Overview
Filtering rules exclude operations that match specific conditions from auditing. Because the system does not audit these operations, the device's limited disk space is reserved for valuable audit data.
There are three filtering methods:
Filter by IP: Set trusted IP addresses, and the system will not audit SQL requests initiated from these IP addresses.
Filter by SQL template: Set trusted SQL templates. If the template of a SQL statement matches one of the configured filtering templates, the statement is not audited.
Filter by rules: Exclude operations from auditing based on specific conditions. The rules include client information, server information, SQL requests, and SQL results.
Add Filter-by-IP Rules
Filtering by IP treats the client IP addresses you add as trusted (on the trustlist) and does not audit any information associated with these IP addresses. To add a new filter-by-IP rule, follow the steps below:
Note:
By default, the non-audit IP addresses added here apply to all assets, whether they are collected through bypass mirroring or Agent log collection. That is, after a non-audit IP address is added, no audit is performed on any client or server in those assets that matches the non-audit IP address. Add entries with caution.
1. In the left menu, select Configure Rules > Filtering Rules to enter the "Filtering Rules" page, and select the Filter by IP tab.
2. Click Add to enter the "New IP Filter" page and edit the name and IP address to be excluded from the audit. See the table below for detailed configuration.
Parameter | Description |
Name | Must consist of Chinese characters, letters, numbers, underscores (_), dots (.) or dashes (-), and be no longer than 64 characters. |
Non-audit IP Addresses | The format is IP/mask length. Multiple entries can be configured; separate them with commas (,). Example: 1.2.3.4/32,10.0.0.0/8. |
3. Then, click Save to complete the configuration of filter-by-IP rules.
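A pre-submission check for the non-audit IP list described above, as an added example that is not part of the product or its documentation: it validates the rule name and each IP/mask entry, flags broad ranges, and lists which known hosts would stop being audited. The `min_prefix` threshold, the character range used for "Chinese characters", and the sample inventory are assumptions.

```python
import ipaddress
import re

# Naming rule from the table above. Assumption: "Chinese characters" is taken
# to mean the CJK Unified Ideographs block U+4E00..U+9FFF.
NAME_RE = re.compile(r"[\u4e00-\u9fffA-Za-z0-9_.\-]{1,64}")

# Constructed sample inventory (hypothetical hosts), not data from the product.
INVENTORY = {
    "app-server-01": "10.20.30.40",
    "dba-workstation": "192.168.5.17",
    "backup-job": "1.2.3.4",
}

def review_non_audit_list(name, entries, inventory, min_prefix=24):
    """Check a proposed filter-by-IP rule before it is saved.

    Returns (networks, findings, blind_spots). min_prefix is a hypothetical
    local policy: IPv4 prefixes shorter than it are flagged as too broad.
    """
    findings, networks = [], []
    if not NAME_RE.fullmatch(name):
        findings.append(f"name {name!r} violates the naming rule")
    for raw in entries.split(","):
        item = raw.strip()
        if "/" not in item:
            findings.append(f"{item!r}: missing mask length (expected IP/mask)")
            continue
        try:
            # strict=True rejects entries such as 10.0.0.5/8 with host bits set
            net = ipaddress.ip_network(item, strict=True)
        except ValueError as exc:
            findings.append(f"{item!r}: {exc}")
            continue
        networks.append(net)
        if net.version == 4 and net.prefixlen < min_prefix:
            findings.append(f"{net}: exempts {net.num_addresses} addresses from audit")
    # Hosts whose SQL traffic would no longer be audited once the rule is saved
    blind_spots = sorted(host for host, ip in inventory.items()
                         if any(ipaddress.ip_address(ip) in n for n in networks))
    return networks, findings, blind_spots

if __name__ == "__main__":
    nets, findings, blind = review_non_audit_list(
        "trusted_etl.v1", "1.2.3.4/32,10.0.0.0/8", INVENTORY)
    for line in findings:
        print("FINDING:", line)
    print("Unaudited hosts:", blind)
```

Run it against your own asset inventory before saving a rule; any host listed as unaudited should be an intentional exemption.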
Enable Filter-by-SQL-Template Rules
Filtering by SQL template provides users with common and trusted SQL templates to reduce false alarms and improve alarm accuracy. The system has built-in templates of common non-violating SQL statements for some common databases, and these templates apply to all corresponding databases by default. To enable filter-by-SQL-template rules, perform the following steps:
1. In the left menu, select Configure Rules > Filtering Rules to enter the "Filtering Rules" page, and select the Filter by SQL Template tab.
2. Select the SQL templates that need to be enabled or disabled and click Enable Selected Items.
3. In the pop-up dialog box, click Confirm to enable the filter-by-SQL-template rules.
Filter-by-Rules
Filtering by rules lets users define custom filtering rules based on specific conditions. The rules include client information, server information, SQL requests, and SQL results. When a filtering rule is enabled for an asset, content that matches the rule will not be audited.
The procedure for adding a filter-by-rules rule is the same as the procedure for adding a security rule.
After adding a custom filtering rule, you need to enable it for an asset for it to take effect. The detailed steps are as follows:
1. In the left menu, select Configure Rules > Filtering Rules to enter the "Filtering-by-Rules" page, and select the Filter by Rules tab.
2. Check the rules you want to enable and click Enable Selected Items.
3. Select the asset in the "Select Asset" dialog box that pops up and click OK.