Element <filter>

Defines the filter. It has a start tag <filter> and an end tag </filter>.

In filter, must start at <or></or> or <and></and>, then put <find/> into there like

And filter id=1 -> F1, refer to Example

<filter id="1" >
    <or>
	<find name="tcp.port" relation="==" content="443" />
	<find name="udp.port" relation="==" content="53" />
    </or>
</filter>

<or>

Defines all finds conjunct with or. It has a start tag <or> and an end tag </or>.

<and>

Defines all finds conjunct with and. It has a start tag <and> and an end tag </and>.

<find>

Please refer to Element - <find>

Attribute

Attribute
Description
Type
Default (* must have)
Support

id

Specifies a unique id for an element

Interger

*

name

Specifies a name for an element

String

sessionBase

If one packet in session match filter, the whole session will treat as match

yes/no

yes

matchedlog

if match filter and syslog set, send log

yes/no

no

mpslog

if matched per second over value, send log

Interger

0

v5.3

blockifempty

block if no find in filter

yes/no

no

maxPackets

only match first N packets in a session

Interger

0(means no limit)

start

start filter position, support l2, l3, l4, l7, http_body

String

l7

v5.3, regex only

position

absolute position for filter

Interger

-1

v5.3, regex only

within

maxinum size for filter

Interger

0

v5.3, regex only

masking

just masking, no filter function

yes/no

no

regex only

tuple5_live_hashtable_size

set hash table size for tuple5 live use only

Interger

no

v3.3

Example

filter dns port and server

<run>
<filter id="1" sessionBase="no">
    <or>
	<find name="udp.port" relation="==" content="53" />
    </or>
</filter>
<filter id="2" sessionBase="no">
    <or>
	<find name="ip.addr" relation="==" content="8.8.8.8" />
	<find name="ip.addr" relation="==" content="8.8.4.4" />
	<find name="ip.addr" relation="==" content="168.95.1.1" />
	<find name="ip.addr" relation="==" content="168.95.100.1" />
    </or>
</filter>
<chain>
    <in>P0</in>
    <fid type="and">F1,F2</fid>
    <out>P1</out>
    <next type="notmatch">
        <out>P2</out>
    </next>
</chain>
</run>

Example for Regular Expression

<run>
    <filter id="1" sessionBase="no" start="l7" within="100">
        <or>
            <!-- string -->
            <find name="regex" relation="==" content="This is p@cket filtering test"/>
            <!-- hex -->
            <find name="regex" relation="==" content="\xE9\xA2\xB1\xE9\xA2\xA8"/>
            <!-- http host name-->
            <find name="regex" relation="==" content="{s}\/.*Host: nlpqflkbvkdde\.eu"/>
            <!-- dns qry name-->
            <find name="regex" relation="==" content="\x08facebook\x03com"/>
        </or>
    </filter>
    <chain>
        <in>P0</in>
        <fid>F1</fid>
        <out>P1</out>
    </chain>
</run>
PreviousElement <run>NextElement <find>

Last updated