HELP: Information for fast signature matching per search field
TYPE: OBJECT
SYNTAX: COLUMN[(CN='str',SM=num,WC,NC,SL=num,SO=num,DO=num,DL=num,MW=num)...]
The array defines the parameters required for a quick search in the encrypted and compressed data for each column to be checked. Besides the column name (CN) and the signature method (SM), these are the length of the signature (SL) and its offset (SO), the optional data offset (DO) and data length (DL) for this column, and the match word (MW) returned by the Bloom filter implementation during generation. The match word cannot be known in advance, so this array of structures must be generated with the FILTER command together with the corresponding signature.
If you specify a column name, the offset in the full segment signature is determined by FLAM based on the name. This takes some time, but is the simplest and most convenient way to define a search using a few columns.
The column names themselves can also contain wildcards. If more than one column is matched in the correlation and the column is therefore not unique, all columns that match and are subject to the same signature method and length are included in the comparison. This procedure is more complex, but it is also the most powerful way to search for data in the compressed and encrypted archives.
STRING: CN='str' - Column name to match
NUMBER: SM=num - Signature method (Bloom filter)
SWITCH: WC - Mark column as wildcard (also set if wildcards found in signature portion of the data)
SWITCH: NC - Mark column for case-insensitive compare
NUMBER: SL=num - Partial signature length
NUMBER: SO=num - Offset of partial signature
NUMBER: DO=num - Data offset where hash calculation starts [0 (from beginning)]
NUMBER: DL=num - Data length for hash calculation [0 (to the end)]
NUMBER: MW=num - Match word for partial signature
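
The following Python example is added here for illustration and is not FLAM code. It models how a per-column partial signature (SO, SL) and a match word (MW) let a search rule out a segment without decrypting it, including wildcard column names, NC and DO/DL. The hash function, the 8-byte word size, the signature layout and the treatment of MW as a bit mask are assumptions; real SO, SL and MW values come from the FILTER command.

```python
import fnmatch
import hashlib

WORD = 8  # assumed partial signature length (SL) in bytes, same for every column

def match_word(value: bytes, do: int = 0, dl: int = 0, nc: bool = False) -> int:
    """Bloom-style word (MW) over value[DO:DO+DL]; DL=0 means to the end."""
    data = value[do:do + dl] if dl else value[do:]
    if nc:  # NC: fold case before hashing
        data = data.lower()
    word = 0
    for seed in range(3):  # three hash functions (assumed)
        digest = hashlib.sha256(bytes([seed]) + data).digest()
        word |= 1 << (int.from_bytes(digest[:4], "big") % (WORD * 8))
    return word

def build_signature(columns, records, nc=False):
    """Return (segment signature, {column name: SO}) for one segment of records."""
    offsets = {name: i * WORD for i, name in enumerate(columns)}
    sig = bytearray(WORD * len(columns))
    for record in records:
        for name, value in zip(columns, record):
            so = offsets[name]
            part = int.from_bytes(sig[so:so + WORD], "big") | match_word(value, nc=nc)
            sig[so:so + WORD] = part.to_bytes(WORD, "big")
    return bytes(sig), offsets

def may_contain(sig: bytes, offsets: dict, cn: str, mw: int) -> bool:
    """True if any column whose name matches CN has every MW bit set."""
    for name, so in offsets.items():
        if fnmatch.fnmatchcase(name, cn):  # CN may contain wildcards
            part = int.from_bytes(sig[so:so + WORD], "big")
            if (part & mw) == mw:
                return True  # possible hit: segment must be decrypted and scanned
    return False  # definite miss: segment can be skipped unopened

# Constructed sample data (one segment with three columns)
COLUMNS = ["CUST_ID", "CUST_NAME", "CITY"]
SEGMENT = [(b"1001", b"Meier", b"Berlin"), (b"1002", b"Schulz", b"Hamburg")]
SIG, OFFSETS = build_signature(COLUMNS, SEGMENT)

if __name__ == "__main__":
    print(may_contain(SIG, OFFSETS, "CUST_NAME", match_word(b"Meier")))
    print(may_contain(SIG, OFFSETS, "CUST_*", match_word(b"1002")))
```

A `True` result only means the segment may contain the value, because Bloom filters produce false positives but never false negatives.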