Service Metadata

The system detects applications running on the hosts in your network and inserts application protocol information into your network traffic; it does this regardless of the configuration of your discovery policy. You can use metadata keyword service arguments in a TCP or UDP rule to match application protocols and ports in your network traffic. You can combine one or more service application arguments in a rule with a single port argument.

Service Applications

You can use the metadata keyword with service as the key and an application as the value to match packets with the identified application protocol. For example, the following key-value argument in a metadata keyword associates the rule with HTTP traffic:

service http

You can identify multiple applications separated by commas. For example:

service http, service smtp, service ftp

Caution: Adaptive profiling must be enabled (its default state) as described in Configuring Adaptive Profiles for intrusion rules to use service metadata.

The following table describes the most common application values used with the service keyword.

Note: Contact Support for assistance if you have difficulty identifying applications not in the table.
service Values

| Value | Description |
|---|---|
| cvs | Concurrent Versions System |
| dcerpc | Distributed Computing Environment/Remote Procedure Calls System |
| dns | Domain Name System |
| finger | Finger user information protocol |
| ftp | File Transfer Protocol |
| ftp-data | File Transfer Protocol (Data Channel) |
| http | Hypertext Transfer Protocol |
| imap | Internet Message Access Protocol |
| isakmp | Internet Security Association and Key Management Protocol |
| mysql | My Structured Query Language |
| netbios-dgm | NETBIOS Datagram Service |
| netbios-ns | NETBIOS Name Service |
| netbios-ssn | NETBIOS Session Service |
| nntp | Network News Transfer Protocol |
| oracle | Oracle Net Services |
| shell | OS Shell |
| pop2 | Post Office Protocol, version 2 |
| pop3 | Post Office Protocol, version 3 |
| smtp | Simple Mail Transfer Protocol |
| snmp | Simple Network Management Protocol |
| ssh | Secure Shell network protocol |
| sunrpc | Sun Remote Procedure Call Protocol |
| telnet | Telnet network protocol |
| tftp | Trivial File Transfer Protocol |
| x11 | X Window System |

Service Ports

You can use the metadata keyword with service as the key and a specified port argument as the value to define how the rule matches ports in combination with applications.

You can specify any of the port values in the table below, one value per rule.

service Port Values

Value: else-ports or unknown

  The system applies the rule if either of the following conditions is met:

  • The packet application is known and matches the rule application.

  • The packet application is unknown and the packet ports match the rule ports.

  The else-ports and unknown values produce the default behavior that the system uses when service specifies an application protocol with no port modifier.

Value: and-ports

  The system applies the rule if the packet application is known and matches the rule application, and the packet port matches the ports in the rule header. You cannot use and-ports in a rule that does not specify an application.

Value: or-ports

  The system applies the rule if any of the following conditions are met:

  • The packet application is known and matches the rule application.

  • The packet application is unknown and the packet port matches the rule ports.

  • The packet application does not match the rule application and the packet ports match the rule ports.

  • The rule does not specify an application and the packet ports match the rule ports.

Note the following:

  • You must include a service application argument with the service and-ports argument.

  • If a rule specifies more than one of the values in the table above, the system applies the last one that appears in the rule.

  • Port and application arguments can be in any order.

Except for the and-ports value, you can include a service port argument with or without one or more service application arguments. For example:

service or-ports, service http, service smtp

Applications and Ports in Traffic

The diagrams below illustrate the application and port combinations that intrusion rules support, and the results of applying these rule constraints to packet data.

[Diagram: Host application protocol else source/destination ports]

[Diagram: Host application protocol and source/destination ports]

[Diagram: Host application protocol or source/destination ports]
Example Matches

The following sample rules using the metadata keyword with service arguments are shown with examples of data they match and do not match:

  • alert tcp any any -> any [80,8080] (metadata:service and-ports, service http, service smtp;)

    Example Matches:

    • HTTP traffic over TCP port 80

    • HTTP traffic over TCP port 8080

    • SMTP traffic over TCP port 80

    • SMTP traffic over TCP port 8080

    Example Non-Matches:

    • POP3 traffic on ports 80 or 8080

    • Traffic of unknown application on ports 80 or 8080

    • HTTP traffic on port 9999

  • alert tcp any any -> any [80,8080] (metadata:service or-ports, service http;)

    Example Matches:

    • HTTP traffic on any port

    • SMTP traffic on port 80

    • SMTP traffic on port 8080

    • Traffic of unknown application on ports 80 and 8080

    Example Non-Matches:

    • Non-HTTP and non-SMTP traffic on ports other than 80 or 8080

  • Any of the following rules:

    • alert tcp any any -> any [80,8080] (metadata:service else-ports, service http;)

    • alert tcp any any -> any [80,8080] (metadata:service unknown, service http;)

    • alert tcp any any -> any [80,8080] (metadata:service http;)

    Example Matches:

    • HTTP traffic on any port

    • Port 80 if the packet application is unknown

    • Port 8080 if the packet application is unknown

    Example Non-Matches:

    • SMTP traffic on ports 80 or 8080

    • POP3 traffic on ports 80 or 8080
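To make the port-modifier semantics from the Service Ports section concrete, and to check them against the example match tables above, here is an added Python model of the matching logic. It is example code written for this page, not the product's own implementation: it parses only the destination port field of the rule header and the `metadata:service` arguments (the `ServiceRule` class, `parse_rule`, `rule_matches` and `evaluate` are hypothetical names), treats `None` as "application unknown", and applies the rule that the last port modifier in a rule wins. Sample packets are constructed inline.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

# Port-modifier values the page lists for the service key.
PORT_MODES = {"else-ports", "unknown", "and-ports", "or-ports"}


@dataclass
class ServiceRule:
    """Hypothetical model of the parts of a rule that service metadata matching uses."""
    ports: Optional[Set[int]]                # destination ports from the rule header; None means "any"
    apps: Set[str] = field(default_factory=set)  # service application arguments, e.g. {"http", "smtp"}
    mode: str = "else-ports"                 # effective port modifier (the page's default behaviour)


def parse_rule(rule_text):
    """Parse the header destination port list and the metadata:service arguments of one rule line.

    Simplification for this example: only the destination port field and the metadata
    option are modelled; the rest of the rule is ignored.
    """
    header = re.match(
        r"^\s*\w+\s+(?:tcp|udp)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s*\((.*)\)\s*$", rule_text
    )
    if not header:
        raise ValueError("unrecognised rule syntax: %s" % rule_text)
    port_field, options = header.groups()
    ports = None if port_field == "any" else {int(p) for p in port_field.strip("[]").split(",")}

    rule = ServiceRule(ports=ports)
    meta = re.search(r"metadata:\s*([^;]*);", options)
    if meta:
        for arg in meta.group(1).split(","):
            key, _, value = arg.strip().partition(" ")
            if key != "service":
                continue                      # other metadata keys are not service arguments
            value = value.strip()
            if value in PORT_MODES:
                rule.mode = value             # a later port modifier overrides an earlier one
            else:
                rule.apps.add(value)
    if rule.mode == "and-ports" and not rule.apps:
        raise ValueError("and-ports requires at least one service application argument")
    return rule


def rule_matches(rule, pkt_app, pkt_port):
    """Apply the page's port-modifier semantics to one packet.

    pkt_app is the application the system identified for the packet, or None when unknown.
    """
    port_ok = rule.ports is None or pkt_port in rule.ports
    app_ok = pkt_app is not None and pkt_app in rule.apps

    if rule.mode == "and-ports":
        # Known, matching application AND a header port match.
        return app_ok and port_ok
    if rule.mode == "or-ports":
        # The four or-ports conditions reduce to: application matches, or ports match.
        return app_ok or port_ok
    # else-ports / unknown, also the default when no port modifier is given.
    if not rule.apps:
        return port_ok                        # no application constraint: ordinary port match
    return app_ok or (pkt_app is None and port_ok)


def evaluate(rule_text, packets):
    """Return {(app, port): matched} for a list of constructed (app, port) packets."""
    rule = parse_rule(rule_text)
    return {pkt: rule_matches(rule, *pkt) for pkt in packets}


if __name__ == "__main__":
    # Constructed sample packets; None stands for "application unknown".
    sample = [("http", 80), ("smtp", 8080), ("pop3", 80), (None, 8080), ("http", 9999)]
    for text in (
        "alert tcp any any -> any [80,8080] (metadata:service and-ports, service http, service smtp;)",
        "alert tcp any any -> any [80,8080] (metadata:service or-ports, service http;)",
        "alert tcp any any -> any [80,8080] (metadata:service http;)",
    ):
        print(text)
        for pkt, hit in evaluate(text, sample).items():
            print("   ", pkt, "->", "match" if hit else "no match")
```

Running the block prints, for each of the three rules from the example tables, which constructed packets match; the `and-ports` rule is the only one that rejects HTTP on port 9999, and the `or-ports` rule is the only one that accepts SMTP on port 80.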