App Rules Tab

The App Rules tab (Admin > Services > select a Decoder or Log Decoder and click the actions icon (netwitness_actiondd.png) > View > Config > App Rules tab) enables you to manage application rules. NetWitness applies application rules at the session level.

What do you want to do?

User Role | I want to... | Documentation
Administrator | add or edit application rules | Configure Application Rules

Quick Look

The following figure shows an App Rules tab and the table describes the columns.

[Figure: App Rules tab (netwitness_12.1_apprltb_1122_750x471.png)]

Column Description

Pending

This column indicates whether a rule has pending changes. Rules that are currently active on the Decoder have no indicator. If the rule is new or has been modified, the column contains the pending icon (netwitness_ic-pending2.png). Once the rules are applied, the pending indicator is removed.

Name

This is the rule name, a descriptive identifier for the rule.

Condition

This is the definition of the condition that triggers an action when matched.

Session Data

This column displays the Session Data action taken when a packet matches the rule. Possible values are Filter, Keep, or Truncate.

Alert

This column displays the name of the custom alert that the Decoder generates when metadata matches the rule.

Status

This column indicates, with a circle icon, whether the rule is enabled or disabled. A filled green circle means the rule is enabled; an empty circle means the rule is disabled.

Rule Editor Dialog

The following figure shows the Rule Editor dialog for an application rule.

[Figure: Rule Editor dialog, showing the Truncate options (netwitness_truncate_option.png)]

The Rule Editor dialog provides the fields and options needed to define an application rule.

Field – Description

Rule Name – The descriptive name that identifies the rule.

Condition – The definition of the condition that triggers an action when matched. You can type the condition directly in the field or build it in this field using meta from the Intellisense window. As you build the rule definition, Intellisense displays syntax errors and warnings.

All string literals and time stamps must be quoted. Do not quote number values and IP addresses. Configure Decoder Rules provides additional details.
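The quoting rule above is easy to get wrong when rules are written by hand or generated by a script, and a mis-quoted literal can silently stop a filter or alert rule from matching. The following checker is an added example, not NetWitness code: it assumes a simplified grammar (terms of the form key op value, optionally comma-separated values, joined by && or ||), an assumed time stamp layout of YYYY-MM-DD HH:MM:SS, and illustrative meta key names.

```python
from __future__ import annotations
import re

# Added example, not NetWitness code. It checks only the literal-quoting rule the
# page states: string literals and time stamps must be quoted; numbers and IP
# addresses must not. The grammar below is a deliberate simplification (assumption):
# terms of the form  key op value[,value...]  joined by && or ||.
TERM_RE = re.compile(r'^([A-Za-z][\w.]*)\s*(!=|<=|>=|=|<|>)\s*(.+)$')
SPLIT_RE = re.compile(r'\s*(?:&&|\|\|)\s*(?=(?:[^"]*"[^"]*")*[^"]*$)')  # split outside quotes
LIST_RE = re.compile(r'"[^"]*"|[^,\s][^,]*')                              # comma-separated values
NUMBER_RE = re.compile(r'^-?\d+(?:-\d+)?$')                               # 80 or a range 1024-65535
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$')           # 10.0.0.1 or 10.0.0.0/8
TIME_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$')            # assumed time stamp layout


def literal_problem(value: str) -> str | None:
    """Describe the quoting error in one literal, or return None if it is fine."""
    quoted = len(value) >= 2 and value[0] == '"' and value[-1] == '"'
    inner = value[1:-1] if quoted else value
    numeric = NUMBER_RE.match(inner) or IPV4_RE.match(inner)
    if quoted and numeric:
        return f'{value}: numbers and IP addresses must not be quoted'
    if not quoted and not numeric:
        kind = 'time stamp' if TIME_RE.match(inner) else 'string literal'
        return f'{value}: {kind} must be quoted'
    return None


def check_condition(condition: str) -> list[str]:
    """Return the quoting problems found in a rule condition (empty list if none)."""
    problems = []
    for term in SPLIT_RE.split(condition):
        m = TERM_RE.match(term.strip())
        if not m:
            problems.append(f'{term.strip()!r}: not of the form key op value')
            continue
        key, _op, values = m.groups()
        for value in LIST_RE.findall(values):
            problem = literal_problem(value.strip())
            if problem:
                problems.append(f'{key}: {problem}')
    return problems


if __name__ == '__main__':
    # Constructed sample conditions; meta key names are illustrative.
    for cond in ('service=80 && alias.host="example.com"',
                 'alias.host=example.com || ip.src="10.0.0.1"'):
        print(cond, '->', check_condition(cond) or 'ok')
```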

The following table describes the Session Data actions and options.

Action – Description

Stop Rule Processing – If checked, rule evaluation ends when the rule is matched, and the session is saved in accordance with the session action. If not checked, rule evaluation continues until all rules are evaluated.

Keep – The packet payload and associated metadata are saved when they match the rule.

Filter – The packet is not saved when it matches the rule.

Truncate – One of the following truncation options:

Truncate All – truncates all session payload bytes. The packet payload is not saved when it matches the rule, but packet headers and associated metadata are retained. This is the default truncation option.

Truncate After First <n> Bytes – truncates the session payload bytes after the specified first <n> bytes, where <n> is an integer. The packet payload is not saved after <n> bytes when it matches the rule, but packet headers and associated metadata are retained.

Truncate SSL/TLS After Handshake – truncates the payload for all sessions except in the case of an SSL/TLS session, where the SSL exchange is preserved, but the rest of the payload is not saved. This option is for use with SSL parsers.

Alert and Alert On – If Alert is checked, the packet generates a custom alert when metadata matches the rule. Select the name of the alert in the Alert On field.

Forward – Enables syslog forwarding when the log matches the rule.

Transient – Prevents the alert metadata that is created from being written to disk.

The following table describes Rule Editor dialog actions.

Action – Description

Reset – Resets the contents of the dialog to their values before editing; changes are discarded.

Cancel – Cancels any edits and closes the Rule Editor dialog.

OK – Saves the new rule or edited rule, and adds it to the rules grid. The Rule Editor dialog closes.

Save (Rules with deprecated syntax only) – Applies a corrected rule individually to the Decoder service. See Fix Rules with Invalid Syntax.