Network Rules Tab

Document created by RSA Information Design and Development on Jul 26, 2016. Last modified by RSA Information Design and Development on Sep 28, 2016.
Version 4

This topic introduces network rules and describes features that apply specifically to network rules.

The main Rules Tab section describes the toolbar common to all types of rules. This section introduces the user interface for network rules.

You can display this view by doing the following:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a service and select the Actions menu > View > Config.
    The Config view for the selected service is displayed.
  3. Select the Network Rules tab.

This is an example of the Network Rules tab.

[Figure: Network Rules tab]

This is an example of the Rule Editor dialog for a network rule.

[Figure: Rule Editor dialog for a network rule]

Features

The following table describes the columns in the Network Rules grid.

Column | Description
Pending | This column indicates whether a rule has pending changes. Rules that are currently active on the Decoder have no indicator. If the rule is new or has been modified, the column contains a pending indicator (a plus icon). Once the rules are applied, the pending indicator is removed.
Name | This is the rule name, a descriptive identifier for the rule.
Condition | This is the definition of the condition that triggers an action when matched.
Packet Data | This column displays the Session Data action taken when a packet matches the rule. Possible values are Filter, Keep, or Truncate.
Alert | This column indicates whether the Decoder generates a custom alert when metadata matches the rule. Possible values are Enabled or Disabled.
Status | This column indicates whether the rule is enabled or disabled with a circle icon. If the circle is filled green, the rule is enabled. If the circle is empty, the rule is disabled.

The Rule Editor dialog provides the fields and options needed to define a network rule.

The following table describes the Rule Definition fields.

Field | Description
Rule Name | The descriptive name that identifies the rule.
Condition | The definition of the condition that triggers an action when matched. You can type directly in the field or build the condition in this field using meta from the Intellisense window actions. As you build the rule definition, Intellisense displays syntax errors and warnings.

The following table describes the Session Data actions.

Action | Description
Stop Rule Processing | If checked, further rule evaluation ends if the rule is matched, and the session is saved as indicated. If not checked, rule evaluation continues until all rules are evaluated.
Keep | The packet payload and associated meta are saved when they match the rule.
Filter | The packet is not saved when it matches the rule.
Truncate | The packet payload is not saved when it matches the rule, but packet headers and associated meta are retained.
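To make the Stop Rule Processing and Session Data semantics concrete, here is a small Python model of rule-chain evaluation. It is an added illustration, not RSA code: the rule names, the meta keys, and the assumption that the last matched rule's action decides storage (with keep as the default when nothing matches) are constructed for the example.

```python
"""Toy model of Decoder network-rule evaluation (added illustration, not RSA code)."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class NetworkRule:
    name: str
    condition: Callable[[dict], bool]  # stands in for the Condition field
    action: str                         # Session Data action: keep, filter or truncate
    stop: bool = False                  # the Stop Rule Processing checkbox


@dataclass
class Packet:
    meta: dict
    headers: bytes
    payload: bytes


def evaluate(rules: List[NetworkRule], meta: dict) -> List[NetworkRule]:
    """Walk the rules in order; a matching rule with stop=True ends evaluation."""
    matched = []
    for rule in rules:
        if rule.condition(meta):
            matched.append(rule)
            if rule.stop:
                break
    return matched


def apply_action(packet: Packet, action: str) -> Optional[dict]:
    """keep = headers, payload and meta; truncate = headers and meta; filter = nothing."""
    if action == "filter":
        return None
    if action not in ("keep", "truncate"):
        raise ValueError(f"unknown action {action!r}")
    record = {"meta": packet.meta, "headers": packet.headers}
    if action == "keep":
        record["payload"] = packet.payload
    return record


def process(rules: List[NetworkRule], packet: Packet):
    """Model assumption: the last matched rule's action decides; no match means keep."""
    matched = evaluate(rules, packet.meta)
    action = matched[-1].action if matched else "keep"
    return action, apply_action(packet, action)


# Constructed sample rule set; the meta keys are illustrative, not a documented schema.
RULES = [
    NetworkRule("drop-backup", lambda m: m.get("tcp.dstport") == 10000, "filter", stop=True),
    NetworkRule("trim-bulk", lambda m: m.get("size", 0) > 1_000_000, "truncate"),
    NetworkRule("keep-dns", lambda m: m.get("udp.dstport") == 53, "keep", stop=True),
]
```

Because "drop-backup" stops processing, a large backup transfer never reaches "trim-bulk", whereas a large DNS session matches "trim-bulk" and then "keep-dns", so rule order changes what the Decoder retains.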

The following table describes the session options.

Option | Description
Assemble | If checked, the assembler assembles the packet chain when it matches the rule.
Network Meta | The packet generates network metadata when it matches the rule.
Application Meta | The packet generates application metadata when it matches the rule.
Alert | The packet generates a custom alert when metadata matches the rule.

The following table describes Rule Editor dialog actions.

Action | Description
Reset | Resets the contents of the dialog to their values before editing; changes are discarded.
Cancel | Cancels any edits and closes the Rule Editor dialog.
OK | Saves the new rule or edited rule, and adds it to the rules grid. The Rule Editor dialog closes.
Validate | Validates that the rule syntax is correct.