This topic introduces application rules and provides instructions for creating application rules.
Application layer rules are applied at the session level.
Sample Application Rules
To truncate packets carried via Server Message Block protocol (SMB), create a rule as follows:
- Rule Name: Truncate SMB
- Condition: service=139
- Rule Action: Truncate
To retain email to and from a specific e‐mail address, create a rule as follows:
- Rule Name: Email Filter Tom Jones
- Condition: email=Tom.Jones@TheShop.com
- Rule Action: Filter
Navigate to the App Rules Tab
Navigating to the App Rules tab is always the first step in defining application rules. To access the App Rules tab:
- In the Security Analytics menu, select Administration > Services.
- Select a Decoder or Log Decoder service and > View > Config.
The Systems Config view for the selected service is displayed.
- Select the App Rules tab.
Add or Edit an Application Rule
In the App Rules tab:
- Do one of the following:
- The Rule Editor Dialog is displayed with application rule parameters.
- In the Rule Name field, type a name for the rule. For example, for a rule that truncates all SMB, type Truncate SMB.
- In the Condition field, build the rule condition that triggers an action when matched. You can type directly in the field or build the condition in this field using meta from the window actions. As you build the rule definition, Security Analytics displays syntax errors and warnings. For example, to truncate all SMB, type service=139.
- If you want rule evaluation to end with this rule, check the Stop Rule Processing checkbox.
- In the Session Data section, choose one of the following actions to apply when a matching packet is found:
- Keep: The packet payload and associated meta are saved when they match the rule.
- Filter: The packet is not saved when it matches the rule.
- Truncate: The packet payload is not saved when it matches the rule, but packet headers and associated meta are retained.
- In the Session Options section, do any of the following:
- To generate a custom alert when a session metadata matches the rule, enable the Alert flag and select the name of the alert meta from the Alert On drop-down list.
- To perform syslog forwarding when the log matches the rule, enable the Forward flag.
Note: Make sure that:
- You have enabled both the Alert and Forward flags to carry out syslog forwarding.
- The name of the rule mentioned in the Rule Editor dialog matches the syslog forwarding destination name specified in the Log Decoder > View > Explore > /decoder/config/logs.forwarding.destination parameter.
- To prevent the alert metadata that is created from being written to the disk, enable the Transient flag.
- To save the rule and add it to the grid, click OK.
The rule is added at the end of the grid or inserted where you specified in the context menu. The plus sign is displayed in the Pending column.
- Check that the rule is in the correct execution sequence with other rules in the grid. If necessary, move the rule.
- To apply the updated rule set to the Decoder or Log Decoder, click Apply.
Security Analytics saves a snapshot of the currently applied rules, then applies the updated set to the Decoder and removes the pending indicator from the rules that were pending.