Services Config View - Rules TabsServices Config View - Rules Tabs

The Rules tabs in the Services Config view ( (Admin) > Services > select a service and click > View > Config) enable you to define and manage capture rules. Each type of rule has a list with slightly different columns and different parameters in the Rule Editor dialog. Application and correlation rules apply to both Decoders and Log Decoders. Network rules apply only to Network Decoders.

Workflow

The following figure depicts the workflow for common Decoder configuration tasks with the steps you can complete in this view highlighted.

What do you want to do?

User Role	I want to...	Documentation
Administrator	configure capture settings	Configure Capture Settings
Administrator	manage parsers and log parsers	Enable and Disable Parsers and Log Parsers
Administrator	start and stop data capture	Start and Stop Data Capture
Administrator	configure rules*	Configure Decoder Rules
Administrator	import, export, or push a rule*	Configure Decoder Rules
Administrator	enable or disable a rule*	Configure Decoder Rules
Administrator	add, edit, or delete a rule*	Configure Decoder Rules

*You can complete these tasks here.

Related Topics

• Configure Common Settings on a Decoder
• Decoder and Log Decoder Quick Setup
• App Rules Tab
• Correlation Rules Tab
• Network Rules Tab

Quick Look

This is an example of the App Rules tab.

1	Rules Tab Toolbar - Provides options to work with rules in the list
2	Rules Actions Menu - Provide options to manage sets of rules
3	Rules List Context Actions - Displays the Rules List Context Menu

Rules Tab Toolbar

The toolbar is the same for all Config view > Rules tabs.

Feature	Description
Actions	Displays the Actions menu.
	Adds a new rule to a service.
	Deletes a rule from a service.
	Allows rule modification.
	Disables a rule (without deleting the rule).
	Enables (reactivates) a rule.
Filter	The input field for a search string. NetWitness filters the rules dynamically as you type a search string. Clicking x clears the input field, restoring the unfiltered view.
Apply	Saves the changes made to rules and applies the configured rules to a service. Until you apply changes, it is possible to reload the rules as they were before current modifications.
Revert	Discards unsaved changes to the list and reverts to the unedited rules.

Rules Actions Menu

The Actions menu has options that help to manage sets of rules.

Option	Description
Import	Imports a set of rules into the user interface so that it can be applied to a service. You can edit the rules before applying.
Export	Saves selected rules or all rules to an .nwr file on the client machine.
Push	Allows rules to be applied to other services (Decoders or Log Decoders) or Decoders belonging to a service group. When pushing, the rules can either be merged (update existing rules and append new ones) or replaced. Push > All. Pushes all rules to other services. All rules on the target services are removed and replaced with all of the rules on the source service. Push > Selection. Pushes selected rules to other services. You have two options: Replace. Deletes all rules on the target services and replaces them with the selected rules from the source service. Merge. Merges the selected rules with the existing rules on the target services
History	Displays the last ten snapshots of rules applied through NetWitness. You can select and apply (restore) a snapshot to the Decoder at anytime.

Rules List Context Actions

Within a rules list, right-clicking a row displays the Rules list context menu.

Option	Description
Cut	Deletes the current rule.
Copy	Copies the current rule.
Paste Above	Pastes the copied rule above the current rule.
Paste Below	Pastes the copied rule below the current rule.
Edit	Edits the current rule.
Insert Below	Inserts imported rules below the current rule.
Insert Above	Inserts imported rules above the current rule.
Export Selection	Exports the selected rules.
Push Selected Rules	Pushes the selected rules to other services.