Creating filter using IDMEF Criteria

IDMEF Criteria are filters on IDMEF fields.
Several Prelude components use IDMEF Criteria in order to provide IDMEF filtering capability.

  • Prelude-Manager comes with the idmef-criteria-filter plugin, which can be hooked and uses IDMEF Criteria to define the specific action to take for an incoming event (relaying it, storing it in a specific database, etc.).

IDMEF Criteria syntax

 <IDMEF Path> <operator> <value>

Simple example:

 alert.analyzer(-1).name = 'MySensor'

Note that you can combine criteria with the boolean operators && (AND) and || (OR), and group them with parentheses:

 alert.analyzer(-1).name = 'MySensor' && (alert.assessment.impact.severity = 'high' || alert.assessment.impact.completion = 'succeeded')

Available IDMEF paths

For the list of IDMEF Paths you can use, see the IDMEFPath documentation.

Available operators

=    -> Case sensitive equal.
=*   -> Case insensitive equal.
!=   -> Case sensitive not equal.
!=*  -> Case insensitive not equal.
~    -> Case sensitive Regexp.
~*   -> Case insensitive regexp.
!~   -> Case sensitive, not matched regexp.
!~*  -> Case insensitive, not matched regexp.
<    -> Lower than.
<=   -> Lower than or equal.
>    -> Higher than.
>=   -> Higher than or equal.
<>   -> Case sensitive sub-string.
<>*  -> Case insensitive sub-string.
!<>  -> Case sensitive not sub-string.
!<>* -> Case insensitive not sub-string.
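As an added example (not code from the Prelude project), a small Python evaluator that parses the syntax above, including && / || and parentheses, and applies the operator table to an event held as nested dicts with analyzer(-1)-style list indices. The tokenizer, the rule that an absent field never matches, and the numeric treatment of the ordering operators are this example's own assumptions, and the sample event is constructed.

```python
import operator, re

# Operators from the page; the trailing-'*' (case-insensitive) forms are handled in compare().
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "<>": lambda f, v: v in f, "!<>": lambda f, v: v not in f,
       "~": lambda f, v: re.search(v, f) is not None, "!~": lambda f, v: re.search(v, f) is None}
# Tokens: IDMEF path (with list indices such as analyzer(-1)), operator, single-quoted value, symbol.
TOKEN = re.compile(r"\s*(?:(?P<path>[A-Za-z_]\w*(?:\(-?\d+\))?(?:\.[A-Za-z_]\w*(?:\(-?\d+\))?)*)"
                   r"|(?P<op>!?<>\*?|!?[=~]\*?|[<>]=?)|(?P<str>'[^']*')|(?P<sym>[()]|&&|\|\|))")

def resolve(obj, path):  # walk 'alert.analyzer(-1).name' through nested dicts; (n) indexes a list
    try:
        for name, _, index in (part.partition("(") for part in path.split(".")):
            obj = obj[name][int(index[:-1])] if index else obj[name]
        return obj
    except (KeyError, IndexError, TypeError):
        return None                                  # absent class, attribute or list entry

def compare(field, op, value):
    if field is None: return False                   # assumption: an absent field never matches
    field = str(field)
    if op.endswith("*"): op, field, value = op[:-1], field.lower(), value.lower()
    try:
        if op in ("<", "<=", ">", ">="): field, value = float(field), float(value)
        return bool(OPS[op](field, value))
    except (ValueError, re.error): return False      # non-numeric field, or a bad regexp

def matches(criteria, alert):  # parse an IDMEF Criteria string and evaluate it against a nested dict
    if TOKEN.sub("", criteria).strip(): raise ValueError(f"unrecognised input in {criteria!r}")
    tokens = [(m.lastgroup, m.group(m.lastgroup)) for m in TOKEN.finditer(criteria)]
    peek = lambda: tokens[0] if tokens else None
    def atom():                                      # '(' expr ')' | <path> <op> <value>
        if peek() == ("sym", "("):
            tokens.pop(0); result = or_expr()
            if not tokens or tokens.pop(0) != ("sym", ")"): raise ValueError("expected ')'")
            return result
        (pk, path), (ok, op), (vk, value) = [tokens.pop(0) if tokens else ("eof", "") for _ in range(3)]
        if (pk, ok, vk) != ("path", "op", "str"): raise ValueError(f"bad criterion near {path!r}")
        return compare(resolve(alert, path), op, value[1:-1])
    def chain(sym, sub):                             # operands of 'a sym b sym c'
        results = [sub()]
        while peek() == ("sym", sym): tokens.pop(0); results.append(sub())
        return results
    and_expr = lambda: all(chain("&&", atom))        # '&&' binds tighter than '||'
    or_expr = lambda: any(chain("||", and_expr))
    result = or_expr()
    if tokens: raise ValueError(f"trailing input: {tokens!r}")
    return result

# Constructed sample event in nested-dict form; not a real IDMEF message.
SAMPLE_ALERT = {"alert": {"analyzer": [{"name": "prelude-manager"}, {"name": "MySensor"}],
                          "assessment": {"impact": {"severity": "high", "completion": "failed"}}}}
```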