Three kinds of files are used to configure ze-filter and set up its filtering parameters.
The first, ze-filter.cf,
is the main configuration file. It holds settings such as which filtering methods are enabled, global thresholds, and the action to take when a criterion is matched.
The other two, tables and databases, contain the detailed data needed to perform filtering. Tables are text files the filter loads into memory; databases are larger data sets stored on disk and queried by key.
Databases are used when the filter needs the value associated with a given key, so the information is retrieved in a well-defined, bounded number of queries. Tables are used when the filter has to go through all entries. Databases are usually preferable, but they are often not suitable: a regular expression, for example, cannot serve as a database key.
As a consequence, filter performance is far more sensitive to the number of entries in tables than to the number of entries in databases.
Table | Contents |
---|---|
ze-regex | Regular expressions |
ze-oradata | Heuristic oracle filter data |
ze-xfiles | Executable file extensions |
ze-error-msg | Error/reject messages returned by the filter |
ze-tables | |
The databases are Berkeley DB (bdb) files built from text source files with make: running make inside /var/ze-filter/cdb rebuilds every database whose source has changed and reloads the filter. The source files are plain text, one entry per line, of the form `Prefix:Key Value`.
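To make the keyed-lookup versus full-scan distinction concrete, here is an added example in Python; it is not code from ze-filter. It pairs a loader for the `Prefix:Key Value` source format, which builds an exact-match map, with a loader for a regular-expression table, which has to be scanned entry by entry. The sample lines, the prefixes `Net` and `Rcpt`, and the `pattern score` layout of the regex table are assumptions made for this example, and the real filter stores the compiled database in Berkeley DB rather than a Python dict.

```python
import re
from typing import Dict, Iterator, List, Optional, Pattern, Tuple

# Constructed sample database source in the "Prefix:Key Value" form.
# The prefixes, keys and values are illustrative assumptions, not entries
# from a real ze-filter installation.
SAMPLE_DB_SOURCE = """\
# Comment lines and blank lines are skipped by this loader (assumption).
Net:192.168.1.0/24            LOCAL
Net:10.0.0.0/8                FRIEND
Rcpt:postmaster@example.org   OK
"""

# Constructed sample regex table. The "pattern score" layout is an assumption
# made for this example; it is not the documented ze-regex layout.
SAMPLE_TABLE_SOURCE = """\
# Comment lines and blank lines are skipped here too.
V[i1]agra                     10
^Subject:.*free\\s+money       5
"""


def _source_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_number, stripped_line) for non-blank, non-comment lines."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield lineno, line


def parse_db_source(text: str) -> Dict[str, str]:
    """Parse "Prefix:Key Value" lines into an exact-match map keyed by "Prefix:Key".

    The real filter stores the result in a Berkeley DB file; a dict is used
    here so the example runs without any database library. Lines without a
    value or without a prefix separator, and duplicate keys, are rejected so
    a mistake in the source is reported instead of silently shadowing an entry.
    """
    db: Dict[str, str] = {}
    for lineno, line in _source_lines(text):
        parts = line.split(None, 1)
        if len(parts) != 2 or ":" not in parts[0]:
            raise ValueError(f"line {lineno}: expected 'Prefix:Key Value', got {line!r}")
        full_key, value = parts[0], parts[1].strip()
        if full_key in db:
            raise ValueError(f"line {lineno}: duplicate key {full_key!r}")
        db[full_key] = value
    return db


def db_lookup(db: Dict[str, str], prefix: str, key: str) -> Optional[str]:
    """Single keyed lookup: cost does not depend on the number of entries.

    Only an exact key matches. A regular expression stored as a key would be
    compared as a literal string, which is why patterns live in tables instead.
    """
    return db.get(f"{prefix}:{key}")


def parse_regex_table(text: str) -> List[Tuple[Pattern[str], int]]:
    """Parse "pattern score" lines (assumed layout) into compiled patterns."""
    table: List[Tuple[Pattern[str], int]] = []
    for lineno, line in _source_lines(text):
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or not parts[1].isdigit():
            raise ValueError(f"line {lineno}: expected 'pattern score', got {line!r}")
        table.append((re.compile(parts[0], re.IGNORECASE | re.MULTILINE), int(parts[1])))
    return table


def table_scan(table: List[Tuple[Pattern[str], int]], text: str) -> Tuple[int, int]:
    """Return (total score, entries examined) for text against the whole table.

    Every entry has to be tried, so the second value always equals len(table):
    that linear cost is why table size matters for filter performance.
    """
    score = 0
    examined = 0
    for pattern, weight in table:
        examined += 1
        if pattern.search(text):
            score += weight
    return score, examined


if __name__ == "__main__":
    db = parse_db_source(SAMPLE_DB_SOURCE)
    print(db_lookup(db, "Net", "192.168.1.0/24"))  # LOCAL
    print(db_lookup(db, "Net", "192.168.2.0/24"))  # None: no exact key
    table = parse_regex_table(SAMPLE_TABLE_SOURCE)
    print(table_scan(table, "Subject: get free   money today"))  # (5, 2)
```

The loader rejects malformed and duplicate lines rather than building a database that silently drops an entry, which is the failure you want to catch at make time rather than in production mail flow. Note that `table_scan` reports how many entries it examined: it is always the whole table, whereas `db_lookup` touches one key regardless of how many entries the database holds.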
The policy database is the most important one: it contains the definition of your network, the privileges associated with each part of it (which checks are applied or skipped), and the class used for rate limiting.
Database | Contents |
---|---|
ze-policy.db | Policy Database |
ze-rcpt.db | Recipient access database if enabled |
ze-urlbl.db | URL blacklist if enabled |
ze-bayes.db, ze-bayes-md5.db | Bayesian filter databases if enabled |