Intrusion Rule Filter Components
You can edit your filter to modify the special keywords and their arguments that are supplied when you click on a filter in the filter panel. Custom filters on the Rules page function like those used in the rule editor, but you can also use any of the keywords supplied in the Rules page filter, using the syntax displayed when you select the filter through the filter panel. To determine a keyword for future use, click on the appropriate argument in the filter panel on the right. The filter keyword and argument syntax appear in the filter text box. Remember that comma-separated multiple arguments for a keyword are only supported for the Category and Priority filter types.
You can use keywords and arguments, character strings, and literal character strings in quotes, with spaces separating multiple filter conditions. A filter cannot include regular expressions, wild card characters, or any special operator such as a negation character (!), a greater than symbol (>), less than symbol (<), and so on. When you type in search terms without a keyword, without initial capitalization of the keyword, or without quotes around the argument, the search is treated as a string search and the category, message, and SID fields are searched for the specified terms.
Except for the
gid and
sid keywords, all arguments and strings are treated as
partial strings. Arguments for
gid and
sid return only exact matches.
Each rule filter can include one or more keywords in the format:
keyword:”argument”
where keyword is one of the keywords in the intrusion rule filter groups and argument is enclosed in double quotes and is a single, case-insensitive, alphanumeric string to search for in the specific field or fields relevant to the keyword. Note that keywords should be typed with initial capitalization.
Arguments for all keywords except
gid and
sid are treated as partial strings. For example, the
argument
123 returns
"12345",
"41235",
"45123", and so on. The arguments for
gid and
sid return only exact matches; for example,
sid:3080 returns only
SID 3080.
Each rule filter can also include one or more alphanumeric
character strings. Character strings search the rule Message field,
Snort ID
(SID), and Generator ID (GID). For example, the string
123 returns the strings
"Lotus123", "123mania", and so
on in the rule message, and also returns
SID 6123,
SID 12375, and so on. You can search for a partial SID
by filtering with one or more character strings.
All character strings are case-insensitive and are treated as
partial strings. For example, any of the strings
ADMIN,
admin, or
Admin
return
"admin",
"CFADMIN",
"Administrator" and so on.
You can enclose character strings in quotes to return exact
matches. For example, the literal string
"overflow attempt" in quotes returns only that exact
string, whereas a filter comprised of the two strings
overflow and
attempt without quotes returns
"overflow attempt",
"overflow multipacket attempt",
"overflow with evasion attempt", and so on.
You can narrow filter results by entering any combination of keywords, character strings, or both, separated by spaces. The result includes any rule that matches all the filter conditions.
You can enter multiple filter conditions in any order. For example, each of the following filters returns the same rules:
-
url:at login attempt cve:200 -
login attempt cve:200 url:at -
login cve:200 attempt url:at