What L7 signature options are there?

Some Layer 7 signatures have additional options that allow you to define application objects based on specific parts of that L7layer 7, the application layer of the OSI Signature. When configuring new application object, the L7 signatures followed by '--->' in the drop-down list have additional options. Most provide options that you simply select from. Some require a selection plus additional information. The following table explains the various options that require more than simply picking an option.

NOTE

Citrix-based sub-types are no longer supported.

Layer 7 Signature Sub-Type Description
(direct download link) host Allows you to define an Application Object based on the 'host' field in the HTTP header.
flash host Allows you to define an Application Object based on the 'host' field in the HTTP header (where flash is running over http).
http content_type Allows you to define an Application Object based on the 'content-type' field in the HTTP header.
file Allows you to define an Application Object based on the filename requested in the HTTP URL.
host Allows you to define an Application Object based on the 'host' field in the HTTP header.
method Allows you to define an Application Object based on the HTTP method (e.g. GET PUT HEAD DELETE).
user_agent Allows you to define an Application Object based on the 'user-agent' field in the HTTP header.
advanced

Define custom criteria with the following syntax:

  • A string literal is enclosed in quotes (").
  • A backslash can be included in the string by escaping it with another backslash (\\).
  • Keywords are bare (common_name) with no quotes.
  • Keywords are bare (host) with no quotes.
  • Grouping is supporting using parenthesis
  • Operators supported are or and andand has higher precedence than or
  • The comparison operators that are available are:
Description Syntax Example
equals

<keyword> = <value>

host = "example.com"

does not equal

<keyword> != <value>

host != "example.com"

contains substring

<keyword> =% <value>

host =% "example.com"

does not contain substring

<keyword> !% <value>

host !% "example.com"

Right side is a regular expression and it matches the full left side

<keyword> =~ <value>

host =~ "example.*"

Right side is a regular expression and it does not match the full left side

<keyword> !~ <value>

host !~ "example.*"

  • Regular expressions use the perl syntax
  • The keywords for HTTP are: host, file, user_agent, content_type, method, content_len and encoding

Examples:

  • (url =% "index" or file =% "login") and host =% "example.org" and content_type.case = "MyContentType"
  • (host =% "facebook.com" and file !% "cgi-bin/abcd") or host =% "facebook2.com"
mpeg host Allows you to define an Application Object based on the 'host' field in the HTTP header (where mpeg is running over http).
quicktime host Allows you to define an Application Object based on the 'host' field in the HTTP header (where quicktime is running over http).
silverlight host Allows you to define an Application Object based on the 'host' field in the HTTP header (where silverlight is running over http).
ssl common_name Allows you to define an Application Object based on the 'common name' field in the SSL certificate.
advanced

Define custom criteria with the following syntax:

  • A string literal is enclosed in quotes (").
  • Internal quotes can be escaped with the backslash (\") character.
  • A backslash can be included in the string by escaping it with another backslash (\\).
  • Keywords are bare (common_name) with no quotes.
  • Grouping is supporting using parenthesis
  • Operators supported are OR and AND. AND has higher precedence than OR.
  • The keywords for SSL are common_name (cn) and organization_name (o)
  • The comparison operators that are available are:
Description Syntax Example
equals

<keyword> = <value>

common_name = "John"

does not equal

<keyword> != <value>

common_name != "John"

contains substring

<keyword> =% <value>

common_name =% "John"

does not contain substring

<keyword> !% <value>

common_name !% "John"

Right side is a regular expression and it matches the full left side

<keyword> =~ <value>

common_name =~ "John*"

Right side is a regular expression and it does not match the full left side

<keyword> !~ <value>

common_name !~ "John*"
  • Regular expressions use the perl syntax
organization_name Allows you to define an Application Object based on the 'organization' name field in the SSL certificate.
spdy This field should remain empty as any values typed here are ignored.
rtp codec Allows you to define an Application Object based on the 'codec' used in a RTP stream.
windowsmedia host Allows you to define an Application Object based on the 'host' field in the HTTP header (where windowsmedia is running over http).