Criteria (matches) and condition


The criteria (match) of a rule are set with the <match> XML tag and determine whether the rule's action is performed for a given message.

The match of a rule consists of one or more conditions combined with the boolean operations AND, OR, XOR and NOT, so criteria can be written as logical expressions over conditions.

Example:

<rule>
 <match>
   <c name="all" />
 </match>
 <action name="drop" />
</rule>

This match consists of a single condition, all, which holds for every message, so this rule drops every message.

Conditions in criteria

A condition is an atomic check of a message or its metadata and is defined with the <condition> or <c> XML tag. For a given message a condition is either fulfilled, and is then considered TRUE, or not fulfilled, and is then considered FALSE.

The name attribute of a condition defines what exactly is checked for the message. Other attributes of the tag supply the condition's parameters; the attribute names for these additional parameters depend on the condition.

The general structure of the XML tag of a condition:

<condition name="The name of the condition." [additional parameters] />

or

<condition name="The name of the condition." [additional parameters] >
</condition>

or

<c name="The name of the condition." [additional parameters] />

or

<c name="The name of the condition." [additional parameters] ></c>

Most conditions use the value="…" attribute, which specifies the values to check in the condition, or the data="…" attribute, which may name an external file from which the check loads its data (word sets, domain name lists or other parameters). The specific attributes of each condition and how they are checked are described in the sections for the corresponding conditions.

Logical expressions in matches

When you need to create a rule with a complex match containing multiple conditions, these conditions can be combined into logical expressions using the AND, OR, XOR, NOT boolean operations. Logical operations in XML tags are specified as follows:

<and> … </and>:

Corresponds to ( … & … & … & … ) - all the conditions inside the <and> tag are connected with the AND boolean operation.

<or> … </or>:

Corresponds to ( … | … | … | … ) - all the conditions inside the <or> tag are connected with the OR boolean operation.

<xor> … </xor>:

Corresponds to ( … ^ … ^ … ^ … ) - all the conditions inside the <xor> tag are connected with the XOR boolean operation.

<not> … </not>:

Corresponds to !(…) - the negation is applied to the single condition or expression nested inside the <not> tag.

For example:

<and>
 <c name="ccc1"/>
 <c name="ccc2"/>
</and>

means (ccc1 & ccc2),

and the following match:

<not><c name="ccc1"/></not>

means not (ccc1).

Logical operation tags can be nested inside one another to any depth.

For example:

<and>
 <c name="ccc1"/>
 <or>
   <c name="ccc2"/>
   <c name="ccc3"/>
 </or>
 <or>
   <c name="ccc4"/>
   <c name="ccc5"/>
   <not><c name="ccc6"/></not>
 </or>
</and>

means (ccc1 & (ccc2 | ccc3) & (ccc4 | ccc5 | !ccc6)). That is, the criteria from this example are met for a message if ccc1 is true, and (ccc2 or ccc3) is true, and (ccc4 or ccc5 is true, or ccc6 is false). Note that every <c> tag is closed (either self-closing, <c … />, or with an explicit </c>); an unclosed <c name="…"> is not well-formed XML.

For clarity, this match can be split into condition blocks; the match holds when all of the following checks return TRUE:

1) The ccc1 condition must be true for the message

AND

2) One of the conditions (ccc2 or ccc3) must be true for the message

AND

3) One of the conditions (ccc4 or ccc5) must be true for the message, OR the ccc6 condition must be false for the message.
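The following evaluator shows how a match tree built from <c>/<condition> tags and the <and>, <or>, <xor> and <not> operators is interpreted against a message. It is an added example written for this page, not the product's own rule engine. The condition all is taken from the page; the other condition names used here (sender_domain, subject_contains, size_over) and the message fields they read are hypothetical stand-ins that illustrate the value="…" attribute, and the sample messages are constructed. Multi-operand XOR is evaluated as the chained ( … ^ … ^ … ) the page writes, i.e. true when an odd number of operands are true, and <not> is required to have exactly one operand.

```python
"""Evaluator for <rule>/<match> criteria trees (added example, not product code)."""
import operator
import xml.etree.ElementTree as ET
from functools import reduce

# A message is modelled as a plain dict of metadata (constructed for this example).
Message = dict

# Condition registry: name -> callable(message, attributes) -> bool.
# "all" comes from the page; the other three are hypothetical examples of
# conditions that read their parameter from the value="..." attribute.
CONDITIONS = {
    "all": lambda msg, attrs: True,
    "sender_domain": lambda msg, attrs: (
        msg.get("from", "").rsplit("@", 1)[-1].lower() == attrs["value"].lower()
    ),
    "subject_contains": lambda msg, attrs: (
        attrs["value"].lower() in msg.get("subject", "").lower()
    ),
    "size_over": lambda msg, attrs: msg.get("size", 0) > int(attrs["value"]),
}

OPERATORS = {"and", "or", "xor", "not"}


def evaluate(node: ET.Element, msg: Message) -> bool:
    """Recursively evaluate one <c>/<condition> element or one boolean operator."""
    tag = node.tag
    if tag in ("c", "condition"):
        name = node.get("name")
        if name not in CONDITIONS:
            raise ValueError(f"unknown condition {name!r}")
        return bool(CONDITIONS[name](msg, node.attrib))
    if tag in OPERATORS:
        operands = [evaluate(child, msg) for child in node]
        if tag == "not":
            if len(operands) != 1:
                raise ValueError("<not> takes exactly one operand")
            return not operands[0]
        if not operands:
            raise ValueError(f"<{tag}> needs at least one operand")
        if tag == "and":
            return all(operands)
        if tag == "or":
            return any(operands)
        # Chained ^ over n operands: true when an odd number of operands are true.
        return reduce(operator.xor, operands)
    raise ValueError(f"unexpected element <{tag}> inside <match>")


def check_well_formed(xml_text: str) -> bool:
    """True if the fragment parses as XML (an unclosed <c name="..."> does not)."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def rule_action(rule_xml: str, msg: Message):
    """Return the rule's action name if its match holds for msg, otherwise None."""
    rule = ET.fromstring(rule_xml)
    match, action = rule.find("match"), rule.find("action")
    if match is None or action is None:
        raise ValueError("a rule needs both <match> and <action>")
    exprs = list(match)
    if len(exprs) != 1:
        # Assumption of this example: a <match> holds exactly one expression tree.
        raise ValueError("<match> must contain exactly one condition or operator")
    return action.get("name") if evaluate(exprs[0], msg) else None


# Same nesting as the (ccc1 & (ccc2 | ccc3) & (ccc4 | ccc5 | !ccc6)) example above,
# with the placeholders replaced by the hypothetical conditions registered above.
RULE = """
<rule>
  <match>
    <and>
      <c name="sender_domain" value="example.org"/>
      <or>
        <c name="subject_contains" value="invoice"/>
        <c name="subject_contains" value="payment"/>
      </or>
      <or>
        <c name="size_over" value="1000000"/>
        <not><c name="subject_contains" value="internal"/></not>
      </or>
    </and>
  </match>
  <action name="drop"/>
</rule>
"""

# Constructed sample messages: HIT satisfies every block, MISS fails the third one.
HIT = {"from": "billing@example.org", "subject": "Your invoice", "size": 2048}
MISS = {"from": "billing@example.org", "subject": "Internal invoice", "size": 2048}

if __name__ == "__main__":
    print(rule_action(RULE, HIT))   # drop
    print(rule_action(RULE, MISS))  # None
```

Conditions are evaluated eagerly here so that a malformed subtree (an unknown condition name, an empty <and>, a <not> with two children) is reported even when another operand would already decide the result; a production engine may short-circuit, in which case such errors only surface for messages that reach that branch.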