Decoder: Configure Network Rules

Document created by RSA Information Design and Development on Jul 26, 2016. Last modified by RSA Information Design and Development on Sep 28, 2016.

Network rules do not apply to Log Decoders. Network layer rules are applied at the packet level on a Decoder and are made up of rule sets from Layer 2 ‐ Layer 4. Network rules can apply to multiple network layers (for example, when a network rule filters out specific ports for a specific IP address).

Sample Network Rules

To truncate all SSL from the source port, create a rule as follows:

  • Rule Name: Truncate SSL
  • Condition: tcp.srcport=443
  • Rule Action: Truncate

To filter subnet traffic, create a rule as follows:

  • Rule Name: Subnet Filter
  • Condition: ip.addr=
  • Rule Action: Filter

Navigate to the Network Rules Tab

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Decoder service, click the actions icon (ic-actns.png), and select View > Config.
    The Services Config view for the selected service is displayed.
  3. Select the Network Rules tab.
    The Network Rules tab is displayed.

Add or Edit a Network Rule

  1. In the Network Rules tab, do one of the following:
  • If adding a new rule, click the Add icon (Icon-Add.png).
  • If editing a rule, select the rule from the rules grid and click the Edit icon (icon-edit.png).
    The Rule Editor dialog is displayed.
  2. In the Rule Name field, provide a name for the rule. For example, for a rule that truncates all SSL from the source port, type SSL Truncate.
  3. In the Condition field, build the rule condition that triggers an action when matched. You can type directly in the field or build the condition from meta using the window actions. As you build the rule definition, Security Analytics displays syntax errors and warnings. For example, to truncate all SSL from the source port, type tcp.srcport=443.
  4. If you want rule evaluation to end with this rule, select the Stop Rule Processing checkbox.
  5. In the Session Data section, choose one of the following actions to apply when a matching packet is found:
  • Keep: The packet payload and associated meta are saved when they match the rule.
  • Filter: The packet is not saved when it matches the rule.
  • Truncate: The packet payload is not saved when it matches the rule, but packet headers and associated meta are retained.
  6. In the Session Options section, select any of the following four options that apply:
  • Assemble: The assembler assembles the packet chain when it matches the rule.
  • Network Meta: The packet generates network metadata when it matches the rule.
  • Application Meta: The packet generates application metadata when it matches the rule.
  • Alert: The packet generates a custom alert when metadata matches the rule.
  7. To save the rule and add it to the grid, click OK.
    The rule is added at the end of the grid or inserted where you specified in the context menu.
  8. Check that the rule is in the correct execution sequence with other rules in the grid. If necessary, move the rule.
  9. To apply the updated rule set to the Decoder, click Apply.

    Security Analytics saves a snapshot of the currently applied rules, then applies the updated set to the Decoder and removes the pending indicator from the rules that were pending.
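The two sample rules above (Truncate SSL and Subnet Filter) and the ordering and Stop Rule Processing steps of the procedure can be exercised in a small simulator. The following Python is an added example; it is not part of the RSA documentation and does not reproduce the Decoder's real rule engine. It assumes a toy subset of the condition syntax (key=value clauses joined by &&, with ip.addr accepting a host or a CIDR prefix), and it assumes that rules are evaluated in grid order, that each matching rule sets the session action, and that evaluation stops early only when a matching rule has Stop Rule Processing set. The 10.0.0.0/8 prefix for the subnet filter and all packet metadata are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# A packet is modelled as a dict of meta key -> value, using the same key
# names as the page's sample conditions (tcp.srcport, ip.addr). Constructed.
Packet = Dict[str, object]


@dataclass
class NetworkRule:
    """One row of the Network Rules grid (toy model, not the product's schema)."""
    name: str                      # Rule Name field
    condition: str                 # Condition field, e.g. "tcp.srcport=443"
    action: str                    # Session Data: "Keep", "Filter" or "Truncate"
    stop_processing: bool = False  # Stop Rule Processing checkbox


def parse_condition(condition: str) -> Dict[str, str]:
    """Parse 'key=value' clauses joined by '&&' into a dict.

    Assumption: this is a deliberately small subset of the real condition
    syntax; anything else raises, mirroring the editor's syntax errors.
    """
    clauses: Dict[str, str] = {}
    for clause in condition.split("&&"):
        key, sep, value = clause.strip().partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            raise ValueError(f"invalid condition clause: {clause.strip()!r}")
        clauses[key] = value
    return clauses


def matches(packet: Packet, condition: str) -> bool:
    """Return True when every clause of the condition holds for the packet."""
    for key, value in parse_condition(condition).items():
        if key == "ip.addr":
            # ip.addr matches either endpoint; the value may be a host or a prefix.
            network = ipaddress.ip_network(value, strict=False)
            endpoints = [packet.get("ip.src"), packet.get("ip.dst")]
            if not any(ep is not None and ipaddress.ip_address(ep) in network
                       for ep in endpoints):
                return False
        elif str(packet.get(key)) != value:
            return False
    return True


def evaluate(rules: List[NetworkRule], packet: Packet) -> Dict[str, object]:
    """Walk the grid top to bottom and return the resulting session action.

    Assumption (not stated on the page): every matching rule sets the action,
    so a later match overrides an earlier one unless the earlier rule has
    Stop Rule Processing set. Packets matching no rule are kept.
    """
    result: Dict[str, object] = {"action": "Keep", "matched": []}
    for rule in rules:
        if matches(packet, rule.condition):
            result["matched"].append(rule.name)
            result["action"] = rule.action
            if rule.stop_processing:
                break
    return result


# The page's two sample rules, with a constructed prefix for the subnet filter.
SAMPLE_RULES = [
    NetworkRule("Truncate SSL", "tcp.srcport=443", "Truncate"),
    NetworkRule("Subnet Filter", "ip.addr=10.0.0.0/8", "Filter"),
]

# Constructed packets: HTTPS responses from inside and outside 10/8, and plain HTTP.
SSL_FROM_INTERNAL: Packet = {"ip.src": "10.1.2.3", "ip.dst": "192.0.2.10", "tcp.srcport": 443}
SSL_FROM_EXTERNAL: Packet = {"ip.src": "198.51.100.7", "ip.dst": "192.0.2.10", "tcp.srcport": 443}
HTTP_FROM_EXTERNAL: Packet = {"ip.src": "198.51.100.7", "ip.dst": "192.0.2.10", "tcp.srcport": 80}


def compare_ordering() -> Dict[str, str]:
    """Show why checking the execution sequence matters.

    The same packet ends up Filtered or Truncated depending only on rule order
    and the Stop Rule Processing flag; a packet matching nothing is Kept.
    """
    stop_on_truncate = [
        NetworkRule("Truncate SSL", "tcp.srcport=443", "Truncate", stop_processing=True),
        SAMPLE_RULES[1],
    ]
    return {
        "internal SSL, grid order": evaluate(SAMPLE_RULES, SSL_FROM_INTERNAL)["action"],
        "internal SSL, truncate stops": evaluate(stop_on_truncate, SSL_FROM_INTERNAL)["action"],
        "external SSL, grid order": evaluate(SAMPLE_RULES, SSL_FROM_EXTERNAL)["action"],
        "external HTTP, grid order": evaluate(SAMPLE_RULES, HTTP_FROM_EXTERNAL)["action"],
    }


if __name__ == "__main__":
    for label, action in compare_ordering().items():
        print(f"{label}: {action}")
```

The point of compare_ordering is the one the procedure makes in its execution-sequence step: with the two sample rules in grid order, an SSL packet from inside the filtered subnet is dropped entirely by the later Subnet Filter rule, whereas setting Stop Rule Processing on Truncate SSL keeps its headers and meta. Whether the real Decoder lets a later match override an earlier one is an assumption of this model, so confirm it against the product before relying on that ordering.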