Customers need to export all ESA rules for review.
Log on to the SA Server via SSH as root and run the following command:
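# Export every document in the "rule" collection of the "sa" database to rules.csv
# (written to the current working directory). Only the listed fields are exported;
# the header row comes first in the file. Backslash line continuations keep this a
# single logical command, so it can be pasted exactly as shown.
# On newer mongoexport releases the deprecated --csv flag is spelled --type=csv.
mongoexport --csv -d sa -c rule -o rules.csv \
  -f _id,class,statements,conditions,outputActions,\
enrichments,type,severityId,templateId,name,description,enabled,createdBy,dateCreated,modifiedBy,\
dateModified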
Note that this is a single, one-line command; line breaks have been inserted here for ease of reading.
The command exports the rules to a file named rules.csv in the current directory.
The following is sample output from this command. Note that line breaks have been inserted here for ease of reading.
[root@SA-SA-30 ~]# less rules.csv
_id,class,statements,conditions,outputActions,enrichments,type,severityId,templateId,name,description,enabled,createdBy,
dateCreated,modifiedBy,dateModified,"esa000002",,,,,,"ESA_CONTENT","LOW","esa000002","Direct Login By A Guest Account",
"A successful interactive or remote interactive logon to a guest account on a Windows host.
The guest user list is configurable.",
false,,,"admin",2017-01-25T19:45:09Z
"esa000003",,,,,,"ESA_CONTENT","LOW","esa000003","Excessive Web Server Errors From Same IP",
"Five or more error code responses from a web server that begin with the number 4 or 5 for the
same source IP within 1 minute. Both the number of errors and time window are configurable.",
false,,,"admin",2017-01-25T19:45:09Z
"esa000150",,,,,,"ESA_CONTENT","LOW","esa000150","Rogue DHCP Server Detected","Detects traffic sourced
on UDP 67/68 that is not a legitimate DHCP server, based on a whitelist of IP addresses that is
configurable. Prerequisites for logs are: meta key ""protocol"" must be indexed by the Log Decoder
within the table-map.xml file and the Concentrator within the index-concentrator-custom.xml file. ",
false,,,"admin",2017-01-13T17:28:14Z
ObjectID(5515934ae4b06c8fbbefdabe),,,,"[]","[]","ESA_ADVANCED","LOW","Advanced_Template","SAMPLE - P2P
Software as Detected by an Intrusion Detection Device-Forwarder","Auto-generated from rule SAMPLE - P2P
Software as Detected by an Intrusion Detection Device",true,"admin",2015-03-27T17:28:42Z,
"Unknown identity",2016-09-07T17:46:43Z
ObjectID(5515934ae4b06c8fbbefdabf),,"[ { ""_id"" : ""901170f1-86fd-45b1-99d8-8d87ba27527d"", ""name"" :
""Intrusion Log Message"", ""conditionType"" : ""AllMet"", ""statementLines"
" : [ { ""statementId"" : """", ""metaKeyId"" : ""medium"", ""conditionId"" : ""Is"", ""value"" : ""32"",
""array"" : false, ""evaluationType"" : ""Is"", ""ignoreCase"" : false }, { ""statementId"" :
""901170f1-86fd-45b1-99d8-8d87ba27527d"", ""metaKeyId"" : ""device_class"", ""conditionId"" : ""Is"",
""value"" : ""IDS, Firewall, IPS, Intrusion, Vulnerability"", ""array"" : true, ""evaluationType"" :
""Is"", ""ignoreCase"" : false } ] }, { ""_id"" : ""761e64a8-1b4e-495d-b3cc-6b7b256a1f22"", ""name"" :
""P2P Detection"", ""conditionType"" : ""OneMet"", ""statementLines"" : [ { ""statementId"" : """",
""metaKeyId"" : ""policy_name"", ""conditionId"" : ""Contains"", ""value"" : ""P2P"", ""array"
" : false, ""evaluationType"" : ""Contains"", ""ignoreCase"" : false }, { ""statementId"" : ""
761e64a8-1b4e-495d-b3cc-6b7b256a1f22"", ""metaKeyId"" : ""policy_name"", ""conditionId"" : ""Contains"
", ""value"" : ""p2p"", ""array"" : false, ""evaluationType"" : ""Contains"", ""ignoreCase"" : false } ] } ]",
"[ { ""_id"" : ""08b17742-505d-4844-a487-4615bd359608"", ""connectorType"" : ""AND"", ""statementId"" : "
"901170f1-86fd-45b1-99d8-8d87ba27527d"", ""joinOn"" : """", ""occur"" : 1 },
{ ""_id"" : ""66f9d42b-7158-4107-b9e4-925b3e160f55"", ""connectorType"" : ""NONE"", ""statementId"" :
""761e64a8-1b4e-495d-b3cc-6b7b256a1f22"", ""joinOn"" : """", ""occur"" : 1 } ]","[]","[]","ESA_BASIC",
"LOW","Basic_Template","SAMPLE - P2P Software as Detected by an Intrusion Detection Device",
"P2P software as detected by an intrusion detection device (IDS),intrusion prevention device (IPS),
firewall or vulnerability scanner.",true,"admin",2015-03-27T17:28:42Z,"Unknown identity",
2016-09-07T17:46:43Z
ObjectID(551596e4e4b06c8fbbefdac1),,,,"[]","[]","ESA_ADVANCED","LOW","Advanced_Template",
"SAMPLE - Non SMTP Traffic on TCP Port 25 Containing Executable-Forwarder",
"Auto-generated from rule SAMPLE - Non SMTP Traffic on TCP Port 25 Containing Executable",
true,"admin",2015-03-27T17:44:04Z,"Unknown identity",2016-09-07T17:46:43Z
ObjectID(551596e4e4b06c8fbbefdac2),,"[ { ""_id"" : ""98472b6d-13dc-40c5-b086-b571b617ee93"",
""name"" : ""Non SMTP Traffic on TCP Port 25 Containing Executable"", ""conditionType"" :
""AllMet"", ""statementLines"" : [ { ""statementId"" : """", ""metaKeyId"" : ""service"",
""conditionId"" : ""IsNot"", ""value"" : ""25"", ""array"" : false, ""evaluationType"" : ""IsNot"",
""ignoreCase"" : false }, { ""statementId"" : ""98472b6d-13dc-40c5-b086-b571b617ee93"",
""metaKeyId"" : ""tcp_dstport"", ""conditionId"" : ""Is"", ""value"" : ""25"", ""array"" : false,
""evaluationType"" : ""Is"", ""ignoreCase"" : false }, { ""statementId"" :
""98472b6d-13dc-40c5-b086-b571b617ee93"", ""metaKeyId"" : ""extension"", ""conditionId"" : ""Is"",
""value"" : ""exe,com,vb,vbs,vbe,cmd,bat,ws,wsf,scr,shs,pif,hta,jar,js,jse,lnk"", ""array"" : true,
""evaluationType"" : ""Is"", ""ignoreCase"" : false } ] } ]",
"[ { ""_id"" : ""f6793715-bf4a-491a-ab69-fc6a8a7b0469"", ""connectorType"" : ""NONE"", ""statementId"" :
""98472b6d-13dc-40c5-b086-b571b617ee93"", ""joinOn"" : """", ""occur"" : 1 } ]","[]","[]",
"ESA_BASIC","LOW","Basic_Template","SAMPLE - Non SMTP Traffic on TCP Port 25 Containing Executable",
"Monitors for non-SMTP traffic on TCP destination port 25 containing executable. ",true,
"admin",2015-03-27T17:44:04Z,"Unknown identity",2016-09-07T17:46:43Z
ObjectID(55fc53d6a7c8c6844ce189a1),,,,"[]","[]","ESA_ADVANCED","LOW","Advanced_Template",
"SAMPLE - Whitelist - From outside of Germany, P2P Software as Detected by an Intrusion Detection Device-Forwarder",
"Auto-generated from rule SAMPLE - Whitelist - From outside of Germany,
P2P Software as Detected by an Intrusion Detection Device",
true,"admin",2015-09-18T18:11:34Z,"Unknown identity",2016-09-07T17:46:43Z
[truncated]