Services Config View - Rules Tabs

The Rules tabs in the Services Config view (Admin > Services > select a service and click the actions drop-down icon > View > Config) enable you to define and manage capture rules. Each type of rule has a list with slightly different columns and different parameters in the Rule Editor dialog. Application and correlation rules apply to both Decoders and Log Decoders. Network rules apply only to Network Decoders.

Workflow

The following figure depicts the workflow for common Decoder configuration tasks with the steps you can complete in this view highlighted.

[Figure: workflow for common Decoder configuration tasks]

What do you want to do?

User Role | I want to... | Documentation
Administrator | configure capture settings | Configure Capture Settings
Administrator | manage parsers and log parsers | Enable and Disable Parsers and Log Parsers
Administrator | start and stop data capture | Start and Stop Data Capture
Administrator | configure rules* | Configure Decoder Rules
Administrator | import, export, or push a rule* | Configure Decoder Rules
Administrator | enable or disable a rule* | Configure Decoder Rules
Administrator | add, edit, or delete a rule* | Configure Decoder Rules

*You can complete these tasks here.

Quick Look

This is an example of the App Rules tab.

[Figure: App Rules tab]

1 Rules Tab Toolbar - Provides options to work with rules in the list.
2 Rules Actions Menu - Provides options to manage sets of rules.
3 Rules List Context Actions - Displays the Rules List Context Menu.

Rules Tab Toolbar

The toolbar is the same for all Config view > Rules tabs.

[Figure: Rules tab toolbar]

Feature | Description
Actions | Displays the Actions menu.
Add icon | Adds a new rule to a service.
Delete icon | Deletes a rule from a service.
Edit icon | Allows rule modification.
Disable icon | Disables a rule (without deleting the rule).
Enable icon | Enables (reactivates) a rule.
Filter | The input field for a search string. NetWitness filters the rules dynamically as you type a search string. Clicking x clears the input field, restoring the unfiltered view.
Apply | Saves the changes made to rules and applies the configured rules to a service. Until you apply changes, it is possible to reload the rules as they were before current modifications.
Revert | Discards unsaved changes to the list and reverts to the unedited rules.

Rules Actions Menu

The Actions menu has options that help to manage sets of rules.

[Figure: Rules Actions menu]

Option | Description
Import | Imports a set of rules into the user interface so that it can be applied to a service. You can edit the rules before applying.
Export | Saves selected rules or all rules to an .nwr file on the client machine.
Push | Allows rules to be applied to other services (Decoders or Log Decoders) or Decoders belonging to a service group. When pushing, the rules can either be merged (update existing rules and append new ones) or replaced.
  • Push > All. Pushes all rules to other services. All rules on the target services are removed and replaced with all of the rules on the source service.
  • Push > Selection. Pushes selected rules to other services. You have two options:
    • Replace. Deletes all rules on the target services and replaces them with the selected rules from the source service.
    • Merge. Merges the selected rules with the existing rules on the target services.
History | Displays the last ten snapshots of rules applied through NetWitness. You can select and apply (restore) a snapshot to the Decoder at any time.

Rules List Context Actions

Within a rules list, right-clicking a row displays the Rules list context menu.

Option | Description
Cut | Deletes the current rule.
Copy | Copies the current rule.
Paste Above | Pastes the copied rule above the current rule.
Paste Below | Pastes the copied rule below the current rule.
Edit | Edits the current rule.
Insert Below | Inserts imported rules below the current rule.
Insert Above | Inserts imported rules above the current rule.
Export Selection | Exports the selected rules.
Push Selected Rules | Pushes the selected rules to other services.