Exclusion filters allow you to exclude data based on source and destination IP addresses and/or source and destination ports. You can enter exact values, or use wild cards to create more extensive filters.
You should specify your exclusion filters in entuity_home\etc\flow-exclusions.properties, on each server acting as a flow collector. An example configuration definition is included in entuity_home\etc\flow-exclusions-template.properties.
You can specify exclusion filters in three forms:
- Per endpoint, so flows outgoing from or incoming to the specified endpoint are filtered out:
IPAddressPattern : PortPattern
- Unidirectional, so flows that originate from the specified source endpoint and end at the specified destination endpoint are filtered out:
SrcIPAddressPattern : SrcPortPattern > DstIPAddressPattern : DstPortPattern
- Bidirectional, so flows in both directions between two endpoints are filtered out:
IPAddressPattern1 : PortPattern1 = IPAddressPattern2 : PortPattern2
An IPAddressPattern can be one or more IP addresses or ranges of IP addresses. These are examples of valid patterns:
- matches a single IP address:
10.44.1.101
- matches all IP addresses within the range:
10.44.1/24
- an asterisk matches all IP addresses:
*
A PortPattern can be one or more port numbers or ranges of port numbers. These are examples of valid patterns:
- matches a single port:
3066
- matches all ports within the range:
2048-2099
- an asterisk matches all ports, equivalent to 0 to 65535:
*
These are example exclusion filters:
- Filter all flows going from or to applications on port 3306 on host 10.44.1.101
10.44.1.101:3306
- Filter all flows going from or to applications (ports 3306, 1433) on any of the listed hosts
10.44.1.101, 10.44.1.102 : 1433, 3306
- Filter all flows going from host 10.44.1.101 to host 10.44.1.10
10.44.1.101:* > 10.44.1.10:*
- Filter all flows between host 10.44.1.101 and host 10.44.1.10
10.44.1.101:* = 10.44.1.10:*
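Excluded flows are filtered out at the collector, so it is worth checking exactly which flows a filter set matches before deploying it. The Python sketch below is an added example, not Entuity code: it evaluates the example filters above against constructed sample flows. It assumes IPv4 only, that 10.44.1/24 is shorthand for 10.44.1.0/24, and bare filter expressions (the properties file's key syntax is not shown here); all function names are hypothetical.

```python
import ipaddress

# Filters are the page's examples; flows are constructed (src_ip, src_port, dst_ip, dst_port).
FILTERS = ["10.44.1.101:3306", "10.44.1.101, 10.44.1.102 : 1433, 3306",
           "10.44.1.101:* > 10.44.1.10:*", "10.44.1.101:* = 10.44.1.10:*"]
FLOWS = [("10.44.1.101", 50000, "10.44.1.10", 443), ("10.44.1.10", 443, "10.44.1.101", 50000)]

def ip_match(pattern, ip):
    """True if ip matches any comma-separated item: single address, range or *."""
    for item in (p.strip() for p in pattern.split(",")):
        if item == "*":
            return True
        net, _, bits = item.partition("/")
        octets = net.split(".")
        octets += ["0"] * (4 - len(octets))  # assumption: 10.44.1/24 means 10.44.1.0/24
        network = ipaddress.ip_network(".".join(octets) + "/" + (bits or "32"), strict=False)
        if ipaddress.ip_address(ip) in network:
            return True
    return False

def port_match(pattern, port):
    """True if port matches any comma-separated item: single port, lo-hi range or *."""
    for item in (p.strip() for p in pattern.split(",")):
        lo, _, hi = ("0-65535" if item == "*" else item).partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def hits(endpoint, ip, port):
    """Match one 'IPAddressPattern : PortPattern' endpoint (IPv4 only) against ip:port."""
    ip_pat, _, port_pat = endpoint.partition(":")
    return ip_match(ip_pat, ip) and port_match(port_pat, port)

def is_excluded(expr, src_ip, src_port, dst_ip, dst_port):
    """Apply one filter expression to a flow, following the three forms on the page."""
    for op in (">", "="):
        if op in expr:
            left, right = expr.split(op, 1)
            forward = hits(left, src_ip, src_port) and hits(right, dst_ip, dst_port)
            reverse = hits(right, src_ip, src_port) and hits(left, dst_ip, dst_port)
            return forward or (op == "=" and reverse)
    return hits(expr, src_ip, src_port) or hits(expr, dst_ip, dst_port)

def matching_filters(flow, filters=FILTERS):
    """Return the filters that would drop this flow, for auditing blind spots."""
    return [f for f in filters if is_excluded(f, *flow)]
```

Calling `matching_filters(FLOWS[1])` shows that the reverse-direction flow is dropped only by the bidirectional `=` filter, not by the `>` filter.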