Basics of constructing filters

You construct filters using fields, values of the fields, and operations.

Filters are constructed from the following parts:

  • The fields that you want to match in the data (for example, there are separate fields for source IP address and port in logs). You can filter data according to any field.
  • The values in those fields that you want to match (for example, the exact port number or IP address you are interested in).
  • The operations that define how the fields and values are matched to data entries (especially when several fields are included as the filtering criteria).

A filter can have one or several fields. The more fields you have in a filter, the more specific the selection of log data becomes. For example, you can use the IP source field in the filter and get a selection of log data that matches the source IP address you specify. To limit the selection of log data even further, you could add a field for the destination port used.

Different types of data entries contain different types of information, so the fields you add also restrict the general type of data that your filter matches. It is possible to create a filter that can never match any data if the combination of fields is not found in any single entry. However, everything depends on the general structure of the filter: it is also possible to create filters that match related data in different types of entries by using different fields as criteria. Depending on the field, you can define one or several values that you want to look for in the data. Some operations (for example, Defined) do not need a field value at all.

Operations define how field values in log data are compared to the field values defined in the filter. You can have as many operations in a filter as necessary, and you can also nest operations inside other operations. When a filter contains two or more fields, the fields must always be combined with an operation. Each field in a filter is attached to one of these operations:

  • Calculations (BITWISE and SUM OF)
  • Comparisons (for example, EQUAL TO, GREATER THAN, SMALLER THAN)
  • Logicals (AND, NOT, OR)

Filter example

Figure: Matching events with a filter

The illustration shows a filter with several fields and operations. This filter matches if the destination IP address is in the 192.168.11.0/24 network AND the destination port is 80 or greater, OR if the destination IP address is in the 192.168.12.0/24 network AND the destination port is 80 or greater.

A data entry for a connection to host 192.168.11.10 on port 80 matches the first AND operation in the example filter. The same connection does not match the second AND operation. Since the two AND operations are combined with OR, the filter as a whole is considered a match and the data entry is selected for the task that is being carried out.

Filters that match a single value

A filter that matches a single source IP address:

Src Addr EQUAL TO 192.168.1.101

Where Src Addr is a field, EQUAL TO is the operation, and the IP address is a value.

Filters that match several values

A filter that matches any non-empty value for destination port:

Dst Port IS DEFINED

A filter that matches all destination ports between 1024 and 49152:

Dst Port BETWEEN 1024 AND 49152

A filter that matches any of three alternative destination ports:

Dst Port IN 51111, 52222, 53333

Complex filters that use logical operations

You can add the logical operations NOT, AND, and OR. The NOT operation negates the criteria you set.

A filter that matches all destination ports except ports between 1024 and 49152:

NOT
  Dst Port BETWEEN 1024 AND 49152

When you add more than one field to a filter, you must define how the fields are used in relation to each other. You must use either AND (all field values must be present in the same entry) or OR (a data entry matches the filter if any one field value is found).

A filter that matches if the destination port is lower than 1024 and the source is a particular IP address:

AND
  Src Addr EQUAL TO 192.168.1.101
  Dst Port SMALLER THAN 1024

A filter that matches either of two destination ports:

OR
  Dst Port EQUAL TO 80
  Dst Port EQUAL TO 8080

You can apply the AND and OR operations to other AND and OR statements to create more complex statements. You can also negate whole AND and OR sections with NOT.
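The following is an added example, not code from the product this page documents: a small Python evaluator for filter trees written with the fields and operations described above (EQUAL TO, GREATER THAN, SMALLER THAN, BETWEEN, IN, IS DEFINED, NOT, AND, OR), run over a few constructed log entries. The tuple representation, the "IN NETWORK" operation used for the figure's /24 matches, and the sample entries are assumptions made for this example.

```python
import ipaddress

# Constructed log entries (not from the page): field name -> value.
# A key that is absent means the field is not defined in that entry.
ENTRIES = [
    {"Src Addr": "10.0.0.5", "Dst Addr": "192.168.11.10", "Dst Port": 80},
    {"Src Addr": "10.0.0.5", "Dst Addr": "192.168.12.7", "Dst Port": 22},
    {"Src Addr": "192.168.1.101", "Dst Addr": "172.16.0.9", "Dst Port": 443},
    {"Src Addr": "192.168.1.101", "Dst Addr": "172.16.0.9"},
]

# A filter is a nested tuple: ("NOT", f), ("AND", f1, f2, ...), ("OR", f1, f2, ...)
# for the logicals, and (operation, field, value, ...) for a comparison.
def matches(flt, entry):
    op = flt[0]
    if op == "NOT":
        return not matches(flt[1], entry)
    if op == "AND":
        return all(matches(sub, entry) for sub in flt[1:])
    if op == "OR":
        return any(matches(sub, entry) for sub in flt[1:])
    field = flt[1]
    if op == "IS DEFINED":        # the one operation that takes no value
        return field in entry
    if field not in entry:        # no field value: a comparison cannot match
        return False
    v = entry[field]
    if op == "EQUAL TO":
        return v == flt[2]
    if op == "GREATER THAN":
        return v > flt[2]
    if op == "SMALLER THAN":
        return v < flt[2]
    if op == "BETWEEN":           # inclusive bounds, as in "between 1024 and 49152"
        return flt[2] <= v <= flt[3]
    if op == "IN":
        return v in flt[2:]
    if op == "IN NETWORK":        # hypothetical name for the CIDR match in the figure
        return ipaddress.ip_address(v) in ipaddress.ip_network(flt[2], strict=False)
    raise ValueError(f"unknown operation {op!r}")

# "80 or greater" expressed with the page's comparisons: EQUAL TO or GREATER THAN.
def port_at_least(n):
    return ("OR", ("EQUAL TO", "Dst Port", n), ("GREATER THAN", "Dst Port", n))

# The figure's filter: (dst in 192.168.11.0/24 AND port >= 80) OR (dst in 192.168.12.0/24 AND port >= 80).
FIGURE_FILTER = ("OR",
    ("AND", ("IN NETWORK", "Dst Addr", "192.168.11.0/24"), port_at_least(80)),
    ("AND", ("IN NETWORK", "Dst Addr", "192.168.12.0/24"), port_at_least(80)))
```

Note that NOT applied to a comparison on a field the entry lacks evaluates to a match, because the inner comparison cannot match; when that is not what you want, combine it with IS DEFINED using AND.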