Decoder: Network Rules Tab

Document created by RSA Information Design and Development on Sep 13, 2017Last modified by RSA Information Design and Development on Oct 11, 2017
Version 6Show Document
  • View in full screen mode
 

The Network Rules tab (ADMIN > Services > select a Decoder and click Actions menu > View > Config > Network Rules tab) enables you to manage network rules. NetWitness Suite applies network rules at the packet level. Network rules consist of rule sets from Layer 2, Layer 3, and Layer 4. Multiple rules can be applied to the Decoder. Rules can be applied to multiple layers (for example, when a network rule filters out specific ports for a specific IP address). Network rules apply only to packet Decoders.

What do you want to do?

                  
User RoleI want to...Documentation
Administratoradd, edit, or fix network rulesConfigure Network Rules

Related Topics

Quick Look

The following figure shows the Network Rules tab.

This is an example of the Network Rules tab.

The following figure shows the Rule Editor dialog for a network rule.

This is the Rule Editor dialog.

The following table describes the columns in the Network Rules grid.

                                   
ColumnDescription
Pending This column indicates whether a rule has pending changes. Rules that are currently active on the Decoder have no indicator. If the rule is new or has been modified, the column contains The pending indicator. Once the rules are applied, the pending indicator is removed.
Name This is the rule name, a descriptive identifier for the rule.
Condition This is the definition of the condition that triggers an action when matched.
Packet Data This column displays the Session Data action taken when a packet matches the rule. Possible values are Filter, Keep, or Truncate.
Alert This column indicates whether the Decoder generates a custom alert when metadata matches the rule. Possible values are Enabled or Disabled.
Status This column indicates whether the rule is enabled or disabled with a circle icon. If the circle is filled green, the rule is enabled. If the circle is empty, the rule is disabled.

The Rule Editor dialog provides the fields and options needed to define a network rule.

The following table describes the Rule Definition fields.

                   
FieldDescription
Rule Name The descriptive name that identifies the rule.
Condition The definition of the condition that triggers an action when matched. You can type directly in the field or build the condition in this field using meta from the Intellisense window actions. As you build the rule definition, Intellisense displays syntax errors and warnings.

In conditions, all string literals and time stamps must be quoted. Do not quote number values and IP addresses. Configure Decoder Rules provides additional details. This section also describes the meta keys that NetWitness Suite supports for use in network rule conditions.

The following table describes the Session Data actions.

                           
ActionDescription
Stop Rule Processing If checked, further rule evaluation ends if the rule is matched, and the session is saved as indicated. If not checked, rule evaluation continues until all rules are evaluated.
Keep The packet payload and associated meta are saved when they match the rule.
Filter The packet is not saved when it matches the rule.
Truncate The packet payload is not saved when it matches the rule, but packet headers and associated meta are retained.

The following table describes the session options. 

                           
ActionDescription
Assemble If checked, the assembler assembles the packet chain when it matches the rule.
Network Meta The packet generates network metadata when it matches the rule.
Application Meta The packet generates application metadata when it matches the rule.
Alert The packet generates a custom alert when metadata matches the rule.

The following table describes Rule Editor dialog actions. 

                           
ActionDescription
Reset Resets the contents of the dialog to their values before editing; changes are discarded.
Cancel Cancels any edits and closes the Rule Editor dialog.
OK Saves the new rule or edited rule, and adds it to the rules grid. The Rule Editor dialog closes.
Save (Rules with deprecated syntax only) Applies a corrected rule individually to the Decoder service. See Fix Rules with Invalid Syntax.
You are here
Table of Contents > Decoder and Log Decoder References > Services Config View - Network Rules Tab

Attachments

    Outcomes