Title: Guide to using Contexts in XKS Fingerprints
Release Date: 2015-07-01
Description: This undated NSA technical document provides detailed information for performing searches within XKeyScore: see the Intercept article XKEYSCORE: NSA’s Google for the World’s Private Communications, 1 July 2015.
Document: SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Guide to using Contexts in XKS Fingerprints
Version 1.0
Example 1
$a = cc('pk') and (web_search('jihad') or document_body('planning for jihad'))
Definition
(S//REL) Contextual expressions are those that restrict the search space for a particular
expression. In example 1 above, we are looking for the string 'jihad' only in the
normalized text of a web search, and 'planning for jihad' only in the context of the
UTF-8 normalized text of an office document.
GENESIS provides a number of different context types depending on the function of the
context:
• hash - exact match
• scan - perform a keyword/regex scan on contextual text
• latlong (geobox) - perform an R-tree geobox lookup on the latlong location
• prefix - matches the longest prefix of the context and tasked term
• appid/fingerprint/topic - triggers based on appids, fingerprints, and topic logic
• extracted_file - allows hooking on raw extracted files transmitted on the network
Technical Note
(U//FOUO) The difference between a “hash” and a “scan” context is that “scan” means that a full
keyword scan will be executed against that context’s data, which means the keyword will still hit if
it’s a substring of a larger word (think of it as being wildcarded on both ends). A hash lookup
must be an exact match, which is much faster and less taxing on front-end resources.
(S//REL) For example, web_search is a scan, so web_search('jihad') will hit on web
searches like:
“I want to participate in jihad”
“How do I avoid jihad”
“jihadi”
“bigjihad”
What is Contextual Logic?
(S//REL) Contextual logic is the ability to look for keywords, regular expressions, geo-boxes,
and other events purely within a specified scope (context). While this may not
sound like a big deal, currently the only context that DNI processing sensors
provide is that of “strong-selector”, where an email address/chat handle/IP address is
extracted from a known application type and looked up against a list of known targets.
Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20350201
(S//REL) Contextual logic allows the creation of advanced analytics with extreme
precision. For example, if an analyst needs to find all people in Kabul performing web
searches on Jihad, how could this be done? For starters, tasking the term Jihad in
CADENCE or other similar systems would result in voluminous collect as the keyword
hits on every news web page, blog entry, RSS feed etc. The result would be a ton of data
that would ultimately be useless to the analyst and waste precious exfil bandwidth.
(S//REL) So how could I ask the question “Show me all the people doing web searches
on Jihad from Kabul?” Well for starters, the system would need to understand web
searches. What protocol is used for relaying the text of a search from your browser to the
search site’s data centers? The system must not only be capable of identifying this traffic,
but also of processing it and extracting out the text of the web search. Well it turns out
that most search engines use the HTTP protocol (just like every other web site out there)
and the search terms are url-encoded and passed as the URL argument “q”.
XKEYSCORE (or other equivalent system) will extract the “q” URL argument and then
normalize the text by url-decoding it. After normalization, the text is passed to the
GENESIS context for scanning against all search terms NSA analysts are looking for.
(S//REL) So this is how we would task the web search:
fingerprint('web_search/extremist/jihad') =
web_search('jihad' or 'mojahadeen');
(S//REL) But wait - we’re not done yet. The analyst requested that the expression only
be true if the person was physically located in Kabul.
(S//SI//REL) To execute the geographic part of the question, the GENESIS engine
performs an NKB IPGEO lookup against all sessions. The country and city codes are
then passed to the contexts relating to country and city. The city code tasking for Kabul
will fire.
This is the updated fingerprint:
fingerprint('web_search/extremist/jihad') =
web_search('jihad' or 'mojahadeen') and city('Kabul');
(S//SI//REL) So now, we have the web-search context for Jihad firing, and the city
tasking for Kabul firing. Both of these events are then combined in the GENESIS
engine’s Boolean evaluator where the “AND” is evaluated and the resulting fingerprint
fired, tagging the session as being potentially interesting.
(U//FOUO) This is a very simple example, but very powerful. The concept of contexts
gives analysts power that was never possible with CADENCE. It allows the tasking of
combinations of soft terms in context that together form a very strong event.
What is the syntax for Contextual Logic?
(U//FOUO) The syntax for contexts is:
context_name(boolean_expression)
(U//FOUO) Contexts themselves are Boolean expressions that allow composition of
expressions involving the use of many contexts. The example in the previous section
demonstrated this use, which is very natural:
fingerprint('web_search/extremist/jihad') =
web_search('jihad' or 'mojahadeen') and city('Kabul');
Technical Note
(S//REL) You may not compose expressions that include one context inside of
another. For example the expression web_search('jihad' or city('Kabul')) is
somewhat meaningless and not permitted.
Dynamic Contexts
(U//FOUO) Dynamic contexts in GENESIS are those that can be expressed by regular
expressions. For example, if you wanted to write expressions that operated on the HTML
title of a web page only and GENESIS didn’t have a pre-defined context to serve this
purpose (it does), then you could write the following expression:
my_html_title = scan {
/(.*?)/;
} ;
fingerprint('web_site/bad_guy') =
my_html_title('bomb' and 'making');
(U//FOUO) The first expression defines a context named “my_html_title”. The type of
the context is “scan” - i.e. perform a keyword scan of tasked terms against the extracted
text.
(U//FOUO) The fingerprint makes use of the dynamic context by looking for the
keywords ‘bomb’ and ‘making’ within the context of the extracted HTML title.
(S//REL) Here is another example - this time a dynamic expression for Yahoo chat:
yahoo_chat_notify = hash {
/49\xc0\x80typing\xc0\x801\xc0\x80(.{3,40})\xc0\x80/c;
/49\xc0\x80contactinfo\xc0\x801\xc0\x80(.{3,40})\xc0\x80/c;
} ;
fingerprint('badguy') =
yahoo_chat_notify('badguy');
(U//FOUO) In this case, we have given two regular expressions that will perform
extraction against the data stream. The type of the context is “hash”, meaning that the
extracted text will be looked up in a hash table. In that hash table will be any tasking
applied to that context; in this case “badguy” is the term tasked against it in the fingerprint above.
Technical Note
(S//REL) Notice the “c” following the regular expressions in the yahoo_chat_notify example
above. It is a requirement that all expressions in a context have the same case sensitivity
setting. The same requirement applies for contexts of type “hash”. The case sensitivity applies
not only to the regular expression running against the raw traffic but also to the actual lookup/scan
of the extracted text against terms tasked against that context.
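The following is an added illustration, not code from the guide or from GENESIS/XKEYSCORE: a small Python model of a dynamic context as described above. Each regex extracts one capture group from the raw stream, and the extracted text is then looked up as either a "scan" context (substring hit) or a "hash" context (exact lookup). The "c" flag is modelled as an ignore_case setting that must be the same for every regex in the context and is applied both to extraction and to the term lookup, as the Technical Note requires. The `<title>` tag pattern and the NOTIFY record format are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DynamicContext:
    """A context defined by extraction regexes, each with one capture group."""
    name: str
    ctype: str          # "scan" (substring hit) or "hash" (exact lookup)
    patterns: tuple     # compiled byte regexes run against the raw stream
    ignore_case: bool   # one setting for extraction AND for the term lookup

    def __post_init__(self):
        if self.ctype not in ("scan", "hash"):
            raise ValueError(f"unknown context type {self.ctype!r}")
        for p in self.patterns:
            if p.groups != 1:
                raise ValueError("each extraction regex needs exactly one capture group")
            # Mirror the guide's requirement: every regex in one context must use
            # the same case-sensitivity setting as the context itself.
            if bool(p.flags & re.IGNORECASE) != self.ignore_case:
                raise ValueError("all regexes in a context must share one case setting")

    def extract(self, raw):
        """Run every regex over the raw bytes and return the captured text."""
        found = []
        for p in self.patterns:
            for m in p.finditer(raw):
                found.append(m.group(1).decode("utf-8", "replace"))
        return found

    def _norm(self, text):
        return text.lower() if self.ignore_case else text

    def lookup(self, raw, tasked_terms):
        """Return the tasked terms that hit the text extracted from raw."""
        values = [self._norm(v) for v in self.extract(raw)]
        hits = []
        for term in tasked_terms:
            t = self._norm(term)
            if self.ctype == "scan":
                matched = any(t in v for v in values)
            else:
                matched = t in set(values)   # hash: the whole value must be equal
            if matched:
                hits.append(term)
        return hits


def compile_all(expressions, ignore_case):
    """Compile byte regexes with one shared case setting (the guide's 'c' flag)."""
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return tuple(re.compile(e, flags) for e in expressions)


# my_html_title = scan { /<title>(.*?)<\/title>/; };
# The tag pattern is an assumption for this example.
MY_HTML_TITLE = DynamicContext(
    "my_html_title", "scan", compile_all([rb"<title>(.*?)</title>"], True), True)

# A hash context over a made-up, NUL-delimited notification record (constructed).
NOTIFY = DynamicContext(
    "notify", "hash", compile_all([rb"NOTIFY\x00(.{3,40}?)\x00"], True), True)

# Constructed sample payloads, not captured traffic.
SAMPLE_HTML = b"<html><head><title>Quarterly Budget Review</title></head></html>"
SAMPLE_NOTIFY = b"\x01NOTIFY\x00alice\x00\x02NOTIFY\x00bob42\x00"

if __name__ == "__main__":
    print(MY_HTML_TITLE.lookup(SAMPLE_HTML, ["budget", "review", "audit"]))
    print(NOTIFY.lookup(SAMPLE_NOTIFY, ["Alice", "ali", "bob42"]))
```

The scan context reports "budget" and "review" because each is a substring of the extracted title, while the hash context reports "Alice" (case-folded to the exact value "alice") but not "ali", which is only a prefix. Constructing a context whose regex flags disagree with its ignore_case setting raises at definition time rather than silently producing a lookup that never hits.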
Advanced Contexts
Context presence
(S//REL) Sometimes the presence of a context in traffic is all we need. For example, if
GENESIS is to be used to filter traffic being forwarded to a site-store, we may want
to pass all chat sessions from Mumbai to Pakistan that have content. Anyone who has
looked at chat traffic very quickly realizes that there are volumes of presence messages
sent, much of which are not that interesting, and then there is the chat that has content.
How could we find all traffic with actual chat content? Well, we have a “chat_body”
context, but how do I task “not null” in reference to a particular context? A hack
would be to task “chat_body(not ‘junk’)”: then every chat session that does not contain
the word “junk” will be selected. However, that is not a very elegant solution, and in fact
is very inefficient. GENESIS allows tasking of a not null simply by providing an empty
context as follows:
fingerprint('mumbai/chat') =
cc('pk') and city('mumbai') and chat_body();
Appendix A - Context Catalog
File Transfers
filename
Description:
(U//FOUO) Every UTF-8 normalized filename seen in traffic is passed to this context.
Examples are (but not limited to) files transmitted in SMTP, POP3, IMAP, HTTP
Responses, HTTP Posts, FTP sessions, and MIME-encoded headers. Note that the
filename refers to just the filename and not the entire path + filename.
Aliases:
fname
Context Type:
Full Scan
Example:
filename(/wimax.{0,30}setup/)
filename('passport.jpg')
file_ext
Description:
(U//FOUO) Every UTF-8 normalized file extension seen in traffic is passed to this context.
Examples (but not limited to) are files transmitted in SMTP, POP3, IMAP, HTTP
Responses, HTTP Posts, FTP sessions, and MIME-encoded headers.
Aliases:
ext
Context Type:
Hash
Example:
file_ext('jpg' or 'jpeg')
path
Description:
(U//FOUO) Every UTF-8 normalized file path seen in traffic is passed to this context.
Examples are (but not limited to) files transmitted in SMTP, POP3, IMAP, HTTP
Responses, HTTP Posts, FTP sessions, and MIME-encoded headers.
Aliases:
dir
Context Type:
Full Scan
Example:
path(/Document and Settings\\[a-z]{20}/ or '/home/test')
HTTP Activity
web_search
Description:
(U//FOUO) The normalized extracted text from web searches. The system extracts
search terms from Google, Microsoft, News sites and search term leakage from the
Referer line of HTTP headers. In addition it will extract and use spelling correction from
the HTML server response, so if the target mis-spells but the search engine corrects, the
expression will still evaluate true.
Aliases:
search
Context Type:
Full Scan
Example:
web_search('ricin' or 'plague')
html_title
Description:
(U//FOUO) The normalized extracted text of web page titles.
Aliases:
http_title
Context Type:
Full Scan
Example:
html_title('how to' and 'bomb')
http_url
Description:
(U//FOUO) Every URL from HTTP GET and POST commands.
Aliases:
url
Context Type:
Full Scan
Example:
http_url('/mail/inbox?action=delete')
http_url_args
Description:
(U//FOUO) All arguments given as part of a URL (i.e. all text following the '?' in a URL
string).
Aliases:
url
Context Type:
Full Scan
Example:
http_url_args('action=delete')
http_host
Description:
(U//FOUO) The “Host:” name given in the HTTP header.
Aliases:
Context Type:
Full Scan
Example:
http_host('yahoo.com')
http_server
Description:
(U//FOUO) The “Server:” type name in the HTTP header.
Aliases:
Context Type:
Full Scan
Example:
http_server('GWS/2.1' or 'Apache')
http_referer
Description:
(U//FOUO) The “Referer:” URL given in the HTTP header.
Aliases:
Context Type:
Full Scan
Example:
http_referer('http://badwebsite/cp?action=show')
http_language
Description:
(U//FOUO) The normalized two letter iso-6393 language code as inferred from any HTTP
and or HTML header info.
Aliases:
Context Type:
Full Scan
Example:
http_language('fa' or 'de')
http_language(not 'en')
http_cookie
Description:
(U//FOUO) The “Cookie:” field given in the HTTP header.
Aliases:
Context Type:
Full Scan
Example:
http_cookie(/PREF=\d\d [a-z]/)
http_user_agent
Description:
(U//FOUO) The “User-Agent:” field given in the HTTP header. This is the name of the
browser the client is using (e.g. Firefox or Internet Explorer).
Aliases:
user_agent
http_browser
browser
Context Type:
Full Scan
Example:
http_user_agent(/Mozilla\/[45]/ or 'Chrome')
Info
map_latlong
Description:
(U//FOUO) A geo box around the location of a map view zoom on services such as
Google Earth, Google Maps, Microsoft Live Earth etc.
Aliases:
map, map_zoom, zoom
Context Type:
latlong box
Example:
map_latlong('1, 2, 3, 4')
to_cc
Description:
(S//REL) The destination country based on IP address - IPGEO lookup.
Aliases:
ip_to_cc
Context Type:
Hash
Example:
to_cc('ir' or 'pk')
from_cc
Description:
(S//REL) The source country based on IP address - IPGEO lookup.
Aliases:
ip_from_cc
Context Type:
Hash
Example:
from_cc('ir' or 'pk')
cc
Description:
(S//REL) The country (either to OR from) based on IP address - IPGEO lookup.
Aliases:
ip_cc
Context Type:
Hash
Aliased to from_cc and to_cc.
Example:
cc('ir' or 'pk')
to_latlong
Description:
(S//REL) A geo box around the destination latitude and longitude based on IP Address -
IPGEO lookup.
NOTE - this context is currently disabled for performance
Aliases:
Context Type:
latlong box
Example:
to_latlong('1, 2, 3, 4')
from_latlong
Description:
(S//REL) A geo box around the source latitude and longitude based on IP Address -
IPGEO lookup.
NOTE - this context is currently disabled for performance
Aliases:
Context Type:
latlong box
Example:
from_latlong('1, 2, 3, 4')
latlong
Description:
(S//REL) A geo box around the source or destination latitude and longitude based on IP
Address - IPGEO lookup.
NOTE - this context is currently disabled for performance
Aliases:
Context Type:
latlong box
Aliased to from_latlong and to_latlong.
Example:
latlong('1, 2, 3, 4')
to_city
Description:
(S//REL) The destination city based on IP address - IPGEO lookup.
Aliases:
to_town
Context Type:
Hash
Example:
to_city('Islamabad')
from_city
Description:
(S//REL) The source city based on IP address - IPGEO lookup.
Aliases:
from_town
Context Type:
Hash
Example:
from_city('Islamabad')
city
Description:
(S//REL) The source or destination city based on IP address - IPGEO lookup.
Aliases:
from_town
Context Type:
Hash
Aliased to from_city and to_city.
Example:
city('Islamabad')
SRI Metadata
sigad
Description:
(S//REL) The site designator (SIGAD).
Aliases:
Context Type:
Scan
Example:
sigad('US-1234')
casenotation
Description:
(S//REL) The collection site casenotation (signal designator).
Aliases:
case_notation
Context Type:
Scan
Example:
casenotation('ABC1234')
block_num
Description:
(S//REL) The session block number. If a TCP/IP session exceeds a maximum size
(typically 10 Mbytes) the session is fragmented and assigned a one-up non-zero block
number. If a session is block zero it is the one and only fragment.
Aliases:
block
Context Type:
Scan
Example:
block_num('1' or '2')
sigint_header
Description:
(S//REL) The tasked expression will only hit on terms in a USSID-124 SIGINT header,
and not in the body of the communications.
Aliases:
header
Context Type:
Scan
Example:
sigint_header('ILCC' and 'FMIP')
sigint_body
Description:
(S//REL) The tasked expression will only hit on terms in the communications content and
not in USSID-124 or protocol headers.
Aliases:
body
Context Type:
Scan
Example:
sigint_header('ILCC' and 'FMIP')
Targeting/Strong Selectors/Soft Selectors
realm
Description:
(S//REL) The selector and its corresponding realm. The syntax for this is in the standard
form of “badguy” where “badguy” is the username and “” is the realm.
realm() tasking is
Aliases:
Context Type:
Hash
Example:
realm('badguy')
strong_selector
Description:
(S//REL) Automatically attempts to determine the realm (the selector could be an email address,
cookie or other) and then creates DECODEORDAIN-style permutations to task in the
main scanner engine for the given target. Given the number of permutations for a single
target, using this syntax can have a significant performance impact on the system if too
many targets are tasked this way.
NOTE: realm() tasking should be used in preference to strong_selector().
Aliases:
Context Type:
Hash
Example:
strong_selector('badguy@yahoo.com') // an email address
strong_selector('ABCDEF') // a cookie value
email_address
Description:
(S//REL) Automatically attempts to determine the realm for the given email address and then
creates DECODEORDAIN-style permutations to task in the main scanner engine for the
given target. Given the number of permutations for a single target, using this syntax can
have a significant performance impact on the system if too many targets are tasked this
way.
NOTE: realm() tasking should be used in preference to email_address().
Aliases:
Context Type:
Hash
Example:
email_address('badguy@yahoo.com')
raw_email
Description:
(S//REL) Tasks the given email address with no permutations in the raw_email context.
The raw_email context is fed email addresses from the XKEYSCORE email address
extractor, which scans all traffic looking for '@' and then uses heuristics to determine if
the '@' is part of an email address. Note that the output from STARPROC is also
scanned for email addresses, as is the fully UTF-8 normalized application-layer processed
content.
Aliases:
Context Type:
Hash
Example:
raw_email('badguy@yahoo.com')
email_cc
Description:
(S//REL) The country code associated with an email address. For example if the email
address is badguy@yahoo.co.de the country code is 'de'.
Aliases:
Context Type:
Hash
Example:
email_cc('ir' or 'sa')
category
Description:
(S//REL) The CADENCE category that has evaluated true on this session. Note that the
CADENCE category must have a valid FIST entry for this context to fire.
Aliases:
cat
Context Type:
Hash
Example:
category('2344')
category_priority
Description:
(S//REL) The priority of the CADENCE category that generated a hit. Note that the
CADENCE category must have a valid FIST entry for this context to fire.
Aliases:
cat_pri
Context Type:
Hash
Example:
category_priority(1)
tnd
Description:
(S//REL) Looks up all phone numbers found in signature blocks and other content as well
as phone numbers found in VoIP.
The TND field will accept traditional 'X' and 'Y' wildcards. 'X' will match any number
and 'Y' is permissible at the beginning and will match any number of digits at the
beginning of the number.
Aliases:
pstn
phone
mobile
cell
phone_number
msisdn
Context Type:
tnd_lookup
Example:
tnd('5551234')
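An added illustration, not code from the guide: a Python translation of the TND wildcard rule described in the entry above into an anchored regular expression, assuming that 'X' stands for exactly one digit and that a pattern otherwise contains only digits, followed by a lookup over constructed sample numbers. Numbers are reduced to their digits before matching, so '+1 555-1234' is compared as '15551234'.

```python
import re


def tnd_pattern_to_regex(pattern):
    """Translate a TND wildcard pattern such as 'Y555XX34' into an anchored regex.

    'X' matches one digit (assumption); 'Y' is only allowed at the beginning and
    matches any number of leading digits, as the tnd entry describes.
    """
    pattern = pattern.strip()
    if not pattern:
        raise ValueError("empty TND pattern")
    prefix = ""
    body = pattern
    if body.startswith("Y"):
        prefix = r"\d*"
        body = body[1:]
    if "Y" in body:
        raise ValueError("'Y' is only permitted at the beginning of a TND pattern")
    parts = []
    for ch in body:
        if ch == "X":
            parts.append(r"\d")
        elif ch.isdigit():
            parts.append(re.escape(ch))
        else:
            raise ValueError(f"invalid character {ch!r} in TND pattern")
    return re.compile("^" + prefix + "".join(parts) + "$")


def tnd_match(pattern, number):
    """Does a phone number (any formatting) match the tasked TND pattern?"""
    digits = re.sub(r"\D", "", number)  # drop '+', spaces and dashes before lookup
    return tnd_pattern_to_regex(pattern).fullmatch(digits) is not None


# Constructed sample numbers; not real tasking or collection data.
SAMPLE_NUMBERS = ["5551234", "+1 555-1234", "4455551234", "5551235", "55512340"]


def tnd_hits(pattern):
    """Return the constructed sample numbers that a pattern would hit."""
    return [n for n in SAMPLE_NUMBERS if tnd_match(pattern, n)]


if __name__ == "__main__":
    for p in ("5551234", "Y5551234", "555123X"):
        print(p, "->", tnd_hits(p))
```

A plain pattern behaves as an exact lookup; a leading 'Y' accepts any country or area-code prefix, and 'X' accepts one unknown digit. A 'Y' anywhere other than the first position is rejected rather than silently treated as a literal.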
imei
Description:
(S//REL) All IMEIs found in network protocols or HTTP headers (as seen in many
cellular providers).
Aliases:
Context Type:
tnd_lookup
Example:
imei('123456789012345')
imsi
Description:
(S//REL) All IMSIs found in network protocols or HTTP headers (as seen in many
cellular providers).
Aliases:
Context Type:
tnd_lookup
Example:
imsi('123456789012345')
Office Documents
document_title
Description:
(U//FOUO) The title of the office document.
(U//FOUO) Office documents include (but are not limited to) Microsoft Office, Open
Office, Google Docs and Spreadsheets.
Aliases:
doc_title
Context Type:
Scan
Example:
document_title('situation report')
document_subject
Description:
(U//FOUO) The subject of the office document.
(U//FOUO) Office documents include (but are not limited to) Microsoft Office, Open
Office, Google Docs and Spreadsheets.
Aliases:
doc_subject
Context Type:
Scan
Example:
document_subject('latest figures')
document_author
Description:
(U//FOUO) The author of the office document. Office documents include (but are not
limited to) Microsoft Office, Open Office, Google Docs and Spreadsheets.
Aliases:
doc_author
Context Type:
Scan
Example:
document_author('badguy')
document_org
Description:
(U//FOUO) The authoring organization of the office document.
(U//FOUO) Office documents include (but are not limited to) Microsoft Office, Open
Office, Google Docs and Spreadsheets.
Aliases:
doc_org
Context Type:
Scan
Example:
document_org('PTCL')
document_hash
Description:
(U//FOUO) The MD5 sum of the office document/images from within the document.
(U//FOUO) Office documents include (but are not limited to) Microsoft Office, Open
Office, Google Docs and Spreadsheets.
Aliases:
doc_hash
Context Type:
Hash
Example:
document_hash('cfd2c677a42bd0919dd8e37f7ac9bcf7')
document_language
Description:
(U//FOUO) The language of the Office document. The language can be determined from
the document properties and or statistical analysis of the underlying text. All languages
are normalized to two letter iso-6393 language codes.
(U//FOUO) Office documents include (but are not limited to) Microsoft Office, Open
Office, Google Docs and Spreadsheets.
Aliases:
doc_language
Context Type:
Hash
Example:
document_language('de')
document_body
Description:
(U//FOUO) The UTF-8 normalized text of the Office document.
(U//FOUO) Office documents include (but are not limited to) Microsoft Office, Open
Office, Google Docs and Spreadsheets.
Aliases:
doc_body
Context Type:
Scan
Example:
document_body('how to' and 'build' and ('bomb' or 'weapon'))
Communications Content
document_body
Description:
(U//FOUO) The UTF-8 normalized text of the Office document.
(U//FOUO) Office documents include (but are not limited to) Microsoft Office, Open
Office, Google Docs and Spreadsheets.
Aliases:
doc_body
Context Type:
Scan
Example:
document_body('how to' and 'build' and ('bomb' or 'weapon'))
document_email_body
Description:
(U//FOUO) The UTF-8 normalized text of all office document and email bodies.
Aliases:
doc_email_body
Context Type:
Scan
Aliased to email_body and document_body.
Example:
document_email_body('how to' and 'build' and ('bomb' or 'weapon'))
communication_body
Description:
(U//FOUO) The UTF-8 normalized text of all office document, email, and chat bodies.
Aliases:
doc_email_body
Context Type:
Scan
Aliased to email_body, chat_body and document_body.
Example:
communication_body('how to' and 'build' and ('bomb' or 'weapon'))
email_body
Description:
(U//FOUO) The UTF-8 normalized text of all email bodies.
Aliases:
email_body
Context Type:
Scan
Example:
email_body('how to' and 'build' and ('bomb' or 'weapon'))
chat_body
Description:
(U//FOUO) The UTF-8 normalized text of all chat bodies.
Aliases:
chat_body
Context Type:
Scan
Example:
chat_body('how to' and 'build' and ('bomb' or 'weapon'))
calendar_body
Description:
(U//FOUO) The UTF-8 normalized text of all calendars. An example is Google
Calendar.
Aliases:
chat_body
Context Type:
Scan
Example:
calendar_body('wedding')
archive_files
Description:
(U//FOUO) Matches a list of files from within an archive. For example, if a ZIP file is
transmitted, all names of files within are passed to this context.
Aliases:
archive_body
compressed_filenames
Context Type:
Scan
Example:
archive_files('bad.dll' or 'virus.doc')
http_post_body
Description:
(U//FOUO) The UTF-8 normalized text of HTTP url-encoded POSTs.
Aliases:
Context Type:
Scan
Example:
http_post_body('action=send' and 'badguy@yahoo')
language
Description:
(U//FOUO) The iso-6393 language code for either documents or web activity.
Aliases:
Context Type:
Hash
Aliased to doc_language and http_language.
Example:
language('ar')
title
Description:
(U//FOUO) The title of either office documents or HTML pages.
Aliases:
Context Type:
Scan
Aliased to doc_title and html_title.
Example:
title('bomb making')
Protocol Metadata
protocol
Description:
(U//FOUO) The textual form of the IP next protocol.
Aliases:
Context Type:
internal
Example:
protocol('TCP')
protocol('UDP')
protocol('ICMP')
ip_next_protocol
Description:
(U//FOUO) The textual form of the IP next protocol.
Aliases:
Context Type:
internal
Example:
ip_next_protocol(17)
from_ip
Description:
(U//FOUO) The source IP address of the session.
Aliases:
fromip
Context Type:
Scan
Example:
from_ip('127.0.0.1')
to_ip
Description:
(U//FOUO) The destination IP address of the session.
Aliases:
toip
Context Type:
Scan
Example:
to_ip('127.0.0.1')
ip
Description:
(U//FOUO) The source or destination IP address of the session.
Aliases:
Context Type:
Scan
Example:
ip('127.0.0.1')
from_port
Description:
(U//FOUO) The source TCP or UDP port number.
Aliases:
fromport
Context Type:
internal
Example:
from_port(22)
to_port
Description:
(U//FOUO) The destination TCP or UDP port number.
Aliases:
toport
Context Type:
internal
Example:
to_port(22)
port
Description:
(U//FOUO) The source or destination TCP or UDP port number.
Aliases:
Context Type:
internal
Example:
port(22)
ip_subnet
Description:
(U//FOUO) IP subnet in CIDR notation.
Aliases:
Context Type:
Scan
Example:
ip_subnet('7.211.143.148/24')
mac_address
Description:
(U//FOUO) The MAC address of the target network device.
Aliases:
mac
Context Type:
Scan
Example:
mac_address('00:16:3E:3F:BD:EF')
Checkpoints
checkpoint
Description:
(S//REL) A system defined checkpoint to ensure guaranteed order-of-execution. This is
typically used when a follow-on action must be performed after some predefined
processing step; for example, access to pre-parsed HTTP header information is only
available after the internal XKEYSCORE http_parser plugin has executed.
Aliases:
Context Type:
Hash
Example:
checkpoint('http_parser')
Misc
appid
Description:
(U//FOUO) The application ID of the session.
NOTE: to prevent infinite recursion only one level of indirection is permitted when
including appid() as part of another boolean expression.
Aliases:
Context Type:
internal
Example:
appid(/mail.*/)
preappid
Description:
(U//FOUO) The pre-application ID of the session. A pre-application ID is a boolean
expression for an application that fired on a session, but did not necessarily win (based on
priority). For example a Yahoo webmail session will probably first be identified as
HTTP, then Yahoo, and then finally we see a string indicating that the traffic is mail. As
the decision was being made each of the intermediate appids can generate a pre-appid
event.
NOTE: to prevent infinite recursion only one level of indirection is permitted when
including preappid() as part of another boolean expression.
Aliases:
Context Type:
internal
Example:
preappid(/mail.*/)
fingerprint
Description:
(U//FOUO) A fingerprint that fired on a session.
NOTE: to prevent infinite recursion only one level of indirection is permitted when
including fingerprint() as part of another boolean expression.
Aliases:
Context Type:
internal
Example:
fingerprint(/encryption\/office.*/)
topic
Description:
(U//FOUO) A topic that fired on a session based on a previous topic definition.
NOTE: to prevent infinite recursion only one level of indirection is permitted when
including topic() as part of another boolean expression.
Aliases:
Context Type:
internal
Example:
topic('wmd/pakistan' and /wmd\/bio.*/)