HEADER Condition

Checks the value of one of the message headers.

Description

This condition checks whether the value of a header contains a substring, matches a wildcard pattern, or matches a regular expression. Message headers include the metadata headers generated by detectors; their names have the form "X-Sensor-...".

Ordinary mail message headers can also be checked with this condition, except for the following:

From
To
Cc
Bcc
Subject
Date
Content-Type
Content-Transfer-Encoding

Note that, for more efficient filtering, you should avoid checking an "X-Sensor-..." metadata header with the header condition when a special condition is pre-defined for that header. For example, for the "X-Sensor-Detector" header it is more efficient to use the dedicated special condition than to check the header value with the header condition.

Format

<c name="header"
  headername="<header name>"
  op="<operation>"
  value="<compare pattern>" />

The "name" attribute:

The name attribute specifies the name of the condition: name="header".

The "headername" attribute:

The headername="..." attribute specifies the name of the header to check.

The "op" attribute:

The op="..." attribute specifies the type of the comparison operation and may have the following values:

"eq", = or ==

The condition is considered true if the value being checked CONTAINS the specified value

"ne", != or <>

The condition is considered true if the value being checked DOES NOT CONTAIN the specified value

"wc" or "wildcard"

The condition is considered true if the value being checked matches the specified wildcard pattern

"re", "regex" or "regexp"

The condition is considered true if the value being checked matches the specified regular expression

The "value" attribute:

The value="..." attribute specifies the substring, wildcard pattern, or regular expression that the header value is compared against, according to the "op" attribute.

Examples:

<c name="header" headername="X-Priority" op="eq" value="3" />

The condition is considered true if a message has the X-Priority header, and its value contains "3".

<c name="header" headername="X-Mailer" op="!=" value="Outlook" />

The condition is considered true if a message has the X-Mailer header, and its value does not contain "Outlook".

<c name="header"
  headername="X-Sensor-Net-Interface-Id"
  op="eq"
  value="01-icap" />

The condition is considered true if a message has the X-Sensor-Net-Interface-Id header, and its value contains "01-icap".

<c name="header"
  headername="X-Sensor-Net-Interface-Id"
  op="wc"
  value="*-icap" />

or

<c name="header"
  headername="X-Sensor-Net-Interface-Id"
  op="wildcard"
  value="*-icap" />

The condition is considered true if a message has the X-Sensor-Net-Interface-Id header, and its value matches the "*-icap" pattern.
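As an added illustration (not the product's own code), the semantics of the four "op" families in Python: a small evaluator that applies a <c name="header"> condition to a set of parsed message headers. It assumes comparisons are case-sensitive and that a regular expression matches anywhere in the value, since the page does not specify either; the sample <match> block and message headers are constructed.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed sample: a <match> block with two header conditions from this page.
MATCH_XML = """
<match>
  <c name="header" headername="X-Mailer" op="!=" value="Outlook" />
  <c name="header" headername="X-Sensor-Net-Interface-Id" op="wc" value="*-icap" />
</match>
"""

# Constructed sample message headers, as they would be parsed from a message.
MESSAGE = {
    "X-Mailer": "Mozilla Thunderbird",
    "X-Sensor-Net-Interface-Id": "01-icap",
    "X-Priority": "3",
}

CONTAINS = {"eq", "=", "=="}
NOT_CONTAINS = {"ne", "!=", "<>"}
WILDCARD = {"wc", "wildcard"}
REGEX = {"re", "regex", "regexp"}


def header_condition(headers, headername, op, value):
    """Evaluate one header condition against a dict of header values.
    Returns False when the header is absent: every operation, 'ne' included,
    requires the header to be present (as the page's examples state).
    Assumption: comparisons are case-sensitive and a regex matches anywhere."""
    actual = headers.get(headername)
    if actual is None:
        return False
    if op in CONTAINS:
        return value in actual
    if op in NOT_CONTAINS:
        return value not in actual
    if op in WILDCARD:
        return fnmatchcase(actual, value)
    if op in REGEX:
        return re.search(value, actual) is not None
    raise ValueError(f"unknown op {op!r}")


def evaluate_match(match_xml, headers):
    """Parse a <match> block and return each header condition's result in order."""
    root = ET.fromstring(match_xml.strip())
    results = []
    for c in root.findall("c"):
        if c.get("name") != "header":
            raise ValueError("only the header condition is implemented here")
        results.append(header_condition(headers, c.get("headername"), c.get("op"), c.get("value")))
    return results
```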

Example:

Drop messages sent via Outlook.

<?xml version="1.0" encoding="utf-8"?>
<filter name="Message filter" version="1.0">
 <comment>Message filter.</comment>
 
 <table name="main">
   <rule enabled="1">
     <match>
       <c name="header"
          headername="X-Mailer"
          op="=="
          value="Outlook" />
     </match>
     <action name="drop" />
   </rule>
 
 </table>
</filter>