|
<< Click to Display Table of Contents >> Navigation: Event and Object Analysis > Capture Results Filtering > Filter Use Cases > Message Filtering by URL |
If a URL contains words <forum, phorum, post, submit> for get method, we need to label this message as "user reads forums".
Check URL and HTTP request method using the HTTP filter. To check the URL, use the "url" condition. To check the HTTP method, use the "method" condition.
The HTTP filter file may look like this:
<?xml version="1.0" encoding="utf-8"?>
<filter name="HTTP filter" version="1.0">
<table name="main">
<rule enabled="true">
<comment>
Detect requests possibly related to forums.
</comment>
<match>
<and>
<c name="method"
value="GET"/>
<c name="url"
op="re"
value="http://.*/.*(forum|phorum|post|submit).*" />
</and>
</match>
<action name="tag" value="USER_READS_FORUMS"/>
</rule>
<rule enabled="true">
<action name="accept" />
</rule>
</table>
</filter>
For a detailed description of the "url" and "method" filtering conditions, refer to "URL Condition" and "METHOD Condition" sections.
1. Remember that at the stage of the HTTP filtering, messages don't exist; the traffic will be checked for these messages later. However, labels and tags set for requests at this stage will be saved to the message (if the message is extracted from these requests). These labels and tags will be available for the check in the message filter and later will be available as X-Sensor-Tags and X-Sensor-Labels headers.
2. Remember that the "url" condition gets the entire URL of the request, including the host name (i.e. http://www.mail.ru/mail/read.php?some=parameter¶m2). Account for this in the check condition.