ADM rule term types

All terms in an ADM rule have a specific type.

Each term is either an IP address, a MAC address, a number, a string, or a boolean. In addition there are two extra literal types: regular expressions and lists. A term of a specific type can generally only be compared against a literal of the same type or a list of literals of the same type (or a list of lists of ...). There are three exceptions to this rule:

  1. A string term can be compared against a numeric literal to test its length. The following rule triggers if a password is fewer than eight characters long (password is a string term): password < 8
  2. A string term can be compared against a regular expression. The following rule triggers if a password only contains lower case letters: password == /^[a-z]+$/

  3. All terms can be tested against boolean literals to test whether they occur at all. The following rule triggers if an email has a CC address (email.cc is a string term): email.cc == true
Type Format description
IP addresses
  • IP address literals are written in standard dotted-quad notation, they are not enclosed in quotes: 192.168.1.1
  • IP addresses can have a mask written in standard CIDR notation, there must not be any white space between the address and the mask: 192.168.1.0/24
  • IP addresses can also have masks written out in long form: 192.168.1.0/255.255.255.0
Mac addresses
  • MAC address literals are written using standard notation, as with IP addresses, they are not enclosed in quotes: aa:bb:cc:dd:ee:ff

Numbers
  • All numbers in ADM rules are 32-bit integers. They can be written in decimal: 1234
  • They can be written in hexadecimal: 0xabcd
  • They can be written in octal: 0777
  • They can have a multiplier appended to multiply by 1024 (K), 1048576 (M) or 1073741824 (G): 10M
Strings
  • Strings are enclosed in double quotes: "this is a string"
  • Strings can use standard C escape sequences: "\tThis is a \"string\" containing\x20escape sequences\n"
  • When comparing a term against a string, the whole term must match the string. If an email message has a from address of someone@somewhere.com then the following rule will not trigger: email.from == “@somewhere.com”
  • To match only a part of a term, a regular expression literal should be used instead. String literals must be used when possible because they are more efficient.
Note: All email address and URL terms are normalized before matching so it is not necessary to take account of things like comments within email addresses.
Booleans
  • The boolean literals are true and false.
Regular expressions
  • Regular expression literals use the same notation as languages like Javascript and Perl, enclosing the regular expression in forward slashes: /[a-z]+/
  • Regular expressions can be followed by standard modifier flags, though "i" is the only one currently recognized (case-insensitive): /[a-z]+/i
  • Regular expression literals should use the POSIX Extended syntax. Currently Perl extensions work for all terms except the content term but this might change in future versions.

  • When comparing a term against a regular expression, the regular expression matches any substring within the term unless anchor operators are applied within the regular expression. The following rule triggers if an email is seen with an address of “someone@somewhere.com”: email.from == /@somewhere.com/

Lists
  • List literals consist of one or more literals enclosed in square brackets and separated by commas: [1, 2, 3, 4, 5]

  • Lists might contain any kind of literal, including other lists: [192.168.1.1, [10.0.0.0/8, 172.16.128.0/24]]

  • Lists must only contain one kind of literal, it's not valid to mix strings and numbers, strings and regular expressions, IP addresses and MAC addresses.

  • When a list is used with any relational operator other than not-equal (!=), then the expression is true if the term matches any literal in the list. The following rule triggers if the source IP address matches any of the IP addresses in the list: srcip == [192.168.1.1, 192.168.1.2, 192.168.1.3]

  • It is equivalent to: srcip == 192.168.1.1 || srcip == 192.168.1.2 || srcip == 192.168.1.3

  • When used with the not-equal (!=) operator, the expression is true if the term doesn't match all of the literals in the list. The following rule triggers if the source IP address is not 192.168.1.1 or 192.168.1.2: srcip != [192.168.1.1, 192.168.1.2]

  • It is equivalent to: srcip != 192.168.1.1 && srcip != 192.168.1.2

  • Lists might also be used with the other relational operators, though it doesn't make a lot of sense. The following rule triggers if the object size is greater than 100 or if the object size is greater than 200: objectsize > [100, 200]

  • It is equivalent to: objectsize > 100 || objectsize > 200