- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
Understanding Match Objects
05/11/2020 
5 People found this article helpful
90,125 Views
Description
Match objects represent the set of conditions which must be matched for actions to take place. This includes the object type, the match type (exact, partial, regex, prefix, or suffix), the input representation (text or hexadecimal), and the actual content to match. Match objects were referred to as application objects in previous releases.
Hexadecimal input representation is used to match binary content such as executable files, while alphanumeric (text) input representation is used to match things like file or email content. You can also use hexadecimal input representation for binary content found in a graphic image. Text input representation could be used to match the same graphic if it contains a certain string in one of its properties’ fields. Regular expressions (regex) are used to match a pattern rather than a specific string or value and use alphanumeric input representation.
The File Content match object type provides a way to match a pattern or keyword within a file. This type of match object can only be used with FTP Data Transfer, HTTP Server, or SMTP Client policies.
Cause
We have the following Supported Match Object Types:
| Object Type | Description | Match Types | Negative Matching | Extra Properties |
| ActiveX ClassID | Class ID of an Active-X component. For example, ClassID of Gator Active-X component is “c1fb8842-5281-45ce-a 271-8fd5f117ba5f” | Exact | No | None |
| Application Category List | Allows specification of application categories, such as Multimedia., P2P, or Social Networking | N/A | No | None |
| Application List | Allows specification of individual applications within the application category that you select | N/A | No | None |
| Application Signature List | Allows specification of individual signatures for the application and category that you select | N/A | No | None |
| Custom Object | Allows specification of an IPS-style custom set of conditions | Exact | No | There are 4 additional, optional parameters that can be set: offset (describes from what byte in packet payload we should start matching the pattern – starts with 1; helps minimize false positives in matching), depth (describes at what byte in the packet payload we should stop matching the pattern – starts with 1), minimum payload size and maximum payload size. |
| Email Body | Any content in the body of an email. | Partial | No | None |
| Email CC (MIME Header) | Any content in the CC MIME Header. | Exact, Partial, Prefix, Suffix | Yes | None |
| Email From (MIME Header) | Any content in the From MIME Header. | Exact, Partial, Prefix, Suffix | Yes | None |
| Email Size | Allows specification of the maximum email size that can be sent. | N/A | No | None |
| Email Subject (MIME Header) | Any content in the Subject MIME Header. | Exact, Partial, Prefix, Suffix | Yes | None |
| Email To (MIME Header) | Any content in the To MIME Header. | Exact, Partial, Prefix, Suffix | Yes | None |
| MIME Custom Header | Allows for creation of MIME custom headers. | Exact, Partial, Prefix, Suffix | Yes | A Custom header name needs to be specified. |
| File Content | Allows specification of a pattern to match in the content of a file. The pattern will be matched even if the file is compressed. | Partial | No | ‘Disable attachment’ action should never be applied to this object. |
| Filename | In cases of email, this is an attachment name. In cases of HTTP, this is a filename of an uploaded attachment to the Web mail account. In cases of FTP, this is a filename of an uploaded or downloaded file. | Exact, Partial, Prefix, Suffix | Yes | None |
| Filename Extension | In cases of email, this is an attachment filename extension. In cases of HTTP, this is a filename extension of an uploaded attachment to the Web mail account. In cases of FTP, this is a filename extension of an uploaded or downloaded file. | Exact | Yes | None |
| FTP Command | Allows selection of specific FTP commands. | N/A | No | None |
| FTP Command + Value | Allows selection of specific FTP commands and their values. | Exact, Partial, Prefix, Suffix | Yes | None |
| HTTP Cookie Header | Allows specification of a Cookie sent by a browser. | Exact, Partial, Prefix, Suffix | Yes | None |
| HTTP Host Header | Content found inside of the HTTP Host header. Represents hostname of the destination server in the HTTP request, such as www.google.com. | Exact, Partial, Prefix, Suffix | Yes | None |
| HTTP Referrer Header | Allows specification of content of a Referrer header sent by a browser – this can be useful to control or keep stats of which Web sites redirected a user to customer’s Web site. | Exact, Partial, Prefix, Suffix | Yes | None |
| HTTP Request Custom Header | Allows handling of custom HTTP Request headers. | Exact, Partial, Prefix, Suffix | Yes | A Custom header name needs to be specified. |
| HTTP Response Custom Header | Allows handling of custom HTTP Response headers. | Exact, Partial, Prefix, Suffix | Yes | None |
| HTTP Set Cookie Header | Set-Cookie headers. Provides a way to disallow certain cookies to be set in a browser. | Exact, Partial, Prefix, Suffix | Yes | None |
| HTTP URI Content | Any content found inside of the URI in the HTTP request. | Exact, Partial, Prefix, Suffix | No | None |
| HTTP User-Agent Header | Any content inside of a User-Agent header. For example: User-Agent: Skype. | Exact, Partial, Prefix, Suffix | Yes | None |
| Web Browser | Allows selection of specific Web browsers (MSIE, Netscape, Firefox, Safari, Chrome). | N/A | Yes | None |
| IPS Signature Category List | Allows selection of one or more IPS signature groups. Each group contains multiple pre-defined IPS signatures. | N/A | No | None |
| IPS Signature List | Allows selection of one or more specific IPS signatures for enhanced granularity. | N/A | No | None |
You can see the available types of Match objects from drop-down menu by navigating to Manage | Objects | Match objects and then clicking on the Add option and selecting Match object.
You can use the LOAD FROM FILE button to import content from predefined text files that contain multiple entries for a match object to match. Each entry in the file must be on its own line. The Load From File feature allows you to easily move App Rules settings from one firewall to another.
Multiple entries, either from a text file or entered manually, are displayed in the List area. List entries are matched using the logical OR, so if any item in the list is matched, the action for the policy is executed.
A match object can include a total of no more than 8000 characters. If each element within a match object contains approximately 30 characters, then you can enter about 260 elements. The maximum element size is 8000 bytes.
Regular Expressions:
You can configure regular expressions in certain types of match objects for use in App Rules policies. The Match Object Settings options provide a way to configure custom regular expressions or to select from predefined regular expressions. The SonicWall implementation supports reassembly-free regular expression matching on network traffic. This means that no buffering of the input stream is required, and patterns are matched across packet boundaries.
SonicOS provides the following predefined regular expressions:
| VISA CC | VISA Credit Card Number |
| US SSN | United States Social Security Number |
| CANADIAN SIN | Canadian Social Insurance Number |
| ABA ROUTING NUMBER | American Bankers Association Routing Number |
| AMEX CC | American Express Credit Card Number |
| MASTERCARD CC | Mastercard Credit Card Number |
| DISCOVER CC | Discover Credit Card Number |
Predefined regular expressions can be selected during configuration, or you can configure a custom regular expression.
NOTE: For more details on the Regex syntax and custom regular expressions, please go through the SonicOS Admin guide for SonicOS Policies available at SonicOS Technical Documentation
Negative Matching:
Negative matching provides an alternate way to specify which content to block. You can enable negative matching in a match object when you want to block everything except content. When you use the object in a policy, the policy will execute actions based on the absence of the content specified in the match object. Multiple list entries in a negative matching object are matched using the logical AND, meaning that the policy action is executed only when all specified negative matching entries are matched.
Although all App Rules policies are DENY policies, you can simulate an ALLOW policy by using negative matching. For instance, you can allow email .txt attachments and block attachments of all other file types. Or you can allow a few types and block all others.
Not all match object types can utilize negative matching. For those that can, you will see the Enable Negative Matching checkbox on the Add/Edit Match Object dialog.
NOTE: Match Objects are used in conjunction with Action Objects to create App rules. Please use the link Most common configurations for App rules to look at the way these Match Objects can be used for specific scenarios.
Related Articles
- Parserror on Event logs.
- Switch from the Policy mode to classic mode on Gen 7 appliances
- Analyzing TCP reset(RST)packets
YES
NO