Element <filter>
Defines the filter. It has a start tag <filter> and an end tag </filter>.
In filter, must start at <or></or> or <and></and>, then put <find/> into there like
And filter id=1 -> F1, refer to Example
<filter id="1" >
<or>
<find name="tcp.port" relation="==" content="443" />
<find name="udp.port" relation="==" content="53" />
</or>
</filter><or>
Defines all finds conjunct with or. It has a start tag <or> and an end tag </or>.
<and>
Defines all finds conjunct with and. It has a start tag <and> and an end tag </and>.
<find>
Please refer to Element - <find>
Attribute
id
Specifies a unique id for an element
Interger
*
name
Specifies a name for an element
String
sessionBase
If one packet in session match filter, the whole session will treat as match
yes/no
yes
matchedlog
if match filter and syslog set, send log
yes/no
no
mpslog
if matched per second over value, send log
Interger
0
v5.3
blockifempty
block if no find in filter
yes/no
no
maxPackets
only match first N packets in a session
Interger
0(means no limit)
start
start filter position, support l2, l3, l4, l7, http_body
String
l7
v5.3, regex only
position
absolute position for filter
Interger
-1
v5.3, regex only
within
maxinum size for filter
Interger
0
v5.3, regex only
masking
just masking, no filter function
yes/no
no
regex only
tuple5_live_hashtable_size
set hash table size for tuple5 live use only
Interger
no
v3.3
Example
filter dns port and server
Example for Regular Expression
Last updated