Complex conditions can be created using Boolean operators And, Or and Not.
<And>
  <Or>
    <SomeBasicCondition> … </SomeBasicCondition>
    <SomeBasicCondition> … </SomeBasicCondition>
    <Not>
      <SomeBasicCondition> … </SomeBasicCondition>
    </Not>
  </Or>
  <Not>
    <And>
      <SomeBasicCondition> … </SomeBasicCondition>
      <SomeBasicCondition> … </SomeBasicCondition>
    </And>
  </Not>
</And>
The result of a condition, once evaluated, is an extended Boolean value. An extended Boolean value is one of true, unknown or false. Think of the value unknown as: "Cannot be evaluated now, but may be evaluated when more data becomes available".
This is important for TcpRuleRecvProto and TcpRuleRecvUntil type rules. If conditions in a TCP rule result in a value of unknown, the Recorder defers scripting and reevaluates conditions when more data arrives from the server.
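The following is an added example, not code from the original documentation or from the product, showing how an And/Or/Not tree can be evaluated over partially received server data with the three values true, unknown and false. It assumes that unknown combines according to Kleene's three-valued logic (the page says only that unknown defers re-evaluation) and uses a hypothetical basic condition StartsWith that is unknown while the received bytes are still a proper prefix of the expected value.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Extended Boolean: True, False, or None for "unknown" (cannot be decided
# from the data received so far, but may be once more arrives).
ExtBool = Optional[bool]

def starts_with(received: bytes, expected: bytes) -> ExtBool:
    """Hypothetical leaf check: does the received data begin with expected?
    Returns None (unknown) while received is still a proper prefix of
    expected, i.e. more bytes could still make the check true."""
    if received.startswith(expected):
        return True
    if expected.startswith(received):
        return None
    return False

def evaluate(node: ET.Element, received: bytes) -> ExtBool:
    """Evaluate an And/Or/Not condition tree over received data using
    Kleene three-valued logic (an assumption made for this example)."""
    tag = node.tag
    if tag == "And":
        results = [evaluate(c, received) for c in node]
        if any(r is False for r in results):
            return False           # one definite false decides the And
        return None if any(r is None for r in results) else True
    if tag == "Or":
        results = [evaluate(c, received) for c in node]
        if any(r is True for r in results):
            return True            # one definite true decides the Or
        return None if any(r is None for r in results) else False
    if tag == "Not":
        (child,) = list(node)      # Not takes exactly one child
        r = evaluate(child, received)
        return None if r is None else (not r)
    if tag == "StartsWith":        # hypothetical basic condition
        return starts_with(received, node.get("value", "").encode())
    raise ValueError(f"unsupported condition element: {tag}")

# Constructed sample rule: match a greeting starting with "220 " unless
# it is the greeting of a host named "spam".
SAMPLE_RULE = ET.fromstring("""
<And>
  <StartsWith value="220 "/>
  <Not><StartsWith value="220 spam"/></Not>
</And>
""")

def should_defer(received: bytes) -> bool:
    """True when the recorder would wait for more server data."""
    return evaluate(SAMPLE_RULE, received) is None
```

With only b"22" received the whole rule is unknown and scripting is deferred; once b"220 mail.example" has arrived it is true, and b"220 spam host" makes it false.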
There are a number of basic condition types that execute checks and can be combined (using the Boolean conditions And, Or and Not) to build complex compound conditions.
A condition is evaluated within an environment. Through the environment, the condition has access to a number of strings to which the condition can be applied. Environment configuration differs with each rule type. See section “Condition Evaluation Environment” for details.
Most conditions (except the Scripting condition) apply specific checks on specific blocks of data. There are flexible means of specifying what data is to be checked. See section “Specifying Data for Conditions” for more information.