Types of Filters
Client_ip
- The client_ip data filter is applied to DNS query/response events, IPmeta data, and RPZ events. If the event is a query, specify the query source’s IP address; if the event is a response, specify the destination’s IP address.
- Client_ip can be specified in the following formats:
  - As a single IPv4 or IPv6 address.
    Example: 10.10.1.0, 2620:10a:6000:661e::523
  - As a range of IPv4 addresses: two addresses separated by a dash, with no spaces between the addresses and the dash.
    Example: 10.10.1.0-10.10.2.35
    This format applies to IPv4 only. IPv6 uses CIDR notation.
  - As an IPv4 network address followed by a slash and a dotted-decimal mask, with no spaces between the address, the slash and the mask.
    Example: 10.10.1.0/255.255.255.0
    This format applies to IPv4 only.
  - As a CIDR block: a single IPv4 or IPv6 address followed by a slash and a prefix length, with no spaces between the address and the slash.
    Example: 10.10.0.1/15, 2001:cdba:9abc:5678::/64
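The following is an added example (not Infoblox code) that turns one client_ip filter value in any of the four formats above into a match predicate, rejecting the combinations the list excludes (IPv6 ranges, IPv6 with a dotted mask, embedded spaces); the acceptance rules are assumed from the list and the function names are invented.

```python
import ipaddress
from typing import Callable


def parse_client_ip(spec: str) -> Callable[[str], bool]:
    """Turn one client_ip filter value into a predicate over IP address strings.

    Accepted forms follow the list above: a single IPv4/IPv6 address, an IPv4
    range "a-b", an IPv4 "network/dotted-mask", or an IPv4/IPv6 CIDR block.
    No whitespace is allowed around "-" or "/" (assumed from the list).
    """
    if " " in spec:
        raise ValueError("no spaces are allowed in a client_ip filter")
    if "-" in spec:                                    # IPv4 range "a-b"
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        if lo.version != 4 or hi.version != 4:
            raise ValueError("ranges are IPv4 only; use CIDR for IPv6")
        if lo > hi:
            raise ValueError("range start is after range end")
        # An IPv6 client can never fall inside an IPv4 range.
        return lambda ip: (a := ipaddress.ip_address(ip)).version == 4 and lo <= a <= hi
    if "/" in spec:                                    # network/mask or CIDR
        addr, mask = spec.split("/", 1)
        if "." in mask and ipaddress.ip_address(addr).version != 4:
            raise ValueError("dotted masks are IPv4 only; use CIDR for IPv6")
        # strict=False accepts host bits in the address, e.g. 10.10.0.1/15.
        net = ipaddress.ip_network(spec, strict=False)
        return lambda ip: ipaddress.ip_address(ip) in net
    single = ipaddress.ip_address(spec)                # single address
    return lambda ip: ipaddress.ip_address(ip) == single


def client_ip_matches(spec: str, ip: str) -> bool:
    """Does the address `ip` fall inside the client_ip filter `spec`?"""
    return parse_client_ip(spec)(ip)
```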
DNS Record Type
The DNS Record Type filter can be applied on DNS query/response events and RPZ events. These records provide important details about domains and hostnames.
The following are the DNS Record Type filters:
Filter Type | Field Value | Definition |
---|---|---|
A | 1 | a host address |
AAAA | 28 | IP6 Address |
AFSDB | 18 | for AFS Data Base location |
AMTRELAY | 260 | Automatic Multicast Tunneling Relay |
APL | 42 | APL |
ATMA | 34 | ATM Address |
AVC | 258 | Application Visibility and Control |
AXFR | 252 | transfer of an entire zone |
CAA | 257 | Certification Authority Restriction |
CDS | 59 | Child DS |
CDNSKEY | 60 | DNSKEY(s) the Child wants reflected in DS |
CERT | 37 | CERT |
CNAME | 5 | the canonical name for an alias |
CSYNC | 62 | Child-To-Parent Synchronization |
DHCID | 49 | DHCID |
DNAME | 39 | DNAME |
DNSKEY | 48 | DNSKEY |
DOA | 259 | Digital Object Architecture |
DS | 43 | Delegation Signer |
EID | 31 | Endpoint Identifier |
EUI48 | 108 | an EUI-48 address |
EUI64 | 109 | an EUI-64 address |
GPOS | 27 | Geographical Position |
HINFO | 13 | host information |
HIP | 55 | Host Identity Protocol |
HTTPS | 65 | HTTPS Binding |
IPSECKEY | 45 | IPSECKEY |
ISDN | 20 | for ISDN address |
IXFR | 251 | incremental transfer |
KEY | 25 | for security key |
KX | 36 | Key Exchanger |
LOC | 29 | Location Information |
LP | 107 | |
L32 | 105 | |
L64 | 106 | |
MAILB | 253 | mailbox-related RRs (MB, MG or MR) |
MB | 7 | a mailbox domain name (EXPERIMENTAL) |
MG | 8 | a mail group member (EXPERIMENTAL) |
MINFO | 14 | mailbox or mail list information |
MR | 9 | a mail rename domain name (EXPERIMENTAL) |
MX | 15 | mail exchange |
NID | 104 | |
NS | 2 | an authoritative name server |
NULL | 10 | a null RR (EXPERIMENTAL) |
NSEC | 47 | NSEC |
NSEC3 | 50 | NSEC3 |
NSEC3PARAM | 51 | NSEC3PARAM |
NSAP | 22 | for NSAP address, NSAP style A record |
NSAP-PTR | 23 | for domain name pointer, NSAP style |
NINFO | 56 | NINFO |
NIMLOC | 32 | Nimrod Locator |
NAPTR | 35 | Naming Authority Pointer |
OPT | 41 | OPT |
OPENPGPKEY | 61 | OpenPGP Key |
PTR | 12 | a domain name pointer |
PX | 26 | X.400 mail mapping information |
RP | 17 | for Responsible Person |
RT | 21 | for Route Through |
RRSIG | 46 | RRSIG |
RKEY | 57 | RKEY |
SIG | 24 | for security signature |
SINK | 40 | SINK |
SMIMEA | 53 | S/MIME cert association |
SOA | 6 | marks the start of a zone of authority |
SPF | 99 | Sender Policy Framework is used to indicate to mail exchanges which hosts are authorized to send mail for a domain |
SRV | 33 | Server Selection |
SSHFP | 44 | SSH Key Fingerprint |
SVCB | 64 | Service Binding |
TA | 32768 | DNSSEC Trust Authorities |
TALINK | 58 | Trust Anchor LINK |
TKEY | 249 | Transaction Key |
TLSA | 52 | TLSA |
TSIG | 250 | Transaction Signature |
TXT | 16 | text strings |
URI | 256 | URI |
WKS | 11 | a well known service description |
X25 | 19 | for X.25 PSDN address |
ZONEMD | 63 | Message Digest Over Zone Data |
* | 255 | A request for some or all records the server has available |
ON-PREM HOST
ON-PREM HOST is the display name of the on-prem host. Filtering by substring is allowed.
Examples of ON-PREM HOST filter values:
- iccrvr01.indu.test-example.com
- ZTP_atlasautomation_8722411532980096350
- APIKEY1
- Inblox Test OnPrem
OPHID
OPHID is the unique identifier of the on-prem host. The user can filter on this value or provide a custom-defined OPHID.
Examples of OPHID filter values:
- e7d97bd6548y8bbasd766e3f8f3789jrob6
- 4c168ec9ca885fa5d9ccca0d8dfe793f
- cdc-filter-test
Query FQDN (wildcard)
Filters are evaluated in the order presented above, that is, IP -> dns_view -> member name -> query FQDN. Within one category, filters are evaluated in the order in which they are defined.
Member
The member data filter is applied to DNS query/response events and RPZ events. Specify the name of the Grid member that processed the query. The member data filter is evaluated as a regular expression.
Example: ns2.site1.xyz.com, infoblox.localdomain.*
FQDN Query
The query FQDN data filter is applied to DNS query/response events and RPZ events. A query filter rule combines valid FQDN syntax with wildcard tokens. The following are the FQDN Query rules:
1. Tokens can be on the left and right sides of an FQDN, not in the middle.
2. A rule can have zero, one, or two tokens.
3. If a rule has two tokens, they have to be on the opposite ends of the FQDN.
4. Tokens on the left side must be followed by a dot (except as in rule 6).
5. Tokens on the right side must be preceded by a dot (except as in rule 6).
6. The rule "?" is allowed. This rule is a single token with nothing else; use it to catch an FQDN composed of a single label.
Types of Tokens
Token | Description |
---|---|
* | Zero or more domain name labels; can be on the left side only |
# | One or more domain name labels; can be on the left side only |
? | Exactly one domain name label; can be on the right or left side |
Examples of valid query filter rules
- `*.infoblox.com`
- `amazon.?`
- `*.google.?`
- `#.org`
- `*.cnn.?`
- `#.github.?`
- `facebook.com`
- `?.facebook.com`
- `?`
- `?.`
- `example.?.`
- `?.google.?`
Examples of invalid query filter rules
Rule | Reason |
---|---|
`*infoblox.com` | missing dot after star |
`amazon.???` | "?" is a token, not a regex "?" |
`.*.google.?` | dot before star |
`#.*.org` | two tokens on the left |
`cnn.*` | star on the right |
`*.github.#` | "#" on the right |
`*` | single "*" token is not allowed |
`*.` | single "*" token is not allowed |
`#` | single "#" token is not allowed |
`#.` | single "#" token is not allowed |
`?infoblox.com` | missing dot after "?" |
Token to Regex Conversion
Token | Regex | Description |
---|---|---|
`#` | `([^.]+\.?)+` | One or more labels; each label is one or more characters other than a dot, optionally followed by a dot. |
`*` | `([^.]+\.?)*` | Zero or more labels; each label is one or more characters other than a dot, optionally followed by a dot. |
`?` | `([^.]+\.?)?` | One or more characters other than a dot, optionally followed by a dot. |
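The following is an added example (not Infoblox code) that applies the FQDN Query rules above to validate a rule, then compiles it into an anchored regex using exactly the token-to-regex table, so the valid and invalid examples can be checked mechanically; the shape of a plain label (letters, digits, hyphen, underscore) and the function names are assumptions.

```python
import re

# Token -> regex, exactly as in the conversion table above.
TOKEN_RE = {"#": r"([^.]+\.?)+", "*": r"([^.]+\.?)*", "?": r"([^.]+\.?)?"}
# Assumed shape of a literal (non-token) label; not specified on the page.
LABEL_RE = re.compile(r"[A-Za-z0-9_-]+")


def validate_rule(rule: str):
    """Return None when the rule obeys the FQDN Query rules, else a reason string."""
    if rule == "?":                                   # lone "?" catches one-label FQDNs
        return None
    if rule in ("*", "*.", "#", "#."):
        return f'single "{rule[0]}" token is not allowed'
    body = rule[:-1] if rule.endswith(".") else rule  # trailing dot allowed ("example.?.")
    labels = body.split(".")
    if "" in labels:
        return "empty label: a dot with no label before or after it"
    last = len(labels) - 1
    for i, lab in enumerate(labels):
        if lab in TOKEN_RE:
            if i not in (0, last):
                return "token in the middle of the FQDN"
            if i == last and i != 0 and lab != "?":
                return f'"{lab}" is not allowed on the right side'
        elif not LABEL_RE.fullmatch(lab):
            return f"label {lab!r} is neither a token nor a plain label (missing dot?)"
    return None


def rule_to_regex(rule: str) -> str:
    """Compile a valid rule into an anchored regex using the token table."""
    reason = validate_rule(rule)
    if reason:
        raise ValueError(f"{rule}: {reason}")
    labels = (rule[:-1] if rule.endswith(".") else rule).split(".")
    parts = []
    for i, lab in enumerate(labels):
        if lab in TOKEN_RE:
            parts.append(TOKEN_RE[lab])               # token regex carries its own optional dot
        elif i == len(labels) - 1:
            parts.append(re.escape(lab) + r"\.?")     # rightmost literal: optional root dot
        else:
            parts.append(re.escape(lab) + r"\.")
    return "^" + "".join(parts) + "$"


def matches(rule: str, fqdn: str) -> bool:
    """True when fqdn is matched by the query filter rule."""
    return re.fullmatch(rule_to_regex(rule), fqdn) is not None
```

Because the table's left-side patterns make the dot inside each label optional, `*.google.?` also matches `xgoogle.com`; tighten the left-token patterns if label boundaries must be exact.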