Event and Object Analysis > Capture Results Filtering > Filtration Basics > Rules > Criteria and Conditions

Checks the message attachment names.

Description

This condition checks if any attachment name matches a pattern or a regular expression.

Format

<с name="attach-name" op="<operation>" value="<compare pattern>" />

The "name" attribute:

The name attribute specifies the name of the condition: name="attach-name".

The "op" attribute:

The op="..." attribute specifies the type of the comparison operation and may have the following values:

"eq", = or ==

The condition is considered true if the value being checked CONTAINS the specified value

"ne", != or <>

The condition is considered true if the value being checked DOES NOT CONTAIN the specified value

"wc" or "wildcard"

The condition is considered true if the value being checked matches the specified wildcard pattern

"re", "regex" or "regexp"

The condition is considered true if the value being checked matches the specified regular expression

The "value" attribute:

The value="..." attribute specifies a string or a pattern to match the value.

Example:

The condition is considered true if any attachment name contains "instruction.doc".

The condition is considered true if any attachment name does not contain "instruction.doc".

The condition is considered true if any attachment name matches the "*.doc" pattern.

The condition is considered true if any attachment name matches the ".+\.doc" regular expression.

The condition is considered true if any attachment name matches the ".+((\.doc)|(\.exe)|(\.zip))" regular expression.

Example:

Drop messages that have *.exe attachments.

<?xml version="1.0" encoding="utf-8"?>
<filter name="Message filter" version="1.0">
<comment>Message filter.</comment>

<table name="main">
<rule enabled="1">
<match>
<c name="attach-name" op="re" value=".+\.exe" />
</match>
<action name="drop" />
</rule>

</table>
</filter>

ATTACH-NAME Condition

ATTACH-NAME Condition