Decoder: Step 4. Configure Decoder Rules

Document created by RSA Information Design and Development on Mar 22, 2017Last modified by RSA Information Design and Development on Sep 25, 2017
Version 3Show Document
  • View in full screen mode
  

This topic provides procedures for creating and managing rules for Decoder or Log Decoder traffic capture in the Services Config view > Rules tabs. 

Capture rules can add alerts or contextual information to sessions or logs. They can also define which data is filtered out by a Decoder or Log Decoder. Rules are created for specific metadata patterns, which result in predefined actions when matches are found. For example, to keep all traffic that fits certain criteria, but discard all other traffic, you can create a rule to perform the necessary actions. When applied, rules affect both packet capture file importing, as well as live network capture.

Rule and Query Guidelines provides guidelines that all queries and rule conditions in Security Analytics Core Services must follow.

By default, no rules are defined when you first install Security Analytics. Until rules are specified, the packets are not filtered. You can deploy the latest rules from Live. You can define three types of rules: Network Layer Rules, Application Layer Rules, and Correlation Rules.

Network Layer Rules

Network layer rules are applied at the packet level and are made up of rule sets from Layer 2, Layer 3, and Layer 4. Multiple rules can be applied to the Decoder. Rules can be applied to multiple layers (for example, when a network rule filters out specific ports for a specific IP address). Network rules are only available on packet Decoders.

Application Layer Rules

Application layer rules are applied at the session level. If the first rule listed is not a match, the Decoder then attempts to match the next rule listed, until a match is found.

Correlation Rules

Correlation rules are applied over a configurable sliding time window. When a match is found, the service creates a new super session that identifies other sessions that match the rule, then creates a session list for analysis.

Common Uses

The two most common uses of rules are:

  • To alert, and thereby create a custom alert meta value, when certain conditions are found
  • To filter out certain types of traffic that do not add value to the analysis of the data

Rule Sets

Groups of capture rules form rule sets, which you can import and export. This feature enables use of multiple rule sets for various scenarios. You can import the exported rule set, in the form of an .nwr file, to other Security Analytics services, simplifying the deployment and configuration of multiple services.

Rule Processing

These are the principles governing capture rule processing:

  • Multiple rules can be applied to the Decoder.
  • Capture rules are executed one after the other, in sequence.
  • Rule processing stops when all rules are processed or after a rule configured to stop rule processing is matched.
  • A default rule can be used to either include or exclude all traffic not otherwise selected by a rule. A default rule, if used, must always be placed at the bottom of the rule list. Otherwise, rule processing stops as soon as the default rule is evaluated since, by definition, all traffic is selected by the default rule.
  • When rule processing stops, the session is saved using the configured session options and debug options.

Rule Configuration

The Decoder and Log Decoder rules are editable in the Services Config view. While each type of rule (network, application, and correlation) has its own tab; the functions are similar for all types of rules. You can:

  • Add, edit, and delete rules
  • Enable and disable rules
  • Change the execution sequence of rules
  • Import rules from a file
  • Export rules to a file
  • Push rules to another service
  • Revert or apply rule changes
  • Restore one of the last ten rule configurations

Capture Rule Syntax

The syntax for writing capture rules consists of comparing a field to a value using a comparison operator. The supported comparison operators are equals (=) and not equals(!=).

Values can be expressed as discrete values, a range of values, an upper or lower bound, or a combination of these three. Greater than (>) and less than (<) comparisons are accomplished through the use of ranges. You can create a greater than or less than comparison, and test equality or inequality against a range of values or an upper/lower bound.

The following table summarizes the supported comparison operators and the syntax for expressing values.

                                                 
SyntaxDescription
* Default rule. By using an asterisk (*) as the sole character in a rule, that rule will select all traffic.
= Equality operator.
!= Inequality operator.
&& Logical AND operator.
|| Logical OR operator.
-u Upper bound. For example, to select all TCP ports above 40000, the syntax would be: tcp.port = 40000-u
l - Lower bound. For example, to select all TCP ports below 40000, the syntax would be: tcp.port = l-40000
- (dash)Denotes a range. This is only applicable to numeric values. Separate the lower and upper bounds of the range with a dash (-) character. For example, to select TCP ports between 25 and 443, the syntax would be: tcp.port = 25-443
, (comma)Denotes a list of values. Single values may be used as well as any combination of ranges and upper or lower bounds. For example, the following is valid syntax: tcp.port = 1-10,25,110,143-225,40000-u
( ) Grouping operator. An expression can be enclosed in parentheses to create a new logical expression. For example, the following would select traffic on port 80 to/from 192.168.1.1 OR traffic on port 443 to/from 10.10.10.1: (ip.addr=192.168.1.1 && tcp.port=80) || (ip.addr=10.10.10.1 && tcp.port=443)

Rule and Query Guidelines provides guidelines that all queries and rule conditions in Security Analytics Core Services must follow. 

Procedures

Configure Capture Rules

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services view, select a Decoder service and Actions menu cropped > View > Config.
  3. In the Services Config view, select one of the Rules tabs: Network Rules, App Rules, or Correlation Rules.
    The rules grid for the selected rule type is displayed.

Each type of rule has a grid with slightly different columns and different parameters. Several basic guidelines apply to all rule management activities:

  • The rules are executed in the sequence they are displayed in the grid. To change the execution sequence of rules, drag and drop rules to the appropriate location in the grid or use the context menu options to arrange the rules in the grid.
  • To select a single row, click the row.
  • To select a group of adjacent rows, click the first, then shift-click the row at the end of the group.
  • To select multiple non-adjacent rows, click the first, then control-click the others.
  • When editing rules in the rules tab, you must apply the configuration changes in order to activate.
  • Until changes are applied, you can discard edits to the grid and revert to the unedited rules.
  • Once rules are applied, you can recover the last ten rules configurations using the History option in the Actions menu.

Add a Rule

To add a rule in any Rules tab, do one of the following:

  • Click Icon-Add.png.
  • Right-click a rule, and select Insert Above or Insert Below from the context menu.
    The Rule Editor dialog for that type of rule is displayed.

For more details, see one of the following sections:

Remove a Rule

  1. From any Rules tab, select the rules to remove from the rules grid.
  2. Click Icon_Delete_sm.png.
    The selected rules are removed from the grid, but still exist on the service.

Edit a Rule

  1. From any Rules tab, select the rule to edit.
  2. Click icon-edit.png or double-click the rule row.
    The Rule Editor dialog for that type of rule is displayed. For more details, see one of the following sections:

Disable a Rule

  1. From any Rules tab, select the rules to disable.
  2. Click 104Disable.png.
    The status changes to disabled in the grid, but the rule is still enabled on the service.

Enable a Rule

  1. From any Rules tab, select the rules to enable.
  2. Click 104Enable.png.
    The status changes to enabled in the grid, but the rule is still disabled on the service.

Import Rules from a File

You can import network, application, and correlation rules to a Decoder from a file that contains rules of the same type. After the rules are imported, you can edit and manage them as you would any other rules.

When you attempt to import a group of rules, Security Analytics Administration checks the type of rules imported. If you are successful, a message displays the number of rules imported. If the rule type differs from the active tab type, the rules are not imported. You must re-import the rules under the correct tab or select another file to import.

To import rules to a service:

  1. From any Rules tab, select Icon_ActionsMenu-rule.png > Import.
    The Import dialog is displayed.
    104RulesImportDialog.png
  2. Click Icon-Add.png.
    A view of the directory structure is displayed.
  3. Choose one or more NetWitness rules (.nwr) files to import, and click Open.
    The file is added to the list in the Import dialog.
    104ImportRuleFile.png
  4. Click Import.
    The rules are imported into the user interface. Imported rules have a red corner in each edited column.
  5. Edit or reorder the rules if needed.
  6. To save the rules to the service, click Apply.
    The rules for the service are updated with the changes.

Export a Rule to a File

  1. To export a subset of the rules, select the rules to be exported.
  2. Do one of the following:
    • In the toolbar, select Icon_ActionsMenu-rule.png > Export > Selection. (Export > All exports all rules in the grid even if you have a subset selected for export.)
    • Right-click the selected rules and select Export Selection.

A prompt for the filename is displayed.
104ExportRules.png

  1. Enter the filename and click Export.
    The .nwr file is downloaded.

Push Rules to Other Services

You can apply (push) rules or selected rules to other services (Decoders or Log Decoders) or service groups.

Push Selected Rules

To push selected rules from this Decoder to other Decoders:

  1. From any Rules tab, select the rules that you want to push to another Decoder.
  2. Do one of the following:
    • Select Icon_ActionsMenu-rule.png > Push > Selection.
    • Right-click the selected rules and select Push Selected Rules.
      The Push Selected Rules dialog is displayed.
      PushSelectionSrv.png
  3. Select a Push Option:
    • Select Replace to delete all rules on the target services and replace them with the selected rules. This is the default selection.
    • Select Merge to merge the selected rules with the existing rules on the target services.
  4. On the Services tab, select the target services to receive the pushed rules, or select the groups of services from the Groups tab.
  5. Click Push.
    The rules are pushed to the selected services and become effective immediately.

Push All Rules

When you push all rules to other services, all rules on the target services are removed and replaced with all of the rules on the source service. 

To push all rules from this Decoder to other Decoders:

  1. From any Rules tab, select Icon_ActionsMenu-rule.png > Push > All.
    (Push > All pushes all rules in the grid even if you have a subset selected to push.) The Push Selected Rules dialog is displayed.
    PushAllSrv.png
  2. On the Services tab, select the target services to receive the pushed rules, or select the groups of services from the Groups tab.
  3. Click Push.
    All rules from the target services are deleted and replaced with all of the rules from source service. The rules become effective immediately.

Change Execution Order of Rules

Capture rules are applied in the order they are displayed in the grid. To reorder rules, use either of these methods:

  • Drag and drop the rules in the appropriate location in the grid.
  • Right-click a rule to display the context menu, and use the Cut and Paste options.

Restore a Rule Snapshot from History

Security Analytics keeps the last ten snapshots of rules applied to a service. To restore a rules snapshot from history:

  1. Select Icon_ActionsMenu-rule.png > History.
    A submenu of snapshots is displayed.
  2. Select the snapshot time from the submenu.
    The rules from the snapshot are loaded into the grid, replacing the current set. But the current set is still in use on the service.
  3. To apply the rules to the service, click Apply.
    The rules are applied to the service.
You are here
Table of Contents > Required Procedures > Step 4. Configure Decoder Rules

Attachments

    Outcomes