<< Click to Display Table of Contents >> Navigation: Event and Object Analysis > Capture Results Filtering > Prefiltering HTTP Requests > Conditions > IP Condition |
Checks if the client or server IP addresses belong to a range or a subnet.
Description
This condition checks if the client or server IP addresses belong to a range or a subnet.
Please note:
Unwanted traffic should be isolated as early as possible. This affects the performance of Microolap EtherSensor and the runtime environment.
1. It is recommended to isolate all traffic from a certain IP address or a range of addresses in the EtherSensor EtherCAP service IP filter.
2. It is recommended to isolate certain HTTP traffic from a specific IP address or a range of addresses (if it is possible to specify such criteria) in an HTTP prefilter, but not at the message analysis stage.
3. It is recommended to filter certain messages from a specific IP address in the message filter.
Format
<с name="ip" address="<address type>" value="<ip-range>" />
The "name" attribute:
The name attribute specifies the name of the condition - name="ip".
The "address" attribute:
The address="..." attribute specifies the address type to check. Possible values:
src or client
Check the source address
dst or server
Check the destination address
The "value" attribute:
The value="..." provides a value for the comparison. Possible values:
ipaddress
Checks if the IP address is equal to this value. For example: value="192.168.0.10"
ip1-ip2
Checks if the IP address is within this range. For example: value="192.168.0.1-192.168.0.10"
ip/netmask
Checks if the IP address belongs to the specified subnet. For example: value="192.168.0.1/255.255.255.0"
ip/netmaskbits
Checks if the IP address belongs to the specified subnet. For example: value="192.168.0.1/24"
Example
Drop all messages from 192.168.0.15.
<?xml version="1.0" encoding="utf-8"?>
<filter name="HTTP filter" version="1.0">
<comment>HTTP filter.</comment>
<table name="main">
<rule enabled="1">
<comment>
Discard messages from 192.168.0.15.
</comment>
<match>
<c name="ip" address="client" value="192.168.0.15" />
</match>
<action name="drop" />
</rule>
<rule enabled="1">
<action name="accept" />
</rule>
</table>
</filter>