Filters
- Last Updated: April 5, 2026
Filters can be configured in Settings → Processing → Filters.
Correct configuration of the flow data sources and of the logical network topology improves the results obtained by the detection methods and the overall predictive capability of the ADS module. The basic distinguishable entity in the module is an IP address. When an event is detected, it is bound to the responsible IP address and to the flow data source on which it was detected. This implies several limitations where IP addresses are allocated dynamically and a stable allocation of the same IP address to each network device is not guaranteed: in such a case, direct responsibility of a particular user for the detected event cannot be derived.
A filter is a named logical grouping of arbitrary IP addresses. Each filter has a unique name and includes an unrestricted number of IP address ranges. Filters are also used by detection methods to limit the range of addresses relevant to each detection method.
There are two types of filters: atomic and relational. Atomic filters are defined and stored directly as IP address ranges (see below for the accepted formats). Relational filters are defined as relations on other filters; a relation can be the union or difference of several filters, the inversion of a single filter, or a combination of these. Relational filters are stored as their relation definition, not as the resulting ranges, so when a constituent filter is changed, the dependent relational filter changes accordingly.
IP addresses of filters can be entered in the following ways:
- Network address with mask (prefix length), for IP version 4 and 6 (for example, 192.168.1.0/24, fc00::/7)
- Range of IP addresses, for IP versions 4 and 6 (for example, 10.0.1.2-10.0.1.10, fe80::-fe80::ffff)
- Single IP address, for IP version 4 and 6 (for example, 192.168.2.1, 2001:db8::beef), or a comma-separated list of single IP addresses
- Wildcard notation for IPv4 addresses (enumeration, range, all); only a single wildcard can be used in one IP address. Examples:
  - 192.168.{1,3,20}.1: IP addresses 192.168.1.1, 192.168.3.1 and 192.168.20.1
  - 10.[1-3].0.0: IP addresses 10.1.0.0, 10.2.0.0 and 10.3.0.0
  - 172.16.*.1: same as 172.16.[0-255].1
You may import filter definitions from a text file by clicking Import Atomic Filters. Each line of the file specifies one item of a filter and consists of an IP address definition and a filter name, separated by a semicolon. The IP address can be specified in the same way as when defining a filter manually. If a filter name in the file already exists, you will be notified and the import will fail. If the checkbox Overwrite and skip the problematic is checked, the IP ranges of existing filters with the same name as in the uploaded file are replaced by those from the file; if the filter that would be overwritten is a relational filter, the import of that filter is skipped.
Example of filter definition file:
192.168.1.0/24;LAN
192.168.10.0-192.168.10.25;LAN
192.168.1.1 ;SMTP
Both atomic and relational filters are shown in one configuration table with the possibility of filtering by type. Above the table, there is a search field that allows full-text search in all columns.
Example of filter configuration: consider an organization that monitors its network at two points. The first point, connected to probe ports 1 and 2, is the Internet connection behind a firewall, monitored through a TAP. The second point is the organization's central switch, connected to probe port 3 through a SPAN port.
What to perform in the ADS module:
- Set up the WAN data source, which represents the Internet connection, and the LAN data source, which represents the central switch.
- Export the data from probe ports 1 and 2 into the WAN source and the data from probe port 3 into the LAN source.
- Create a filter "LANout" comprising the addresses 192.168.1.0/24 and bind it to the WAN source.
- Create a filter "LANin", also comprising the addresses 192.168.1.0/24, and bind it to the LAN source.
- Activate detection of instant messaging services on the LANout filter; this detection does not make sense for internal communication.
If the filters were not bound to the flow data sources, detection of instant messaging would be duplicated (identical data would be processed twice).
When creating a relational filter, the dialog window allows you to define the relations as a filter union (the Add operation) or a filter subtraction (the Subtract operation). The operation can be combined with inversion of the given filter. The new filter can be saved as an atomic one by choosing the Atomize option (the IP address ranges are stored instead of the relation definition).
Relational filters can be edited, atomized or deleted using the relevant buttons. It is also possible to show which filters depend on a given filter.
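The following Python script is an added example and not Flowmon's own code; it models the filter definitions described on this page so that the rules can be checked offline. It parses every address notation listed above and the semicolon-separated import-file format, rejects more than one wildcard per address, refuses an import that reuses an existing name unless overwriting is requested (and then skips relational filters), and evaluates relational filters built from Add and Subtract steps with optional inversion. Atomizing a relational filter is simply storing the result of `evaluate` in place of its relation. The function and filter names, the `Relational` tuple and the sample import file are assumptions made for this example.

```python
# Added example (not Flowmon's code): a model of the ADS filter definitions
# described on this page. All names and sample data are constructed.
import ipaddress
import re
from collections import namedtuple

ADDRESS_SPACE = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
Relational = namedtuple("Relational", "steps")  # steps: [(op, filter_name, inverted), ...]

def expand_wildcards(text):
    """Expand the IPv4 wildcard forms {a,b}, [lo-hi] and * into plain addresses; one wildcard only."""
    octets = text.split(".")
    wild = [i for i, o in enumerate(octets) if not o.isdigit()]
    if len(octets) != 4 or not wild:          # IPv6 or plain IPv4: nothing to expand
        return [text]
    if len(wild) > 1:
        raise ValueError(f"only one wildcard per address: {text}")
    i, o = wild[0], octets[wild[0]]
    if o == "*":
        values = range(256)
    elif o[0] == "{" and o[-1] == "}":
        values = [int(v) for v in o[1:-1].split(",")]
    elif o[0] == "[" and o[-1] == "]":
        lo, hi = o[1:-1].split("-")
        values = range(int(lo), int(hi) + 1)
    else:
        raise ValueError(f"bad octet {o!r} in {text}")
    return [".".join(octets[:i] + [str(v)] + octets[i + 1:]) for v in values]

def normalize(nets):
    """Merge overlapping/adjacent blocks per IP version (collapse_addresses refuses mixed input)."""
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return out

def parse_definition(text):
    """One IP definition in any documented form -> list of ip_network blocks."""
    nets = []
    for part in map(str.strip, re.split(r",(?![^{]*})", text)):  # commas outside {...} separate addresses
        if "/" in part:                                           # network address with mask
            nets.append(ipaddress.ip_network(part, strict=False))
        elif "-" in part and "[" not in part:                     # first-last range
            lo, hi = (ipaddress.ip_address(p.strip()) for p in part.split("-"))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:                                                     # single address or wildcard form
            nets.extend(ipaddress.ip_network(a) for a in expand_wildcards(part))
    return normalize(nets)

def subtract(a, b):
    """Address set A minus B; two CIDR blocks either nest or are disjoint."""
    result = list(a)
    for bn in b:
        kept = []
        for an in result:
            if not an.overlaps(bn):                # disjoint (or different IP version): keep
                kept.append(an)
            elif not an.subnet_of(bn):             # bn lies inside an: punch a hole
                kept.extend(an.address_exclude(bn))
        result = kept                              # an inside bn: dropped entirely
    return normalize(result)

def evaluate(name, filters):
    """Resolve a filter to IP blocks. Relational filters are evaluated from their stored
    relation, so a change in a constituent filter propagates; Atomize stores this result."""
    value = filters[name]
    if not isinstance(value, Relational):
        return value
    acc = []
    for op, operand_name, inverted in value.steps:
        operand = evaluate(operand_name, filters)
        if inverted:
            operand = subtract(ADDRESS_SPACE, operand)
        acc = normalize(acc + operand) if op == "add" else subtract(acc, operand)
    return acc

def import_atomic_filters(text, filters, overwrite=False):
    """Load 'definition;name' lines; an existing name aborts unless overwrite, relational ones are skipped."""
    new = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        definition, name = (s.strip() for s in line.split(";", 1))
        new.setdefault(name, []).extend(parse_definition(definition))
    if not overwrite and any(n in filters for n in new):
        raise ValueError("a filter name already exists; nothing imported")
    for name, nets in new.items():
        if not isinstance(filters.get(name), Relational):   # never overwrite a relational filter
            filters[name] = normalize(nets)

# Constructed import file in the page's format (one item per line).
IMPORT_FILE = """\
192.168.1.0/24;LAN
192.168.10.0-192.168.10.25;LAN
192.168.1.1 ;SMTP
"""

def demo():
    """Import the sample file, add a relational filter (LAN minus SMTP) and resolve everything."""
    filters = {}
    import_atomic_filters(IMPORT_FILE, filters)
    filters["LAN-noSMTP"] = Relational([("add", "LAN", False), ("subtract", "SMTP", False)])
    return {name: [str(n) for n in evaluate(name, filters)] for name in filters}
```

Running `demo()` shows the LAN range split into CIDR blocks and LAN-noSMTP as the /24 with a one-address hole. Subtracting an inverted filter is the way to express an intersection (LAN minus NOT SMTP leaves only the addresses in both), which the dialog's Add/Subtract/invert controls can express.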