Creating a custom scan filter

To create a custom scan filter:

1. Click on the Main button, right-click the Security Scanner > Results Filtering node and select New > Filter….

Screenshot 56 - The new Scan filter properties dialog: General tab-page

2. In the General tab specify the name of the new scan filter.

Screenshot 57 - Filter properties dialog

3. Click on Add and select the required filter property from the provided list (for example, operating system). This defines what type of information will be extracted from the scan results (i.e. the area of interest of the scan filter).

4. Click on Next to continue.

Screenshot 58 - Filter condition properties dialog

5. Select the required filter condition from the ‘Conditions’ drop down and specify the filter value. The filter value is the reference string to be used with the specified condition to filter information from scan results.

6. Click on Add to continue.

NOTE: You can create multiple filter conditions for every scan filter. This allows you to create powerful filters that more accurately isolate the scan results information that you may want to analyze.

Screenshot 59 - The new Scan-Filter properties dialog: Report Items tab-page

7. Click on the Report Items tab and select the information categories/sub-nodes that will be displayed in the configuration interface. Click on OK to save and create the new filter.

The new filter will be added as a new permanent sub-node under the Security Scanner > Results Filtering node.

NOTE: To delete or customize a scan filter, right-click on the target filter and selecting Delete… or Properties respectively.

Example 1 – Create a filter which displays all computers that have a particular patch missing

In this example, we will create a filter that lists all Windows XP based computers that have the MS03-026 patch (i.e. the Blaster virus patch) missing.

1. Click on the Main button, right-click on the Security Scanner > Results Filtering node and select New > Filter…

2. In the filter name field type in ‘Missing Blaster Patch’ and click on the Add button.

3. Select the ‘operating system’ option and click on Next.

Screenshot 60 - Filter conditions dialog

4. From the conditions drop down box select ‘Equal to’ and in the value field type in ‘Windows XP’.

5. Click on the Add button to add the condition to the filter.

Screenshot 61 - The new Scan Filter properties dialog: General tab-page

6. Click on Add to create another filter condition in which you will specify the required patch name (i.e. MS03-026).

7. From the list of filter properties, select ‘Patch’ and then click on Next.

8. From the conditions drop down select ‘is not installed’ and in the value field type in ‘MS03-026’. Click on the Add button to include this condition in the scan filter.

9. Click OK to finalize the configuration and create the filter. The new filter is added as a new permanent sub-node. (Security Scanner > Results Filtering > Missing Blaster Patch).

Example 2 – Create a filter that lists all Sun stations with a web server

To create a filter that lists all Sun workstations that are running a web server on port 80, perform the following steps:

1. Click on the Main button, right-click on the Security Scanner > Results Filtering node and select New > Filter….

2. In the filter name field key in ‘Sun WS web servers on port 80’ and click on the Add button.

3. From the list of filter properties select ‘operating system’ and then click on Next.

4. From the conditions drop down select ‘Includes’ and in the value field type in ‘Sun OS’.

5. Click on the Add button.

6. From the properties dialog, click on the Add button to add another filter condition.

7. Select ‘TCP Port’ and click on Next.

8. From the conditions drop down box select ‘is open’ and in the value field type key in ‘80’.

9. Click on the Add button to include this condition in the scan filter.

10. Click on OK to finalize the configuration. The new filter will be added as a new permanent node. (Security Scanner > Results Filtering > Sun WS web servers on port 80).