Documentation Version: er2.0.28-docs-1.1

Global Filters

Global Filters allow you to set up filters to automatically exclude or ignore matches based on the set filter rules.

You can add a Global Filter from the Global Filter Manager page, or through Remediation by marking matches as False Positive or Test Data while remediating them.

Global Managers can export, import, and add Global Filters. Users who are not Global Managers can only edit existing Global Filters that apply to Targets or Target Groups for which they have Manager permissions. Users with Reader permissions for specific Targets or Target Groups can only view entries for these Targets and Target Groups in the Global Filter Manager page.

View Global Filters

The Global Filters Manager displays a list of filters and the Targets they apply to. Filters created by marking exclusions when taking remedial action will also be displayed here (see Remediation).

Use the options in the Filter by… section to narrow the list of filters displayed.

Add a Global Filter

To add a global filter:

  1. On the top-right corner of the Global Filter Manager page, click +Add.
  2. From the drop-down list, select a Filter Type:

    Filter Type

    Description

    Exclude location by prefix

    Exclude search locations with paths that begin with a given string. Can be used to exclude entire directory trees.

    For example, exclude all files and folders in the c:\windows\system32 folder.

    Exclude location by suffix

    Exclude search locations with paths that end with a given string.

    For example, entering led.jnl excludes files and folders such as cancelled.jnl and totalled.jnl.

    Exclude locations by expression

    Excludes search locations by expression. The syntax of the expressions you can use is as follows:

    ?: A wildcard character that matches exactly one character; ??? matches 3 characters. If placed at the end of an expression, it also matches zero characters. C:\V??? matches C:\V123 and C:\V1, but not C:\V1234.

    *: A wildcard character that matches zero or more characters in a search string. /directory-name/* matches all files in the directory. /directory-name/*.txt matches all txt files in the directory.

    Include locations within modification date

    Include search locations modified within a given range of dates.

    Prompts you to select a start date and an end date. Files and folders that fall outside of the range set by the selected start and end date are not scanned.

    Include locations modified recently

    Include search locations modified within a given number of days from the current date.

    For example, enter 14 to include only files and folders that have been modified within the 14 days before the current date.

    Exclude locations greater than file size (MB)

    Exclude files that are larger than a given file size (in MB).

    Ignore exact match

    Ignore matches that match a given string exactly.

    For example, when you enter 4419123456781234, the search ignores the 4419123456781234 match.

    Ignore match by prefix

    Ignore matches that begin with a given string.

    For example, setting this to 4419 ignores matches found during scans that begin with 4419, such as 4419123456781234.

    Ignore match by expression

    Ignore matches found during scans if they match a given expression.

    ?: A wildcard character that matches exactly one character; ??? matches 3 characters. If placed at the end of an expression, it also matches zero characters. V??? matches V123 and V1, but not V1234.

    *: A wildcard character that matches zero or more characters in a search string. Entering * on its own ignores all matches.

    • *123 matches all strings that end with 123.
    • 123* matches all strings that begin with 123.

    PCRE

    To enter a Perl Compatible Regular Expression (PCRE), select Enable full regular expressions support.

    Add test data

    Report a match as test data if it matches a given string exactly.

    For example, setting this to 4419123456781234 reports matches that match the string 4419123456781234 exactly as test data.

    Add test data prefix

    Report matches that begin with a given string as test data.

    For example, setting this to 4419 reports matches that begin with 4419 as test data, such as 4419123456781234.

    Add test data expression

    Report matches as test data if they match a given expression. The syntax of the expressions you can use is as follows:

    ?: A wildcard character that matches exactly one character; ??? matches 3 characters. If placed at the end of an expression, it also matches zero characters. V??? matches V123 and V1, but not V1234.

    *: A wildcard character that matches zero or more characters in a search string. Entering * on its own matches every string, so all matches are reported as test data.

    • *123 matches all strings that end with 123.
    • 123* matches all strings that begin with 123.
  3. (From ER 2.0.18) In Apply to, select the Target Group and Target the filter applies to.
  4. Click Ok.

Import and Export Filters

Importing and exporting filters allows you to move filters from one ER2 installation to another. This is also useful if you are upgrading from Data Recon, Card Recon, or are moving from an older installation of ER2.

You can import from or export to the following file formats:

Portable XML File

This section shows how filters are described in XML files.

These XML files follow a few basic rules. The following tags are used in the XML file for global filters:

XML Tags

Description

<filter>

This is the root element that is required in XML files that describe global filters. All defined global filters must be within the filter tag.

<level>

This tag defines the realm that the filter is applied to. It is one of:

  1. global : Filter applies to all Targets.
  2. group : Filter is only applied to a specific Group.
  3. target : Filter is only applied to a specific Target.

<name>

Name of the Group or Target that the filter is applied to. Only required when level is group or target.

<filter type>

This tag defines the filter type and expression. Refer to the Filter Types table to understand how to set up different filters.

Filter Types

Filter Type

Description and Syntax

Exclude location by prefix

Exclude search locations with paths that begin with a given string. Can be used to exclude entire directory trees.

Syntax: <location-exclude>prefix*</location-exclude>

<location-exclude>/root*</location-exclude>
This excludes all files and folders in the /root folder.

Exclude location by suffix

Exclude search locations with paths that end with a given string.

Syntax: <location-exclude>*suffix</location-exclude>

<location-exclude>*.gzip</location-exclude>
This excludes all files and folders such as example.gzip and files.gzip.

Exclude locations by expression

Excludes search locations by expression.

Syntax: <location-exclude>expression</location-exclude>

<location-exclude>C:\W??????</location-exclude>
This excludes locations like C:\Windows and C:\Win, but not C:\Windows1234.

Include locations within modification date

Include search locations modified within a given range of dates by specifying a start date and an end date.

Syntax: <modified-between>YYYY-MM-DD - YYYY-MM-DD</modified-between>

<modified-between>2018-1-1 - 2018-1-31</modified-between>
This includes only locations that have been modified between 1 January 2018 and 31 January 2018.

Include locations modified recently

Include search locations modified within a given number of days from the current date.

Syntax: <modified-within>number of days</modified-within>

<modified-within>10</modified-within>
This includes locations that have been modified within 10 days from the current date.

Exclude locations greater than file size (MB)

Exclude files that are larger than a given file size (in MB).

Syntax: <modified-maxsize>file size in MB</modified-maxsize>

<modified-maxsize>1024</modified-maxsize>
This excludes files that are larger than 1024 MB.

Ignore exact match

Ignore matches that match a given string exactly.

Syntax: <match-exclude>string</match-exclude>

<match-exclude>&lt;&lt;&lt;DataType&gt;&gt;&gt;</match-exclude>
This ignores matches that match the literal string <<<DataType>>>.

Ignore match by prefix

Ignore matches that begin with a given prefix.

Syntax: <match-exclude>string*</match-exclude>

<match-exclude>MyDT*</match-exclude>
This ignores matches that begin with MyDT, such as MyDT123.

Ignore match by expression

Ignore matches found during scans if they match a given expression.

Syntax: <match-exclude>expression</match-exclude>

<match-exclude>*DataType?</match-exclude>
This ignores matches that contain the string DataType followed by exactly one character, such as MyDataType0 and DataType1.

Add test data

Report a match as test data if it matches a given string exactly.

Syntax: <match-test>string</match-test>

<match-test>TestData</match-test>
This reports matches as test data if they match the literal string TestData.

Add test data prefix

Report matches that begin with a given string as test data.

Syntax: <match-test>string*</match-test>

<match-test>TestData*</match-test>
This reports matches as test data if they begin with TestData, such as TestData123.

Add test data expression

Report matches as test data if they match a given expression.

Syntax: <match-test>expression</match-test>

<match-test>*TestData?</match-test>
This reports matches as test data if they contain the string TestData followed by exactly one character, such as MyTestData0 and TestData1.

Example

<filter>
  <!-- These filters apply to all Targets -->
  <global>
    <location-exclude>*.gzip</location-exclude>
    <location-exclude>*FOOBAR*</location-exclude>
    <match-test>*@example.com</match-test>
    <modified-maxsize>2048</modified-maxsize>
  </global>
  <!-- These filters apply only to the Group My-Default-Group (level: group) -->
  <group>
    <name>My-Default-Group</name>
    <modified-between>2018-1-1 - 2018-1-15</modified-between>
  </group>
  <!-- These filters apply only to the Target host My-Windows-Machine (level: target) -->
  <target>
    <name>My-Windows-Machine</name>
    <match-exclude>1234567890</match-exclude>
    <modified-within>3</modified-within>
  </target>
</filter>
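The wildcard rules from the Filter Types table and the Portable XML layout above, worked through as an added example that is not ER2's own code: it reads a constructed filter file, collects the rules that apply to one Target, and classifies sample paths and matches. It assumes matching is case-sensitive, that a trailing run of ? may also match fewer characters (as the ? rule states, so *DataType? would also accept a bare DataType), and that match-exclude takes precedence over match-test; the page states none of these.

```python
import re
import xml.etree.ElementTree as ET

def wildcard_to_regex(expr):
    """Translate an ER2-style wildcard expression into an anchored regex.

    Rules as the page states them: * matches zero or more characters and
    ? matches exactly one, except that a run of ? at the very end of the
    expression may also match fewer characters (C:\\V??? matches C:\\V1 and
    C:\\V123 but not C:\\V1234). Case-sensitive matching is an assumption."""
    core = expr.rstrip("?")
    trailing = len(expr) - len(core)
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in core]
    if trailing:
        parts.append(".{0,%d}" % trailing)
    return "^" + "".join(parts) + "$"

def wildcard_match(expr, value):
    return re.fullmatch(wildcard_to_regex(expr), value) is not None

# Constructed filter file in the Portable XML layout (not a real ER2 export).
SAMPLE_XML = """<filter>
  <global>
    <location-exclude>*.gzip</location-exclude>
    <location-exclude>C:\\V???</location-exclude>
    <location-exclude>*tableA/columnB</location-exclude>
    <match-exclude>4419*</match-exclude>
    <match-test>*@example.com</match-test>
  </global>
  <target>
    <name>My-Windows-Machine</name>
    <match-exclude>*DataType?</match-exclude>
  </target>
</filter>"""

def load_rules(xml_text, target=None, group=None):
    """Collect (tag, expression) pairs from the global level plus the
    <group>/<target> blocks whose <name> matches the scan being run."""
    rules = []
    for level in ET.fromstring(xml_text):
        name = level.findtext("name")
        applies = level.tag == "global" or (
            name and (level.tag, name) in {("group", group), ("target", target)})
        if applies:
            rules += [(r.tag, r.text or "") for r in level if r.tag != "name"]
    return rules

def location_excluded(rules, path):
    """True when any location-exclude rule matches the full path."""
    return any(t == "location-exclude" and wildcard_match(e, path) for t, e in rules)

def classify_match(rules, text):
    """'ignored' (match-exclude) is checked before 'test-data' (match-test);
    this precedence is an assumption, the page does not state which wins."""
    if any(t == "match-exclude" and wildcard_match(e, text) for t, e in rules):
        return "ignored"
    if any(t == "match-test" and wildcard_match(e, text) for t, e in rules):
        return "test-data"
    return "reported"
```

The *tableA/columnB rule shows the database suffix syntax from the next section: it excludes mydb/tableA/columnB but not mydb/tableB/columnB.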

Filter Columns in Databases

Filter out columns in databases by using the "Exclude location by suffix" filter to specify the columns or tables to exclude from the scan.

Description

Syntax

Exclude a specific column across all tables in a database.

<column name>

To filter out "columnB" for all tables in a database, enter columnB.

Exclude a specific column in a particular table.

<table name>/<column name>

To filter out "columnB" only for "tableA" in a database, enter tableA/columnB.

Filtering locations for all Target types uses the same syntax. For example, an "Exclude location by suffix" filter for columnB, when applied to a database, excludes columns named columnB from the scan. If the same filter is applied to a Linux file system, it excludes all file paths that end with columnB (e.g. /usr/share/columnB).

Use the Apply to field if the Global Filter only needs to be applied to a specific Target Group or Target.

Database index and primary keys

Certain tables or columns, such as a database index or primary key, cannot be excluded from a scan. If a filter applied to the scan excludes these tables or columns, the scan will ignore the filter.