
XKS Application IDs Brief

Jul. 1 2015 — 9:52 a.m.

Page 1 from XKS Application IDs Brief
Classification: TOP SECRET//COMINT//ORCON//REL TO USA, FVEY//20291123
Page 2 from XKS Application IDs Brief
Basic Syntax
Syntax is very C-like:
function('name', level, {optional info}) = 'search terms and patterns';
Two valid search functions: appid and fingerprint.
- appid('chat/icq', 8.5, wireshark='icq') = [...] and $icq;
- fingerprint([...], 7.0) = 'user-agent: nokia' or 'profile: [...]
Page 3 from XKS Application IDs Brief
Naming Conventions
XKS Appids are named using a pseudo directory convention:
/application_type/sub_type/name
Page 4 from XKS Application IDs Brief
Levels
Levels are 1.0 - 9.9 with lower numbers having a higher priority. This allows multiple signatures to match a piece of traffic and only the most specific appid will be applied. An example might be:
9.9 Yahoo
9.8 Yahoo/chat
9.7 Yahoo/chat/incoming
Since Yahoo/chat/incoming has the lowest level, the traffic will be labeled as yahoo/chat/incoming.
Page 5 from XKS Application IDs Brief
Basic Search Patterns
XKEYSCORE supports Boolean operations and regular expressions.
Raw text must be encapsulated between single quotes:
- 'search term'
Terms can be combined with Boolean logic:
- 'search term' and 'another term'
- 'search term' or 'another term'
Page 6 from XKS Application IDs Brief
Binary and Regex Patterns
Binary patterns can be represented by putting a \x in front of each binary value:
'\xff\xff\x00\x02'
Note: Unlike C, no double back slashing required.
- /regex/
Page 7 from XKS Application IDs Brief
You can assign a pattern to a variable (CHAINWORD) and reuse the variable in many patterns:
$sip = 'via: sip' and 'cseq:' and [...]
Now we can use this variable in future definitions:
- [...], 7.2) = $sip;
- [...], 6.9) = $sip and [...]
Page 8 from XKS Application IDs Brief
Built in functions
ip(expr) - Matches against an IP address; looks in the to address and from address in the session header. Example: ip([...])
toport(expr) - Matches against the Destination/To port. Note this must be a numeric representation of a port. Example: toport([...])
fromport(expr) - Matches against the Source/From port. Note this must be a numeric representation of a port. Example: fromport(80)
port(expr) - Matches against either port. Note this must be a numeric representation of a port. Example: port(666)
next_protocol(expr) - Matches against the integer version of the next protocol. Example: next_protocol(250)
protocol('text') - Will only work for IP next protocol names as defined in the IANA next protocol numbers document. Example: protocol([...])
Page 9 from XKS Application IDs Brief
Built in functions
Permutes just like string_selector (just like DECODEORDAIN)
mac_address(addr) - Tasks a MAC address
smac(addr)
dmac(addr)
ip(addr) - Tasks this IP address (either to or from)
from_ip(addr) - Tasks this IP address only when it is the originator
to_ip(addr) - Tasks this IP address only when it is the destination
Page 10 from XKS Application IDs Brief
More built in functions
first(expr) - Matches against a pattern at the beginning of the session
lpos(expr) - Matches against a pattern at the beginning of each line
pos(expr, ...) - Expression occurs at offset in the session. Example (partly illegible): pos('Hello', 5, [...] 10)
between(expr, ...) - Example: between('Hello', 'World', 10, 100): separation between 'Hello' and 'World' is greater than or equal to 10 bytes and less than or equal to 100 bytes. This is the same as using the following regular expression: [...]
'term'c - Does a case sensitive match of the term
'term'u - Treats the term as [...]
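As an added illustration that is not part of the brief, the level-priority rule from the Levels slide is combined here with the first(), lpos(), between() and port() built-ins just described, modelled in Python; the appid names, the YMSG marker and the port 5050 sample traffic are constructed for this example and are not signatures from the document.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Session:
    """Captured session bytes plus ports, the inputs the built-ins inspect."""
    data: bytes
    fromport: int
    toport: int

def first(sess: Session, term: bytes) -> bool:
    """first(): pattern at the beginning of the session."""
    return sess.data.startswith(term)

def lpos(sess: Session, term: bytes) -> bool:
    """lpos(): pattern at the beginning of a line."""
    return any(line.startswith(term) for line in sess.data.split(b"\n"))

def between(sess: Session, a: bytes, b: bytes, lo: int, hi: int) -> bool:
    """between(): b follows a with lo <= separation <= hi bytes (DOTALL regex)."""
    pattern = re.escape(a) + b".{%d,%d}" % (lo, hi) + re.escape(b)
    return re.search(pattern, sess.data, re.S) is not None

def port(sess: Session, n: int) -> bool:
    """port(): matches either the from or the to port."""
    return sess.fromport == n or sess.toport == n

@dataclass
class Appid:
    name: str                         # /application_type/sub_type/name
    level: float                      # 1.0 - 9.9, lower number = higher priority
    match: Callable[[Session], bool]  # the signature's search pattern

# Constructed signatures mirroring the Yahoo example on the Levels slide;
# the YMSG marker and port 5050 are sample values for this illustration.
APPIDS = [
    Appid("chat/yahoo", 9.9, lambda s: port(s, 5050)),
    Appid("chat/yahoo/chat", 9.8,
          lambda s: port(s, 5050) and first(s, b"YMSG")),
    Appid("chat/yahoo/chat/incoming", 9.7,
          lambda s: port(s, 5050) and first(s, b"YMSG") and lpos(s, b"from:")),
]

def label(sess: Session) -> Optional[str]:
    """Every matching appid is collected; only the lowest level is applied."""
    hits = [a for a in APPIDS if a.match(sess)]
    return min(hits, key=lambda a: a.level).name if hits else None

if __name__ == "__main__":
    print(label(Session(b"YMSG\nfrom: bob\n", 5050, 40001)))  # chat/yahoo/chat/incoming
```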
Page 11 from XKS Application IDs Brief
Predefined Chainwords
There are a number of chainwords predefined for convenience:
- $http_delete
- $udp
- $http_trace
- $icmp
- $http_head
- $http_options
- $http_partial
- $vbulletin
- $s[...]
- $mime_type
- $http_cm[...]
- $user_agent
- $http
- $http_get
- $http_put
- $http_post
Page 12 from XKS Application IDs Brief
Example
appid('voip/sip/IMS', 6.0, wireshark='sip') =
  ('via: sip' or [...] sip') and 'cseq:' and
  ('p-access-network-info:' or
   [...] or
   'p-charging-vector:' or
   'p-charging-vector-addresses:' or
   'p-media-authorization:' or
   'security-server:' or
   'security-client:' or
   'service-route:' or
   ('record-route:' and [...]) or
   ('record-route:' and [...]) or
   ('contact:' and [...]) or
   ('contact:' and [...]) or
   ('proxy-authorization:' and [...]) or
   ('proxy-authorization:' and [...]) or
   ('path:' and [...]) or
   ('path:' and [...]));
Page 13 from XKS Application IDs Brief
Example
- [...], 3.0, [...]) = toport(2000) and [...];
- [...], 3.0, [...]) = fromport(2000) and [...];
- [...], 9.9, [...]) = port(2000);
Page 14 from XKS Application IDs Brief
Example
- [...], 6.0, chatproc='Yahoo') = ([...] and $yahoo_chat) or ([...] and not port(5050));
- [...], 8.5, wireshark='icq', chatproc='ICQ') = [...] and $icq;
- [...], 9.0, chatproc='ICQ') = [...] and not port(25);
- [...], 7.0) = [...] or 'begin gimf asrar el moujahedeen';
Page 15 from XKS Application IDs Brief
Example
[...], 8.5, wireshark='smtp') = toport(25) and ([...] or [...] or first('data') or [...]) [...] 'from:') or lpos('rcpt [...]
Page 16 from XKS Application IDs Brief
Example
$gmail = first('POST /gmail'c) or first('GET /gmail'c) or [...] or [...] or [...] or '\nServer: [...]';
appid('mail/webmail/gmail', 8.0) = $gmail;
Page 17 from XKS Application IDs Brief
[...] append the mime_type and HTML title to any of these appids.
PARAMS $web = "web";
- [...], 9.1, $web) = $webproxy_to_server;
- [...], 9.1, $web) = $webproxy_to_client;
Page 18 from XKS Application IDs Brief
Third parameter is the type; if missing, it takes up to the first slash as the type.
- [...], 9.2, $web) = $http and not ('x-cache' or 'x-forward' or 'get' or 'post' or 'get http' or 'post http');
- [...], 9.1, $web) = $http and [...]
Page 19 from XKS Application IDs Brief
appid options:
--help                this help message
[...]                 list all the application/fingerprint names and levels
--list-appids         list all the application names (no fingerprints)
--list-fingerprints   list all the application names (no appids)
--list-types          list all the application types
--list-levels         list all the application levels
--unit-test           perform unit tests with data in the hierarchy 'datadir', with files matching 'filespec'
--quiet               don't print any load messages
--appid_fname arg     location of [...]
--input-file arg      input file to test
--datadir arg         The test data directory. Defaults to [...]
--filespec arg        A regular expression to match against files to check
--noexit arg          do not stop on the first error
Page 20 from XKS Application IDs Brief
Appid Validation
appid sample.u124
Loading appids [...]
Finished loading appids
Filename: sample.u124
Appid: encryption/https
Total Size: 19.36Kbits
Total Time: 0.01secs
Rate: 1.936Mbits/s
Overall performance:
Total Time: 0.01secs
Total Bits: 0.01936Mbits
Overall Rate: 1.936Mbits/s
Page 21 from XKS Application IDs Brief