Title: Writing XKS Fingerprints
Release Date: 2015-07-01
Document Date: 2010-11-22
Description: This 67-page NSA presentation from November 2010 explains how to create the “Fingerprints” which enable analysts to trace individuals within XKeyScore: see the Intercept article XKEYSCORE: NSA’s Google for the World’s Private Communications, 1 July 2015.
Document: writing-xks-fingerprints-p1-normal.gif:
Writing XKS Fingerprints
November 2010
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZLwriting-xks-fingerprints-p2-normal.gif:
Agenda
• Naming Fingerprints
• Simple Keywords
° Boolean Logic
• Variables
• Context-Sensitive
TOP SECRET//COM1NTwriting-xks-fingerprints-p3-normal.gif:
Fingerprints 101
• What’s in a name?
• The XKS Fingerprint naming convention
can help organize fingerprints and make
searching easier so its important to make
sure you name your fingerprint inline with
the existing convention
TOP SECRET//COM1NTwriting-xks-fingerprints-p4-normal.gif:
• For example, fingerprint names look like this:
• encryption/archive/rar
• encryption/archive/pkzip
• encryption/archive/pkzip •
• Notice the directory-like structure so that all
encryption fingerprints are within the same
“folder” and allencryption/archive fingerprints
are within the same Tolder”
TOP SECRET//COM1NTwriting-xks-fingerprints-p5-normal.gif:
What's in a name
This allows for smarter searching because
you could look for all encryption
fingerprints by searching for encryption/*
search for all encryption/archive
fingerprints by searching for
encryption/archive/* and etc.
TOP SECRET//COM1NTwriting-xks-fingerprints-p6-normal.gif:
• When you want to submit a new fingerprint,
look to see if it would fit into any existing
fingerprint folders.
• Best way to do this is to use either the “Field
Builder” or “Tree Field Builder” next to the
AppID+Fingeprints field in the search forms
TOP SECRET//COM1NTwriting-xks-fingerprints-p7-normal.gif:
TOP SECRET STRAPi
What's in a name
The field builders allow
you to browse existing
fingerprint directories to
see if one already exists for
your new fingerprint
R.ul.W
* , Apple (♦Fira«ipnritii
> (_JA>pllc-a1lcr«s
:• Qct_mo
> GPSjuAhfl
2 HTMLD_cjtion
P QlCBM
P OQUWTUM0OT
p Qtao
P L jOv«ltl»KI’l«llt
p i_3
P (_l analytic*
> L an»
j anonym*«'
> LJ anIMius
P [_J app
__| applet on
pQ application*
S Jisociatc
»atAsoor
:> Q_jPjcPCooo
p JMog
:• _DPotn«t
TOP SECRET//COM1NTwriting-xks-fingerprints-p8-normal.gif:
botnQtA'lad<6nergytx)V'comni¿ind/icrrip
botnetyblackenergybof/comniand/strip
botnet^lackenergytotAommancl/syri
botnet>lDlackenergybot/comrrand/*/ait
TOP SECRET//CÜM1NT
3 a s a a e 6 F » rë
TJ 13 TJ TJ "O 13 n n n n n n 13 n ■c 15 ■3 C.
1 1 t ^ 1 t ? S 5 ?
mm f. 1 T S IX
•K T n T «< j. : j.1 _ : j.1 1. ^ ^ >. %. > % ■» S I m'
V) OT V> Vt m v> V?
S" rfi" ro* ¡o’ 5- ro" CL CL CL CL CL CL ü) Ri H W H H c- Ss S- S: è 11 i il 'I ! £ G O CL ro Q. t-* I *cr r $ < 5 6
[CR BT Sl'RAPiwriting-xks-fingerprints-p9-normal.gif:
What s in a name
If no existing directory makes sense for your
fingerprint, you can always create a new
one.
TOP SECRET//COM1NTwriting-xks-fingerprints-p10-normal.gif:
Fingerprints 101: Getting Started
• The first step is to define the name of the
fingerprint.
• To do that, follow the syntax below:
fingerprint(encryption/archive/test_new’)
TOP SECRET//COM1NTwriting-xks-fingerprints-p11-normal.gif:
Fingerprints 101: Getting Started
• Note that fingerprint names can not have
spaces or any other punctuation other than
/ which denote directories and _ which can
be used in the place of spaces to make
fingerprint names easier to read
•fingerprint( encryption/archive/test_new’)
TOP SECRET//COM1NTwriting-xks-fingerprints-p12-normal.gif:
TOP SECRET STRAFi
Fingerprints 101
As an example, let’s say we want to fingerprint
traffic like this:
. ¿***\kJ^ *IL*j
(^120^
)-cr [ yp
WOWH - ni-ini? C* |
tawab
ft» Btg'r ASRAR □ Mc||tfwd««r *2.0 EncryptedNitiiK 11»
ifRflTiT/ATRHH2E12jfl1 C^VQyfrfrRIMmEZZTdlNzZniZQhKJQUxZYVZhVDP' ICj YwtfVIZGUQ
ZiYWMjd
*OeYiY]c1ZDolMOAihfTQi7jn\'1NDV(Y2,ryMGJJYJ|.200K/ll4NiTt*nM2)1Mjc5OOk./ZGfJhOjRrn’%\%JrrNjVZjP0W‘jVtkY~'i4MiMit2iRiN2r Mi 13 M C1NGJ3UTA3ZDQ4 NAVR-n Yr MyOTU r Z ¡2Vj:j3NiQ10G04\ITA3N
rU2S2ZHN25YlU2YlYimFlOOiWiK2VW«2U6MT2iNCY2MirM2Z^/rijQ2Ya0C-Ga2ODUxMW
VVM.UMWVINDAyOSIOMm MTdnfiTY' YtfxMDgyOGZMawZWZI U OawV2CM MlNMOfllOD
UxZTUOOc1MTY2M?ONJU67JR» 7^»\jM>n-nh\flF i OTbmYVM HriiFI2]»yNn*l/*7nA3wnMO
N>.*ZDhhNrrl4ZmRhY'ic3NrrZH0Fk0DZ#lMZE«Z3Q5Nir#»TZDQxCTIWi NIBM|e3WzB OV/twZWb1 N)k3Yj gxY2VfnQ10WULnoiM>
UUJIbjUPqr*Oi;VKH»e«K aZjU2yqEmKbl-HHji*Mh*f-Urtf-AJwMS*i-KokUKfcc*Xh
I
Gut3juYTwlEOiG«20s3f>lS5kfRXXH-DiTnb70/ufeer6trA1>Q6
♦$ECSRUIdU€YVupr0bhac4Dof
$BbFR3i>vgOS>pUxPYgmEOf)HA*rm7tuH0NI>*cynZoati;NdnRUr«|EpFqFC3*PHSnaniqo
♦ 1C«fli*icr62XE2q>V.1XJWnM«VHAJy2n*L*«2TC1IHbae2J«t(V37
k1 X yO N7V 9YVR- ~ V.3 »VA’P XI» ytntw *,0 X WTqP HI I J1.IWA7ti2NKi.:3X»nMrr::i:l>4c jRJ6“Ery7t03xPfiB3loaf4*30aUkZHLEiivJlAvfl/B6Rri«JAhSqk5rMH(Xfc«VJc>3umWOmRtcCjz3
PW>!zrFCC»B4SK4HxIl»2Z(^2KttU8VMyNtrrls!U4Xl,*saK4iNxVL8•■Z1o\Y2fcA4N4y)niqfJ2FNftiAON$Ej»irKoggVrnkxl>jGaui*Tufpx3gatlg
tt9 End ASRAR □ Maja-wd««- «2.0 ErKiypted Message 11»writing-xks-fingerprints-p13-normal.gif:
TOP SECRET STRAPi
ro
4—»
ro
’U
C
CC
o
"Ö
C/D
a
<3J
X)
2
o
o
u
txO
c
• y-*
X
KV» .»< i r*v:writing-xks-fingerprints-p14-normal.gif:
Fingerprints 101: Keywords
• So let’s create a fingerprint to tag any data
that contains that string
ASRAR El Mojahdeen V2.0 Encrypted Message
TOP SECRET//COM1NTwriting-xks-fingerprints-p15-normal.gif:
Fingerprints 101: Keywords
First we’d define the fingerprint with a
name:
fingerprint(‘encryption/mojahdeen2’)
TOP SECRET//COM1NTwriting-xks-fingerprints-p16-normal.gif:
Fingerprints 101: Keywords
•Then, simply put the string in single quotes
to denote that XKS needs to look for it as a
keyword:
Fingerprint(encryption/mojahdeen2’) =
ASRAR El Mojahdeen V2.0 Encrypted Message’
TOP SECRET//COM1NTwriting-xks-fingerprints-p17-normal.gif:
Fingerprints 101: Keywords
Finally, all fingerprint definitions need to
end with a semi colon to tell XKS that the
definition is finished
fingerprint(encryption/mojahdeen2’) =
‘ASRAR El Mojahdeen V2.0 Encrypted Message
TOP SECRET//COM1NTwriting-xks-fingerprints-p18-normal.gif:
TOP SECRET STRAPi
Fingerprints 101: Keywords
• Using the fingerprint GUI on XKS Central, we can
test to see if this compiles:
Fingerprint Validation / Submittal
Stop #1 iCompilo Stop *2 i laet Agjintt Saexmn 0*1* Stop Ki IdSav* W Help
Signature
fingerprint (* encryption/moj ahdeen2 7) = 7A9RAR
El Mojahdeen v2.0 Encrypted Message7;
Success!
Results
SUCCESS!
Congratulations, your fingerprint was successfully compiledl
Now use the lest button to run it against the designated session datawriting-xks-fingerprints-p19-normal.gif:
y-wj i >» *'-<
CL o
cu ^
cu n
_ rD
^ Q-
2. «
5- a
• ss
cn rD
•• O-
=r
o
D
:CRET STRAFiwriting-xks-fingerprints-p20-normal.gif:
TOP SECRET STRAPi
Fingerprints 101
•Asa second example, let’s say we want to find
data like this:
la i Atu&ä ad.
Attn:
A.X Purchase
SUBJECT : QUOTATION AGAINST YOU?. ENQUIRY PXF: Purchase of P.TV Silicon DATED:
16/05/2010
Dear Sic,
91th reference to your subject enquiry, oe are pleased to enclose ouc Quotation No: Q-02153-03-5C7
dated: 07/06/2010, for your perusal.
Please see the ‘Terms of Sole' ottoched »ich our quote for any further details.
9e hope our offer suits your requirements and we loofc forward to your valuable purchase order In due
Ref: June 07, 201000803/0-02135 Islamabad:
National Development Cowp^x
Plot No reee No:
Sector:
TOP SECRLT//COM1NTwriting-xks-fingerprints-p21-normal.gif:
TOP SECRET STRAPi
Fingerprints 101
• Look for keywords that could be used to find
traffic like tnis in the future.
SUBJECT : QUOTATION AGAINST TOUR ENQUIRY PIT: Purchase o' RTV Silicon DATED:
18/05/2010
Dear Sit,
Uith reference to your subject enquiry, we are pleased to enclose our Quotation No: Q-02133-03-5C7
dated: 07/06/2010, for your perusal.
Please see the 'Terse of Sole' attached »ith our quote for any further details.
Be hope our offer suits your requirements and we loolt forward to your valuable purchase order In due
Ref: June 07, 201000803/0-02135 Islamabad:
National Development Complex
13 lairaceri.
■ - - B||||§!
AX Purchase
TOP SECRET//COM1NTwriting-xks-fingerprints-p22-normal.gif:
TOP SECRET STRA.Fi
Fingerprints 101
• What if we looked for “National Development
Complex” and “Quotation”
Dear Sic,
With reference to your subject enquiry, dated: 07/06/2010, for your perusal.
Please see the 'Terse of Sole' attached nith our quote for any further details.
Be hope our offer suits your requirements and we look forward to your valuable purchase order In duewriting-xks-fingerprints-p23-normal.gif:
Fingerprints 101: Boolean Logic
Starting with these two keywords, we’d
to use Boolean Logic to create our new
fingerprint
• national development complex
• quotation
TOP SECRET//COM1NTwriting-xks-fingerprints-p24-normal.gif:
TOP SECRET STRAPi
Fingerprints 101: Boolean Logic
• Again, step one think of a name:
fingerprint( cp/pakistan/agencies/ndc’)
TOP SECRET//COMINTwriting-xks-fingerprints-p25-normal.gif:
Fingerprints 101: Boolean Logic
• Step two, put single quotes around all
keywords:
fingerprint (‘cp/pakistan/agencies/ndc’)
‘National Development Complex’
‘quotation’
TOP SECRET//COM1NTwriting-xks-fingerprints-p26-normal.gif:
Fingerprints 101: Boolean Logic
• Use the Boolean operator and
fingerprint(‘cp/pakistan/agencies/ndc’)
‘National Development Complex’ and
‘quotation’
TOP SECRET//COM1NTwriting-xks-fingerprints-p27-normal.gif:
Fingerprints 101: Boolean Logic
• Finish the expression with the semi-colon
fingerprint(‘cp/pakistan/agencies/ndc’) =
‘National Development Complex’ and
‘quotation’;
TOP SECRET//COM1NTwriting-xks-fingerprints-p28-normal.gif:
TOP SECRET STRAPi
Fingerprints 101: Boolean Logic
• Use the fingerprint GUI to confirm the
fingerprint definition compiles
Fingerprint Validation / Submitt.il
Slep #1 Step#? Step #3
Compi «! 1 T»< Against Sessicn Data g Saw*
Signature
fingerprint('cp/pakistan/agencies/ndcT)
'national development complex' and
'quotation';
© Success!
Results
W Help
SUCCLSS!
Congratulations, your fingerprint was successfully compiled!
Now use the Test button to run it against the designated session cata.writing-xks-fingerprints-p29-normal.gif:
Fingerprints 101
• This fingerprint will now successfully find all
sessions like this in the future!
Usir tj TX" “c
Pcf: June 07, 2O10COB0 VO-02135 Is lair**»ad:
Nation*! Ccer
Plot Tfor^^^^^treet No:
Sector:
tele*
Attnr
AH Purchase
SUBJECT : QU07ATICfC JLOAHCST TOUR »QUIRT RET: Pucchtxo Of RTV Silicon DATED:
ia/os/2010
Desc Sit,
With reference to your subject enquiry, nc ore plcooed to enclose our Cwtotion No: Q-02135-05-567
dated: 07/06/2010, for your perusal.
Please see the ‘Terrs of Self ecteched with our quote for eny further decells.
tope our offer suits your requirements and ve look forward to your valuable purchase order in due
TOP SECRET//COM1NTwriting-xks-fingerprints-p30-normal.gif:
TOP SECRET SI'RAPi
Fingerprints 101
• However, how can we account for variations of how
the traffic might be seen? Maybe “National
Development Complex” will be listed as “NDC”. Or
maybe instead of a “Quotation” it will be a “Invoice”
and etc.
Pcf: June 07, 2O10COB0VO-02135 Isl-urehad
Nation*! Devglopeaent Complex
Plot Tfo: Street. No:
Sector s
131 m*r\Y. nr I.
Attn!
AH Purchase
SUBJECT : QUOTATXCfC AGAINST TOUR ENQUIRY REF: Punch**«* of RTV Silicon DATED:
18/OS/2010
I^eac Sic,
With reference to your subject enquiry, we arc pleased to enclose our Cwtation No: Q-02135-05-567
dated: 07/06/2010, for your perusal.
Pi«we see the ‘Terrs of Sftl«1 extmehed with our quote for any lurcher d«c*ila.
hope our offer suits your requirements and ve look forward to your valuable purchase order in due
A
TOP SECRET//COMJN7writing-xks-fingerprints-p31-normal.gif:
Fingerprints 101:
Boolean Logic
• Keywords can also be grouped together by
parentheses to form more complex Boolean
logic:
TOP SECRET//COM1NTwriting-xks-fingerprints-p32-normal.gif:
Fingerprints 101: Boolean Logic
For example, we can expand on our previous
fingerprint like so
fingerprint (‘cp/pakistan/agencies/ndc’) =
(‘National Development Complex’ or ‘NDC’)
and (‘quotation or ‘invoice’) ;
TOP SECRET//COM1NTwriting-xks-fingerprints-p33-normal.gif:
Quick Aside 1: Context Sensitivity
• All keywords in X-KEYSCORE are case-
insensitive by default.
• So in the previous fingerprint ‘NDC’ will
match on ride, NdC, nDC etc.
TOP SECRET//COM1NTwriting-xks-fingerprints-p34-normal.gif:
Quick Aside 1: Context Sensitivity
• If you want to force a keyword to be case
sensitive, simply append a c after the single
quotes.
• Ex: ‘NDC c will only hit when NDC is found
in all caps, or ‘ndcc will hit only when ride is
found in all lower case and etc.
TOP SECRET//COM1NTwriting-xks-fingerprints-p35-normal.gif:
Quick Aside 2: Keyword Scanning
By default keywords in fingerprints can hit in substrings
since for example ‘ndc’ is found within grandchildren.
So this fingerprint
fingerprint(‘cp/pakistan/agencies/ndc’) =
‘NDC’;
Will hit on terms like:
• grandchildren
• handcard
• handcuffs
• etc.
TOP SECRET//COM1NTwriting-xks-fingerprints-p36-normal.gif:
TOP SECRET SI'RAPl
• In specific cases to avoid false hits you can use the ‘word’
context.
• Or force there to be a space on either or both ends of the term
by including them inside the single quotes
• So this fingerprint becomes:
fingerprint(‘cp/pakistan/agencies/ndc’) =
‘ NDC
OR:
fingerprint(‘cp/pakistan/agencies/ndc’) =
word(‘NDC’);
TOP SECRET//COM1NTwriting-xks-fingerprints-p37-normal.gif:
Fingerprints 101:
Boolean Logic
• Let’s say that this fingerprint is producing
good hits, but it also hitting on spam E-
mails.
fingerprint(‘cp/pakistan/agencies/ndc’) =
(‘National Development Complex’ or ‘NDC’)
and (‘quotation’ or ‘invoice’);
TOP SECRET//COM1NTwriting-xks-fingerprints-p38-normal.gif:
Fingerprints 101: Boolean Logic
• We can use the Boolean and not to defeat
unwanted traffic like below:
fingerprint (‘cp/pakistan/agencies/ndc’) =
((‘National Development Complex’ or ‘NDC’)
and (‘quotation or ‘invoice’)) and not
(‘viagra’ or ‘herbal supplement’);
TOP SECRET//COM1NTwriting-xks-fingerprints-p39-normal.gif:
Fingerprints 101: Variables
• Variables allow you to link to a list of keywords.
• For example, working with this fingerprint, we
could create variables to each grouping of terms.
fingerprint(‘cp/pakistan/agencies/ndc’) =
((‘National Development Complex’ or ‘NDC’) and
(‘quotation or ‘invoice’)) and not (‘viagra’ or
‘herbal supplement’);
TOP SECRET//COM1NTwriting-xks-fingerprints-p40-normal.gif:
Fingerprints 101: Variables
Variables use the same syntax as fingerprints
$NDC_terms = ‘National Development Complex’ or
‘NDC’;
$procurement_terms = ‘quotation’ or ‘invoice’;
$spam_defeats = ‘viagra’ or ‘herbal supplement’;
fingerprint(‘cp/pakistan/agencies/ndc’) =
($NDC_terms and $procurement_terms) and not
$spam_defeats;
TOP SECRET//COM1NTwriting-xks-fingerprints-p41-normal.gif:
Fingerprints 101: Variables
• Variables can be re-used in multiple fingerprints.
• For example, we could have:
fingerprint (‘cp/pakistan/agencies/ndc’) =
($NDC_terms and $procurement_terms) and not
$spam_defeats;
fingerprint(‘cp/pakistan/angencies/ndc/testing’) =
$NDC_terms and (‘missile launch’ or ‘tactical
radio’);
TOP SECRET//COM1NTwriting-xks-fingerprints-p42-normal.gif:
Fingerprints 101: Variables
In the future, you can modify the
variable $NDC_terms and it will
automatically affect both fingerprints
since they use that variable in their
definition.
TOP SECRET//COM1NTwriting-xks-fingerprints-p43-normal.gif:
TOP SECRET STRAPi
When that's not enough...
For example, take the first scenario:
I want to look for documents from Iran that mention a banned item”
Just using keywords with Boolean equations, how could we
restrict the term to only a document body and only coming
from Iran?
TOP SECRET//COM1NTwriting-xks-fingerprints-p44-normal.gif:
top secret strapi
Context Sensitive Scanning
• X-KEYSCORE’s context sensitive scanning engine
allows you to explicitly say where you want a term to
hit.
As an early example, the Tech Strings in Documents
capability allowed analysts to restrict terms to only
Email, Chat or Documents Bodies
The full XKS Context Sensitive Scanning engine
allows for over 70 unique contexts to be used as part of
an fingerprint
TOP SECRET//COM1NTwriting-xks-fingerprints-p45-normal.gif:
TOP SECRET STRAPl
Context Sensitive Scanning
For example, take the first scenario:
I want to look for documents from Iran that mention a banned item”
Using the XKS context for Country Code (based on NKB
information) and the XKS context for Document Bodies,
this easily becomes:
fingerprint(‘demo/scenarioi’) =
cc(‘ir’) and doc_body(‘banned item’)
TOP SECRET//CÜM1NTwriting-xks-fingerprints-p46-normal.gif:
Context Sensitive Scanning
• As another example, let’s say we want to tag all Iphonc usage
• Using the XKS context for User Agent this easily becomes
fingerprint(‘demo/scenario2’) =
user_agent(‘iphone’);
TOP SECRET//COM1NTwriting-xks-fingerprints-p47-normal.gif:
TOP SECRET STRAPi
USSID18/HRA Considerations
XKS Fingerprints may not be USSID18 or HRA
compliant if they are queried on by themselves
For example, we may want to fingerprint the use of
mobile web devices like the IPhone, so that attribute
could be used as part of a more complex query.
But querying for the IPhone fingerprint itself would
be a USSID18 and HRA violation.
TOP SECRET//COM1NTwriting-xks-fingerprints-p48-normal.gif:
USSID18/HRA Considerations
But if you want to look for an IPhone user from
an Iranian Proxy accessing his Mail.ru account:
IP Address:
Either v
AppID
(+Fingefprints) ifulltextl:
Field Builder
ApplL) (+Fingerprints)
browser/re I |phrriR/iphm»|
Add to =ield
Field Umlder
Close
AppID ( Hinqerpnnts)
mailAvebmail/mailrj
mail/v/ebmail/rrailru
mali/v/etomali/irailru/attachme'it
mail/v/ebmail/mailru/post
TOP SECRET//COM1NTwriting-xks-fingerprints-p49-normal.gif:
What contexts are available for use in XKS Fingerprints?
TOP SECRET//COM1NTwriting-xks-fingerprints-p50-normal.gif:
TOP SECRET STRAPi
HTTP Activity Contexts (1 of 2)
html_title(expr) The normalized extracted text web page titles html_title(‘how to’ and ‘bomb’)
http_host(expr) The “Host:” name given in the http header. http_host( yahoo.com')
http_url(expr) Every URL from HTTP GET and POST commands. http_url(7mail/inbox?action=delete’)
http_url_args(expr) All arguments given as part of a URL (ie. all text following the ‘?’ in a URL string) http url(‘action=delete’)
http_referer(expr) The “Referer:” URL given in the HTTP header http referer(,http://badwebsite/cp?action=show’)
http_language(expr) The normalized two letter iso-6393 language code as inferred from any http and or html header info httplanguageffa' or ‘de')
TOP SECRET//COM1NTwriting-xks-fingerprints-p51-normal.gif:
TOR SECRET STRAPi
HTTP Activity Contexts (2 of 2)
http_cookie(expr) The “Cookie:” field given in the http header. http_cookie(/PREF=\d\d[a-z]/)
http server(expr) The “Server:” type name in the http header. http_server(‘GWS/2.1 ’ or ‘Apache’)
http_user_agent(expr) The “User-Agent:” field given in the http header. http_user_agent(/MozillaV[45]/ or ‘Chrome’)
web_search(expr) The normalized extracted text from web searches web searchfricin’ or ‘plague’)
X forwarded for(expr) The X-h'orw'arded Tor IP address from the HTTP I leader x_forwarded_for(‘i.2.3-4’)
TOP SECRET//COM1NTwriting-xks-fingerprints-p52-normal.gif:
TOP SECRET STRAPi
Protocol Contexts 1 of 2
ip(expr) The source or destination IP address of the session ipf 127.0.0.1*)
from Jp(expr) The source IP address of the session from_ip(‘l 27.0.0. V)
to ip(expr) Every URL from HTTP GET and POST commands. toJpC 127.0.0.1*)
ip subnet(expr) IP subnet in CIDR notation, ip subneti‘7.211.143.148/24’)
port(expr) The source or destination TCP or L DP port number. port(*22’)
from_port(expr) The source TCP or UDP port number. from_port(’22’)
to_port(expr) The destination TCP or UDP port number. to_port(’22>)
TOP SECRET//COM1NTwriting-xks-fingerprints-p53-normal.gif:
TOPSliCRETSTRAPi
Protocol Contexts 1 of 2
cc(expr) The country (either to OR from) based on IP address cc(‘ir or 4pk')
from_cc(expr) The source country based on IP address from_cc(‘ir’ or ‘pk’)
to_cc(expr) The destination country based on IP address to cc(V or ‘pk’)
protocol(expr) The textual form of the IP next protocol, protocol (‘TCP’)
next_protocol(expr) The textual form of the IP next protocol. ip_next_protocol(’ 1T)
mac address(expr) fhe MAC address of the target network device. mac_address(‘00:16:3E:3F:BD:EF’)
TOP SECRET//COM1NTwriting-xks-fingerprints-p54-normal.gif:
TOP SECRET SI’RAPi
ommunication Based Contexts
email_body(cxpr) The UTF-8 normalized text of all email bodies. email_body(‘how to’ and ‘build’ and (‘bomb’ or ‘weapon’))
chat_body(expr) The UTF-8 normalized text of all chat bodies. chat_body(‘how to’ and ‘build’ and (‘bomb’ or ‘weapon’))
document_body(expr) The UTF-8 normalized text of the Office document. - Office documents include (but are not limited to) Microsoft Office. Open Office. Google Docs and Spreadsheets. document_body(‘how to’ and ‘build’ and (‘bomb’ or ‘weapon’))
calendar_body(expr) The UTF-8 normalized text of all calendars. An example is Google Calendar, calendar body(‘wedding’)
archive_flles(expr) Matches a list of files from within an archive. For example is a ZIP file is transmitted, all names of files within are passed to this context. archive_files(‘bad.dU’ or ‘virus.doc’)
http_post_body( expr) The UTF-8 normalized text HTTP url-encoded POSTs, http post body(‘action=send’ and ‘badguy@yahoo’)writing-xks-fingerprints-p55-normal.gif:
TOP SECRET SIRAPi
Communication Based Contexts
Aliases
doc email body(expr) This covers the email_body and document_body contexts doc email body(‘how to’ and ‘build’ and (‘bomb’ or ‘weapon’))
communication_body(expr) This covers the email body, document body and chat_body contexts chat body(‘how to’ and ‘build’ and (‘bomb’ or ‘weapon’))
A guide to XKS contexts can be found
TOP SECRET//COM1NTwriting-xks-fingerprints-p56-normal.gif:
TOP SECRET STRAPl
Context sensitivity
Why use context-sensitive scanning?
• More intuitive - you can say what you mean
• More accurate - ifmaps.google.com' is mentioned in a
blog post, you don't want to try processing it as a Google
Maps session
• Better performance for XKEYSCORE
TOP SECRET//COM1NTwriting-xks-fingerprints-p57-normal.gif:
Examples
• “I want to look for people doing web searches on Jihad from
Kabul”
• Using the from_city() and web^search() context this
becomes
fingerprint(‘demo/scenario3’) =
from_city('kabur) and web_search(‘jihad’);
TOP SECRET//COM1NTwriting-xks-fingerprints-p58-normal.gif:
top secret strapi
Examples
• “I want to look for people using Mojahedeen Secrets encryption
from an IPhone”
• You can even use existing fingerprints in a fingerprint
definition! So this becomes:
fingerprint(‘demo/scenario4’) =
fingerprint(‘encryption/mojahdeen2’ and
fingerprint(‘browser/cellphone/iphone’)
TOP SECRET//COM1NTwriting-xks-fingerprints-p59-normal.gif:
top secret strapi
Example 4
• “I want to look for E-mails that mention words from various
categories of interest to CP”
• You can use multiple variables in an equation like this
topic('wmd/acw/govtorgs') =
email_body($acwitems and Sacwpositions and
($acwcountries or Sacwbrokers or Sacwports));
TOP SECRET//COM1NTwriting-xks-fingerprints-p60-normal.gif:
TOPSECRETSTRAPi
• $acwitems = ‘machine gun’ or ‘grenade’ or ‘AK 47’
• $acwpositions = ‘minister of defence’ or ‘defense minister
• Sacwcountries = ‘Somalia’ or ‘liberia’ or ‘sudan
• Sacwbrokers = ‘south africa’ or ‘serbia’ or ‘bulgaria’
• $acwports = ‘rangood’ or ‘albasra’ or ‘dar es salam’
topic('wmd/acw/govtorgs') =
email_body($acwitems and Sacwpositions and
($acwcountries or Sacwbrokers or Sacwports));
TOP SECRET//COM1NTwriting-xks-fingerprints-p61-normal.gif:
New XKS Fingerprint GUI allows analysts to directly
test, submit and manage Fingerprints through the web
rvavKwtion Menu « Fnqpipnnt Valdition J Submittal
d —jFmoeipnnw d validate' Submit Step *1 Slap tl Step *3 ... , W
d App«WWl
H Pending Global Variable Dcriaratloiw ■ 1 *}
d Signature* Type or paste any global variable declarations here.
SHxutiie
Type or paste a FINGERPRINT definition here.
Pibss Compile wtien done eoilr u * Wi WAaV4VAJ a / f vv/kTOP SECRET STRAPi
New Fingerprint GUI
New XKS Fingerprint GUI allows analysts to directly
test, submit and manage fingerprints through the web
►reiffiMint VoWoiian ■ :>’Jbnittil
£up>i
(IHmI V«ut4r Ofrlc«tmi
^rest = ’bomb* or 'nissl*'
Si» p#3
H5**
or 'icd';
Ognatin
fingerprint < *test/testl'> = e-rvail bodyiStest?;
Q 5o.w*!
SUCCESS!
UOngretUaton*. voa Inge-pm*, succewMv cc«npl?d!
us* the Test but fen ta run it agarct tho ccsqnatQd sasacn dita.writing-xks-fingerprints-p63-normal.gif:
TOP SECRET SI'KAPi
Questions?
TOP SECRET//COM1NTwriting-xks-fingerprints-p64-normal.gif:
TOP SECRET STRAPi
Syntax Rules
• The definition of the fingerprint will look like this:
fingerprint(‘test/blah/something’, owner = =
Note the single quotes needed for the fingerprint name
and owner
TOP SECRET//COM1NTwriting-xks-fingerprints-p65-normal.gif:
Syntax Rules
• Secondly every fingerprint definition must be
completed by a semi-colon.
fingerprint(‘test/blah/something’, owner =
‘badguy’;
TOP SECRET//COM1NTwriting-xks-fingerprints-p66-normal.gif:
TOP SECRET STRAPi
Syntax Rules
• Variables also must be completed by a semi-colon
Sbadguy =
‘bomb’ or ‘gun’ or ‘weapon’;
fingerprint(‘test/blah/something’, owner =
Sbadguy;
TOP SECRET//COM1NTwriting-xks-fingerprints-p67-normal.gif:
TOP SECRET STRAPi
Syntax Rules
Definitions and Variables can span multiple lines
Sbadguy =
‘bomb’ or
‘gun’ or
‘weapon’;
fingerprint(‘test/blah/something’, owner =
Sbadguy;
TOP SECRET//COM1NT
