Decoder: App Rules Tab

Document created by RSA Information Design and Development on Jul 26, 2016Last modified by RSA Information Design and Development on Sep 28, 2016
Version 4Show Document
  • View in full screen mode

This topic introduces application rules and describes features that apply specifically to application rules.

The main Rules Tab section describes the toolbar common to all types of rules. This section introduces the user interface for application rules.

You can display this view by doing the following:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a service and  ic-actns.png >View > Config.
    The Config view for the selected service is displayed.
  3. Click the App Rules tab

This is an example of the App Rules tab.


This is an example of the Rule Editor dialog for an application rule.



Application Rules Grid Columns

PendingThis column indicates whether a rule has pending changes. Rules that are currently active on the Decoder have no indicator. If the rule is new or has been modified, the column contains Icon-PendingPlus.png . Once the rules are applied, the pending indicator is removed.
NameThis is the rule name, a descriptive identifier for the rule.
ConditionThis is the definition of the condition that triggers an action when matched.
SessionDataThis column displays the Session Data action taken when a packet matches the rule. Possible values are Filter, Keep, or Truncate.
AlertThis column displays the name of the custom alert that the Decoder generates when metadata matches the rule.
StatusThis column indicates whether the rule is enabled or disabled with a circle icon. If the circle is filled green, the rule is enabled. If the circle is empty, the rule is disabled.

The Rule Editor dialog provides the fields and options needed to define an application rule. 

Rule NameThe descriptive name that identifies the rule.
ConditionThe definition of the condition that triggers an action when matched. You can type directly in the field or build the condition in this field using meta from the Intellisense window actions. As you build the rule definition, Intellisense displays syntax errors and warnings.

The following table describes the Session Data actions and options.

Stop Rule ProcessingIf checked, further rule evaluation ends if the rule is matched, and the session is saved in accordance with the session action. If not checked, rule evaluation continues until all rules are evaluated.
KeepThe packet payload and associated metadata are saved when they match the rule.
FilterThe packet is not saved when it matches the rule.
TruncateThe packet payload is not saved when it matches the rule, but packet headers and associated metadata are retained.
Alert and Alert OnIf Alert is checked, the packet generates a custom alert when metadata matches the rule. You can select the name of the alert in the Alert On field.
ForwardEnables the performance of syslog forwarding when the log matches the rule.
TransientPrevents the alert metadata that is created from being written to the disk.

The following table describes Rule Editor dialog actions. 

ResetResets the contents of the dialog to their values before editing; changes are discarded.
ValidateValidates that the rule syntax is correct.
CancelCancels any edits and closes the Rule Editor dialog.
OKSaves the new rule or edited rule, and adds it to the rules grid. The Rule Editor dialog closes.
You are here: References > Services Config View - Rules Tabs > App Rules Tab