Fix Rules with Invalid Syntax

After an update to NetWitness 11.x, the user interface highlights any rules with invalid syntax. The Rule Editor provides additional tooltips. After you fix the rules, the highlights disappear. Configure Decoder Rules provides guidelines that all queries and rule conditions in NetWitness must follow.

To correct rules with invalid syntax:

  1. Go to Admin > Services.
  2. In the Services view, select a Decoder and click the actions menu > View > Config.
  3. In the Services Config view, select one of the Rules tabs: Network Rules, App Rules, or Correlation Rules.
    The Rules tab for the selected rule type shows the number of rules using invalid syntax, and the invalid rules are highlighted.

  4. Select an invalid rule and click Edit.
    The Rules Editor shows additional information for the invalid rule.
  5. In the Condition field, correct the rule syntax.
    All string literals and time stamps must be quoted. Do not quote number values and IP addresses. Configure Decoder Rules provides additional details.
    For example, if the invalid rule condition is ip.src="10.30.30.30", correct the syntax by removing the quotes: ip.src=10.30.30.30
  6. Do one of the following:
    • To correct the rule individually, click Save.
      The corrected rule is applied independently to the Decoder. The corrected rule appears on the Rules tab without highlights.
    • To correct the rule and apply the rule to the Decoder later with other rules, click OK.
      The corrected rule appears on the Rules tab without highlights. The rule is not applied to the Decoder.
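The quoting rule from step 5 can also be checked outside the Rule Editor before rules are re-imported. The following Python is an added example and is not NetWitness code or its real rule grammar: it assumes (constructed) conditions of the form key OP value joined by && or ||, and does not model ranges, parentheses or quoted values that themselves contain && or ||.

```python
import ipaddress
import re

# Hypothetical, simplified term shape: key OP value, with OP one of
# =, !=, <, >, <=, >=. Real NetWitness conditions can be richer.
_TERM_RE = re.compile(r'^\s*([A-Za-z][\w.]*)\s*(!=|<=|>=|=|<|>)\s*(.+?)\s*$')


def _is_ip(text: str) -> bool:
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _is_number(text: str) -> bool:
    """True for an integer or decimal literal such as 80 or -1.5."""
    return re.fullmatch(r'-?\d+(?:\.\d+)?', text) is not None


def normalize_value(raw: str) -> str:
    """Apply the documented quoting rule to one literal: numbers and IP
    addresses are never quoted; strings and time stamps are always quoted."""
    quoted = len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"'
    bare = raw[1:-1] if quoted else raw
    if _is_ip(bare) or _is_number(bare):
        return bare
    return f'"{bare}"'


def fix_condition(condition: str) -> str:
    """Rewrite every term of a condition joined by && or ||, keeping the
    operators in place. Raises ValueError for a term it cannot parse."""
    out = []
    for part in re.split(r'(\s*(?:&&|\|\|)\s*)', condition):
        if part == '' or part.strip() in ('&&', '||'):
            out.append(part)  # separator (or empty leading/trailing piece)
            continue
        match = _TERM_RE.match(part)
        if not match:
            raise ValueError(f'unparseable term: {part!r}')
        key, op, value = match.groups()
        out.append(f'{key}{op}{normalize_value(value)}')
    return ''.join(out)
```

Running a rule export through fix_condition before re-saving shows which rules the Rule Editor will still flag, and which only needed the quotes removed from an IP or number.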