search

Element <filter>

Defines the filter. It has a start tag <filter> and an end tag </filter>.

In filter, must start at <or></or> or <and></and>, then put <find/> into there like

And filter id=1 -> F1, refer to Example

<filter id="1" >
    <or>
	<find name="tcp.port" relation="==" content="443" />
	<find name="udp.port" relation="==" content="53" />
    </or>
</filter>

hashtag
<or>

Defines all finds conjunct with or. It has a start tag <or> and an end tag </or>.

hashtag
<and>

Defines all finds conjunct with and. It has a start tag <and> and an end tag </and>.

hashtag
<find>

Please refer to Element - <find>

hashtag
Attribute

Attribute
Description
Type
Default (* must have)
Support

id

Specifies a unique id for an element

Interger

*

name

Specifies a name for an element

String

sessionBase

If one packet in session match filter, the whole session will treat as match

yes/no

yes

matchedlog

if match filter and syslog set, send log

yes/no

no

mpslog

if matched per second over value, send log

Interger

0

v5.3

blockifempty

block if no find in filter

yes/no

no

maxPackets

only match first N packets in a session

Interger

0(means no limit)

start

start filter position, support l2, l3, l4, l7, http_body

String

l7

v5.3, regex only

position

absolute position for filter

Interger

-1

v5.3, regex only

within

maxinum size for filter

Interger

0

v5.3, regex only

masking

just masking, no filter function

yes/no

no

regex only

tuple5_live_hashtable_size

set hash table size for tuple5 live use only

Interger

no

v3.3

hashtag
Example

filter dns port and server

hashtag
Example for Regular Expression

PreviousElement <run>NextElement <find>

Last updated