6.2.2.16.5. local-rules
6.2.2.16.5.1. Introduction
The local-rules command of the set advanced-configuration subgroup enables modifying the local rules of the GCap probe.
These rules can be global or per interface.
These modifications are made locally in the GCap and are therefore not visible at the GCenter level.
6.2.2.16.5.1.1. Details of the Rules
The locally modified rules include:
- In the "Rules:" file, the local Sigflow rules, i.e.:
  - detection rules
  - file rebuilding rules
- In the "threshold:" file:
  - thresholds or limits defined by the keyword "threshold"
  - deletion rules defined by the keyword "suppress"
6.2.2.16.5.1.2. Use cases
There are several use cases:
- Making signatures confidential without the GCenter operators being able to see them (need-to-know concept).
- Modifying the local signatures of probes in complex cases.
- If the GCenter is entrusted to a third party and the latter cannot handle markers or signatures of a certain level.
Note
In multi-tenant mode, it is possible to modify the rules for only one capture interface (configured tenant): there is one file per interface.
In single tenant mode, changes apply to all interfaces at once: there is a single file for all interfaces.
6.2.2.16.5.2. Prerequisites
User: setup
Dependencies: the detection engine must be switched off
6.2.2.16.5.3. Command
set advanced-configuration local-rules TENANT
The TENANT parameter can take the following values:
- Single-tenant: all
- Multi-tenant by interface: {mon0|mon1|mon2|mon3|monvirt}
- Multi-tenant by VLAN: default, VLAN X, or VLAN X Y
6.2.2.16.5.4. General process
When the set advanced-configuration local-rules ... command is executed, two rule files are opened successively in the Nano text editor.
The file modification process is as follows:
1. Nano automatically opens the first file. It enables modifying the rules of the "Rules:" category, i.e. detection rules and rebuilding rules.
2. Modify the contents of this file.
Note
Once in the editor, the detection rules can be copied and pasted.
There is no limitation on the number of signatures for the interfaces. However, they must not have the same SID as the other rules already present.
3. Close (CTRL + X) after saving.
4. Nano automatically opens the second file. It enables modifying the rules of the "threshold:" category, i.e. thresholds or limits defined by the keyword "threshold" and deletion rules defined by the keyword "suppress".
Note
Other types of rules can be added to limit or remove certain alerts:
- suppress rules, which suppress an alert based on the source or destination IP address;
- threshold rules, which limit the number of alerts displayed based on one or more networks.
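As an added example (not part of the GCap documentation or product), the following Python script checks a local "Rules:" file and "threshold:" file before they are saved in nano: it enforces the SID constraint stated above (no SID reused within the local file or clashing with rules already present) and flags threshold/suppress entries whose sig_id matches no known rule, which would silently do nothing. It assumes the files use Suricata-style rule and threshold.config syntax, which the "threshold" and "suppress" keywords named above match; the sample rule lines, SID values and the EXISTING_SIDS set are constructed for this example and are hypothetical.

```python
import re
from collections import Counter

# Constructed sample contents of the two files the local-rules command opens
# in nano. These lines are written for this example only (not GCap rules);
# the sid values are arbitrary.
LOCAL_RULES = """\
# Rules: file (constructed sample)
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL outbound to uncommon port"; sid:9000001; rev:1;)
alert http any any -> $HOME_NET any (msg:"LOCAL suspicious user-agent"; http.user_agent; content:"badbot"; sid:9000002; rev:2;)
alert tcp any any -> any any (msg:"LOCAL reuses a sid already deployed"; sid:2000001; rev:1;)
alert udp any any -> any 53 (msg:"LOCAL reuses a sid from this same file"; sid:9000001; rev:1;)
"""

LOCAL_THRESHOLD = """\
# threshold: file (constructed sample)
threshold gen_id 1, sig_id 9000001, type limit, track by_src, count 1, seconds 60
suppress gen_id 1, sig_id 9000002, track by_src, ip 10.10.0.0/16
suppress gen_id 1, sig_id 9999999, track by_dst, ip 192.0.2.7
"""

# SIDs assumed (hypothetically) to be already present in the probe's other rule sets.
EXISTING_SIDS = {2000001, 2000002}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
THRESHOLD_RE = re.compile(r"^(threshold|suppress)\s+(.+)$")


def parse_rule_sids(rules_text):
    """Return (line_number, sid) for each rule line; sid is None if absent.

    Blank lines and '#' comments are skipped. Single-line rules are assumed.
    """
    found = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SID_RE.search(stripped)
        found.append((lineno, int(m.group(1)) if m else None))
    return found


def find_sid_conflicts(rules_text, existing_sids):
    """Apply the documented constraint: a local SID must not collide with a SID
    already present on the probe, nor be reused within the local file."""
    entries = parse_rule_sids(rules_text)
    sids = [sid for _, sid in entries if sid is not None]
    counts = Counter(sids)
    return {
        "missing_sid": [lineno for lineno, sid in entries if sid is None],
        "duplicate_in_file": sorted(s for s, n in counts.items() if n > 1),
        "clash_with_existing": sorted(set(sids) & set(existing_sids)),
    }


def parse_threshold_file(threshold_text):
    """Parse 'threshold ...' and 'suppress ...' lines into dicts.

    Each line is '<kind> key value, key value, ...', e.g.
    'suppress gen_id 1, sig_id 42, track by_src, ip 10.0.0.0/8'.
    """
    entries = []
    for lineno, line in enumerate(threshold_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = THRESHOLD_RE.match(stripped)
        if not m:
            raise ValueError(f"line {lineno}: not a threshold/suppress entry: {stripped!r}")
        entry = {"kind": m.group(1), "line": lineno}
        for pair in m.group(2).split(","):
            key, _, value = pair.strip().partition(" ")
            entry[key] = value.strip()
        entry["sig_id"] = int(entry["sig_id"])  # raises if the mandatory sig_id is missing
        entries.append(entry)
    return entries


def dangling_threshold_refs(threshold_text, known_sids):
    """sig_ids used by threshold/suppress lines that match no known rule: valid
    syntax, but the entry has no effect, which is easy to miss in a local edit."""
    return sorted({e["sig_id"] for e in parse_threshold_file(threshold_text)
                   if e["sig_id"] not in known_sids})


def check_local_rule_files(rules_text, threshold_text, existing_sids):
    """Run both checks and report whether the pair of files is safe to save."""
    rules_report = find_sid_conflicts(rules_text, existing_sids)
    local_sids = {sid for _, sid in parse_rule_sids(rules_text) if sid is not None}
    dangling = dangling_threshold_refs(threshold_text, local_sids | set(existing_sids))
    ok = not any(rules_report.values()) and not dangling
    return {"ok": ok, "rules": rules_report, "dangling_threshold_refs": dangling}


if __name__ == "__main__":
    # Expected: ok False, duplicate 9000001, clash 2000001, dangling 9999999.
    print(check_local_rule_files(LOCAL_RULES, LOCAL_THRESHOLD, EXISTING_SIDS))
```

To use it on a probe, paste the contents of the first nano file into LOCAL_RULES and the second into LOCAL_THRESHOLD (or read them from files) and replace EXISTING_SIDS with the SIDs of the rule sets already deployed; a report with "ok": False means the edit should be corrected before closing nano with CTRL + X.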
6.2.2.16.5.5. Example of modifying the rules in single tenant mode
Important
Changes made in single tenant mode will be applied to all capture interfaces.
Enter the following command.
(gcap-cli) set advanced-configuration local-rules all
Validate.
The text editor opens with the file enabling the modification of the rules of the "Rules:" category.
See the General Process paragraph above.
6.2.2.16.5.6. Example of modifying the rules in multi-tenant mode for the mon0 interface
Important
Changes made in multi-tenant mode for the mon0 interface will only be applied to that interface.
It is therefore possible to set detection rules and thresholds per capture interface.
Enter the following command.
(gcap-cli) set advanced-configuration local-rules mon0
Validate.
The text editor opens with the file enabling the modification of the rules of the "Rules:" category.
See the General Process paragraph above.
6.2.2.16.5.7. Example of modifying the multi-tenant rules for vlan 10
Important
Changes made in multi-tenant mode for vlan 10 will only be applied to that vlan.
Enter the following command.
(gcap-cli) set advanced-configuration local-rules VLAN 10
Validate.
The text editor opens with the file enabling the modification of the rules of the "Rules:" category.
See the General Process paragraph above.
6.2.2.16.5.8. Example of modifying the multi-tenant rules for the default vlan
Enter the following command.
(gcap-cli) set advanced-configuration local-rules default
Validate.
The text editor opens with the file enabling the modification of the rules of the "Rules:" category.
See the General Process paragraph above.