App Rules TabApp Rules Tab
The App Rules tab (Admin > Services > select a Decoder or Log Decoder and click > View > Config > App Rules tab) enables you to manage application rules. NetWitness applies application rules at the session level.
What do you want to do?
User Role | I want to... | Documentation |
---|---|---|
Administrator | add or edit application rules | Configure Application Rules |
Related Topics
Quick Look
The following figure shows an App Rules tab and the table describes the columns.
Column | Description |
---|---|
Pending |
This column indicates whether a rule has pending changes. Rules that are currently active on the Decoder have no indicator. If the rule is new or has been modified, the column contains . Once the rules are applied, the pending indicator is removed. |
Name |
This is the rule name, a descriptive identifier for the rule. |
Condition |
This is the definition of the condition that triggers an action when matched. |
Session Data |
This column displays the Session Data action taken when a packet matches the rule. Possible values are Filter, Keep, or Truncate. |
Alert |
This column displays the name of the custom alert that the Decoder generates when metadata matches the rule. |
Status |
This column indicates whether the rule is enabled or disabled with a circle icon. If the circle is filled green, the rule is enabled. If the circle is empty, the rule is disabled. |
Rule Editor Dialog
The following figure shows the Rule Editor dialog for an application rule.
The Rule Editor dialog provides the fields and options needed to define an application rule.
Field | Description |
---|---|
Rule Name | The descriptive name that identifies the rule. |
Condition | The definition of the condition that triggers an action when matched. You can type directly in the field or build the condition in this field using meta from the Intellisense window actions. As you build the rule definition, Intellisense displays syntax errors and warnings. All string literals and time stamps must be quoted. Do not quote number values and IP addresses. Configure Decoder Rules provides additional details. |
The following table describes the Session Data actions and options.
Action | Description |
---|---|
Stop Rule Processing | If checked, further rule evaluation ends if the rule is matched, and the session is saved in accordance with the session action. If not checked, rule evaluation continues until all rules are evaluated. |
Keep | The packet payload and associated metadata are saved when they match the rule. |
Filter | The packet is not saved when it matches the rule. |
Truncate |
Truncate After First <n> Bytes – truncates the session payload bytes after the specified first <n> bytes, where <n> is an integer. The packet payload is not saved after <n> bytes when it matches the rule, but packet headers and associated metadata are retained. Truncate SSL/TLS After Handshake – truncates the payload for all sessions except in the case of an SSL/TLS session, where the SSL exchange is preserved, but the rest of the payload is not saved. This option is for use with SSL parsers. |
Alert and Alert On | If Alert is checked, the packet generates a custom alert when metadata matches the rule. You can select the name of the alert in the Alert On field. |
Forward | Enables the performance of syslog forwarding when the log matches the rule. |
Transient | Prevents the alert metadata that is created from being written to the disk. |
The following table describes Rule Editor dialog actions.
Action | Description |
---|---|
Reset | Resets the contents of the dialog to their values before editing; changes are discarded. |
Cancel | Cancels any edits and closes the Rule Editor dialog. |
OK | Saves the new rule or edited rule, and adds it to the rules grid. The Rule Editor dialog closes. |
Save | (Rules with deprecated syntax only) Applies a corrected rule individually to the Decoder service. See Fix Rules with Invalid Syntax. |