Services Config View - Rules Tabs
The Rules tabs in the Services Config view ((Admin) > Services > select a service and click > View > Config) enable you to define and manage capture rules. Each type of rule has a list with slightly different columns and different parameters in the Rule Editor dialog. Application and correlation rules apply to both Decoders and Log Decoders. Network rules apply only to Network Decoders.
Workflow
The following figure depicts the workflow for common Decoder configuration tasks with the steps you can complete in this view highlighted.
What do you want to do?
User Role | I want to... | Documentation |
---|---|---|
Administrator | configure capture settings | Configure Capture Settings |
Administrator | manage parsers and log parsers | Enable and Disable Parsers and Log Parsers |
Administrator | start and stop data capture | |
Administrator | configure rules* | Configure Decoder Rules |
Administrator | import, export, or push a rule* | Configure Decoder Rules |
Administrator | enable or disable a rule* | Configure Decoder Rules |
Administrator | add, edit, or delete a rule* | Configure Decoder Rules |
*You can complete these tasks here.
Related Topics
- Configure Common Settings on a Decoder
- Decoder and Log Decoder Quick Setup
- App Rules Tab
- Correlation Rules Tab
- Network Rules Tab
Quick Look
This is an example of the App Rules tab.
1 | Rules Tab Toolbar - Provides options to work with rules in the list |
2 | Rules Actions Menu - Provides options to manage sets of rules |
3 | Rules List Context Actions - Displays the Rules List Context Menu |
Rules Tab Toolbar
The toolbar is the same for all Config view > Rules tabs.
Feature | Description |
---|---|
Actions | Displays the Actions menu. |
(icon) | Adds a new rule to a service. |
(icon) | Deletes a rule from a service. |
(icon) | Allows rule modification. |
(icon) | Disables a rule (without deleting the rule). |
(icon) | Enables (reactivates) a rule. |
Filter | The input field for a search string. NetWitness filters the rules dynamically as you type a search string. Clicking x clears the input field, restoring the unfiltered view. |
Apply | Saves the changes made to rules and applies the configured rules to a service. Until you apply changes, you can reload the rules as they were before the current modifications. |
Revert | Discards unsaved changes to the list and reverts to the unedited rules. |
Rules Actions Menu
The Actions menu has options that help to manage sets of rules.
Option | Description |
---|---|
Import | Imports a set of rules into the user interface so that it can be applied to a service. You can edit the rules before applying. |
Export | Saves selected rules or all rules to an .nwr file on the client machine. |
Push | Allows rules to be applied to other services (Decoders or Log Decoders) or Decoders belonging to a service group. When pushing, the rules can either be merged (update existing rules and append new ones) or replaced. |
History | Displays the last ten snapshots of rules applied through NetWitness. You can select and apply (restore) a snapshot to the Decoder at any time. |
Rules List Context Actions
Within a rules list, right-clicking a row displays the Rules list context menu.
Option | Description |
---|---|
Cut | Deletes the current rule. |
Copy | Copies the current rule. |
Paste Above | Pastes the copied rule above the current rule. |
Paste Below | Pastes the copied rule below the current rule. |
Edit | Edits the current rule. |
Insert Below | Inserts imported rules below the current rule. |
Insert Above | Inserts imported rules above the current rule. |
Export Selection | Exports the selected rules. |
Push Selected Rules | Pushes the selected rules to other services. |