Enterprise Recon 2.4

Global Filters

This section covers the following topics:

Overview

Global Filters allow you to set up filters to automatically exclude or ignore matches based on the set filter rules.

You can do this by adding a filter from the Scans > Global Filters page or through Remediation by marking matches as False Positive or Test Data when remediating matches.

Permissions and Global Filters

Resource Permissions and Global Permissions that are assigned to a user grants access to perform specific operations for global filters.

Operation Definition Users with Access
Import or export global filter Import or export global filter definitions in supported files formats.

  1. Global Admin.
  2. System Manager.

Add, edit or delete global filters Users can add, modify or remove global filters that apply to all or specific Targets / Target Groups.

  1. Global Admin.
  2. System Manager.
  3. Users without Global Permissions but have Scan or Remediate - Mark Location for Report privileges assigned through Resource Permissions.

See User Permissions for more information.

View Global Filters

The Global Filters page displays a list of filters and the Targets they apply to. Filters created by marking exclusions when taking remedial action will also be displayed here (see Remediation).

Filter the list of global filters displayed using the options in the Filter by… section:

  • False Positives > Locations: Locations marked as False Positives.
  • False Positives > Matches: Match data marked as False Positives.
  • Test Data > Matches: Match data marked as test data.

Global Filter Manager page to add, export and import Global Filters.

Add a Global Filter

To add a global filter:

  1. Log in to the ER2 Web Console.
  2. Go to the Scans > Global Filters page.
  3. On the top-right corner of the Global Filters page, click +Add.
  4. From the drop-down list, select a filter type:

    Filter Type Description
    Exclude location by prefix

    Exclude search locations with paths that begin with a given string. Can be used to exclude entire directory trees.

    Example

    Filter value: C:\Windows\System32

    Excludes all files and folders in the "C:\Windows\System32" folder.

    Exclude location by suffix

    Exclude search locations with paths that end with a given string.

    Example

    Filter value: led.jnl

    Excludes all files and folders that end with "led.jnl", e.g. "canceled.jnl" and "totaled.jnl".

    Exclude locations by expression

    Exclude search locations that match the given expression. The syntax the of the expressions you can use are as follows:

    ?: A wildcard character that matches exactly one character; ??? matches 3 characters. If placed at the end of an expression, also match zero characters.

    *: A wildcard character that matches zero or more characters in a search string.

    Example 1

    Filter value: C:\V???

    All locations where the path starts with "C:\V" followed by any three characters will be excluded during scans. For example, the expressions will exclude "C:\V123", but does not exclude "C:\V1" or "C:\V1234".

    Example 2

    Filter value: /var/*

    All locations in the "/var" directory will be excluded during scans.

    Example 3

    Filter value: /var/*.txt

    All text files with the ".txt" extension in the "/var" directory will be excluded during scans.

    You can inverse this filter with a logical NOT operation to only include search locations that match the given expression.

    !<expression>

    Example 1

    Filter value: !*.pdf

    Only locations with the ".pdf" suffix will be included during scans.

    Example 2

    Filter value: !C:\Users\*

    Only locations where the path starts with "C:\Users\" will be included during scans.

    Include locations within modification date

    Include search locations modified within a given range of dates.

    Prompts you to select a start date and an end date. Files and folders that fall outside of the range set by the selected start and end date are not scanned.

    Include locations modified recently

    Include search locations modified within a given number of days from the current date.

    Example

    Filter value: 14

    Only scan files and folders that have been modified not more than 14 days before the current date.

    Exclude locations greater than file size (MB) Exclude files that are larger than a given file size (in MB).
    Ignore exact match

    Ignore matches that match a given string exactly.

    Example

    Filter value: 4419123456781234

    All exact matches of the pattern "4419123456781234" will be ignored as matches during scans.

    Ignore match by prefix

    Ignore matches that begin with a given string.

    Example

    Filter value: 4419

    Search ignores matches found during scans that begin with "4419", such as "4419123456781234".

    Ignore match by expression

    Ignore matches found during scans if they match a given expression.

    ?: A wildcard character that matches exactly one character; ??? matches 3 characters. If placed at the end of an expression, also match zero characters.

    *: A wildcard character that matches zero or more characters in a search string.

    Example 1

    Filter value: *123

    All data patterns that end with "123" will be ignored as matches during scans.

    Example 2

    Filter value: 123*

    All data patterns that begin with "123" will be ignored as matches during scans.

    PCRE

    To enter a Perl Compatible Regular Expression (PCRE), select Enable full regular expressions support.

    Add test data

    Report match as test data if it matches a given string exactly.

    Example

    Filter value: 4419123456781234

    All exact matches of "4419123456781234" found during scans will be reported as test data.

    Add test data prefix

    Report matches that begin with a given string as test data.

    Example

    Filter value: 4419

    Report matches that begin with "4419" as test data, such as "4419123456781234".

    Add test data expression

    Report matches as test data if they match a given expression. The syntax the of the expressions you can use:

    ?: A wildcard character that matches exactly one character; ??? matches 3 characters. If placed at the end of an expression, also match zero characters.

    *: A wildcard character that matches zero or more characters in a search string.

    Example 1

    Filter value: *123

    All data patterns that end with "123" found during scans will be reported as test data.

    Example 2

    Filter value: 123*

    All data patterns that begin with "123" found during scans will be reported as test data.

  5. In Apply to, select the Target Group and Target the filter applies to.
    Example of "Exclude Location by Prefix" filter to exclude "c:\windows\system32" path for all Targets and Target Groups.
  6. Click Ok.

Import and Export Filters

Importing and exporting filters allows you to move filters from one ER2 installation to another. This is also useful if you are upgrading from Card Recon, or are moving from an older installation of ER2.

You can import from or export to the following file formats:

  • Portable XML file.
  • Spreadsheet (CSV).
  • Test File.
  • Card Recon Configuration File.

Portable XML File

This section shows how filters are described in XML files.

These XML files follow the following basic rules:

  • XML tags are case sensitive.
  • Each tag must include the closing tag. For example, <filter>...</filter>.
  • The following ASCII characters have a special meaning in XML and have to be replaced by their corresponding XML character entity reference:

    ASCII Character Description XML Character Entity Reference
    < Less-than sign &lt;
    > More-than sign &gt;
    & Ampersand &amp;
    ' Apostrophe &apos;
    " Double quotation mark &quot;

The following tags are used in the XML file for global filters:

XML Tags Description
<filter> This is the root element that is required in XML files that describe global filters. All defined global filters must be within the filter tag.
<level> This tag defines the realm that the filter is applied to.
  1. global : Filter applies to all Targets.
  2. group : Filter is only applied to a specific Group.
  3. target : Filter is only applied to a specific Target.
<name> Name of the Group or Target that the filter is applied. Only required when level is group or target.
<filter type> This tag defines the filter type and expression. Refer to Filter Types table to understand how to set up different filters.

Filter Types

Filter Type Description and Syntax
Exclude location by prefix

Exclude search locations with paths that begin with a given string. Can be used to exclude entire directory trees.

Syntax: <location-exclude>prefix*</location-exclude>

Exclude location by suffix

Exclude search locations with paths that end with a given string.

Syntax: <location-exclude>*suffix</location-exclude>

Exclude locations by expression

Excludes search locations by expression.

Syntax: <location-exclude>expression</location-exclude>

Include locations within modification date

Include search locations modified within a given range of date by specifying a start date and an end date.

Syntax: <modified-between>YYYY-MM-DD - YYYY-MM-DD</modified-between>

Include locations modified recently

Include search locations modified within a given number of days from the current date.

Syntax: <modified-within>number of days</modified-within>

Exclude locations greater than file size (MB)

Exclude files that are larger than a given file size (in MB).

Syntax: <modified-maxsize>file size in MB</modified-maxsize>

Ignore exact match

Ignore matches that match a given string exactly.

Syntax: <match-exclude>string</match-exclude>

Ignore match by prefix

Ignore matches that contain a given prefix.

Syntax: <match-exclude>string*</match-exclude>

Ignore match by expression

Ignore matches found during scans if they match a given expression.

Syntax: <match-exclude>expression</match-exclude>


PCRE

To enable full regular expression support, include @~ before a given expression.

Syntax: <match-exclude>@~expression</match-exclude>
Add test data

Report match as test data if it matches a given string exactly.

Syntax: <match-test>string</match-test>

Add test data prefix

Report matches that begin with a given string as test data.

Syntax: <match-test>string*</match-test>

Add test data expression

Report matches as test data if they match a given expression.

Syntax: <match-test>expression</match-test>

Example

<filter> <!-- These filters apply to all Targets --> <global> <location-exclude>*.gzip</location-exclude> <location-exclude>*FOOBAR*</location-exclude> <match-test>*@example.com</match-test> <modified-maxsize>2048</modified-maxsize> </global> <!-- These filters apply only to the Group My-Default-Group --> <target> <name>My-Default-Group</name> <modified-between>2018-1-1 - 2018-1-15</modified-between> </target> <!-- These filters apply only to the Target host My-Windows-Machine --> <target> <name>My-Windows-Machine</name> <match-exclude>1234567890</match-exclude> <modified-within>3</modified-within> </target>
</filter>

Filter Columns in Databases

Filter out columns in databases by using the "Exclude location by suffix" filter to specify the columns or tables to exclude from the scan.

Description Syntax
Exclude specific column across all tables in a database. <column name>
Exclude specific column from in a particular table. <table name>/<column name>

Database Index or Primary Keys

Certain tables or columns, such as a database index or primary key, cannot be excluded from a scan. If a filter applied to the scan excludes these tables or columns, the scan will ignore the filter.