Decoder: Step 4: Configure Decoder Rules

Document created by RSA Information Design and Development on Jul 27, 2016Last modified by RSA Information Design and Development on Sep 28, 2016
Version 4Show Document
  • View in full screen mode

Capture rules define the data collected by a Decoder or Log Decoder. Rules are filters created for specific metadata, which result in predefined actions when matches are found. For example, to keep all traffic that fits certain criteria, but discard all other traffic, you can create a rule to perform the necessary actions. When applied, rules affect both packet capture file importing, as well as live network capture.

The NextGen System Administrator Guide provides detailed information about capture rule syntax.

By default, no rules are defined when you first install Security Analytics. Until rules are specified, the packets are not filtered. You can define three types of rules: Network Layer Rules, Application Layer Rules, and Correlation Rules.

Network Layer Rules

Network layer rules are applied at the packet level and are made up of rule sets from Layer 2, Layer 3, and Layer 4. Multiple rules can be applied to the Decoder. Rules can be applied to multiple layers (for example, when a network rule filters out specific ports for a specific IP address).

Application Layer Rules

Application layer rules are applied at the session level. If the first rule listed is not a match, the Decoder then attempts to match the next rule listed, until a match is found.

Correlation Rules

Correlation rules are applied over a configurable slice of time on a Concentrator or Decoder. When a match is found, the service creates a new super session that identifies other sessions that match the rule, then creates a session list for analysis.

Common Uses

The two most common uses of rules are:

  • To filter out certain types of traffic that do not add value to the analysis of the data
  • To alert, and thereby create a custom alert meta value, when certain conditions are found

Types of Rules

Decoder rules fall into three categories:

  • Network Layer Rules
  • Application Layer Rules
  • Correlation Rules

Rule Sets

Groups of capture rules form rule sets, which you can import and export. This feature enables use of multiple rule sets for various scenarios. You can import the exported rule set, in the form of an .nwr file, to other Security Analytics services, simplifying the deployment and configuration of multiple services.

Rule Processing

These are the principles governing capture rule processing:

  • Multiple rules can be applied to the Decoder.
  • Capture rules are executed one after the other, in sequence.
  • Rule processing stops when all rules are processed or after a rule configured to stop rule processing is matched.
  • A default rule can be used to either include or exclude all traffic not otherwise selected by a rule. A default rule, if used, must always be placed at the bottom of the rule list. Otherwise, rule processing stops as soon as the default rule is evaluated since, by definition, all traffic is selected by the default rule.
  • When rule processing stops, the session is saved using the configured session options and debug options.

Rule Configuration Features

The Decoder and Log Decoder rules are editable in the Service Config view. While each type of rule (network, application, and correlation) has its own tab; the features and functions are similar for all types of rules. You can:

  • Add, edit, and delete rules
  • Enable and disable rules
  • Change the execution sequence of rules
  • Import rules from a file
  • Export rules to a file
  • Push rules to another service
  • Cancel or apply rule changes
  • Restore one of the last ten rule configurations

Capture Rule Syntax

The syntax for writing capture rules consists of comparing a field to a value using a comparison operator. The supported comparison operators are equals (=) and not equals(!=).

Values can be expressed as discrete values, a range of values, an upper or lower bound, or a combination of these three. Greater than (>) and less than (<) comparisons are accomplished through the use of ranges. You can create a greater than or less than comparison, and test equality or inequality against a range of values or an upper/lower bound.

The following table summarizes the supported comparison operators and the syntax for expressing values.

*Default rule. By using an asterisk (*) as the sole character in a rule, that rule will select all traffic.
=Equality operator.
!=Inequality operator.
&&Logical AND operator.
||Logical OR operator.
-uUpper bound. For example, to select all TCP ports above 40000, the syntax would be: tcp.port = 40000-u
l -Lower bound. For example, to select all TCP ports below 40000, the syntax would be: tcp.port = l-40000
- (dash)Denotes a range. This is only applicable to numeric values. Separate the lower and upper bounds of the range with a dash (-) character. For example, to select TCP ports between 25 and 443, the syntax would be: tcp.port = 25-443
, (comma)Denotes a list of values. Single values may be used as well as any combination of ranges and upper or lower bounds. For example, the following is valid syntax: tcp.port = 1-10,25,110,143-225,40000-u
( )Grouping operator. An expression can be enclosed in parentheses to create a new logical expression. For example, the following would select traffic on port 80 to/from OR traffic on port 443 to/from (ip.addr= && tcp.port=80) || (ip.addr= && tcp.port=443)


Configure Capture Rules

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services view, select a Decoder service and Actions menu cropped > View > Config.
  3. In the Services Config view, select one of the Rules tabs: Network Rules, App Rules, or Correlation Rules.
    The Rule editor for the selected rule type is displayed.

Each type of rule has a grid with slightly different columns and different parameters. Several basic guidelines apply to all rule management activities:

  • The rules are executed in the sequence they are displayed in the grid. To change the execution sequence of rules, drag and drop rules to the appropriate location in the grid or use the context menu options to arrange the rules in the grid.
  • To select a single row, click the row.
  • To select a group of adjacent rows, click the first, then shift-click the row at the end of the group.
  • To select multiple non-adjacent rows, click the first, then control-click the others.
  • When editing rules in the rules tab, you must apply the configuration changes in order to activate.
  • Until changes are applied, you can discard edits to the grid and revert to the unedited rules.
  • Once rules are applied, you can recover the last ten rules configurations using the History option in the Actions menu.

Add a Rule

To add a rule in any Rules tab, do one of the following:

  • Click Icon-Add.png.
  • Right-click a rule, and select Insert Above or Insert Below from the context menu.
    The Rule Editor dialog for that type of rule is displayed.

For more details, see one of the following sections:

Remove a Rule

  1. From any Rules tab, select the rules to remove from the rules grid.
  2. Click Icon_Delete_sm.png.
    The selected rules are removed from the grid, but still exist on the service.

Edit a Rule

  1. From any Rules tab, select the rule to edit.
  2. Click icon-edit.png or double-click the rule row.
    The Rule Editor dialog for that type of rule is displayed. For more details, see one of the following sections:

Disable a Rule

  1. From any Rules tab, select the rules to disable.
  2. Click 104Disable.png.
    The status changes to disabled in the grid, but the rule is still enabled on the service.

Enable a Rule

  1. From any Rules tab, select the rules to enable.
  2. Click 104Enable.png.
    The status changes to enabled in the grid, but the rule is still disabled on the service.

Import Rules from a File

You can import network, application, and correlation rules to a Decoder from a file that contains rules of the same type. After the rules are imported, you can edit and manage them as you would any other rules.

When you attempt to import a group of rules, Security Analytics Administration checks the type of rules imported. If you are successful, a message displays the number of rules imported. If the rule type differs from the active tab type, the rules are not imported. You must re-import the rules under the correct tab or select another file to import.

To import rules to a service:

  1. From any Rules tab:
  2. Select Icon_ActionsMenu-rule.png > Import.
    The Import dialog is displayed.
  3. Click Icon-Add.png.
    A view of the directory structure is displayed.
  4. Choose one or more NetWitness rules (.nwr) files to import, and click Open.
    The file is added to the list in the Import dialog.
  5. Click the Import button.
    The rules are imported into the user interface. Imported rules have a red corner in each edited column.
  6. Edit or reorder the rules if needed.
  7. To save the rules to the service, click Apply.
    The rules for the service are updated with the changes.

Export a Rule to a File

  1. If you want to export a subset of the rules, select the rules to be exported.
  2. Do one of the following:
    • In the toolbar, select Icon_ActionsMenu-rule.png > Export. In the submenu, select Selection. (Export > All exports all rules in the grid even if you have a subset selected for export.)
    • Use the Context Menu > Export > Selection option.
      A prompt for the filename is displayed.
  3. Enter the filename and click Export.
    The .nwr file is downloaded.

Push Rules to Other Services

To push rules from this Decoder to other Decoders:

  1. Select the rules you want to push to another Decoder.
  2. Do one of the following:
    • Select Icon_ActionsMenu-rule.png > Push.
    • Right-click the selected rules, then in the Context Menu select Push Selected Rules.
  3. The Push dialog is displayed.
  4. Select the Push Option.
    • Select Merge to update existing rules on the target service and add new ones.
    • Select Replace to deleting existing rules on the target service and add the rules from source service.
  5. In the Services Tab, select the services to receive the pushed rules, or select the groups of services from the Groups tab.
  6. Click Push.
    The rules are pushed to the selected services, and become effective immediately.

Change Execution Order of Rules

Capture rules are applied in the order they are displayed in the grid. To reorder rules, use either of these methods:

  • Drag and drop the rules in the appropriate location in the grid.
  • Right-click a rule to display the context menu, and use the Cut and Paste options.

Restore a Rule Snapshot from History

Security Analytics keeps the last ten snapshots of rules applied to a service. To restore a rules snapshot from history:

  1. Select Icon_ActionsMenu-rule.png > History.
    A submenu of snapshots is displayed.
  2. Select the snapshot time from the submenu.
    The rules from the snapshot are loaded into the grid, replacing the current set. But the current set is still in use on the service.
  3. To apply the rules to the service, click Apply.
    The rules are applied to the service.
You are here: Required Procedures > Decoder: Step 4: Configure Decoder Rules