Novell SENTINEL RAPID DEPLOYMENT 6.1 - REFERENCE GUIDE 06-15-2009 Reference Manual page 39

Boolean Operators
Filter expressions can be combined using the Boolean operators AND, OR and NOT. The filter
boolean operator precedence (from highest [top] to lowest [bottom] precedence) is:
Boolean Operators
Table 3-1
Operator
Not
And
Or
In addition to Boolean operators, filter supports the following operators.
Standard Arithmetic Operators
Standard arithmetic operators can be used to build a condition that compares the value of a Sentinel
metatag and a user-specified value (either a numeric value or a string field). The standard arithmetic
operators in Sentinel are =, <, >, !=, <=, and >=.
Examples:
filter(e.Severity > 3)
filter(e.BeginTime < 1179217665)
filter(e.SourceUserName != "Administrator")
Match Regex Operators
The match regex operator can be used to build a condition where the value of a metatag matches a
user-specified regular expression value specified in the rule. This operator is used only for string
tags, and the user-specified values for this operator are case-sensitive.
Examples:
filter(e.Collector match regex ("IBM"))
filter(e.EventName match regex ("Attack"))
Match Subnet Operators
The match subnet operator can be used to build a condition where the value of a metatag maches a
user-specified subnet specified in the rule in CIDR notation. This operator is used only for IP
address fields.
Example:
filter(e.DestinationIP match subnet (10.0.0.1/22))
Inlist Operator
The inlist operator is used to perform a lookup on an existing dynamic list of string values, returning
true if the value is present in the list. For more information on Dynamic Lists, see "Correlation Tab"
in Sentinel 6.1 Rapid Deployment User
Meaning
logical not
logical and
logical or
Guide.
Sentinel 6.1 Rapid Deployment Correlation Engine RuleLG Language
Operator Type
unary
binary
binary
Associativity
None
left to right
left to right
39