
Element <filter>

Defines the filter. It has a start tag <filter> and an end tag </filter>.

A <filter> must contain exactly one <or></or> or <and></and> element as its direct child; the <find/> elements go inside that element, like this:

A filter with id="1" is referenced as F1 in a <chain>; see the Example below.

<filter id="1">
    <or>
        <find name="tcp.port" relation="==" content="443" />
        <find name="udp.port" relation="==" content="53" />
    </or>
</filter>

<or>

Combines all <find> elements inside it with logical OR: the filter matches if any one <find> matches. It has a start tag <or> and an end tag </or>.

<and>

Combines all <find> elements inside it with logical AND: the filter matches only if every <find> matches. It has a start tag <and> and an end tag </and>.

<find>

Please refer to Element <find>.

Attribute

| Attribute | Description | Type | Default (* must have) | Support |
| --- | --- | --- | --- | --- |
| id | Specifies a unique id for the element | Integer | * | |
| name | Specifies a name for the element | String | | |
| sessionBase | If any packet in a session matches the filter, the whole session is treated as matched | yes/no | yes | |
| matchedlog | If the filter matches and syslog is set, send a log | yes/no | no | |
| mpslog | If the matches per second exceed this value, send a log | Integer | 0 | v5.3 |
| blockifempty | Block if the filter contains no <find> | yes/no | no | |
| maxPackets | Only match the first N packets in a session | Integer | 0 (means no limit) | |
| start | Start position for the filter; supports l2, l3, l4, l7, http_body | String | l7 | v5.3, regex only |
| position | Absolute position for the filter | Integer | -1 | v5.3, regex only |
| within | Maximum size for the filter | Integer | 0 | v5.3, regex only |
| masking | Masking only, no filter function | yes/no | no | regex only |
| tuple5_live_hashtable_size | Set the hash table size for tuple5 live use only | Integer | no | v3.3 |

Example

Filter DNS port and server: F1 matches UDP port 53, F2 matches the listed resolver addresses, and the chain requires both (type="and") before forwarding to P1; everything else goes to P2.

<run>
    <filter id="1" sessionBase="no">
        <or>
            <find name="udp.port" relation="==" content="53" />
        </or>
    </filter>
    <filter id="2" sessionBase="no">
        <or>
            <find name="ip.addr" relation="==" content="8.8.8.8" />
            <find name="ip.addr" relation="==" content="8.8.4.4" />
            <find name="ip.addr" relation="==" content="168.95.1.1" />
            <find name="ip.addr" relation="==" content="168.95.100.1" />
        </or>
    </filter>
    <chain>
        <in>P0</in>
        <fid type="and">F1,F2</fid>
        <out>P1</out>
        <next type="notmatch">
            <out>P2</out>
        </next>
    </chain>
</run>
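To make the <or>/<and> rule and the F1,F2 chain semantics concrete, here is an added Python evaluator (not part of ARRAY NTB or this page) that loads <filter> elements, rejects filters that break the structural rules above, and evaluates them against a packet modelled as a dict of field name to the set of values it carries (so "ip.addr" covers both source and destination). It assumes the default <fid> combining mode is "and" and implements only the "==" relation shown on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's "filter dns port and server" example, shortened.
SAMPLE_RUN = """<run>
<filter id="1" sessionBase="no">
  <or><find name="udp.port" relation="==" content="53"/></or>
</filter>
<filter id="2" sessionBase="no">
  <or><find name="ip.addr" relation="==" content="8.8.8.8"/>
      <find name="ip.addr" relation="==" content="8.8.4.4"/></or>
</filter>
</run>"""

def load_filters(xml_text):
    """Map "F<id>" -> <filter> element, enforcing the structural rules on this page."""
    filters = {}
    for flt in ET.fromstring(xml_text).iter("filter"):
        if "id" not in flt.attrib:                      # id is marked "* must have"
            raise ValueError("<filter> without id")
        kids = list(flt)
        if len(kids) != 1 or kids[0].tag not in ("or", "and"):
            raise ValueError("filter %s must wrap its finds in one <or> or <and>" % flt.get("id"))
        filters["F" + flt.get("id")] = flt
    return filters

def find_matches(find, packet):
    # Only the "==" relation shown on this page is implemented.
    if find.get("relation") != "==":
        raise ValueError("unsupported relation %r" % find.get("relation"))
    return find.get("content") in packet.get(find.get("name"), set())

def filter_matches(flt, packet):
    # <or>: any direct <find> matches; <and>: all match; no <find> at all: no match.
    group = flt[0]
    hits = [find_matches(fd, packet) for fd in group.findall("find")]
    return bool(hits) and (any(hits) if group.tag == "or" else all(hits))

def fid_matches(filters, fid, packet, mode="and"):
    """Combine the filters listed in a <fid>, e.g. "F1,F2", with type="and" or "or" (assumed default: and)."""
    hits = [filter_matches(filters[name.strip()], packet) for name in fid.split(",")]
    return all(hits) if mode == "and" else any(hits)

def is_valid_run(xml_text):
    """True when every <filter> in the <run> passes load_filters' checks."""
    try:
        load_filters(xml_text)
        return True
    except ValueError:
        return False
```

A packet to 8.8.8.8 on UDP 53 satisfies F1,F2 with type="and", while a DNS packet to any other resolver only passes when the chain combines them with "or".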

Example for Regular Expression

<run>
    <filter id="1" sessionBase="no" start="l7" within="100">
        <or>
            <!-- plain string -->
            <find name="regex" relation="==" content="This is p@cket filtering test"/>
            <!-- hex-escaped bytes -->
            <find name="regex" relation="==" content="\xE9\xA2\xB1\xE9\xA2\xA8"/>
            <!-- HTTP Host header -->
            <find name="regex" relation="==" content="{s}\/.*Host: nlpqflkbvkdde\.eu"/>
            <!-- DNS query name in wire format (length-prefixed labels) -->
            <find name="regex" relation="==" content="\x08facebook\x03com"/>
        </or>
    </filter>
    <chain>
        <in>P0</in>
        <fid>F1</fid>
        <out>P1</out>
    </chain>
</run>