7.3.1. SIGFLOW engine rule sources
7.3.1.1. Introduction
A source is broken down as follows:
Detection rules are found in categories
Categories are found in sources
Sources are in rulesets
Note
Categories are not mandatory. They enable improved organisation of the source.
This procedure describes:
Managing the existing sources
Managing the categories and rules made available in the sources
Adding public or customized sources
Note
Sources should be added to a Ruleset that will then be made available to the GCap.
For | go to
---|---
Visualise existing sources | Procedure to view the existing sources (7.3.1.4)
Add a public source | Procedure to add a public source (7.3.1.5)
Add a custom source | Procedure to add a custom source (7.3.1.6)
Delete a source | Procedure to delete a source (7.3.1.7)
Edit a source | Procedure to edit a source (7.3.1.8)
Update a source | Procedure to update a source (7.3.1.9)
This configuration interface is described in Web UI `Assets` screen.
7.3.1.2. Prerequisites
User: member of the Operator group
7.3.1.3. Preliminary operations
Login to GCenter via a browser (see Connection to the GCenter web interface via a web browser)
7.3.1.4. Procedure to view the existing sources
From the navigation bar, click successively on:
the `Config` button
the `Sources` button of the `Sigflow` menu.
The `Sources` window is displayed. From the source management interface, the available sources are listed (7). The following information is displayed for each source:
The name of the source (CTI, ETPRO, LastInfoSec...)
The date and time of the last update
The number of categories and signatures
Note
It is possible to add a MISP source. For this, contact the administrator.
- To view the contents of the desired source, click on the `View` button (9). The detail window is displayed. The source detail screen is described in the `Config - sigflow/sources` screen of the legacy web UI.
7.3.1.5. Procedure to add a public source
Preliminary step:
The GCenter must be connected to the Internet. This is set in the GCenter configuration (PROXY parameter); in case of doubt, refer to the administrator.
From the navigation bar, click successively on the `Config` button, then the `Sources` button of the `Sigflow` menu.
- Click on the `Add public source` link (4). The "Sources" window is displayed, listing the public sources (2) retrieved over the Internet. If the Internet connection is not active, an error message is displayed instead.
- Activate the desired public source (for example mark 3) by clicking on its `Enable` button (4). The `source and/open` window is displayed. Change the source name (1) if needed.
Note
The name is also used as the file name, so only alphanumeric characters, underscores, slashes and dots can be used. Spaces and commas in particular are rejected.
Add the source to the default ruleset (2) if needed.
Add a comment (3) if needed.
Enter the source editor's token if the source requires one.
- Validate the entry by clicking on the `Submit` button (4), or cancel with the `Cancel` button (5). The messages `Source fully activated`, `Source updated` and `Source is valid` are displayed in turn. A link gives access to the details of this new source, which is now listed on the Sources screen.
7.3.1.6. Procedure to add a custom source
From the navigation bar, click successively on the `Config` button, then the `Sources` button of the `Sigflow` menu.
- Method 1: HTTP URL. From the source management interface:
Click on the `Add custom source` link (5)
Enter a name for the added source
Choose the `HTTP URL` method
Choose the file format of the added rules: TAR archive (signature files in a tar archive) or plain text file (an individual signature file)
Enter the URL of the target file on the remote HTTP server
Tick the ruleset(s) in which to add the source; multiple ticks are possible
If necessary, add a comment (optional)
Click on the `Submit` button.
- Method 2: Upload. From the source management interface:
Click on the `Add custom source` link
Enter a name for the added source
Choose the `Upload` method
Choose the file format of the added rules: TAR archive (signature files in a tar archive) or plain text file (an individual signature file)
Tick the ruleset(s) in which to add the source; multiple ticks are possible
Choose the rules file to be added
If necessary, add a comment (optional)
Click on the `Submit` button.
Checks are made on submission. For example, the message
`Error during source update: Invalid URL 'toto.com': No scheme supplied. Perhaps you meant http://toto.com?`
indicates that the URL was entered without its scheme (http:// or https://), and the message
`Invalid filename`
indicates that the source name is not a valid file name (see the note on allowed characters in the previous procedure).
Note
The rule files in the TAR archive allow categories to be created within the source: each sub-folder of the archive becomes a category of the source.
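The following script is an added example, not Gatewatcher tooling: it prepares a custom-source TAR archive offline before it is uploaded (Method 2) or published on an HTTP server (Method 1), and applies the checks the page describes before GCenter sees the file. The source-name check mirrors the allowed-character rule above; the archive layout uses one sub-folder per category, as the note states. The rule syntax is assumed to be Suricata (the page does not show it), the two rules and their sids are constructed samples, and the category names are illustrative.

```shell
#!/bin/sh
# Added example (not Gatewatcher's own tooling): build and sanity-check a
# custom-source TAR archive for Sigflow. Sub-folders become categories.
# Rule syntax assumed to be Suricata; rules below are constructed samples.

# Source name check, mirroring the page's rule: alphanumerics, underscore,
# slash and dot only. Spaces, commas and anything else are rejected.
valid_source_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_/.]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Build the archive at "$1": one sub-folder per category, each holding
# .rules files. The sids are in a private range (9,000,000+) so they do not
# collide with public feeds such as ETPRO. Category names are illustrative.
build_source_archive() {
  out="$1"
  tmp=$(mktemp -d)
  mkdir -p "$tmp/web-attacks" "$tmp/malware-c2"
  cat > "$tmp/web-attacks/local-web.rules" <<'EOF'
alert http any any -> $HOME_NET any (msg:"LOCAL Path traversal attempt"; flow:established,to_server; http.uri; content:"../"; classtype:web-application-attack; sid:9000001; rev:1;)
EOF
  cat > "$tmp/malware-c2/local-c2.rules" <<'EOF'
alert dns any any -> any any (msg:"LOCAL Lookup of constructed C2 domain"; dns.query; content:"example-bad.test"; nocase; classtype:trojan-activity; sid:9000002; rev:1;)
EOF
  tar -C "$tmp" -czf "$out" .
  rm -rf "$tmp"
}

# List the categories the archive will create: its top-level folders.
list_categories() {
  tar -tzf "$1" | sed -n 's|^\./\([^/][^/]*\)/.*|\1|p' | sort -u
}

# Report any sid used more than once across all rule files in the archive.
# Duplicate sids collide when the engine loads the ruleset, so catch them
# before the upload rather than after the source update fails.
duplicate_sids() {
  tar -xzOf "$1" | grep -o 'sid:[0-9]*' | sort | uniq -d
}
```

Run `build_source_archive custom.tar.gz`, then `list_categories custom.tar.gz` to confirm the categories that will appear under the source and `duplicate_sids custom.tar.gz` to make sure it prints nothing. If the archive is served for Method 1, prefer an `https://` URL: the rules it carries decide what the GCap alerts on, so the download path deserves the same care as any other configuration input.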
7.3.1.7. Procedure to delete a source
From the navigation bar, click successively on:
the `Config` button
the `Sources` button of the `Sigflow` menu.
The `Sources` window is displayed.
Click on the three vertical dots of the source to be deleted (1).
Click on the `Delete source` command. The message `Are you sure you want to delete object ***?` is displayed.
If necessary, add a comment (optional).
Click on the `Delete object` button.
Or
Click on the `View` button of the desired source.
Click on the `Delete` link in the list of actions on the left. The message `Are you sure you want to delete object ***?` is displayed.
If necessary, add a comment (optional).
Click on the `Delete object` button.
7.3.1.8. Procedure to edit a source
From the navigation bar, click successively on the `Config` button, then the `Sources` button of the `Sigflow` menu.
- Click on the `View` button (9) of the desired source. The source detail window is displayed.
- Click on `Edit` (6). Change the desired parameters: method, file type, public source and rules file.
Add a comment if necessary (optional).
Click on the `Submit` button.
7.3.1.9. Procedure to update a source
From the navigation bar, click successively on the `Config` button, then the `Sources` button of the `Sigflow` menu.
- Click on the `View` button (9) of the desired source. The source detail window is displayed.
- Click on `Update` (7). The update screen is displayed. The window shows:
The summary (1)
The history (2)
Click on a changelog entry to view its content.