i am trying to find the rule logic for the rules that are populated under the Alert.id Meta Key on the the Investigation Pane. I found some of them under the Application Rule tab on the decoder but not all of the ones I am looking for. Is there a way I can get to that information through the UI or do i need to ssh into one of the appliances? or is there a reference online where I can search for the rule logic?
alert.id is an internal metakey used by application rules, feeds and parsers. a single metavalue in alert.id is then processed by3 feeds (alertids_info.feed, alertids_suspicious.feed, & alertids_warning) These feeds, populate multiple metakey values from any match, to keys like risk.info, risk.suspicious, risk.warning, threat.source, threat.category, etc.
So to answer your question, there are not just a set of rules that write to this key, parsers, and other feeds also write to this key. (note you can look at the "Parsers Configuration" section of a Packet Decoder and expand the parsers to see which ones write to the alert.id key.
So for example i am looking at the alert id nw32765, trying to figure out what logic was used to fire this alert. There are several of these under the Application Rules tab under the decoder but not this particular one. Also what if i wanted to change the name of the meta value to be more descriptive?
As I said, that alert.id is not meant for use in customer rules, they are for expanding one value to multiple keys from the alerted feeds. They have already been converted to a "human readable form" by the feeds. please IGNORE alert.id, in face hide the key.
If you rally want to know what nw32765 is, drill on it. Then look at the number of sessions for that key, and look at information in the following keys, for a value that has the EXACT same number of sessions:
If you have loaded the "hunting pack" from RSA Live, the above keys are deprecated and are replaced by new keys:
Session Analysis (analysis.session)
Service Analysis (analysis.service)
File Analysis (analysis.file)
Investigation Category (inv.category)
Investigation Context (inv.context)
FYI - nw32765 is in risk.info "http1.1 without referer header"
"risk.info" it is not an "alert" its just information used to aide in finding specific types of traffic.
FWIW: RSA is working on moving away from the "nwxxxx" values and will be replacing them with more descriptive names in a future release.