TEXT Condition

<< Click to Display Table of Contents >>

Navigation:  Event and Object Analysis > Capture Results Filtering > Filtration Basics > Rules > Criteria and Conditions >

TEXT Condition

Checks if the message text or subject contains keywords.

Description

This condition checks if the message text or subject contains certain keywords.

It looks for all occurrences of a keyword, not only whole words.

So to say, for each keyword, it tries to match the "*keyword*" pattern.

For example, for "secret" keyword, the condition will match "secret", "sECrEt", "secretary", "insecretory" etc.

The check is case-insensitive.

Format

<с name="text" op="<operation>" value="<compare pattern>" />
<c name="text" op="<operation>" data="<data source>" />

The "name" attribute:

The name attribute specifies the name of the condition: name="text".

The "op" attribute:

The op="..." attribute specifies the check criteria:

all

Looks for messages that have all specified tags.

one

Looks for messages that has at least one of the specified tags.

If the op attribute is omitted, "one" is used by default.

The "value" attribute:

The value="..." attribute lists the keywords. Use comma (",") to separate multiple keywords. Keywords may also be specified in the key-word-list tag value

The "data" attribute:

The data="..." attribute may specify another source of keywords. You can use it to specify long keyword lists instead of specifying them in the value="..." attribute.

Possible values:

data="<extern data name>"

Load the keyword list from an external block in the filter (the ...) tag.

data="extern://<extern data name>"

Load the keyword list from an external block in the filter (the ...) tag. Use commas to separate keywords.

data="file://<full-file-path>"

Load the keyword list from a file. Provide each keyword in a new line (no commas are required).

Example:

<c name="text" op="one" value="secret1, secret2, secret3, secret4" />

or

<c name="text" op="one">secret1, secret2, secret3, secret4</c>

The condition is considered true if the message subject or text contains at least one of the specified keywords: either separately or as parts of other words.

Text examples:

1. Message subject: "RE: secret 1 secret2” — the condition is TRUE.

2. Message subject: "RE: secret3 secret4” — the condition is TRUE.

3. Message text: "I’m sending our secret 1 secret2" — the condition is TRUE.

4. Message subject: "The quick brown fox jumps" — the condition is FALSE.

<c name="text" op="all" value="secret1, secret2" />

or

<c name="text" op="all">secret1, secret2</c>

The condition is considered true if the message subject or text contains both specified keywords either separately or as parts of other words.

Text examples:

1. Message subject: "RE: secret1 secret2” — the condition is TRUE.

2. Message subject: "RE: secret1 from the accounting” — the condition is FALSE.

3. Message text: "I’m sending our secret2" — the condition is FALSE.

4. Message text: "I’m sending our secret1 from secret2" — the condition is TRUE.

<c name="text" op="one" data="dictionary.txt" />

Load the keyword list from the "dictionary.txt" file.

Example:

Accept messages with keywords from the keywords list for further processing. Drop all other messages.

<?xml version="1.0" encoding="utf-8"?>
<filter name="Message filter" version="1.0">
 <comment>Message filter.</comment>
 
 <table name="main">
 
   <rule enabled="1">
     <comment></comment>
     <match>
       <c name="text" data="extern://keywords" />
     </match>
     <action name="accept" />
   </rule>
 
   <rule enabled="1">
     <action name="drop" />
   </rule>
 
 </table>
 
 <data name="keywords">
       secret1,
       secret2,
       secret3,
       secret4
 </data>
 
</filter>