ADM rules syntax

The ADM rules are very similar to C expressions.

The main difference is a more extensive set of literals (numbers, strings, regular expressions, IP addresses, MAC addresses, and Booleans). String terms can be compared with string and regex literals to test their content, and with numbers to test their length. Numeric, IP address, and MAC address terms can only be compared with a literal of the same type. The one exception is that any term can be treated as a Boolean to test for its existence. Some terms can have multiple values; a session carrying a PDF file inside a .zip file has both values in its type term, so the following rule triggers for PDF files inside .zip files: type == application/zip && type == application/pdf.

Table 1: Operators

Operator  Description       Example
&&        Logical AND       protocol == http && type == image/gif
||        Logical OR        time.hour < 8 || time.hour > 18
^^        Logical XOR       email.from == "a@b.com" ^^ email.to == "a@b.com"
!         Unary NOT         !(protocol == http || protocol == ftp)
==        Equal             type == application/pdf
!=        Not equal         srcip != 192.168.0.0/16
>         Greater           objectsize > 100M
>=        Greater or equal  time.weekday >= 1
<         Less              objectsize < 10K
<=        Less or equal     time.hour <= 6

Table 2: Literals

Literal  Example
Number   1234, 0x1234, 0777, 16K, 10M, 2G
String   "a string"
Regex    /[A-Z][a-z]+/
IPv4     1.2.3.4, 192.168.0.0/16, 192.168.1.0/255.255.255.0
MAC      aa:bb:cc:dd:ee:ff
Bool     true, false

Table 3: Type operator compatibility

Type    Operators             Notes
Number  ==, !=, >, >=, <, <=
String  ==, !=                Compare the content of the string with a String or Regex literal
String  >, >=, <, <=          Compare the length of the string with a Number literal
IPv4    ==, !=
MAC     ==, !=
Bool    ==, !=                Compare against true/false; an implied comparison with true is also supported, so a bare term tests for its presence: the rule email.bcc on its own tests whether the email.bcc term occurs
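The following Python script is an added illustration of the syntax and type rules above; it is example code written for this page, not the product's own rule engine. It tokenizes an ADM-style rule, parses it with C-like precedence, and evaluates it against a session modelled as a dictionary mapping each term to a list of values. The session layout, the rule that a comparison on a multi-valued term holds when any one value satisfies it, the typing of session values as int, str or IPv4Address, and the decision that ! applies to the comparison or parenthesised group that follows it are assumptions of the example, not documented behaviour.

```python
import ipaddress
import operator
import re

# Added example, not the product's own rule engine.  A session is modelled as
# {term: [values]} because a term may carry several values (a PDF inside a ZIP gives two
# "type" values); a comparison holds if ANY value satisfies it (an assumption, as is typing).
TOKEN_RE = re.compile(r"""\s*(?:
    (?P<op>&&|\|\||\^\^|==|!=|>=|<=|[!<>()])
  | (?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}) | (?P<bool>true|false)(?![\w.])
  | (?P<ip>\d{1,3}(?:\.\d{1,3}){3}(?:/(?:\d{1,3}(?:\.\d{1,3}){3}|\d{1,2}))?)
  | (?P<num>0x[0-9A-Fa-f]+|\d+[KMG]?) | (?P<str>"(?:[^"\\]|\\.)*")
  | (?P<re>/(?:[^/\\]|\\.)*/) | (?P<word>[A-Za-z_][\w.]*(?:/[\w.+-]+)?)
)?""", re.X)
CMP = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       ">=": operator.ge, "<": operator.lt, "<=": operator.le}
SIZE = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
SAMPLE_SESSION = {  # constructed sample (not captured traffic): a PDF inside a ZIP over HTTP
    "protocol": ["http"], "type": ["application/zip", "application/pdf"], "time.hour": [20],
    "srcip": [ipaddress.ip_address("10.1.2.3")], "objectsize": [3 * 1024 ** 2], "email.to": ["a@b.com"]}

def tokenize(rule):
    pos, tokens = 0, []
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if m.end() == pos:
            raise SyntaxError(f"unexpected input at {rule[pos:]!r}")
        pos = m.end()
        if m.lastgroup:
            tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens + [(None, None)]                       # end-of-input sentinel

def parse_number(text):
    """Number literal as in C (0x hex, leading 0 octal) plus the K/M/G size suffixes."""
    if text.startswith("0x"):
        return int(text, 16)
    if text[-1] in SIZE:
        return int(text[:-1]) * SIZE[text[-1]]
    return int(text, 8) if len(text) > 1 and text[0] == "0" else int(text)
CONVERT = {"num": parse_number, "str": lambda t: t[1:-1].replace('\\"', '"'),
           "re": lambda t: re.compile(t[1:-1]), "ip": lambda t: ipaddress.ip_network(t, strict=False),
           "bool": lambda t: t == "true", "mac": str.lower, "word": str}   # word: http, application/pdf

def compare(value, op, kind, lit):
    """One comparison on one term value, enforcing the Table 3 type rules."""
    if kind == "num":                                    # a string vs a number: its length
        value = len(value) if isinstance(value, str) else value
        if not isinstance(value, int): raise TypeError("numbers need a numeric or string term")
        return CMP[op](value, lit)
    if op not in ("==", "!="):
        raise TypeError(f"{op} is only valid against a number literal")
    if kind == "ip":
        if not isinstance(value, ipaddress.IPv4Address): raise TypeError("IP literals need an IP term")
        hit = value in lit
    elif not isinstance(value, str):
        raise TypeError(f"{kind} literals compare only with string terms")
    else:                                                # str, word, re, mac
        hit = (lit.search(value) is not None if kind == "re"
               else (value.lower() if kind == "mac" else value) == lit)
    return hit if op == "==" else not hit

def evaluate(node, session):
    op = node[0]
    if op == "or":  return evaluate(node[1], session) or evaluate(node[2], session)
    if op == "xor": return evaluate(node[1], session) != evaluate(node[2], session)
    if op == "and": return evaluate(node[1], session) and evaluate(node[2], session)
    if op == "not": return not evaluate(node[1], session)
    if op == "exists": return bool(session.get(node[1]))  # bare term: implied "== true"
    _, term, cmp, kind, lit = node
    if kind == "bool":                                   # any term can be tested for presence
        return CMP[cmp](bool(session.get(term)), lit)
    return any(compare(v, cmp, kind, lit) for v in session.get(term, []))

class Parser:
    # Recursive descent: ! binds to the next comparison or group, then && > ^^ > ||.
    LEVELS = (("||", "or"), ("^^", "xor"), ("&&", "and"))
    def __init__(self, rule): self.toks, self.i = tokenize(rule), 0
    def take(self): self.i += 1; return self.toks[self.i - 1]
    def expr(self, level=0):
        if level == len(self.LEVELS): return self.unary()
        sym, name = self.LEVELS[level]
        node = self.expr(level + 1)
        while self.toks[self.i] == ("op", sym):
            self.take(); node = (name, node, self.expr(level + 1))
        return node
    def unary(self):
        kind, text = self.take()
        if (kind, text) == ("op", "!"): return ("not", self.unary())
        if (kind, text) == ("op", "("):
            node = self.expr()
            if self.take() != ("op", ")"): raise SyntaxError("expected ')'")
            return node
        if kind != "word": raise SyntaxError(f"expected a term, got {text!r}")
        if self.toks[self.i][1] in CMP:                  # a comparison follows the term
            cmp = self.take()[1]
            lkind, ltext = self.take()
            if lkind in (None, "op"): raise SyntaxError(f"expected a literal after {cmp}")
            return ("cmp", text, cmp, lkind, CONVERT[lkind](ltext))
        return ("exists", text)
def match(rule, session):
    parser = Parser(rule); node = parser.expr()
    if parser.toks[parser.i] != (None, None): raise SyntaxError("trailing input")
    return evaluate(node, session)
```

With the constructed session, match("type == application/zip && type == application/pdf", SAMPLE_SESSION) and match("srcip != 192.168.0.0/16", SAMPLE_SESSION) return True, the bare term email.bcc returns False, and comparisons that Table 3 forbids, such as an IP term against a string literal or a string term with >, raise TypeError rather than silently evaluating to false. Regex literals are compiled with Python's re module, which does not accept the POSIX bracket classes or the \e escape listed in Table 4; rules that rely on those need a translation step or the third-party regex module.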

Table 4: ADM regex grammar

Basic operators
|        Alternation (or)
*        Zero or more
+        One or more
?        Zero or one
( )      Grouping, for example (a|b)
{ }      Repeating range: {x}, {,x}, {x,} or {x,y}
[ ]      Range, for example [0-9a-z] or [abc]
[^ ]     Exclusive range, for example [^abc] or [^0-9]
.        Any character
\        Escape character

Escapes
\d       Digit [0-9]
\D       Non-digit [^0-9]
\e       Escape (0x1B)
\f       Form feed (0x0C)
\n       Line feed (0x0A)
\r       Carriage return (0x0D)
\s       White space
\S       Not white space
\t       Tab (0x09)
\v       Vertical tab (0x0B)
\w       Word character [A-Za-z0-9_]
\W       Not a word character
\x00     Hexadecimal representation of a character
\0000    Octal representation of a character
^        Start of line
$        End of line

Note: The start of line and end of line anchors (^ and $) don't work for objcontent.

POSIX character classes
[:alnum:]   Digits and letters
[:alpha:]   All letters
[:ascii:]   ASCII characters
[:blank:]   Space and tab
[:cntrl:]   Control characters
[:digit:]   Digits
[:graph:]   Visible characters
[:lower:]   Lowercase letters
[:print:]   Visible characters and spaces
[:punct:]   Punctuation and symbols
[:space:]   All whitespace characters
[:upper:]   Uppercase letters
[:word:]    Word characters
[:xdigit:]  Hexadecimal digits