Where clauses
The where clauses are an optional part of the ECF and establish restrictive selection criteria. A where clause consists of the keyword where followed by the criteria within square brackets.
The criteria portion of the statement is a logical combination of expressions about the slots of the event.
The where clauses can use logical combination operators, as described in, and any of the following condition operators:
equals (==) | within | matches
not_equals (!=) | outside | ip_greater_or_equals
greater_than (>) | has_prefix | ip_smaller_or_equals
greater_or_equal (>=) | has_suffix | ip_matches
smaller_than (<) | contains | ip_matched_by
smaller_or_equals (<=) | contains_one_of | superclass_of
between | contained_in | subclass_of
MRL primitives, functions, and operations also can be used in expressions. An exhaustive list can be found in MRL-functions-and-primitives.
In the following example, the where clause requires that the mc_host slot of the event under analysis is literally set to 'thishost'.
where [
$APEV.mc_host == 'thishost';
]
The syntax in the next example requires that the mc_host slot of the event under analysis be literally set to 'thishost', or to 'thathost' if the source does not contain NT.
where [
$APEV.mc_host == 'thishost' OR
$APEV.mc_host == 'thathost' AND
NOT $APEV.source contains 'NT'
]
You can write the same rule by using parentheses to specify priority or precedence, as shown in the following example:
where [
($APEV.mc_host == 'thishost') OR
(($APEV.mc_host == 'thathost') AND
(NOT ($APEV.source contains 'NT')));
]
You can also use parentheses to alter the precedence. In the following example, the OR operator would be evaluated first because it is enclosed in parentheses.
where [
($APEV.mc_host == 'thishost' OR
$APEV.mc_host == 'thathost')
AND $APEV.source contains 'NT';
]
For information about the order of precedence for combination operators, see Combination-operators.
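The following Python model is an added example, not part of the MRL documentation. It evaluates the last two where clauses above (default precedence versus the parenthesized OR) against a constructed set of sample events, so you can see which events each grouping selects and where the two disagree; the MRL `contains` operator is assumed to be a case-sensitive substring match.

```python
# Added example (not from the MRL documentation): a Python model of the last
# two where clauses, showing how default precedence (AND evaluated before OR)
# and explicit parentheses select different events.
# The events below are constructed sample slot dictionaries, not real events.

SAMPLE_EVENTS = [
    {"id": 1, "mc_host": "thishost", "source": "NT_SECURITY"},
    {"id": 2, "mc_host": "thishost", "source": "SYSLOG"},
    {"id": 3, "mc_host": "thathost", "source": "SYSLOG"},
    {"id": 4, "mc_host": "thathost", "source": "NT_SYSTEM"},
    {"id": 5, "mc_host": "otherhost", "source": "NT_SYSTEM"},
]


def where_default_precedence(ev):
    """$APEV.mc_host == 'thishost' OR $APEV.mc_host == 'thathost'
       AND NOT $APEV.source contains 'NT'

    Without parentheses AND binds tighter than OR, so this reads as
    thishost OR (thathost AND NOT contains 'NT')."""
    # 'contains' is assumed to be a case-sensitive substring match.
    return ev["mc_host"] == "thishost" or (
        ev["mc_host"] == "thathost" and "NT" not in ev["source"]
    )


def where_parenthesized(ev):
    """($APEV.mc_host == 'thishost' OR $APEV.mc_host == 'thathost')
       AND $APEV.source contains 'NT'

    The parentheses force the OR to be evaluated first."""
    return (ev["mc_host"] == "thishost" or ev["mc_host"] == "thathost") and (
        "NT" in ev["source"]
    )


def matching_ids(predicate, events=SAMPLE_EVENTS):
    """Return the ids of the events selected by a where-clause predicate."""
    return [ev["id"] for ev in events if predicate(ev)]


def disagreements(events=SAMPLE_EVENTS):
    """Events on which the two groupings disagree: the rule fires under one
    grouping but not the other, which is exactly what to check when
    reviewing operator precedence in a correlation rule."""
    return [ev["id"] for ev in events
            if where_default_precedence(ev) != where_parenthesized(ev)]


if __name__ == "__main__":
    print("default precedence :", matching_ids(where_default_precedence))
    print("parenthesized      :", matching_ids(where_parenthesized))
    print("disagree on        :", disagreements())
```

Only event 1 ('thishost' with an NT source) and event 5 (neither host) are treated the same way by both groupings; the other three events are selected by one clause and rejected by the other.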