6.2.1.24.5. local-rules

6.2.1.24.5.1. Introduction

The local-rules command of the show advanced-configuration subgroup displays:

  • under the heading Rules: the local Sigflow rules, i.e.:

    • detection rules and

    • file rebuilding rules

  • under the heading Thresholds:

    • thresholds or limits defined by the keyword "threshold"

    • suppression rules defined by the keyword "suppress"

It is only possible to display the rules of the configured tenant.

If the probe is configured in single-tenant mode then only the local_all.rules file can be displayed.

For more information, please refer to the paragraph Capture and monitoring interfaces: single-tenant vs multi-tenant.


6.2.1.24.5.2. Prerequisites

  • User: setup

  • Dependencies: the detection engine must be switched off


6.2.1.24.5.3. Command

show advanced-configuration local-rules {TENANT|list}

The TENANT parameter can take the following values:

  • single-tenant: all

  • multi-tenant by interface: {mon0|mon1|mon2|mon3|monvirt}

  • multi-tenant by vlan:

    • default

    • VLAN X

    • VLAN X Y


6.2.1.24.5.4. Example to list searchable rule files

  • Enter the following command.

(gcap-cli) show advanced-configuration local-rules list

  • Validate.

The system displays the result.

Available rule files:
    - mon0
    - monvirt

6.2.1.24.5.5. Example of displaying the rules in single-tenant mode

  • Enter the following command.

(gcap-cli) show advanced-configuration local-rules all

  • Validate.

The system displays the result.

Rules:
alert dns any any -> any any (msg:"[ TEST AUTO ] ALERT DNS UDP";sid:12345600;priority:2;)

Thresholds

The result is displayed in two categories:

  • Rules: in this category, the locally defined rules are listed

  • Thresholds: in this category, the locally defined thresholds, limits and suppressions are listed
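
The two-section layout of this output makes it easy to check the local rules before the detection engine is switched back on. The following Python script is an added example, not part of the GCap documentation or product: it splits a constructed copy of the output into its Rules and Thresholds sections, extracts each rule's sid, and flags duplicate sids and threshold or suppress entries whose sig_id matches no local rule. The Thresholds lines in the sample are assumed to use Suricata threshold.config syntax, since this page only shows an empty Thresholds section.

```python
import re

# Constructed sample output (not from a real probe); the Thresholds lines assume Suricata threshold.config syntax.
SAMPLE_OUTPUT = """\
Displaying rules for mon0
Rules:
alert dns any any -> any any (msg:"[ TEST AUTO ] ALERT DNS UDP";sid:12345600;priority:2;)
alert http any any -> any any (msg:"[ TEST AUTO ] ALERT HTTP";sid:12345600;priority:1;)

Thresholds
threshold gen_id 1, sig_id 12345600, type limit, track by_src, count 1, seconds 60
suppress gen_id 1, sig_id 12345699, track by_src, ip 10.0.0.5
"""

def split_sections(text):
    """Return (rules, thresholds): the non-empty lines under each heading."""
    rules, thresholds, current = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Rules:":
            current = rules
        elif stripped.startswith("Thresholds"):
            current = thresholds
        elif current is not None and stripped:
            current.append(stripped)
    return rules, thresholds

def rule_sid(line):
    """Return the sid of one Sigflow/Suricata rule line, or None if it has none."""
    m = re.match(r"^\w+\s+\S+\s+.*?\((.*)\)\s*$", line)  # header ... (options)
    sid = re.search(r"\bsid:\s*(\d+)", m.group(1)) if m else None
    return int(sid.group(1)) if sid else None

def audit(text):
    """Flag sid-less rules, duplicate sids, and threshold/suppress entries whose sig_id matches no local rule."""
    rules, thresholds = split_sections(text)
    findings, seen = [], set()
    for line in rules:
        sid = rule_sid(line)
        if sid is None:
            findings.append(f"rule without sid: {line}")
        elif sid in seen:
            findings.append(f"duplicate sid {sid}")
        else:
            seen.add(sid)
    for line in thresholds:
        kind, sig = line.split(" ", 1)[0], re.search(r"\bsig_id\s+(\d+)", line)
        if sig is None or int(sig.group(1)) not in seen:
            findings.append(f"{kind} references unknown sid {sig.group(1) if sig else '?'}")
    return findings
```

Running audit() on the sample reports the duplicated sid and the suppress entry that points at a sid no local rule defines; an empty list means the displayed rules are consistent.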


6.2.1.24.5.6. Example of displaying the rules in multi-tenant mode for the mon0 interface

  • Enter the following command.

(gcap-cli) show advanced-configuration local-rules mon0

  • Validate.

The system displays the result.

Displaying rules for mon0

Rules:
alert dns any any -> any any (msg:"[ TEST AUTO ] ALERT DNS UDP";sid:12345600;priority:2;)

Thresholds

6.2.1.24.5.7. Example of displaying the rules in multi-tenant mode for VLAN 10

  • Enter the following command.

(gcap-cli) show advanced-configuration local-rules VLAN 10

  • Validate.

The system displays the result.

Displaying rules for vlan 10

Rules:
alert dns any any -> any any (msg:"[ TEST AUTO ] ALERT DNS UDP";sid:12345600;priority:2;)

Thresholds