6.2.1.24.5. local-rules

6.2.1.24.5.1. Introduction

The local-rules command of the show advanced-configuration subgroup enables displaying:

Under the heading Rules: the local Sigflow rules, i.e.:
- Detection rules and
- File rebuilding rules
Under the heading threshold:
- Thresholds or limits defined by the keyword "threshold"
- Deletion rules defined by the keyword "suppress"

It is only possible to display the rules of the configured tenant.
If the probe is configured in single-tenant mode then only the local_all.rules file can be displayed.
For more information, please refer to the paragraph Capture and monitoring interfaces: single-tenant vs multi-tenant.

6.2.1.24.5.2. Prerequisites

User: setup
Dependencies: the detection engine must be switched off

6.2.1.24.5.3. Command

show advanced-configuration local-rules {TENANT|list}

The TENANT parameter can take the following values:

Single-tenant: all
Multi-tenant by int: {mon0|mon1|mon2|mon3|monvirt}
Multi-tenant by vlan:
- default
- VLAN X
- VLAN X Y

6.2.1.24.5.4. Example to list searchable rule files

Enter the following command.

(gcap-cli) show advanced-configuration local-rules list

Validate.
The system displays the result.

 Available rule files:
   - mon0
  - monvirt

6.2.1.24.5.5. Example to list the searchable rule files display the rules in single tenant mode

Enter the following command.

(gcap-cli) show advanced-configuration local-rules all

Validate.
The system displays the result.
```
Rules:
alert dns any any -> any any (msg:"[ TEST AUTO ] ALERT DNS UDP";sid:12345600;priority:2;)

Thresholds
```
The result is displayed in two categories:
- Rules: in this category, the locally defined rules are listed
- Thresholds: in this category, the locally defined thresholds and limits are listed

6.2.1.24.5.6. Example of displaying the rules in multi-tenant mode for the `mon0` interface

Enter the following command.

(gcap-cli) show advanced-configuration local-rules mon0

Validate.
The system displays the result.

Displaying rules for mon0

Rules:
 alert dns any any -> any any (msg:"[ TEST AUTO ] ALERT DNS UDP";sid:12345600;priority:2;)

Thresholds

6.2.1.24.5.7. Example of displaying the multi-tenant rules for vlan 10

Enter the following command.

(gcap-cli) show advanced-configuration local-rules VLAN 10

Validate.

The system displays the result.

Displaying rules for vlan 10

Rules:
alert dns any any -> any any (msg:"[ TEST AUTO ] ALERT DNS UDP";sid:12345600;priority:2;)

Thresholds

6.2.1.24.5. local-rules

6.2.1.24.5.1. Introduction

6.2.1.24.5.2. Prerequisites

6.2.1.24.5.3. Command

6.2.1.24.5.4. Example to list searchable rule files

6.2.1.24.5.5. Example to list the searchable rule files display the rules in single tenant mode

6.2.1.24.5.6. Example of displaying the rules in multi-tenant mode for the mon0 interface

6.2.1.24.5.7. Example of displaying the multi-tenant rules for vlan 10

6.2.1.24.5.6. Example of displaying the rules in multi-tenant mode for the `mon0` interface