HOSTNAME Condition

Checks the message source and destination host names.

Description

This condition checks if the source or destination host names match a string, a pattern or a regular expression. For this condition to work correctly, you should first perform host name resolution (see "DNS Action").

Tip:
If you only need to check the destination host for HTTP traffic, there is no need to resolve names using the DNS action, because the destination host name is available from the HTTP request "Host" header.

Format

<c name="hostname"
 address="<address type>"
 op="<operation>"
 value="<compare pattern>" />

The "name" attribute:

The name attribute specifies the name of the condition: name="hostname".

The "address" attribute:

The address="..." attribute specifies the type of the address to check. Possible values:

"src" or "client"

Only check the source address

"dst" or "server"

Only check the destination address

"both", "all" or *

Check both source and destination addresses

If this attribute is omitted, "both" is used by default, i.e. both source and destination addresses are checked.

The "op" attribute:

The op="..." attribute specifies the type of the comparison operation and may have the following values:

"eq", = or ==

The condition is considered true if the value being checked CONTAINS the specified value

"ne", != or <>

The condition is considered true if the value being checked DOES NOT CONTAIN the specified value

"wc" or "wildcard"

The condition is considered true if the value being checked matches the specified wildcard pattern

"re", "regex" or "regexp"

The condition is considered true if the value being checked matches the specified regular expression

The "value" attribute:

The value="..." attribute specifies the string or pattern that the host name is compared against.

Example:

Drop messages sent to *.yandex.ru.

<?xml version="1.0" encoding="utf-8"?>
<filter name="Message filter" version="1.0">
 <comment>Message filter.</comment>
 
 <table name="main">
   <rule enabled="1">
     <match>
       <c name="hostname" address="server" op="wc" value="*.yandex.ru" />
     </match>
     <action name="drop" />
   </rule>
 
 </table>
</filter>
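
The following Python sketch is an added example, not code from the product: it models the "address" and "op" attributes as documented above so that a pattern can be checked against sample host names before it goes into a rule. The function names, the sample hosts, case-insensitive comparison, shell-style wildcard matching over the whole name, unanchored regular-expression search and the "any host matches" reading of "both" are assumptions.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Attribute aliases exactly as listed on this page.
ADDRESS = {"src": "src", "client": "src", "dst": "dst", "server": "dst",
           "both": "both", "all": "both", "*": "both"}
OPS = {"eq": "eq", "=": "eq", "==": "eq", "ne": "ne", "!=": "ne", "<>": "ne",
       "wc": "wc", "wildcard": "wc", "re": "re", "regex": "re", "regexp": "re"}


def _test(op, host, value):
    host = host.lower()                       # assumption: case-insensitive
    if op == "eq":
        return value.lower() in host          # documented: CONTAINS
    if op == "ne":
        return value.lower() not in host      # documented: DOES NOT CONTAIN
    if op == "wc":                            # assumption: glob over whole name
        return fnmatch.fnmatchcase(host, value.lower())
    # assumption: unanchored search, so anchor the pattern yourself
    return re.search(value, host, re.IGNORECASE) is not None


def hostname_condition(xml_text, src_host, dst_host):
    """Evaluate one <c name="hostname" .../> element against a message."""
    c = ET.fromstring(xml_text)
    if c.tag != "c" or c.get("name") != "hostname":
        raise ValueError("not a hostname condition")
    address = ADDRESS[c.get("address", "both")]   # documented default: "both"
    op = OPS.get(c.get("op"))
    if op is None:
        raise ValueError("unknown or missing op attribute")
    hosts = {"src": [src_host], "dst": [dst_host],
             "both": [src_host, dst_host]}[address]
    # Assumption: with "both", one host satisfying the operation is enough.
    return any(_test(op, h, c.get("value", "")) for h in hosts if h)


if __name__ == "__main__":
    # Constructed destination names, checked against three ways to block yandex.ru.
    rules = {
        "wc": '<c name="hostname" address="server" op="wc" value="*.yandex.ru" />',
        "eq": '<c name="hostname" address="server" op="eq" value="yandex.ru" />',
        "re": r'<c name="hostname" address="server" op="re" value="^(.*\.)?yandex\.ru$" />',
    }
    for dst in ("mail.yandex.ru", "yandex.ru", "yandex.ru.example.net"):
        print(dst, {k: hostname_condition(x, "10.0.0.5", dst) for k, x in rules.items()})
```

Under these assumptions the wildcard rule misses the bare domain, the "eq" rule also fires on an unrelated name that merely contains the string, and the anchored regular expression matches the domain and its subdomains only.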