Filtering messages for particular hosts


Problem

For requests to the sites *baender*.com, benderlog.ru and banderlog.biz, processing of such messages must be stopped and all data stored about them destroyed.

Solution Logic

There are two options to solve the problem:

1. Ignore all traffic to hosts with the specified names in the HTTP filter. To do this, use a filtering condition on the "Host" HTTP request header.

2. Delete messages sent to the specified hosts in the message filter. To do this, resolve DNS names and use a "hostname" filtering condition.

Option 1 is recommended because it filters the unnecessary data out at an earlier stage, which decreases the workload on Microolap EtherSensor and improves its overall performance.

Solution

1. Option 1 - ignore the traffic at an earlier stage using the HTTP filter.

The HTTP filter file may look like this:

<?xml version="1.0" encoding="utf-8"?>
<filter name="HTTP filter" version="1.0">
 <table name="main">
 
   <rule enabled="true">
     <match>
       <or>
         <c name="req-header"
            headername="Host"
            op="wc"
            value="*baender*.com*"/>
         <c name="req-header"
            headername="Host"
            op="eq"
            value="benderlog.ru"/>
         <c name="req-header"
            headername="Host"
            op="eq"
            value="banderlog.biz"/>
       </or>
     </match>
     <action name="drop" />
   </rule>
 
   <rule enabled="true">
     <action name="accept" />
   </rule>
 
 </table>
</filter>

For a detailed description of the "req-header" filtering condition, refer to the "REQ-HEADER, RESP-HEADER Condition" section.

2. Option 2 - delete the messages in the message filter.

Make sure DNS name resolution is enabled. The message filter file may look as follows:

<?xml version="1.0" encoding="utf-8"?>
<filter name="Message filter" version="1.0">
 
 <table name="main">
 
   <rule enabled="1">
     <match>
       <or>
         <c name="hostname"
            address="server"
            op="wc"
            value="*baender*.com*" />
         <c name="hostname"
            address="server"
            op="eq"
            value="benderlog.ru" />
         <c name="hostname"
            address="server"
            op="eq"
            value="banderlog.biz" />
       </or>
     </match>
     <action name="drop"/>
   </rule>
 
   <rule enabled="1">
     <action name="accept" />
   </rule>
 
 </table>
</filter>

For a detailed description of the "hostname" filtering condition, refer to the "HOSTNAME Condition" section.

Comments and General Recommendations

1. In option 1, note that the check of the host name from the Host header against the "*baender*.com*" wildcard mask uses "*" both at the beginning and at the end of the mask. At the beginning it is required because the host name may be preceded by subdomain labels (for example, www.baender.com or 123.baender.com). At the end it is required because the host name in the Host header may be followed by a destination port (for example, baender.com:80). The equality check ("eq") only searches for a substring within a string, so "eq" with the value "benderlog.ru" also matches www.benderlog.ru and benderlog.ru:80.

2. In option 2, the hostname condition generally requires DNS names to be resolved first. In this case, however (only the destination host is checked, and only for HTTP), it is not necessary, because the host value is available from the Host HTTP header.
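To see how the option 1 rules and the mask semantics from comment 1 behave on concrete Host values, here is an added Python example. It is not EtherSensor code and not the product's filter engine: it parses a filter file with the same structure as the HTTP filter above (constructed inline) and applies it to sample Host headers. Assumptions made here, which the page does not state explicitly: the first matching enabled rule wins, a rule without "match" matches everything, children of "match" are ANDed, comparisons are case-insensitive, "wc" is a shell-style wildcard mask, "eq" is a substring search as comment 1 describes, and only the "req-header" condition is modelled.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed filter file mirroring the HTTP filter shown on this page (not the product's own file).
HTTP_FILTER_XML = """<?xml version="1.0" encoding="utf-8"?>
<filter name="HTTP filter" version="1.0">
 <table name="main">
   <rule enabled="true">
     <match>
       <or>
         <c name="req-header" headername="Host" op="wc" value="*baender*.com*"/>
         <c name="req-header" headername="Host" op="eq" value="benderlog.ru"/>
         <c name="req-header" headername="Host" op="eq" value="banderlog.biz"/>
       </or>
     </match>
     <action name="drop"/>
   </rule>
   <rule enabled="true">
     <action name="accept"/>
   </rule>
 </table>
</filter>
"""


def wildcard_matches(host, mask):
    """'wc' operator as assumed here: shell-style mask ('*' matches any run of characters),
    compared case-insensitively (Host header values are case-insensitive)."""
    return fnmatch.fnmatchcase(host.lower(), mask.lower())


def substring_matches(host, value):
    """'eq' operator as comment 1 on this page describes it: a substring search."""
    return value.lower() in host.lower()


def condition_matches(cond, headers):
    """Evaluate one <c> element. Only name="req-header" is modelled (assumption).
    `headers` is a dict with lower-cased header names."""
    if cond.get("name") != "req-header":
        raise ValueError("only req-header conditions are modelled in this example")
    header_value = headers.get(cond.get("headername", "").lower(), "")
    op = cond.get("op")
    if op == "wc":
        return wildcard_matches(header_value, cond.get("value", ""))
    if op == "eq":
        return substring_matches(header_value, cond.get("value", ""))
    raise ValueError(f"unsupported op {op!r}")


def node_matches(node, headers):
    """Recursive evaluation of <match>/<or>/<and>/<c>. <match> and <and> AND their
    children, <or> ORs them (assumed structure, following the page's examples)."""
    if node.tag == "c":
        return condition_matches(node, headers)
    if node.tag == "or":
        return any(node_matches(child, headers) for child in node)
    if node.tag in ("and", "match"):
        return all(node_matches(child, headers) for child in node)
    raise ValueError(f"unsupported element <{node.tag}>")


def evaluate(filter_xml, headers):
    """Return the action name ('drop'/'accept') of the first enabled rule in table 'main'
    that matches, or None when no rule matches (the page's filters end with a
    catch-all accept rule, so None would indicate a filter without one)."""
    root = ET.fromstring(filter_xml.encode("utf-8"))
    table = root.find("table[@name='main']")
    for rule in table.findall("rule"):
        # Both spellings appear on this page: enabled="true" and enabled="1".
        if rule.get("enabled", "").lower() not in ("1", "true"):
            continue
        match = rule.find("match")
        if match is None or node_matches(match, headers):
            return rule.find("action").get("name")
    return None


if __name__ == "__main__":
    # Constructed sample Host values: the ones comment 1 discusses plus a non-matching host.
    for host in ["www.baender.com", "baender.com:80", "123.baender.com",
                 "www.benderlog.ru", "benderlog.ru:80", "banderlog.biz", "www.example.com"]:
        print(f"{host:20s} -> {evaluate(HTTP_FILTER_XML, {'host': host})}")
    # Why the leading '*' matters: without it, a subdomain prefix breaks the match.
    print("www.baender.com vs baender*.com ->", wildcard_matches("www.baender.com", "baender*.com"))
```

The last line of the script shows the point of comment 1: a mask written as "baender*.com" does not match www.baender.com, while "*baender*.com*" matches it together with the port-suffixed form baender.com:80. Note that both the trailing "*" and the substring behaviour of "eq" also match longer names that merely contain the pattern (for example a host such as benderlog.ru.example), so check a mask against the hosts you want to keep as well as those you want to drop.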