Filtering
The dashboard allows you to filter/search alerts by keyword or by regular expression. This wiki entry explains how that matching works.
1. General Knowledge
The code that determines a match is contained in the Alerts class (resources/Classes/Alerts.class.php). The method is this:
<?php
public function patternMatch() {
    // No filter, or an empty filter box: every alert matches.
    if( !isset($_GET['myKeywords']) )
        return true;
    if( $_GET['myKeywords'] == null || empty($_GET['myKeywords']) )
        return true;
    // Note: PHP has already URL-decoded $_GET, so this decodes a second time
    // (a literal '+' typed in the box ends up as a space, '%41' as 'A').
    $pattern = urldecode($_GET['myKeywords']);
    // All six fields are concatenated with no separator, so a match can
    // span the boundary between two fields.
    $haystack = $this->_alertGroup
              . $this->_alertSystemSource
              . $this->_alertLogSource
              . $this->_alertRuleID
              . $this->_alertRuleMsg
              . $this->_origMsg;
    // An entry starting with '/' is assumed to be a PCRE pattern and is
    // passed to preg_match() as-is, delimiters and modifiers included.
    if( preg_match('/^\//',$pattern) ) {
        return preg_match($pattern, $haystack); // 1, 0, or false if the pattern is invalid
    } else {
        // Case-insensitive substring search; returns the matched tail or false.
        return stristr($haystack, $pattern);
    }
}
?>
The method returns a truthy value when the alert matches the filter and a falsy one otherwise: preg_match() returns 1 or 0 (or false when the pattern is invalid), and stristr() returns the matching remainder of the string or false. As you can see, this is a pretty simplistic way to do things. I do intend to expand on this in the future.
2. Keyword Matching
You can type whatever you want in the filter box and a case-insensitive substring match is applied to the concatenation of all six parts of the alert (group, system source, log source, rule ID, rule message and original message). Because the parts are joined with no separator, a keyword can also match across the boundary between two of them. If it's a match, you'll see it in your results.
3. Regular Expressions
Any filter entry that begins with a / is treated as a regular expression. The whole entry, delimiters and modifiers included, is passed as the pattern to the PHP preg_match() function. For example: /clamav.*update/i
This means the entry has to be a valid PCRE pattern as preg_match() expects it: a leading delimiter, the pattern, the closing delimiter and optional modifiers. An invalid pattern (or one that exceeds pcre.backtrack_limit) makes preg_match() return false with a PHP warning, so no alerts are shown. It also means a plain path such as /var/log is parsed as a regex with "log" as its modifiers and is rejected; escape the slashes (/\/var\/log/) to search for it. Ref: www.php.net/preg_match
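To see the keyword and regex rules in action outside the dashboard, here is an added example (not the project's code) that re-implements the same decision logic as a stand-alone PHP script and runs it over two constructed alerts. The array keys and the alertMatches() name are assumptions made for the example; as in patternMatch(), the six fields are joined with no separator.

```php
<?php
// Added example (not the project's code): a stand-alone re-implementation of
// the patternMatch() decision rule so it can be run from the CLI.

// Constructed sample alerts. The keys mirror the six properties that
// patternMatch() concatenates; they are assumptions, not the project's schema.
$alerts = [
    [
        'group'        => 'syslog,',
        'systemSource' => 'web01',
        'logSource'    => '/var/log/messages',
        'ruleID'       => '52502',
        'ruleMsg'      => 'ClamAV database update process started',
        'origMsg'      => 'freshclam[1234]: ClamAV update process started',
    ],
    [
        'group'        => 'sshd,authentication_failed,',
        'systemSource' => 'web02',
        'logSource'    => '/var/log/auth.log',
        'ruleID'       => '5716',
        'ruleMsg'      => 'SSHD authentication failed.',
        'origMsg'      => 'sshd[2222]: Failed password for invalid user admin from 203.0.113.9 port 4444 ssh2',
    ],
];

// Same rule as the dashboard: an empty filter matches everything, an entry
// beginning with "/" is a PCRE pattern, anything else is a case-insensitive
// substring search. Returns a real bool rather than the raw result of
// preg_match()/stristr().
function alertMatches(array $alert, string $keywords): bool
{
    if ($keywords === '') {
        return true;
    }
    // Fields are joined with no separator, exactly as in patternMatch(),
    // so a pattern can match across a field boundary.
    $haystack = implode('', $alert);

    if ($keywords[0] === '/') {
        // The whole entry is the pattern, delimiters and modifiers included.
        // An invalid pattern makes preg_match() emit a warning and return
        // false; @ silences the warning and preg_last_error() is reported instead.
        $result = @preg_match($keywords, $haystack);
        if ($result === false) {
            fwrite(STDERR, "pattern {$keywords} rejected (preg_last_error=" . preg_last_error() . ")\n");
            return false;
        }
        return $result === 1;
    }
    // stristr() returns the matched tail or false; compare explicitly so a
    // tail of "0" is not mistaken for "no match".
    return stristr($haystack, $keywords) !== false;
}

// Filters exercising each branch; run the script to see which rule IDs each selects.
$filters = [
    '',                        // empty box: the "match everything" rule
    'clamav',                  // keyword branch, case-insensitive
    '/clamav.*update/i',       // the regex from this wiki entry
    '/^sshd,/',                // anchored: the group is the first concatenated field
    '/failed.*203\.0\.113\./', // "failed" sits in ruleMsg, the IP in origMsg: spans two fields
    '/var/log',                // starts with "/": parsed as delimiter /, pattern var, modifiers log, so rejected
    '/\/var\/log/',            // the escaped form that searches for the literal path
    '/[unclosed/',             // invalid PCRE: rejected, selects nothing
];

foreach ($filters as $f) {
    $hits = [];
    foreach ($alerts as $a) {
        if (alertMatches($a, $f)) {
            $hits[] = $a['ruleID'];
        }
    }
    printf("%-26s -> %s\n", $f === '' ? '(empty)' : $f, $hits ? implode(', ', $hits) : 'no match');
}
```

Run it with `php filter_demo.php` (the file name is arbitrary). The two points worth watching on stderr and stdout are the cross-field regex, which matches only because the fields are concatenated without a separator, and the two path entries: the unescaped one is rejected as an invalid pattern, the escaped one finds both log sources.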