You can edit your filter to modify the special keywords and
their arguments that are supplied when you click on a filter in the filter
panel. Custom filters on the Rules page function like those used in the rule
editor, but you can also use any of the keywords supplied in the Rules page
filter, using the syntax displayed when you select the filter through the
filter panel. To determine a keyword for future use, click on the appropriate
argument in the filter panel on the right. The filter keyword and argument
syntax appear in the filter text box. Remember that comma-separated multiple
arguments for a keyword are only supported for the Category and Priority filter
types.
You can use keywords and arguments, character strings, and
literal character strings in quotes, with spaces separating multiple filter
conditions. A filter cannot include regular expressions, wild card characters,
or any special operator such as a negation character (!), a greater than symbol
(>), less than symbol (<), and so on. When you type in search terms
without a keyword, without initial capitalization of the keyword, or without
quotes around the argument, the search is treated as a string search and the
category, message, and SID fields are searched for the specified terms.
Except for the gid and sid keywords, all arguments and strings are treated as partial strings. Arguments for gid and sid return only exact matches.
Each rule filter can include one or more keywords in the format:
keyword:"argument"
where keyword is one of the keywords in the intrusion rule filter groups and argument is enclosed in double quotes and is a single, case-insensitive, alphanumeric string to search for in the specific field or fields relevant to the keyword. Note that keywords should be typed with initial capitalization.
Arguments for all keywords except gid and sid are treated as partial strings. For example, the argument 123 returns "12345", "41235", "45123", and so on. The arguments for gid and sid return only exact matches; for example, sid:3080 returns only SID 3080.
Each rule filter can also include one or more alphanumeric character strings. Character strings search the rule Message field, Snort ID (SID), and Generator ID (GID). For example, the string 123 returns the strings "Lotus123", "123mania", and so on in the rule message, and also returns SID 6123, SID 12375, and so on. You can search for a partial SID by filtering with one or more character strings.
All character strings are case-insensitive and are treated as partial strings. For example, any of the strings ADMIN, admin, or Admin returns "admin", "CFADMIN", "Administrator", and so on.
You can enclose character strings in quotes to return exact matches. For example, the literal string "overflow attempt" in quotes returns only that exact string, whereas a filter consisting of the two strings overflow and attempt without quotes returns "overflow attempt", "overflow multipacket attempt", "overflow with evasion attempt", and so on.
You can narrow filter results by entering any combination of
keywords, character strings, or both, separated by spaces. The result includes
any rule that matches all the filter conditions.
You can enter multiple filter conditions in any order. For example, each of the following filters returns the same rules:
- url:at login attempt cve:200
- login attempt cve:200 url:at
- login cve:200 attempt url:at
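The filter semantics described above, as an added example (not code from the original page or from the product): a small Python matcher that parses filter text the way the page describes, runs it against a constructed rule set, and applies AND across conditions, exact matching for gid and sid, partial case-insensitive matching elsewhere, and comma-separated arguments for Category and Priority. It assumes keyword names are accepted in any case (the page's own examples use lowercase) and that comma-separated arguments are ORed.

```python
import re
import shlex

# Constructed sample rules (not from the original page); fields are the
# ones the Rules page filter can search.
RULES = [
    {"gid": 1, "sid": 3080, "category": "server-other", "cve": "2005-1234",
     "msg": "SERVER-OTHER overflow attempt", "url": "https://example.test/attempt"},
    {"gid": 1, "sid": 6123, "category": "policy-other", "cve": "2004-2002",
     "msg": "POLICY-OTHER Lotus123 login attempt", "url": "https://example.test/status"},
    {"gid": 3, "sid": 12375, "category": "protocol-dns", "cve": "2001-0010",
     "msg": "PROTOCOL-DNS overflow multipacket attempt", "url": "https://example.test/dns"},
    {"gid": 116, "sid": 3080, "category": "decoder", "cve": "",
     "msg": "DECODER CFADMIN Administrator login", "url": ""},
]
EXACT_KEYWORDS = {"gid", "sid"}                # exact matches only
MULTI_ARG_KEYWORDS = {"category", "priority"}  # comma-separated arguments allowed
STRING_FIELDS = ("msg", "sid", "gid")          # bare strings search message, SID, GID
KEYWORD_RE = re.compile(r'^(\w+):"?([^"]*)"?$')

def parse_filter(text):
    """Split filter text into (keyword, args) conditions; keyword None = bare string."""
    conditions = []
    # posix=False keeps quotes: "overflow attempt" is one token, Category:"a,b" one token.
    for token in shlex.split(text, posix=False):
        m = KEYWORD_RE.match(token)
        if m:  # assumption: keyword names accepted in any case; comma args are ORed
            keyword, value = m.group(1).lower(), m.group(2).lower()
            args = value.split(",") if keyword in MULTI_ARG_KEYWORDS else [value]
            conditions.append((keyword, args))
        else:  # quoted phrase must appear as typed; bare word is a partial match
            conditions.append((None, [token.strip('"').lower()]))
    return conditions

def matches(rule, keyword, args):
    if keyword is None:
        return any(args[0] in str(rule[f]).lower() for f in STRING_FIELDS)
    field = str(rule.get(keyword, "")).lower()
    if keyword in EXACT_KEYWORDS:
        return any(field == a for a in args)
    return any(a in field for a in args)

def filter_rules(text, rules=RULES):
    """Return (gid, sid) of every rule that satisfies ALL conditions, in rule order."""
    conditions = parse_filter(text)
    return [(r["gid"], r["sid"]) for r in rules
            if all(matches(r, k, a) for k, a in conditions)]
```

With the constructed rules, `filter_rules("sid:3080")` returns both rules with that SID while `filter_rules("sid:308")` returns nothing, and the three orderings of the page's `url:at login attempt cve:200` example all return the same result.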