Decoder: Configure Application Rules

Document created by RSA Information Design and Development Employee on Mar 22, 2017Last modified by RSA Information Design and Development Employee on Sep 25, 2017
Version 3Show Document
  • View in full screen mode

This topic introduces application rules and provides instructions for creating application rules.

Application layer rules are applied at the session level.

Sample Application Rules

To truncate packets carried via Server Message Block protocol (SMB), create a rule as follows:

  • Rule Name: Truncate SMB
  • Condition: service=139
  • Rule Action: Truncate

To retain email to and from a specific e‐mail address, create a rule as follows:


Navigate to the App Rules Tab

Navigating to the App Rules tab is always the first step in defining application rules. To access the App Rules tab:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Decoder or Log Decoder service and Actions menu cropped > View > Config
    The Systems Config view for the selected service is displayed.
  3. Select the App Rules tab.


Add or Edit an Application Rule

In the App Rules tab:

  1. Do one of the following:
  • If adding a new rule, click Icon-Add.png .
  • If editing a rule, select the rule from the rules grid and click icon-edit.png.
  1. The Rule Editor Dialog is displayed with application rule parameters.AppRuleEditDg.png
  2. In the Rule Name field, type a name for the rule. For example, for a rule that truncates all SMB, type Truncate SMB.
  3. In the Condition field, build the rule condition that triggers an action when matched. You can type directly in the field or build the condition in this field using meta from the window actions. As you build the rule definition, Security Analytics displays syntax errors and warnings. For example, to truncate all SMB, type service=139.
    All string literals and time stamps must be quoted. Do not quote number values and IP addresses. The Rule and Query Guidelines topic provides additional details.
  4. If you want rule evaluation to end with this rule, check the Stop Rule Processing checkbox.
  5. In the Session Data section, choose one of the following actions to apply when a matching packet is found:
  • Keep: The packet payload and associated meta are saved when they match the rule.
  • Filter: The packet is not saved when it matches the rule.
  • Truncate: The packet payload is not saved when it matches the rule, but packet headers and associated meta are retained.
  1. In the Session Options section, do any of the following:
  • To generate a custom alert when a session metadata matches the rule, enable the Alert flag and select the name of the alert meta from the Alert On drop-down list.
  • To perform syslog forwarding when the log matches the rule, enable the Forward flag.

    Note:  Make sure that:
    - You have enabled both the Alert and Forward flags to carry out syslog forwarding.
    - The name of the rule mentioned in the Rule Editor dialog matches the syslog forwarding destination name specified in the Log Decoder > View > Explore > /decoder/config/logs.forwarding.destination parameter.

  • To prevent the alert metadata that is created from being written to the disk, enable the Transient flag.
  1. To save the rule and add it to the grid, click OK.
    The rule is added at the end of the grid or inserted where you specified in the context menu. The plus sign is displayed in the Pending column.
  2. Check that the rule is in the correct execution sequence with other rules in the grid. If necessary, move the rule.
  3. To apply the updated rule set to the Decoder or Log Decoder, click Apply.
    Security Analytics saves a snapshot of the currently applied rules, then applies the updated set to the Decoder and removes the pending indicator from the rules that were pending.
You are here
Table of Contents > Required Procedures > Step 4. Configure Decoder Rules > Decoder: Configure Application Rules