Guide to Using Contexts in XKS Fingerprints
Jul. 1 2015 — 9:51 a.m.

SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Guide to using Contexts in XKS Fingerprints
Version 1.0
Example 1
    cc('pk') and (... or
    ...('planning for jihad'))
Definition
Contextual expressions are those that restrict the search space for a particular
expression. In example 1 above, we are looking for the string 'jihad' only in the
normalised text of a web search, and 'planning for jihad' only in the context of the
UTF-8 normalised text of an office document.
GENESIS provides a number of different context types depending on the function of the
context:
    hash                      exact match
    scan                      perform a keyword/regex scan on contextual text
    latlong (geobox)          perform an R-tree geobox lookup on the latlong location
    prefix                    matches the longest prefix of the context and tasked term
    appid/fingerprint/topic   triggers based on appids, fingerprints, and topic logic
    extracted_file            allows hooking on raw extracted files transmitted on the network
Technical Note
(U//FOUO) The difference between a 'hash' and a 'scan' context is that 'scan' means that a full
keyword scan will be executed against that context's data, which means the keyword will still hit if
it's a substring of a larger word (think of it as being wildcarded on both ends). A hash lookup
must be an exact match, which is much faster and less taxing on front-end resources.
For example, web_search('jihad') is a scan so will hit on web
searches like:
    'want to participate in jihad'
    'How do I avoid jihad'
    'jihadi'
    'bigjihad'
What is Contextual Logic?
(S//REL) Contextual logic is the ability to look for keywords, regular expressions, geo-
boxes, and other events purely within a specified scope (context). While this may not
sound like a big deal, currently the only context that current DNI processing sensors
provide is that of 'strong-selector', where an email handle/IP address is
extracted from a known application type and looked up against a list of known targets.
Derived From: NSA/CSSM 1-52
Dated: EDWDIDS
Declassify On: 2D35?2?l
Contextual logic allows the creation of advanced analytics with extreme
precision. For example, if an analyst needs to find all people in Kabul performing web
searches on Jihad, how could this be done? For starters, tasking the term Jihad in
CADENCE or other similar systems would result in voluminous collect as the keyword
hit on every news web page, blog entry, RSS feed etc. The result would be a ton of data
that would ultimately be useless to the analyst and waste exfil bandwidth.
So how could I ask the question 'Show me all the people doing web searches
on Jihad from Kabul?' Well for starters, the system would need to understand web
searches. What is used for relaying the text of a search from your browser to the
search site's data centers? The system must not only be capable of identifying this traffic,
but also of extracting out the text of the web search. Well it turns out
that most search engines use HTTP (just like every other web site out there)
and the search terms are url-encoded and are passed as a url argument.
XKEYSCORE (or other equivalent system) will extract the url argument and then
normalise the text. After normalisation, the text is passed to the
GENESIS context for scanning against all search terms we are looking for.
So this is how we would task the web search:
    web_search('jihad' or 'mojahadeen');
But wait, we're not done yet. The analyst requested that the expression only
be true if the person was physically located in Kabul.
To execute the geographic part of this question, the GENESIS engine
performs an NKB IPGEO lookup against all sessions. The country and city codes are
then passed to the contexts relating to country and city. The city code tasking for Kabul
will fire.
This is the updated fingerprint:
    web_search('jihad' or 'mojahadeen') and city('Kabul');
So now, we have the web-search context for Jihad firing, and the city
tasking for Kabul firing. Both of these events are then combined in the GENESIS
engine's Boolean evaluator where the expression is evaluated and the resulting fingerprint
fired, tagging the session as being potentially interesting.
This is a very simple example, but very powerful. The concept of contexts
gives power that was never possible with CADENCE. It allows the tasking of
combinations of soft terms that together form a very strong event.
What is the syntax for Contextual Logic?
The syntax for contexts is:
(U//FOUO) Contexts themselves are Boolean expressions that allow composition of
expressions involving the use of many contexts. The example in the previous section
demonstrated this use, which is very natural:
    web_search('jihad' or 'mojahadeen') and city('Kabul');
Technical Note
(S//REL) You may not compose expressions that include one context inside of
another. An expression of that form is somewhat meaningless and not permitted.
Dynamic Contexts
(U//FOUO) Dynamic contexts in GENESIS are those that can be expressed by regular
expressions. For example, if you wanted to write expressions that operated on the HTML
title of a web page only and GENESIS didn't have a pre-defined context to serve this
purpose (it does), then you could write the following expression:
    my_html_title scan ...
    my_html_title('bomb' and 'making');
The first expression defines a context named 'my_html_title'. The type of
the context is 'scan', i.e. perform a keyword scan of tasked terms against the extracted
text.
The fingerprint makes use of the dynamic context by looking for the
keywords 'bomb' and 'making' within the context of the extracted HTML title.
Here is another example, this time a dynamic expression for Yahoo chat:
    yahoo_chat_notify hash ...
    fingerprint('badguy') ...
In this case, we have given two regular expressions that will perform
extraction against the data stream. The type of the context is 'hash', meaning that the
extracted text will be looked up in a hash table; in that hash table will be any tasking
applied to that context, in this case 'badguy' has been used in that context below.
Technical Note
(S//REL) Notice in the yahoo_chat_notify example above the case-sensitivity setting following the regular
expressions. It is a requirement that all expressions should have the same case sensitivity
setting. The same requirement applies for contexts of type 'hash'. The case sensitivity applies
not only to the regular expression running against the raw traffic but also to the actual lookup/scan
of the extracted text against terms tasked against that context.
Advanced Contexts
Context presence
Sometimes the presence of a context in traffic is all we need. For example, if
GENESIS is to be used to filter traffic being forwarded to a site-store, we may want
to pass all chat sessions from Mumbai to Pakistan that have content. Anyone who has
looked at chat traffic very quickly realises that there are volumes of presence messages
sent, much of which are not that interesting, and then there is the chat that has content.
How could we find all traffic with actual chat content? Well we have a 'chat_body'
context, but how do I task 'not null' in reference to a particular context? Well a hack
would be to task chat_body(not 'junk'); then every chat session that does not contain
the word 'junk' will be selected, however that is not a very elegant solution, and in fact
is very inefficient. GENESIS allows tasking of a not null simply by providing an empty
context as follows:
    fingerprint('mumbai/chat') =
    cc('pk') and city('mumbai') and chat_body();
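The hash/scan distinction from the Technical Note, the Boolean composition of contexts, the regex-defined dynamic context and the empty-context presence test above, worked through in one place as an added example. This is not code from the guide nor from GENESIS or XKEYSCORE: the context catalogue, the `<title>` regex, the normalisation rule, the expression-tree encoding of fingerprints and the sample sessions are all constructed for the example.

```python
import re

# Added example, not code from the guide or from GENESIS/XKEYSCORE: a small
# evaluator for the contextual logic the guide describes. Everything below
# (context catalogue, regex, normalisation rule, sessions) is constructed.

# Context types follow the guide's distinction: "hash" is an exact-match lookup,
# "scan" is a keyword scan that also hits on substrings of larger words.
CONTEXT_TYPES = {
    "web_search": "scan",
    "cc": "hash",
    "city": "hash",
    "chat_body": "scan",
    "my_html_title": "scan",   # dynamic context whose text comes from a regex
}

# Dynamic contexts: a regex run over raw traffic supplies the context's text.
# Hypothetical pattern; the guide does not show the regex it used.
DYNAMIC_EXTRACTORS = {
    "my_html_title": re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL),
}


def normalise(text):
    """Stand-in for the guide's normalisation: lower-case and collapse whitespace."""
    return " ".join(text.lower().split())


def context_values(session, name):
    """All text a session carries for one context (possibly an empty list)."""
    if name in DYNAMIC_EXTRACTORS:
        found = DYNAMIC_EXTRACTORS[name].findall(session.get("raw", ""))
        return [normalise(v) for v in found]
    value = session.get(name, [])
    values = value if isinstance(value, list) else [value]
    return [normalise(v) for v in values]


def _eval_bool(expr, leaf):
    """Evaluate ("and", ...), ("or", ...), ("not", x) trees; anything else is a leaf."""
    if isinstance(expr, tuple) and expr[0] in ("and", "or", "not"):
        op = expr[0]
        if op == "and":
            return all(_eval_bool(e, leaf) for e in expr[1:])
        if op == "or":
            return any(_eval_bool(e, leaf) for e in expr[1:])
        return not _eval_bool(expr[1], leaf)
    return leaf(expr)


def context_hit(name, terms, session):
    """Evaluate one context call such as web_search('a' or 'b').
    terms is a string, a boolean tree of strings, or None for the guide's
    empty-context presence test (chat_body())."""
    values = context_values(session, name)
    if terms is None:
        return any(v != "" for v in values)
    ctype = CONTEXT_TYPES[name]

    def term_matches(term):
        term = normalise(term)
        if ctype == "hash":
            return term in values                  # whole value must equal the term
        return any(term in v for v in values)      # substring anywhere in the value

    return _eval_bool(terms, term_matches)


def fingerprint_fires(expr, session):
    """Evaluate a fingerprint: a boolean tree whose leaves are ("ctx", name, terms)."""
    return _eval_bool(expr, lambda leaf: context_hit(leaf[1], leaf[2], session))


def run_examples():
    """The guide's fingerprints over constructed sessions; returns label -> verdict."""
    kabul_search = ("and", ("ctx", "web_search", ("or", "jihad", "mojahadeen")),
                           ("ctx", "city", "kabul"))
    mumbai_chat = ("and", ("ctx", "cc", "pk"), ("ctx", "city", "mumbai"),
                          ("ctx", "chat_body", None))
    junk_hack = ("ctx", "chat_body", ("not", "junk"))
    title_fp = ("ctx", "my_html_title", ("and", "weather", "forecast"))
    sessions = {
        # scan: 'jihad' hits inside 'bigjihad'; hash: 'Kabul' equals 'kabul' once normalised
        "s1": {"web_search": "How do I avoid bigjihad", "city": "Kabul", "cc": "af"},
        # hash: 'Kabul City' is not an exact match for 'kabul', so the fingerprint stays quiet
        "s2": {"web_search": "jihad", "city": "Kabul City", "cc": "af"},
        # chat presence message with no content
        "s3": {"cc": "pk", "city": "Mumbai", "chat_body": ""},
        "s4": {"cc": "pk", "city": "Mumbai", "chat_body": "see you at five"},
        # raw traffic for the dynamic context
        "s5": {"raw": "<html><head><TITLE>Weather forecast: Monday</TITLE></head></html>"},
    }
    return {
        "kabul_search_s1": fingerprint_fires(kabul_search, sessions["s1"]),
        "kabul_search_s2": fingerprint_fires(kabul_search, sessions["s2"]),
        "mumbai_chat_s3": fingerprint_fires(mumbai_chat, sessions["s3"]),
        "mumbai_chat_s4": fingerprint_fires(mumbai_chat, sessions["s4"]),
        "junk_hack_s3": fingerprint_fires(junk_hack, sessions["s3"]),
        "title_s5": fingerprint_fires(title_fp, sessions["s5"]),
    }
```

Running `run_examples()` shows the two behaviours the guide contrasts: the scan context fires on 'bigjihad' while the hash context refuses 'Kabul City', and the `chat_body(not 'junk')` hack still fires on session s3, whose chat body is empty, whereas the presence form `chat_body()` does not. The dynamic context is evaluated by extracting text with the regex first and only then scanning the tasked terms against it, which is the two-step behaviour the Dynamic Contexts section describes.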
Appendix A Context Catalog

File Transfers

filename
Description:
Every UTF-8 normalized filename seen in traffic is passed to this context.
Examples are (but not limited to) files transmitted in SMTP, POP3, IMAP, HTTP
Responses, HTTP Posts, FTP sessions, and MIME-encoded headers. Note that the
filename refers to just the filename and not the entire path+filename.
Aliases:
fname
Context Type:
Full Scan
Example:
filename(/wimax.{13,313}setup/)

file_ext
Description:
Every UTF-8 normalized file extension seen in traffic is passed to this context.
Examples (but not limited to) are files transmitted in SMTP, POP3, IMAP, HTTP
Responses, HTTP Posts, FTP sessions, and MIME-encoded headers.
Aliases:
ext
Context Type:
Hash
Example:
file_ext(... or ...)

path
Description:
Every UTF-8 normalized file path seen in traffic is passed to this context.
Examples are (but not limited to) files transmitted in SMTP, POP3, IMAP, HTTP
Responses, HTTP Posts, FTP sessions, and MIME-encoded headers.
Aliases:
dir
Context Type:
Full Scan
Example:
path('Document and Settings' or '/home/test')
HTTP Activity

web_search
Description:
The normalized extracted text from web searches. The system extracts
search terms from Google, Microsoft, news sites and search term leakage from the
Referer line of HTTP headers. In addition it will extract and use the spelling correction in
the HTML server response, so if the target mis-spells but the search engine corrects, the
expression will still evaluate true.
Aliases:
search
Context Type:
Full Scan
Example:
web_search(... or 'plague')

html_title
Description:
The normalized extracted text of web page titles.
Aliases:
http_title
Context Type:
Full Scan
Example:
html_title(... and 'bomb')

http_url
Description:
Every URL from HTTP GET and POST commands.
Aliases:
url
Context Type:
Full Scan
Example:

http_url_args
Description:
The arguments given as part of a URL (i.e. all text following the '?' in a URL
string).
Aliases:
url
Context Type:
Full Scan
Example:

http_host
Description:
The 'Host' name given in the header.
Aliases:
(none)
Context Type:
Full Scan
Example:
http_host('yahoo.com')

http_server*
Description:
The server type name given in the header.
Aliases:
(none)
Context Type:
Full Scan
Example:
http_server(... or 'Apache')

http_referer*
Description:
The 'Referer' URL given in the HTTP header.
Aliases:
(none)
Context Type:
Full Scan
Example:

http_language
Description:
The normalized two letter ISO-639 language code as inferred from the content
and/or header info.
Aliases:
(none)
Context Type:
Full Scan
Example:
http_language('fa' or 'de')
http_language(not ...)

http_cookie
Description:
(U//FOUO) The 'Cookie' field given in the header.
Aliases:
(none)
Context Type:
Full Scan
Example:
http_cookie(/.../)

http_user_agent
Description:
The 'User-Agent' field given in the header. This is the name of the
browser the client is using (e.g. Firefox, or Internet Explorer).
Aliases:
user_agent
http_browser
browser
Context Type:
Full Scan
Example:
http_user_agent('Mozilla' or 'Chrome')

map_latlong
Description:
A geo box around the location of a map view zoom on services such as
Google Earth, Google Maps, Microsoft Live Earth etc.
Aliases:
map, map_zoom, zoom
Context Type:
latlong box
Example:
map_latlong(..., 2, 3, ...)
GEO Info

to_cc
Description:
The destination country based on IP address IPGEO lookup.
Aliases:
ip_to_cc
Context Type:
Hash
Example:
to_cc(... or ...)

from_cc
Description:
The source country based on IP address IPGEO lookup.
Aliases:
ip_from_cc
Context Type:
Hash
Example:
from_cc(... or ...)

cc
Description:
The country (either to OR from) based on IP address IPGEO lookup.
Aliases:
ip_cc
Context Type:
Hash
Aliased to from_cc and to_cc.
Example:
cc('ir' or 'pk')

to_latlong
Description:
A geo box around the destination latitude and longitude based on IP address
IPGEO lookup.
NOTE: this context is currently disabled for performance.
Aliases:
(none)
Context Type:
latlong box
Example:
to_latlong(..., 2, 3, ...)

from_latlong
Description:
A geo box around the source latitude and longitude based on IP address
IPGEO lookup.
NOTE: this context is currently disabled for performance.
Aliases:
(none)
Context Type:
latlong box
Example:
from_latlong(..., 2, 3, ...)

latlong
Description:
(S//REL) A geo box around the source or destination latitude and longitude based on IP
address IPGEO lookup.
NOTE: this context is currently disabled for performance.
Aliases:
(none)
Context Type:
latlong box
Aliased to from_latlong and to_latlong.
Example:
latlong(1, 2, 3, ...)

to_city
Description:
The destination city based on IP address lookup.
Aliases:
Context Type:
Hash
Example:

from_city
Description:
The source city based on IP address IPGEO lookup.
Aliases:
from_town
Context Type:
Hash
Example:
from_city('Islamabad')

city
Description:
The source or destination city based on IP address IPGEO lookup.
Aliases:
from_town
Context Type:
Hash
Aliased to from_city and to_city.
Example:
city('Islamabad')
Metadata

sigad
Description:
The site designator.
Aliases:
(none)
Context Type:
Scan
Example:
sigad('US-1234')

casenotation
Description:
The collection site casenotation (signal designator).
Aliases:
case_notation
Context Type:
Scan
Example:
casenotation('ABC1234')

block_num
Description:
The session block number. If a TCP/IP session exceeds a maximum size
(typically ...), the session is fragmented and assigned a one-up non-zero block
number. If a session is block zero it is the one and only fragment.
Aliases:
block
Context Type:
Scan
Example:

sigint_header
Description:
The tasked expression will hit on terms in a SIGINT header,
and not in the body of the communications.
Aliases:
header
Context Type:
Scan
Example:
sigint_header(... and ...)

sigint_body
Description:
The tasked expression will only hit on terms in the communications content and
not in any protocol headers.
Aliases:
body
Context Type:
Scan
Example:
sigint_body(... and ...)

realm
Description:
The selector and its realm. The syntax for this is in the standard
form of 'badguy@yahoo.com' where 'badguy' is the username and 'yahoo.com' is the realm.
realm() tasking is ...
Aliases:
(none)
Context Type:
Hash
Example:
realm('badguy@yahoo.com')

strong_selector
Description:
Automatically attempts to determine realm (selector could be email address,
cookie or other) and then creates permutations to task in the
main scanner engine for the given target. Given the number of permutations for a single
target, using this syntax can have a significant performance impact on the system if too
many targets are tasked this way.
NOTE: realm() tasking should be used in preference to this context.
Aliases:
(none)
Context Type:
Hash
Example:
If an email address: ...
If a cookie value: ...

email_address
Description:
Automatically attempts to determine realm for the given email address and then
creates permutations to task in the main scanner engine for the
given target. Given the number of permutations for a single target, using this syntax can
have a significant performance impact on the system if too many targets are tasked this
way.
NOTE: realm() tasking should be used in preference to this context.
Aliases:
(none)
Context Type:
Hash
Example:

raw_email
Description:
Tasks the given email address with no permutations in the raw_email context.
The raw_email context is fed email addresses by the email address
extractor, which scans all traffic looking for '@' and then uses heuristics to determine if
the '@' is part of an email address. Note that the output is also
scanned for email addresses, as is the fully normalized application-layer processed
content.
Aliases:
Context Type:
Hash
Example:

email_cc
Description:
(S//REL) The country code associated with an email address. For example if the email
address is ... the country code is ...
Aliases:
Context Type:
Hash
Example:
email_cc(... or ...)

category
Description:
The CADENCE category that has evaluated true on this session. Note that the
CADENCE category must have a valid FIST entry for this context to fire.
Aliases:
cat
Context Type:
Hash
Example:
category(...)

category_priority
Description:
(S//REL) The priority of the CADENCE category that generated a hit. Note that the
CADENCE category must have a valid FIST entry for this context to fire.
Aliases:
cat_pri
Context Type:
Hash
Example:
category_priority(1)

tnd
Description:
Looks up all phone numbers found in signature blocks and other content, as well
as phone numbers found in ...
The TND field will accept traditional wildcards: one will match any number, and one
is permissible at the beginning and will match any number of digits at the
beginning of the number.
Aliases:
phone
mobile
cell
phone_number
msisdn
Context Type:
tnd_lookup
Example:
tnd('5551234')

imei
Description:
All IMEIs found in network protocols or HTTP headers (as seen in many
cellular providers).
Aliases:
(none)
Context Type:
tnd_lookup
Example:
imei('1234512345')

imsi
Description:
All IMSIs found in network protocols or HTTP headers (as seen in many
cellular providers).
Aliases:
(none)
Context Type:
tnd_lookup
Example:
imsi('12345')
Office Documents

document_title
Description:
The title of the office document.
Office documents include (but are not limited to) Microsoft Office, Open
Office, Google Docs and Spreadsheets.
Aliases:
doc_title
Context Type:
Scan
Example:
document_title('situation report')

document_subject
Description:
The subject of the office document.
Office documents include (but are not limited to) Microsoft Office, Open
Office, Google Docs and Spreadsheets.
Aliases:
doc_subject
Context Type:
Scan
Example:
document_subject('latest figures')

document_author
Description:
The author of the office document. Office documents include (but are not
limited to) Microsoft Office, Open Office, Google Docs and Spreadsheets.
Aliases:
doc_author
Context Type:
Scan
Example:
document_author('badguy')

document_org
Description:
The authoring organization of the office document.
Office documents include (but are not limited to) Microsoft Office, Open
Office, Google Docs and Spreadsheets.
Aliases:
doc_org
Context Type:
Scan
Example:

document_hash
Description:
The checksum of the office document/images from within the document.
Office documents include (but are not limited to) Microsoft Office, Open
Office, Google Docs and Spreadsheets.
Aliases:
doc_hash
Context Type:
Hash
Example:
document_hash('cfd2c...')

document_language
Description:
The language of the office document. The language can be determined from
the document properties and/or statistical analysis of the underlying text. All languages
are normalized to two letter language codes.
Office documents include (but are not limited to) Microsoft Office, Open
Office, Google Docs and Spreadsheets.
Aliases:
doc_language
Context Type:
Hash
Example:

document_body
Description:
The normalized text of the office document.
Office documents include (but are not limited to) Microsoft Office, Open
Office, Google Docs and Spreadsheets.
Aliases:
doc_body
Context Type:
Scan
Example:
document_body('how to' and 'build' and ('bomb' or ...))
Communications Content

document_email_body
Description:
The text of all office document and email bodies.
Aliases:
Context Type:
Scan
Aliased to email_body and document_body.
Example:
document_email_body('how to' and 'build' and ('bomb' or ...))

communication_body
Description:
The text of all office document, email, and chat bodies.
Aliases:
Context Type:
Scan
Aliased to chat_body and document_body.
Example:
communication_body('how to' and 'build' and ('bomb' or ...))

email_body
Description:
The text of all email bodies.
Aliases:
email_bod
Context Type:
Scan
Example:
email_body('how to' and 'build' and ('bomb' or 'weapon'))

chat_body
Description:
The text of all chat bodies.
Aliases:
Context Type:
Scan
Example:
chat_body('how to' and 'build' and ('bomb' or ...))

calendar_body
Description:
The normalised text of all calendars. An example is Google
Calendar.
Aliases:
Context Type:
Scan
Example:
calendar_body('wedding')

archive_files
Description:
Matches a list of files within an archive. For example if a ZIP file is
transmitted, all names of files within are passed to this context.
Aliases:
compressed_filenames
Context Type:
Scan
Example:
archive_files(... or '...')

http_post_body
Description:
The normalised text of HTTP url-encoded post bodies.
Aliases:
(none)
Context Type:
Scan
Example:
http_post_body('...=send' and 'badguy@yahoo')

language
Description:
The language code for either documents or web activity.
Aliases:
(none)
Context Type:
Hash
Aliased to doc_language and http_language.
Example:
language('ar')

title
Description:
The title of either office documents or HTML pages.
Aliases:
(none)
Context Type:
Scan
Aliased to doc_title and html_title.
Example:
title('bomb making')
Protocol Metadata

ip_next_protocol
Description:
The textual form of the IP next protocol.
Aliases:
(none)
Context Type:
internal
Example:
UDP
ICMP

from_ip
Description:
The source IP address of the session.
Aliases:
fromip
Context Type:
Scan
Example:

to_ip
Description:
The destination IP address of the session.
Aliases:
toip
Context Type:
Scan
Example:
to_ip('...

ip
Description:
The source or destination IP address of the session.
Aliases:
(none)
Context Type:
Scan
Example:

from_port
Description:
The source TCP or UDP port number.
Aliases:
Context Type:
internal
Example:
from_port(22)

to_port
Description:
The destination TCP or UDP port number.
Aliases:
toport
Context Type:
internal
Example:
to_port(22)

port
Description:
The source or destination TCP or UDP port number.
Aliases:
(none)
Context Type:
internal
Example:
port(...)

ip_subnet
Description:
IP subnet in CIDR notation.
Aliases:
Context Type:
Scan
Example:

mac_address
Description:
The MAC address of the target device.
Aliases:
mac
Context Type:
Scan
Example:
Misc

checkpoint
Description:
A system defined checkpoint to ensure guaranteed order-of-execution. This is
typically used when a follow-on action must be performed after some predefined
processing step, for example access to pre-parsed HTTP header information is only
available after the internal http_parser plugin has executed.
Aliases:
(none)
Context Type:
Hash
Example:

appid
Description:
The application ID of the session.
NOTE: to prevent infinite recursion only one level of indirection is permitted when
including appid() as part of another boolean expression.
Aliases:
(none)
Context Type:
internal
Example:
appid(/mail.*/)

preappid
Description:
The pre-application ID of the session. A pre-application is a boolean
expression for an application that fired on a session, but did not necessarily win (based on
priority). For example a Yahoo webmail session will probably first be identified as
HTTP, then Yahoo, and then finally we see a string indicating that the traffic is mail. As
the decision was being made each of the intermediate appids can generate a pre-appid
event.
NOTE: to prevent infinite recursion only one level of indirection is permitted when
including preappid() as part of another boolean expression.
Aliases:
(none)
Context Type:
internal
Example:
preappid(...)

fingerprint
Description:
A fingerprint that fired on a session.
NOTE: to prevent infinite recursion only one level of indirection is permitted when
including fingerprint() as part of another boolean expression.
Aliases:
Context Type:
internal
Example:

topic
Description:
A topic that fired on a session based off a previous topic definition.
NOTE: to prevent infinite recursion only one level of indirection is permitted when
including topic() as part of another boolean expression.
Aliases:
Context Type:
internal
Example:
topic('world/pakistan' and ...)
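The one-level-of-indirection rule that the appid, preappid, fingerprint and topic entries all state, shown as an added example of how such a limit can be enforced both when definitions are loaded and again when they are evaluated. This is not code from the guide nor from GENESIS; the fingerprint table, the `("ctx", name, value)` leaf encoding, the depth limit constant and the session dicts are constructed for the example, and the guide says nothing about how the limit is implemented.

```python
# Added example, not GENESIS code: enforcing "only one level of indirection"
# for fingerprint() references so that definitions cannot recurse without bound.
# The table, leaf encoding and limit constant below are constructed for the example.

MAX_INDIRECTION = 1   # the guide's rule: one level of fingerprint() nesting


class IndirectionError(Exception):
    """Raised when a definition nests fingerprint() references too deeply or cyclically."""


# Constructed fingerprint table. Leaves are ("ctx", name, value) for a context value
# on the session, or ("fingerprint", name) for a reference to another definition.
FINGERPRINTS = {
    "mail_session": ("ctx", "appid", "mail"),
    "mail_from_pk": ("and", ("fingerprint", "mail_session"), ("ctx", "cc", "pk")),
    # two levels: refers to a definition that itself refers to another
    "mail_from_pk_chat": ("and", ("fingerprint", "mail_from_pk"), ("ctx", "chat_body", "")),
    # mutually recursive pair
    "loop_a": ("or", ("fingerprint", "loop_b"), ("ctx", "cc", "ir")),
    "loop_b": ("or", ("fingerprint", "loop_a"), ("ctx", "cc", "pk")),
}


def _resolve(ref, table, depth):
    """Follow one fingerprint() reference, enforcing the indirection limit."""
    if ref not in table:
        raise IndirectionError(f"unknown fingerprint {ref!r}")
    if depth + 1 > MAX_INDIRECTION:
        raise IndirectionError(
            f"fingerprint({ref!r}) exceeds {MAX_INDIRECTION} level(s) of indirection")
    return table[ref], depth + 1


def indirection_depth(name, table=FINGERPRINTS):
    """Static check at tasking time: deepest fingerprint() nesting in `name`'s definition.
    A cycle is caught as soon as it crosses the limit, so this always terminates."""
    def walk(expr, depth):
        op = expr[0]
        if op == "fingerprint":
            sub, d = _resolve(expr[1], table, depth)
            return walk(sub, d)
        if op in ("and", "or", "not"):
            return max(walk(e, depth) for e in expr[1:])
        return depth
    return walk(table[name], 0)


def validate_table(table=FINGERPRINTS):
    """Split a table into accepted definitions (name -> depth) and rejected ones (name -> reason)."""
    accepted, rejected = {}, {}
    for name in table:
        try:
            accepted[name] = indirection_depth(name, table)
        except IndirectionError as err:
            rejected[name] = str(err)
    return accepted, rejected


def fires(name, session, table=FINGERPRINTS):
    """Evaluate a fingerprint against a session (dict of context name -> value), applying
    the same limit at evaluation time so an unchecked definition cannot recurse."""
    def walk(expr, depth):
        op = expr[0]
        if op == "ctx":
            return session.get(expr[1]) == expr[2]
        if op == "fingerprint":
            sub, d = _resolve(expr[1], table, depth)
            return walk(sub, d)
        if op == "and":
            return all(walk(e, depth) for e in expr[1:])
        if op == "or":
            return any(walk(e, depth) for e in expr[1:])
        if op == "not":
            return not walk(expr[1], depth)
        raise ValueError(f"unknown operator {op!r}")
    return walk(table[name], 0)


def fires_or_reject(name, session, table=FINGERPRINTS):
    """Convenience wrapper: True/False for a verdict, None when the definition is rejected."""
    try:
        return fires(name, session, table)
    except IndirectionError:
        return None
```

`validate_table()` accepts `mail_session` (depth 0) and `mail_from_pk` (depth 1) and rejects `mail_from_pk_chat`, `loop_a` and `loop_b`; the mutually recursive pair is rejected at the first reference that crosses the limit rather than by walking the cycle, which is why the check needs no separate visited-set. Checking again inside `fires()` means a definition that slipped past loading still cannot recurse at evaluation time.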