Creating filters using IDMEF Criteria
IDMEF Criteria are filter expressions over IDMEF fields, each field being named by an IDMEF Path.
Several Prelude components use IDMEF Criteria to provide IDMEF filtering:
- Prelude-Manager ships the idmef-criteria-filter plugin, which can be hooked into the processing chain and uses IDMEF Criteria to decide what to do with an incoming event (relay it, store it in a specific database, etc.).
- The Prewikka interface lets the user set up criteria to filter query results.
IDMEF Criteria syntax
<IDMEF Path> <operator> <value>
Simple example, matching alerts whose last analyzer entry (a negative index counts from the end of the list, so (-1) is the last element) is named MySensor:
alert.analyzer(-1).name = 'MySensor'
Criteria can be combined with the boolean operators && (AND) and || (OR) and grouped with parentheses; string values are enclosed in single quotes:
alert.analyzer(-1).name = 'MySensor' && (alert.assessment.impact.severity = 'high' || alert.assessment.impact.completion = 'succeeded')
Available IDMEF paths
For the IDMEF paths you can use, see the IDMEFPath documentation.
Available operators
Operators ending in * are the case-insensitive variants; a leading ! negates the test.
- = : case sensitive equal
- =* : case insensitive equal
- != : case sensitive not equal
- !=* : case insensitive not equal
- ~ : case sensitive regexp match
- ~* : case insensitive regexp match
- !~ : case sensitive, regexp not matched
- !~* : case insensitive, regexp not matched
- < : lower than
- <= : lower than or equal
- > : higher than
- >= : higher than or equal
- <> : case sensitive sub-string
- <>* : case insensitive sub-string
- !<> : case sensitive, not a sub-string
- !<>* : case insensitive, not a sub-string
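To make the syntax and the operator table above concrete, here is an added example (written for this page; it is not Prelude, libprelude or Prewikka code) that parses IDMEF Criteria and evaluates them against an alert represented as nested Python dicts and lists. The sample alert is constructed, not a real capture. Several choices are the example's own rather than documented Prelude behaviour and are marked as such in the code: && binds tighter than ||, a list component written without an index fans out like (*), and a path that selects no value yields false even for negated operators.

```python
import re

# Longest operators first, so '<>*' is not read as '<' then '>*'; 'err' catches any stray character.
TOKEN_RE = re.compile(r"""\s*(?:(?P<lpar>\()|(?P<rpar>\))|(?P<and>&&)|(?P<or>\|\|)
    |(?P<op>!<>\*|!<>|<>\*|<>|!=\*|!=|=\*|=|!~\*|!~|~\*|~|<=|>=|<|>)
    |(?P<str>'(?:[^'\\]|\\.)*')|(?P<num>-?\d+(?:\.\d+)?)|(?P<path>[A-Za-z_][\w.()*-]*)|(?P<err>\S))""", re.VERBOSE)
COMP_RE = re.compile(r"(\w+)(?:\((-?\d+|\*)\))?")  # one path component, e.g. analyzer(-1) or source(*)


def parse(text):
    # Grammar: expr := term ('||' term)*   term := factor ('&&' factor)*   factor := '(' expr ')' | path op value
    toks = [(m.lastgroup, m.group(m.lastgroup)) for m in TOKEN_RE.finditer(text)] + [("end", "")]
    if any(kind == "err" for kind, _ in toks):
        raise SyntaxError(f"stray character in criteria: {text!r}")
    pos = [0]  # boxed in a list so the nested parsers can advance it

    def take(expect=None):
        kind, val = toks[pos[0]]
        if expect and kind != expect:
            raise SyntaxError(f"expected {expect}, got {val or 'end of criteria'!r}")
        pos[0] += 1
        return val

    def binary(level):  # level 0 joins terms with '||'; level 1 joins factors with '&&' (this example's precedence)
        kind, sub = ("or", lambda: binary(1)) if level == 0 else ("and", factor)
        node = sub()
        while toks[pos[0]][0] == kind:
            take()
            node = (kind, node, sub())
        return node

    def factor():
        if toks[pos[0]][0] == "lpar":
            take()
            node = binary(0)
            take("rpar")
            return node
        path, op = take("path"), take("op")
        if toks[pos[0]][0] == "num":
            return ("cmp", path, op, float(take()))
        return ("cmp", path, op, take("str")[1:-1].replace("\\'", "'"))

    ast = binary(0)
    take("end")
    return ast


def resolve(message, path):
    # '(n)' indexes a list (negative from the end, so (-1) is last); '(*)' or no index fans out over all elements
    values = [message]
    for comp in path.split("."):
        m = COMP_RE.fullmatch(comp)
        if not m:
            raise ValueError(f"malformed path component {comp!r}")
        name, index = m.groups()
        children = [v[name] for v in values if isinstance(v, dict) and name in v]
        lists = [c for c in children if isinstance(c, list)]
        if index in (None, "*"):
            values = [c for c in children if not isinstance(c, list)] + [e for lst in lists for e in lst]
        else:
            values = [lst[int(index)] for lst in lists if -len(lst) <= int(index) < len(lst)]
    return values


def compare(op, actual, expected):
    # Trailing '*' means case-insensitive, a leading '!' negates, and what is left selects the test.
    insensitive, base = op.endswith("*"), op.rstrip("*")
    negate, base = base.startswith("!"), base.lstrip("!")
    a, e = (str(actual).lower(), str(expected).lower()) if insensitive else (str(actual), str(expected))
    try:
        an, en = float(actual), float(expected)  # ordering and equality are numeric when both sides parse
    except (TypeError, ValueError):
        an, en = a, e                            # otherwise lexical
    if base == "~":
        hit = re.search(str(expected), str(actual), re.IGNORECASE if insensitive else 0) is not None
    elif base == "<>":
        hit = e in a
    else:
        hit = {"=": an == en, "<": an < en, "<=": an <= en, ">": an > en, ">=": an >= en}[base]
    return hit != negate


def evaluate(node, message):
    if node[0] in ("and", "or"):  # short-circuit: '&&' stops on a False left side, '||' on a True one
        left = evaluate(node[1], message)
        return evaluate(node[2], message) if left == (node[0] == "and") else left
    _, path, op, expected = node
    # True when any selected value passes; an absent field is False even for negated operators (example's choice)
    return any(compare(op, v, expected) for v in resolve(message, path))


# Constructed sample alert, not a real Prelude capture; MySensor is deliberately the last analyzer.
SAMPLE_ALERT = {"alert": {
    "analyzer": [{"name": "prelude-manager"}, {"name": "MySensor", "model": "Snort"}],
    "classification": {"text": "Port scan on 10.0.0.5"},
    "assessment": {"impact": {"severity": "medium", "completion": "succeeded"}},
    "source": [{"node": {"address": [{"address": "192.0.2.10"}]}}]}}

EXAMPLES = {  # criteria -> result against SAMPLE_ALERT
    "alert.analyzer(-1).name = 'MySensor'": True,
    "alert.analyzer(-1).name = 'MySensor' && (alert.assessment.impact.severity = 'high' || alert.assessment.impact.completion = 'succeeded')": True,
    "alert.classification.text ~* '^port\\s+SCAN'": True,       # case-insensitive regexp
    "alert.classification.text <> 'SCAN'": False,               # sub-string test is case-sensitive
    "alert.source(*).node.address(*).address = '192.0.2.10'": True,
    "alert.assessment.impact.severity != 'medium'": False,
}


def matches(criteria, message=SAMPLE_ALERT):
    return evaluate(parse(criteria), message)
```

Calling `matches()` on each key of `EXAMPLES` returns the listed booleans. Two points worth checking in your own filters: a criterion with an unbalanced quote, such as `('alert.assessment.impact.severity = 'high'`, is a parse error rather than a filter that silently matches nothing, and `!=` is a plain negated equality, so it does not match alerts in which the field is absent.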