

Application Filter Tags

This section defines the XML tags used to define NBA application filters.

<applicationfilters>

Contains the application filter tags listed below. It has a single attribute:

enabled

Can be set to:

  • enabled="true"--Enables all NBA application filter groups. You can still disable individual groups of application filters.
  • enabled="false"--Disables all NBA application filters. No application filters are applied to packets passing through the NBA.

For example:

<applicationfilters enabled="true" />
<filtergroup>

Contains tags for a group of related application filters. It supports a single attribute:

enabled

Can be set to:

  • enabled="true"--Enables the filter group. Note that you can still disable individual filters within the group.
  • enabled="false"--Disables the filter group. No filters in this group are applied to packets passing through the NBA.

For example:

<filtergroup enabled="true" />
<groupname>

Defines the name of the filter group. The group name is saved in the nbapolicy.txt diagnostic file to make the file easier to comprehend.

On Bivio 7000 appliances, the Group fields in the Filters screen of the NBA console have exactly the same effect as this policy tag.

This tag supports type and value attributes:

type

Always set to type="stringType".

value

Sets the name of the filter group. For example:

<groupname type="stringType" value="Webmail filters" />
<applicationfilter>

Contains any tags associated with a specific application filter. It supports a single attribute:

enabled

This attribute can be set to:

  • enabled="true"--Enables the filter.
  • enabled="false"--Disables the filter.

For example:

<applicationfilter enabled="true" />
<filtername>

Sets a name for the current filter. The filter name is saved in the nbapolicy.txt diagnostic file to make the file easier to comprehend.

This tag supports type and value attributes:

type

Always set to type="stringType".

value

Sets a description of the filter. For example:

<filtername type="stringType" value="Webmail blocking filter" />
<ipaddrlist>

This tag defines the IP addresses and TCP ports that you want the application filter to match. That is, you can configure the NBA to analyze, prohibit, monitor or ignore files or messages sent from the specified IP addresses (or, for SMTPDEST, sent to them) or transmitted to the specified port numbers. You can specify any combination of IP addresses, address ranges, ports, and port ranges.

This tag supports a single type attribute and one or more nested <element> tags.

type

Always set to type="stringListType". For example:

<ipaddrlist type="stringListType"/>
<element>

Defines a specific IP address or address range. The <element> tag can optionally also specify a port number or port range. You can define multiple <element> tags. Each supports a single value attribute:

value

Defines an IP address, a CIDR address range, an address with a port or port range, or the wildcard *. For example:

<element value="192.160.0.5"/>
<element value="10.0.1/24"/>
<element value="10.0.1.5:128"/>
<element value="192.160.0.5:128-1023"/>
<element value="*"/>
<protocols>

Specifies which object types or application layer protocols to detect. These include email, Webmail, IM and file transfers. You can either set the application filter to detect all protocols or you can selectively target individual protocols.

For example, you may want to monitor ICQ and Yahoo! IM conversations in real time, analyzing and blocking inappropriate comments.

The <objtypes> object types tag in nbaconfig.xml uses the same syntax.

This tag supports a single type attribute and nested <element> tags.

type

Always set to type="stringListType". For example:

<protocols type="stringListType" />
<element>

Defines the protocols that the filter looks for. This tag supports a single value attribute. To specify multiple protocols, use multiple <element> tags.

value

Specifies the actual protocols that the filter looks for. It can be set to:

  • value="ALL"--Filter applies to all the following protocols except HTTPURL. See note 1 below.

To detect multiple protocols of the same type, set the attribute to:

  • value="FTP"--Filter applies to FTPGET and FTPPUT.
  • value="IM_ALL"--Filter applies to ICQIM, JABBERIM, MSNIM, SIPIM and YAHOOIM.
  • value="SMTP"--Filter applies to SMTPDEST and SMTPSRC. See note 2 below.
  • value="WEBMAIL"--Filter applies to AOLMAIL, GMAIL, HOTMAIL and YAHOOMAIL.

To detect specific protocols, set the attribute to:

  • value="AOLIM"--Same protocol as ICQIM. See note 3 below.
  • value="AOLMAIL"
  • value="DELTASYNC"
  • value="FTPGET"
  • value="FTPPUT"
  • value="GMAIL"
  • value="HOTMAIL"
  • value="HTTPGET"
  • value="HTTPPOST"
  • value="HTTPURL"--See note 1 below.
  • value="ICQIM"--Same protocol as AOLIM. See note 3 below.
  • value="JABBERIM"
  • value="MSNIM"
  • value="NNTPGET"
  • value="NNTPPOST"
  • value="POP3"
  • value="SIPIM"
  • value="SKYPE"
  • value="SMB"
  • value="SMTPDEST"--See note 2 below.
  • value="SMTPSRC"--See note 2 below.
  • value="YAHOOIM"
  • value="YAHOOMAIL"

Note 1: ALL does not detect HTTPURL

Be aware that ALL does not detect the HTTPURL protocol. To detect every protocol, including HTTPURL, list both values in your application filter definition:

<protocols type="stringListType">
<element value="ALL"/>
<element value="HTTPURL"/>
</protocols>

Important! Analyzing HTTPURL will create a lot of extra network traffic between the NBA and the policy engines. Only include this protocol when it's really needed.

Note 2: SMTP, SMTPSRC and SMTPDEST

SMTP detects emails coming from or going to a specific set of listed IP addresses. List the addresses in the <ipaddrlist> part of the filter.

SMTPSRC detects emails from listed IP addresses.

SMTPDEST detects emails going to listed IP addresses.

Note 3: AOLIM and ICQIM

These two values are interchangeable: they select the same detector and match the same data streams. In practice, AOL IM traffic is typically encrypted in a way that the NBA cannot decode, whereas ICQ IM traffic can be detected.

<action>

Defaults to 'analyze'. This tag determines how the NBA handles files or messages that match the application filter criteria. You can configure the filter to analyze, monitor, ignore or prohibit these files or messages.

This tag supports type and value attributes:

type

Always set to type="simpleEnumStreamBlock".

value

Defines how the filter handles files or messages arriving at the NBA:

  • value="analyze"--The NBA analyzes the data stream and reassembles the relevant packets into a file or email, which it then passes to a policy engine for processing. When the policy engine returns:

    An 'allow' result, the stream is permitted to pass through the NBA.

    A 'block' result, and the NBA is in active mode, the NBA blocks the data stream.

    A 'block' result, and the NBA is in passive mode, the stream is permitted to pass through the NBA. When a reviewer subsequently searches for this event in the iConsole, the results screen shows that "real-time intervention was not applied to this event".

  • value="monitor"--This is similar to analyze, but crucially the NBA does not block files or messages, even if requested to do so by the policy engine (PE) as a result of processing.

    For example, if a user policy trigger blocks a file but the application filter is only set to monitor, the NBA ignores the PE request to block the file. When a reviewer searches for this file event later, the iConsole search results screen shows that "real-time intervention was not applied to this event".

  • value="ignore"--The NBA ignores packets that meet the filter criteria and permits them to pass through the NBA without interruption.
  • value="prohibit"--When the NBA is in active mode, it blocks packets that meet the filter criteria. They do not pass through the NBA.

    When the NBA is in passive mode, it ignores packets that meet the filter criteria and permits them to pass through the NBA without interruption.
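
The following script is an added example written for this page, not part of the NBA software. It parses a policy fragment built from the tags described above and reports the conditions that silently weaken enforcement: a disabled <applicationfilters> or <filtergroup>, a wrong type attribute, a malformed <ipaddrlist> element, a <protocols> list that relies on ALL without naming HTTPURL, a monitor action (which never blocks), and, when the NBA runs in passive mode, analyze or prohibit actions (which cannot block either). It assumes the nesting implied by each tag's containment description (applicationfilters > filtergroup > applicationfilter), that a missing enabled attribute means enabled, and IPv4 addresses written as full dotted quads or CIDR prefixes. The embedded policy is constructed and deliberately faulty so that every check fires.

```python
# Added example for this page, not Bivio/NBA code. Assumed: the nesting
# applicationfilters > filtergroup > applicationfilter, missing enabled = enabled, IPv4 only.
import ipaddress
import re
import xml.etree.ElementTree as ET

ACTIONS = {"analyze", "monitor", "ignore", "prohibit"}
# type="..." value each documented tag should carry (compared case-insensitively)
EXPECTED_TYPE = {"groupname": "stringType", "filtername": "stringType",
                 "ipaddrlist": "stringListType", "protocols": "stringListType",
                 "action": "simpleEnumStreamBlock", "loglevel": "simpleEnumLogLevel"}
# addr[:port[-port]]; an IPv6 literal would collide with the ':' separator
ELEMENT_RE = re.compile(r"^(?P<addr>[^:]+)(?::(?P<lo>\d+)(?:-(?P<hi>\d+))?)?$")

# Constructed sample, not a policy from a real appliance; deliberately faulty.
SAMPLE_POLICY = """<applicationfilters enabled="true">
  <filtergroup enabled="true">
    <groupname type="stringType" value="Webmail filters"/>
    <applicationfilter enabled="true">
      <filtername type="stringType" value="Webmail blocking filter"/>
      <ipaddrlist type="StringType">
        <element value="192.160.0.5:128-1023"/>
        <element value="10.0.2.7:70000"/>
      </ipaddrlist>
      <protocols type="stringListType"><element value="ALL"/></protocols>
      <action type="simpleEnumStreamBlock" value="monitor"/>
    </applicationfilter>
  </filtergroup>
  <filtergroup enabled="false">
    <groupname type="stringType" value="IM filters"/>
    <applicationfilter enabled="true">
      <filtername type="stringType" value="IM prohibit"/>
      <protocols type="stringListType"><element value="IM_ALL"/></protocols>
      <action type="simpleEnumStreamBlock" value="prohibit"/>
    </applicationfilter>
  </filtergroup>
</applicationfilters>"""

def parse_element(value):
    """Parse an <ipaddrlist> element value into (network, lo_port, hi_port),
    or return None if it is malformed. '*' is the wildcard (any address/port)."""
    if value == "*":
        return (None, None, None)
    m = ELEMENT_RE.match(value)
    if not m:
        return None
    try:  # rejects abbreviated prefixes such as 10.0.1/24; write 10.0.1.0/24
        net = ipaddress.ip_network(m.group("addr"), strict=False)
    except ValueError:
        return None
    lo = hi = None
    if m.group("lo"):
        lo = int(m.group("lo"))
        hi = int(m.group("hi")) if m.group("hi") else lo
        if not 1 <= lo <= hi <= 65535:
            return None
    return (net, lo, hi)

def _enabled(el):
    return el.get("enabled", "true").lower() == "true"

def _name(parent, tag):
    child = parent.find(tag)
    return child.get("value", "?") if child is not None else "?"

def lint(xml_text, passive_mode=False):
    """Return human-readable findings for one <applicationfilters> fragment."""
    root = ET.fromstring(xml_text)
    findings = []
    if not _enabled(root):
        findings.append("<applicationfilters> is disabled: no application filters are applied")
    for el in root.iter():  # wrong type="..." on any documented tag
        want = EXPECTED_TYPE.get(el.tag)
        if want and el.get("type", "").lower() != want.lower():
            findings.append(f"<{el.tag}> has type={el.get('type')!r}, expected {want!r}")
    for group in root.findall("filtergroup"):
        gname = _name(group, "groupname")
        filters = group.findall("applicationfilter")
        if not _enabled(group):
            findings.append(f"group {gname!r} is disabled: its {len(filters)} filter(s) are not applied")
        for flt in filters:
            label = f"filter {_name(flt, 'filtername')!r} in group {gname!r}"
            if not _enabled(flt):
                findings.append(f"{label}: disabled")
            for el in flt.iterfind("ipaddrlist/element"):
                if parse_element(el.get("value", "")) is None:
                    findings.append(f"{label}: malformed <element value={el.get('value')!r}>")
            protos = {el.get("value", "").upper() for el in flt.iterfind("protocols/element")}
            if "ALL" in protos and "HTTPURL" not in protos:
                findings.append(f"{label}: ALL does not include HTTPURL; list it explicitly if URLs matter")
            act = flt.find("action")
            action = act.get("value", "analyze").lower() if act is not None else "analyze"
            if action == "monitor":
                findings.append(f"{label}: action=monitor never blocks, even if the policy engine says block")
            elif passive_mode and action in ("analyze", "prohibit"):
                findings.append(f"{label}: action={action} cannot block while the NBA is in passive mode")
    return findings
```

Run lint(SAMPLE_POLICY, passive_mode=True) against the embedded sample and it reports six findings: the StringType typo on <ipaddrlist>, the out-of-range port, the ALL-without-HTTPURL gap, the monitor action, the disabled group, and the prohibit filter that cannot block in passive mode. Pass passive_mode=False for an appliance running in active mode and the last finding disappears. The type comparison is case-insensitive so that the StringType spelling seen in some examples is tolerated; tighten it to an exact match if your appliance rejects that spelling.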

<loglevel>

Defaults to error. This tag sets the logging level for the current application filter. Log entries are written to the NBA agent management log files. The syntax is the same as the <loglevel> tag for the overall NBA policy; see the Logging Tags section for details.

Under normal conditions, you would set this tag to:

<loglevel type="simpleEnumLogLevel" value="error" />

Other supported values are none, warnings, objects, and debug.
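
A complete application filter assembled from the tags on this page, added here as an example rather than taken from an appliance. The nesting (applicationfilters containing filtergroup, which contains groupname and applicationfilter, which in turn contains the remaining tags) is inferred from the containment each tag's description states; compare it with a policy exported from your own NBA, or with nbapolicy.txt, before relying on it. The addresses and names are made up.

```xml
<applicationfilters enabled="true">
  <filtergroup enabled="true">
    <groupname type="stringType" value="Webmail filters" />
    <applicationfilter enabled="true">
      <filtername type="stringType" value="Webmail blocking filter" />
      <!-- addresses and ports whose traffic this filter matches -->
      <ipaddrlist type="stringListType">
        <element value="10.0.1.0/24" />
        <element value="192.160.0.5:128-1023" />
      </ipaddrlist>
      <!-- WEBMAIL expands to AOLMAIL, GMAIL, HOTMAIL and YAHOOMAIL. HTTPURL is
           not part of WEBMAIL or ALL and costs extra NBA-to-policy-engine
           traffic, so add <element value="HTTPURL" /> only if URLs matter. -->
      <protocols type="stringListType">
        <element value="WEBMAIL" />
      </protocols>
      <!-- analyze: reassembled messages go to a policy engine; its block
           verdict is enforced only when the NBA is in active mode -->
      <action type="simpleEnumStreamBlock" value="analyze" />
      <loglevel type="simpleEnumLogLevel" value="error" />
    </applicationfilter>
  </filtergroup>
</applicationfilters>
```

Setting enabled="false" on the <filtergroup> stops every filter inside it from being applied, whatever the individual <applicationfilter> enabled attributes say, so a disabled group is the first thing to check when a filter appears not to fire.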

More information:

Logging Tags