Decoder: Fix Rules with Deprecated Syntax

Document created by RSA Information Design and Development on Jul 21, 2016. Last modified by RSA Information Design and Development on Oct 24, 2016.
Version 5

After an update to Security Analytics 10.6, the user interface highlights any rules with deprecated syntax. It is important to correct the syntax for the highlighted rules because they may contain ambiguous syntax, which can cause unexpected results. The Rule Editor provides additional tooltips. After you fix the rules, the highlights disappear.

Rule and Query Guidelines provides guidelines that all queries and rule conditions in Security Analytics must follow. It also provides information about strict mode configuration as well as valid and deprecated syntax.

If you have multiple Decoder services, you can use the Push Rules option to update the rules you have fixed on the other Decoder services. For more information, see Step 4. Configure Decoder Rules.

Procedure

To correct rules with deprecated syntax:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services view, select a Decoder service and then select the Actions menu > View > Config.
  3. In the Services Config view, select one of the Rules tabs: Network Rules, App Rules, or Correlation Rules.
    The Rules tab for the selected rule type shows the number of rules using the deprecated syntax and the deprecated rules are highlighted.
  4. Select a deprecated rule and click the edit icon.
    The Rules Editor shows additional information for the deprecated rule and it includes an additional Save option.
  5. In the Condition field, correct the rule syntax.
    All string literals and time stamps must be quoted. Do not quote number values and IP addresses. Rule and Query Guidelines provides additional details.
    For example, if the deprecated rule condition is ip.src="10.30.30.30", correct the syntax by removing the quotes: ip.src=10.30.30.30
  6. Do one of the following:
    • To correct the rule individually, click Save.
      The corrected rule is applied independently to the Decoder service. The corrected rule appears on the Rules tab without highlights. 
    • To correct the rule and apply the rule to the Decoder service later with other rules, click OK.
      The corrected rule appears on the Rules tab without highlights. The rule is not applied to the Decoder service.
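
A pre-check for the quoting rule in step 5, as an added example that is not part of the original RSA document: it scans rule condition strings for quoted literals that are IP addresses or numbers and suggests the unquoted form. The sample conditions are constructed and the set of comparison operators matched is an assumption; a numeric-looking value on a text meta key is still a string literal and must stay quoted, so treat each finding as a candidate to review in the Rule Editor.

```python
import ipaddress
import re

# Meta key, comparison operator (assumed set), then a quoted literal.
QUOTED = re.compile(
    r"""(?P<key>[\w.]+)(?P<op>\s*(?:!=|<=|>=|=|<|>)\s*)(?P<q>["'])(?P<val>.*?)(?P=q)"""
)
NUMBER = re.compile(r"-?\d+(?:\.\d+)?")


def literal_kind(value):
    """Classify a quoted literal: 'ip', 'number', or None (leave it quoted)."""
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 text forms
        return "ip"
    except ValueError:
        pass
    return "number" if NUMBER.fullmatch(value) else None


def check_condition(condition):
    """Return (suggested_condition, findings) for one rule condition.

    findings is a list of (meta_key, value, kind) for each quoted literal
    that step 5 says should not be quoted. Strings and time stamps are
    left untouched because they must remain quoted.
    """
    findings = []

    def unquote(match):
        kind = literal_kind(match["val"])
        if kind is None:
            return match.group(0)
        findings.append((match["key"], match["val"], kind))
        return match["key"] + match["op"] + match["val"]

    return QUOTED.sub(unquote, condition), findings


# Constructed sample conditions; the first is the example from step 5.
SAMPLES = [
    'ip.src="10.30.30.30"',
    'service = "80" && action = \'login\'',
    'time = "2016-07-21 10:00:00"',
]

if __name__ == "__main__":
    for cond in SAMPLES:
        suggestion, found = check_condition(cond)
        print("REVIEW" if found else "ok    ", cond, "->", suggestion)
```
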
