Body filter
Level 1
Body text filters will search for a string of text within the body of a message. These filters are created manually as part of the scanner configuration, under the menu heading "Text Filters". The filters support plain text and Regular Expressions to specify what strings to search for within the text of a message.
GWAVA does not offer support for Regular Expressions that fail to match expected strings. Regular Expressions must be created by the user and are the responsibility of the admin. Regular Expression ranges (values contained within {}) may only be used if the entire Regular Expression is followed by '/q' on the end.
Once the filter is created, the 'Action' and 'Notify' options may be configured. The envelope with a hand over it is the Block option, which blocks messages from reaching the recipient. The padlock is the Quarantine option, which places a copy of the message in the GWAVA quarantine. Notify Sender is the icon with a person on the right side of an envelope with an arrow pointing to the left. Notify Recipients is the icon with two people. Notify Admin is the icon with a person on the left with an arrow pointing to the right. Notify Defined Addresses is the icon with a person on the left with three arrows pointing in different directions. The Notify Defined Addresses option uses a comma-separated list of email addresses in the Custom address list.
Level 2
Body text filters will search for a string of text within the body of a message. These filters are created manually as part of the scanner configuration, under the menu heading "Text Filters". The filters support plain text and Regular Expressions to specify what strings to search for within the text of a message.
If the specified string exists in the body, or is a substring of any string in the body, then the chosen events apply to the message and trigger the services for blocking, quarantining or notifications. For example, if you are trying to filter for the string 'watches' and the message body contains the string 'swatches', the filter will be triggered. Likewise, if you are trying to block on the string 'meth' and a message contains the word 'method', the filter will be triggered as well. When vague filters are applied it is sometimes best to quarantine on those filters as well, so that any false positives may be released from the quarantine.
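The substring behaviour described above can be previewed against sample mail before a filter goes live. This is an added example, not GWAVA code: the sample bodies are constructed, case-insensitive matching is an assumption, and all function names are hypothetical.

```python
import re

# Constructed sample bodies (not real mail) used to preview a filter string.
SAMPLES = [
    "Limited offer: luxury watches at 90% off",
    "Please send the fabric swatches for the lobby chairs",
    "The new backup method is documented on the wiki",
    "Police seized meth during the raid, local news reports",
]
WORD = re.compile(r"[A-Za-z0-9']+")

def triggers(filter_string, body):
    """Plain substring match, as the page describes (case handling assumed)."""
    return filter_string.lower() in body.lower()

def whole_word(filter_string, body):
    """True if the string appears on its own, not inside a longer word.
    Uses Python's re for offline analysis only, not the scanner's regex dialect."""
    pat = r"(?<![A-Za-z0-9])" + re.escape(filter_string) + r"(?![A-Za-z0-9])"
    return re.search(pat, body, re.IGNORECASE) is not None

def embedded_words(filter_string, body):
    """Longer words that contain the filter string (likely false positives)."""
    needle = filter_string.lower()
    return sorted({w.lower() for w in WORD.findall(body)
                   if needle in w.lower() and w.lower() != needle})

def preview(filter_string, bodies):
    """Indexes of bodies that would trigger, split by why they trigger."""
    report = {"exact": [], "embedded": []}
    for i, body in enumerate(bodies):
        if triggers(filter_string, body):
            kind = "exact" if whole_word(filter_string, body) else "embedded"
            report[kind].append(i)
    return report

def is_vague(report):
    """A filter that only hits inside longer words in some messages is a
    candidate for Quarantine, so false positives can be released."""
    return bool(report["embedded"])

if __name__ == "__main__":
    for s in ("watches", "meth"):
        r = preview(s, SAMPLES)
        hits = [embedded_words(s, SAMPLES[i]) for i in r["embedded"]]
        print(s, r, "embedded in:", hits, "vague:", is_vague(r))
```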
Hands On
Open the GWAVA Management Console by entering the GWAVA server IP address, with the port number appended, into the address bar of an internet browser that has network access to the GWAVA server. For example, http://<IP_of_GWAVA_Server>:49282
1) Log in using admin credentials.
2) Select Scanner/Policy Management, then the relevant policy, and continue drilling down along Scanning Configuration - Text Filtering - Body Filter.
3) Select the Enable body filter check box to turn on this type of filtering.
4) Press the New Filter button.
5) Add a string of your choosing, then select options from the Actions and/or Notify tab.
6) As an example, I entered the string brad in the filter and selected 'Block', 'Quarantine' and 'Notify Defined Addresses' to bradh@gwava.com.
7) Now initiate a telnet session to the GWAVA server, and put the string of the filter in the body of the message.
8) Once a test message is sent, check whether the chosen events happened. This can be verified in the GWAVA log at /opt/beginfinite/gwava/services/logs/gwava/support