Element <filter>
Defines the filter. It has a start tag <filter> and an end tag </filter>.
Inside <filter>, the first child element must be <or></or> or <and></and>; the <find/> elements are placed inside that child. A filter with id=1 is referenced as F1 in a <chain> (see the Example section). For instance:
```xml
<filter id="1">
  <or>
    <find name="tcp.port" relation="==" content="443" />
    <find name="udp.port" relation="==" content="53" />
  </or>
</filter>
```
<or>
Combines all of its <find> elements with a logical OR. It has a start tag <or> and an end tag </or>.
<and>
Combines all of its <find> elements with a logical AND. It has a start tag <and> and an end tag </and>.
<find>
See Element <find>.
Attributes

| Attribute | Description | Type | Default | Note |
| --- | --- | --- | --- | --- |
| id | Unique id of the element; a filter with id 1 is referenced as F1 in <chain> | Integer | * | |
| name | Name of the element | String | | |
| sessionBase | If any one packet in a session matches the filter, the whole session is treated as matched | yes/no | yes | |
| matchedlog | Send a log when the filter matches and syslog is configured | yes/no | no | |
| mpslog | Send a log when the number of matches per second exceeds this value | Integer | 0 | v5.3 |
| blockifempty | Block if the filter contains no find | yes/no | no | |
| maxPackets | Only match the first N packets of a session | Integer | 0 (no limit) | |
| start | Start position for the filter; supports l2, l3, l4, l7, http_body | String | l7 | v5.3, regex only |
| position | Absolute position for the filter | Integer | -1 | v5.3, regex only |
| within | Maximum size for the filter | Integer | 0 | v5.3, regex only |
| masking | Masking only, no filter function | yes/no | no | regex only |
| tuple5_live_hashtable_size | Hash table size for tuple5 live use only | Integer | no | v3.3 |
Example
Filter on the DNS port and the DNS server addresses:
```xml
<run>
  <filter id="1" sessionBase="no">
    <or>
      <find name="udp.port" relation="==" content="53" />
    </or>
  </filter>
  <filter id="2" sessionBase="no">
    <or>
      <find name="ip.addr" relation="==" content="8.8.8.8" />
      <find name="ip.addr" relation="==" content="8.8.4.4" />
      <find name="ip.addr" relation="==" content="168.95.1.1" />
      <find name="ip.addr" relation="==" content="168.95.100.1" />
    </or>
  </filter>
  <chain>
    <in>P0</in>
    <fid type="and">F1,F2</fid>
    <out>P1</out>
    <next type="notmatch">
      <out>P2</out>
    </next>
  </chain>
</run>
```
Example for Regular Expression
```xml
<run>
  <filter id="1" sessionBase="no" start="l7" within="100">
    <or>
      <!-- string -->
      <find name="regex" relation="==" content="This is p@cket filtering test"/>
      <!-- hex -->
      <find name="regex" relation="==" content="\xE9\xA2\xB1\xE9\xA2\xA8"/>
      <!-- HTTP host name -->
      <find name="regex" relation="==" content="{s}\/.*Host: nlpqflkbvkdde\.eu"/>
      <!-- DNS query name -->
      <find name="regex" relation="==" content="\x08facebook\x03com"/>
    </or>
  </filter>
  <chain>
    <in>P0</in>
    <fid>F1</fid>
    <out>P1</out>
  </chain>
</run>
```
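As an added example that is not part of this page or the product's own software, the following Python script parses the <filter>/<chain> XML documented above and applies it to constructed packet records. It covers the <or> grouping, the sessionBase and maxPackets attributes and the F-id chain routing of the first Example, as well as the start/position/within byte window of the regular-expression Example. The packet field names ("ip.addr", "udp.port", "l7", "session"), the exact window semantics and the default <fid> type are assumptions of this example.

```python
# Added example, not the product's own code: a small evaluator for the
# <filter>/<chain> XML on this page, run against constructed packet records.
# Field names ("ip.addr", "udp.port", "l7", "session") and the exact window
# semantics of start/position/within are assumptions of this example.
import re
import xml.etree.ElementTree as ET

# Constructed configuration using the page's element and attribute names.
CONFIG_XML = r"""
<run>
  <filter id="1" sessionBase="no" maxPackets="2">
    <or><find name="udp.port" relation="==" content="53" /></or>
  </filter>
  <filter id="2" sessionBase="yes" maxPackets="2">
    <or><find name="ip.addr" relation="==" content="8.8.8.8" />
        <find name="ip.addr" relation="==" content="8.8.4.4" /></or>
  </filter>
  <filter id="3" sessionBase="no" start="l7" position="12" within="16">
    <or><find name="regex" relation="==" content="\x08facebook\x03com" /></or>
  </filter>
  <chain>
    <in>P0</in><fid type="and">F1,F2</fid><out>P1</out>
    <next type="notmatch"><out>P2</out></next>
  </chain>
</run>
"""

DNS_HDR = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # constructed 12-byte DNS header
# Constructed packets: field values a <find> can name (as lists), the session
# the packet belongs to, and its layer-7 payload under "l7".
PACKETS = [
    {"session": "s1", "ip.addr": ["10.0.0.5", "8.8.8.8"], "udp.port": [51000, 53],
     "l7": DNS_HDR + b"\x08facebook\x03com\x00\x00\x01\x00\x01"},
    {"session": "s1", "ip.addr": ["8.8.8.8", "10.0.0.5"], "udp.port": [53, 51000],
     "l7": DNS_HDR + b"\x08facebook\x03com\x00\x00\x01\x00\x01\xc0\x0c"},
    {"session": "s1", "ip.addr": ["10.0.0.5", "8.8.8.8"], "udp.port": [51000, 53],
     "l7": DNS_HDR + b"\x08facebook\x03com\x00\x00\x01\x00\x01"},  # third packet of s1
    {"session": "s2", "ip.addr": ["10.0.0.5", "1.1.1.1"], "udp.port": [51001, 53],
     "l7": DNS_HDR + b"\x07example\x03com\x00\x00\x01\x00\x01"},
    {"session": "s3", "ip.addr": ["10.0.0.5", "8.8.8.8"], "tcp.port": [51002, 443],
     "l7": b"\x16\x03\x01" + b"\x00" * 29 + b"\x08facebook\x03com"},  # name past the window
]

def _find_matches(find, pkt, flt):
    """Evaluate one <find/>. Only relation "==" is documented on this page."""
    if find.get("relation", "==") != "==":
        raise ValueError("unsupported relation %r" % find.get("relation"))
    name, content = find.get("name"), find.get("content", "")
    if name == "regex":
        # start selects the layer, position an absolute offset (-1: from the
        # beginning), within a maximum length (0: no limit) -- assumed semantics.
        data = pkt.get(flt.get("start", "l7"), b"")
        position, within = int(flt.get("position", "-1")), int(flt.get("within", "0"))
        if position >= 0:
            data = data[position:]
        if within > 0:
            data = data[:within]
        return re.search(content.encode("latin-1"), data) is not None
    return any(str(v) == content for v in pkt.get(name, []))

def _filter_matches(flt, pkt, state):
    """Apply one <filter> to a packet, honouring sessionBase and maxPackets."""
    fid, sess = flt.get("id"), pkt["session"]
    session_base = flt.get("sessionBase", "yes") == "yes"
    matched = state.setdefault(("matched", fid), set())
    seen = state.setdefault(("seen", fid), {})
    if session_base and sess in matched:
        return True  # one packet matched earlier, so the whole session matches
    seen[sess] = seen.get(sess, 0) + 1
    max_packets = int(flt.get("maxPackets", "0"))
    if max_packets and seen[sess] > max_packets:
        return False  # only the first N packets of a session are inspected
    group = flt[0]  # the first child must be <or> or <and>
    if group.tag not in ("or", "and"):
        raise ValueError("filter %s must start with <or> or <and>" % fid)
    results = [_find_matches(f, pkt, flt) for f in group.findall("find")]
    ok = any(results) if group.tag == "or" else all(results)
    if ok and session_base:
        matched.add(sess)
    return ok

def _route(chain, results):
    """<fid type="and"/"or"> combines the named filters; <next type="notmatch"> is the fallback."""
    fid_el = chain.find("fid")
    ids = [s.strip() for s in fid_el.text.split(",")]
    combine = all if fid_el.get("type", "and") == "and" else any  # default type assumed
    if combine(results[i] for i in ids):
        return chain.find("out").text
    nxt = chain.find("next")
    if nxt is not None and nxt.get("type") == "notmatch":
        return nxt.find("out").text
    return None

def evaluate(config_xml, packets):
    """Run every filter over the packets in order, then route each through the chain."""
    root = ET.fromstring(config_xml)
    filters = {f.get("id"): f for f in root.findall("filter")}
    chain, state, out = root.find("chain"), {}, []
    for pkt in packets:
        results = {"F" + fid: _filter_matches(f, pkt, state) for fid, f in filters.items()}
        out.append({"session": pkt["session"], "filters": results, "out": _route(chain, results)})
    return out
```

Running `evaluate(CONFIG_XML, PACKETS)` routes the first two packets of session s1 to P1 and the third to P2: F1 (sessionBase="no", maxPackets="2") stops inspecting after two packets, while F2 (sessionBase="yes") keeps treating s1 as matched. The s3 packet shows the regex window: the name sits past position 12 + within 16 bytes, so F3 does not match it.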