Backup Server

nbds-browse-server-name (ANY)

Matches the name of a server in a NetBIOS browse message.

NBDS Browse Server Name

nbds-destination-name (ANY)

Matches the destination name field in a NetBIOS message.

NBDS Destination Name

nbds-mailslot-name (ANY)

Matches the name of a mailslot in the NetBIOS mailslot message.

NBDS Mailslot Name

nbds-source-ip-address (ANY)

Matches the source IP field in the NetBIOS datagram header.

NBDS Source Ip Address

nbds-source-name (ANY)

Matches the source name field in a NetBIOS message.

NBDS Source Name

nbds-source-port (ANY)

Matches the source port field in the NetBIOS datagram header.

NBDS Source Port

nbname-node-name (ANY)

Matches the node name in the status response message.

NBNAME Node Name

nbname-node-status (ANY)

Matches the statistics field of a node status response.

NBNAME Node Status

nbname-nsd-ip-address (ANY)

Matches the IP address of a NetBIOS name server specified in a redirect name query response message.

NBNAME Nsd IP Address

nbname-nsd-name (ANY)

Matches the name of a NetBIOS name server specified in a redirect name query response message.

NBNAME Nsd Name

nbname-resource-address (ANY)

Matches the IP address of a resource from the resource record.

NBNAME Resource Address

nbname-type-name (ANY)

Matches the type and name in a question or a resource record.

NBNAME Type Name

Service Contexts: NTP

The table displays the security context details for NTP:

Table 8: Service Contexts: NTP

Context and Direction

Description

Example of Contexts

ntp-ctrl-data-opt (ANY)

Matches the data field in an NTP control message.

Example of field in NTP transaction:
User Datagram Protocol, Src Port: 57629, Dst Port: 123
Network Time Protocol (NTP Version 2, control)
    Flags: 0x16, Leap Indicator: no warning, Version number: NTP Version 2, Mode: reserved for NTP control message
    Flags 2: 0x08, Response bit: Request, Opcode: runtime configuration
    Sequence: 2
    [Response In: 2]
    Status: 0x0000
    Association ID: 0
    Offset: 0
    Count: 35
    Data
        Configuration: server 172.16.8.218 mode 3735928559
    Padding: 00
    Authenticator

Example of context usage:
Context: ntp-ctrl-data-opt pattern: "server"

ntp-ctrl-opcode-response-var (ANY)

Matches each of the name and value pairs found in the NTP control message data field. The context includes a 1-byte NTP control message opcode and a 1-byte NTP response type.

Example of field in NTP transaction:

User Datagram Protocol, Src Port: 49874, Dst Port: 123
Network Time Protocol (NTP Version 2, control)
    Flags: 0x16, Leap Indicator: no warning, Version number: NTP Version 2, Mode: reserved for NTP control message
    Flags 2: 0x02, Response bit: Request, Opcode: read variables
    Sequence: 1
    Status: 0x0000
    Association ID: 0
    Offset: 0
    Count: 310
    Data
        stratum=
    Padding: e2357a79727d
    Authenticator

Example of context usage:
Context: ntp-ctrl-opcode-response-var pattern: "stratum="

Service Contexts: SNMP

The table displays the security context details for SNMP:

Table 9: Service Contexts: SNMP

Context and Direction

Description

Example of Contexts

snmp-community (ANY)

Matches the community name in any SNMP request or response.

Example of field in SNMP transaction:

User Datagram Protocol, Src Port: 3301, Dst Port: 161
Simple Network Management Protocol
    version: version-1 (0)
    community: FirstBogus
    data: get-request (0)

Example of context usage:
Context: snmp-community pattern: "First"

snmp-get-bulk-oid (CTS)

Matches the binary OID in any SNMP Get-Bulk request.

Example of field in SNMP transaction:

Simple Network Management Protocol
    version: v2c (1)
    community: public
    data: getBulkRequest (5)
        getBulkRequest
            request-id: 34487
            non-repeaters: 0
            max-repetitions: 2147483647
            variable-bindings: 110 items
                1.3: Value (Null)
                    Object Name: 1.3 (iso.3)
                    Value (Null)
                1.3: Value (Null)
                    Object Name: 1.3 (iso.3)
                    Value (Null)

Example of context usage:
Context: snmp-get-bulk-oid pattern: "1\.3"

snmp-get-bulk-oid-parsed (CTS)

Matches the human-readable OID in any SNMP Get-Bulk request.

snmp-get-next-oid (CTS)

Matches the binary OID in any SNMP Get-Next request.

snmp-get-next-oid-parsed (CTS)

Matches the human-readable OID in any SNMP Get-Next request.

snmp-get-oid (CTS)

Matches the binary OID in any SNMP Get request.

snmp-get-oid-parsed (CTS)

Matches the human-readable OID in any SNMP Get request.

Example of field in SNMP transaction:

Simple Network Management Protocol
    version: version-1 (0)
    community: FirstBogus
    data: get-request (0)
        get-request
            request-id: 29248
            error-status: noError (0)
            error-index: 0
            variable-bindings: 1 item
                1.3.6.1.2.1.1.1.0: Value (Null)    
                    Object Name: 1.3.6.1.2.1.1.1.0 (iso.3.6.1.2.1.1.1.0)
                    Value (Null)

Example of context usage:
Context: snmp-get-oid-parsed pattern: "iso\.3\.6"

snmp-oid (ANY)

Matches the binary OID in any SNMP request or response.

Example of field in SNMP transaction:

Simple Network Management Protocol
    version: version-1 (0)
    community: FirstBogus
    data: get-request (0)
        get-request
            request-id: 29248
            error-status: noError (0)
            error-index: 0
            variable-bindings: 1 item
                1.3.6.1.2.1.1.1.0: Value (Null)
                    Object Name: 1.3.6.1.2.1.1.1.0 (iso.3.6.1.2.1.1.1.0)
                    Value (Null)

Example of context usage:
Context: snmp-oid pattern: "1\.3"

snmp-oid-parsed (ANY)

Matches the human-readable OID in any SNMP request or response.

Example of field in SNMP transaction:

Simple Network Management Protocol
    version: version-1 (0)
    community: FirstBogus
    data: get-request (0)
        get-request
            request-id: 29248
            error-status: noError (0)
            error-index: 0
            variable-bindings: 1 item
                1.3.6.1.2.1.1.1.0: Value (Null)
                    Object Name: 1.3.6.1.2.1.1.1.0 (iso.3.6.1.2.1.1.1.0)
                    Value (Null)

Example of context usage:
Context: snmp-oid pattern: "1\.3"

snmp-set-oid (CTS)

Matches the binary OID in any SNMP Set request.

snmp-set-oid-parsed (CTS)

Matches the human-readable OID in any SNMP Set request.

snmptrap-community (CTS)

Matches the community name in any SNMPTRAP message.

snmptrap-eid (CTS)

Matches the binary EID (Enterprise-ID) in any SNMPTRAP message.

snmptrap-eid-parsed (CTS)

Matches the human-readable EID (Enterprise-ID) in any SNMPTRAP message.

snmptrap-inform-oid (CTS)

Matches the binary OID in any SNMPTRAP Inform message.

snmptrap-inform-oid-parsed (CTS)

Matches the human-readable OID in any SNMPTRAP Inform message.

snmptrap-oid (CTS)

Matches the binary OID in any SNMPTRAP message.

snmptrap-oid-parsed (CTS)

Matches the human-readable OID in any SNMPTRAP message.

snmptrap-v2-oid (CTS)

Matches the binary OID in any SNMPTRAP v2 message.

snmptrap-v2-oid-parsed (CTS)

Matches the human-readable OID in any SNMPTRAP v2 message.