6.2.1.6. config-files

6.2.1.6.1. Introduction

The config-files command of the show subgroup enables displaying:

The detailed configuration of the Sigflow detection engine using the config-files suricata-config command
The rules transmitted by GCenter to the Sigflow engine:
- rules-scirius: the scirius detection rules
- rules-files: the file rebuilding rules
- threshold.
  
  In this category, the following are defined:
  - alert threshold rules (detection rules)
    
    For example:
    No more alerts are sent beyond a certain value (notion of limit)
    Or conversely, validate alerts above a certain value (notion of threshold)
  - Limiting detection rules, for example not applying a rule to a specific IP address

It is only possible to display the rules of the configured tenant.

Users: setup, gviewadm, gview
Dependencies:
- Pair the GCap and GCenter
- Send rulesets from GCenter to the GCap

show config-files {suricata-config|rules-scirius|rules-files|threshold} [TENANT]

The show config-files command must be followed by:

The name of the configuration file:
- suricata-config for the Sigflow configuration
- rules-scirius for scirius rules for detection used by Sigflow
- rules-files for file reconstruction rules used by Sigflow
- threshold for threshold rules, limits, and deletion rules
The TENANT parameter which can take the following values:
- Multi-tenant by int: {mon0|mon1|mon2|mon3|monvirt}
- Multi-tenant by vlan:
  - default
  - VLAN X
  - VLAN X Y

Enter the following command.

(gcap-cli) show config-files rules-scirius

Enter the following command.

(gcap-cli) show config-files rules-scirius mon0

Enter the following command.

(gcap-cli) show config-files rules-scirius VLAN 10

Validate.
The system displays the result.

  suppress gen_id 1, sig_id 2435, track by_src, ip 10.10.10.10
  threshold gen_id 1, sig_id 2435, type limit, track by_src, count 1, seconds 60)

The file displays: