5.6.17. `Config - sigflow/rulesets` screen of the legacy web UI

This screen is only accessible to members of the operator group.

Note

For administrator group members, the following message is displayed: `Error 403: Insufficient permissions`

After pressing the `Rulesets` command from the sub-menu `Config/Sigflow`, the following screen is displayed.
This screen enables:
  • Creating files called rulesets.

  • Managing the categories and rules of ruleset files: once a file is generated, its content (categories and rules) can also be modified.

  • Providing these files to the Sigflow detection engine of the GCap.

  • Exporting these files to the local download directory with the `rules` extension.

Note

A ruleset file is composed of one or more source files downloaded from different sources.
Each source file is composed of different categories.
Each category consists of rules (or signatures).

../../_images/RULESSET-01.PNG

The `Rulesets` screen contains the following sections:

Item | Name | Position
1 | `Defined rulesets` | Indicates the list of defined signature sets
2 | `List of rulesets` | Indicates that the current screen shows the list of existing rules
3 | `Action` | Area of possible actions. The possible actions listed below depend on the context:
4 | `Add` | Button to create a ruleset
5 | `1 RULESET` | Field indicating the number of rulesets available
6 | Description of a ruleset | Includes the following types of information: the name of the ruleset; the date and time of the last update; the number of sources and signatures
7 | Search field | Enables a search
8 | `View` button | Displays the `Rulesets: view` screen (see below)
9 | Context menu | Displays the management sub-menu for this source, giving access to the Edit source and Delete source commands

After pressing the `View` command button, the `Rulesets: view` screen contains the following sections:

../../_images/RULESSET-02.PNG

Item | Name | Position
1 | File name field | Indicates the name of the file containing the selected ruleset. This includes the following fields:
2 | `Created` | The date and time the ruleset was created
21 | `Updated` | The date and time of the last update
20 | `All rules operational:` | Status of operational rules (true or false)
19 | `Rules count:` | Rules counter
3 | `Action` | Area of possible actions. The possible actions listed below depend on the context.
4 | `Changelog` | Button for displaying the file history
5 | `Update` | Button to update the file
18 | `Edit` | Button to edit the file
17 | `Copy` | Button to copy the file
16 | `Delete` | Button to delete the file
6 | `Display` | Area of possible actions. The possible actions listed below depend on the context.
12 | `Show structure` | Button to display the file by source and then by category
13 | `Show rules` | Button to display the file by rules, listed by SID
14 | `Export rules files` | Button to export the file
15 | `Generate rules file` | Button to generate the rules file from the current file
7, 8, 10 | `Source` | List of categories for each source. This includes three types of information: the name of the category (example: 9); the description of the category; the creation date of the category
4 | Search field | Enables a search

Note

Each of these categories can be edited.
Clicking on a category will display the list of rules.
Each of these rules can be edited.
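Before a generated rules file is sent to the GCap, an operator may want to check it for the figures these screens surface. The following Python is an added example, not part of this documentation or of the product: it walks the ruleset / source / category / rule hierarchy over a constructed export, computes the `Rules count` and `All rules operational` values, and flags duplicate SIDs. It assumes the rules are in Suricata rule syntax and that a `#`-prefixed rule is a disabled one (both assumptions; the page does not state the file format).

```python
"""Sanity-check a Sigflow ruleset export before pushing it to a GCap.

Added example, not GCenter code. Assumes Suricata rule syntax and that a
rule line starting with '#' is disabled. SAMPLE_EXPORT is constructed.
"""
import re
from collections import defaultdict

# Constructed sample export: {source: {category: rules text}}
SAMPLE_EXPORT = {
    "example-source": {
        "example-category": """
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH scan"; flow:to_server; sid:9000001; rev:2;)
# alert http any any -> any any (msg:"EXAMPLE disabled rule"; sid:9000002; rev:1;)
alert dns any any -> any 53 (msg:"EXAMPLE suspicious query"; dns.query; content:"example"; sid:9000003; rev:1;)
""",
        "other-category": """
# plain comment, not a rule
alert tcp any any -> any 445 (msg:"EXAMPLE SMB"; sid:9000001; rev:1;)
""",
    }
}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_rules(text):
    """Yield (sid, enabled, rule) per rule line; '#'-prefixed rules count as disabled."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("# ").strip()
        match = SID_RE.search(body)
        if match is None:  # a comment that carries no rule
            continue
        yield int(match.group(1)), enabled, body


def summarize(export):
    """Return the UI figures plus duplicate SIDs (same sid in two categories)."""
    seen = defaultdict(list)
    total = enabled = 0
    for source, categories in export.items():
        for category, text in categories.items():
            for sid, is_enabled, _ in parse_rules(text):
                total += 1
                enabled += is_enabled
                seen[sid].append(f"{source}/{category}")
    duplicates = {sid: where for sid, where in seen.items() if len(where) > 1}
    return {"rules_count": total,
            "all_rules_operational": enabled == total,
            "duplicate_sids": duplicates}
```

`summarize(SAMPLE_EXPORT)` reports four rules, `all_rules_operational` false because of the disabled rule, and SID 9000001 present in two categories.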

See the procedure Creating a SIGFLOW engine ruleset for:

  • Creating a Ruleset file

  • Managing its content, modifying categories and rules

  • Sending a Ruleset file to the Sigflow detection engine in the GCap

  • Exporting a file to the local download directory of the user PC with the rules extension

See the procedure Modifying SIGFLOW engine rules for:

  • The implementation of a transformation rule (Transform rule)

  • Deactivation of the rule of a transformation rule

  • Activation of the rule of a transformation rule

  • Threshold rule

  • The deletion rule (Suppress rule)

See the procedure Generating a SIGFLOW engine ruleset.