7.3.2. Creating a SIGFLOW engine ruleset

7.3.2.1. Introduction

The security policy in detection terms is held in what is called a ruleset.
The ruleset contains the rule sources enabling detection.
The detection rules in the ruleset will enable the GCap to raise security alerts on the traffic being scanned.
Multiple rulesets can be used to apply multiple security policies to the various capture points.

Note

Managing a ruleset is only available to users assigned the role of operator.

This procedure describes:
  • Creating a ruleset

  • Managing a ruleset

For                       go to
Creating a ruleset        Procedure to create a ruleset
Displaying a ruleset      Procedure to display an existing ruleset
Copying a ruleset         Procedure to copy a ruleset
Deleting a ruleset        Procedure to delete a ruleset
Editing a ruleset         Procedure to edit a ruleset
Exporting a ruleset       Procedure to export a ruleset
Updating a ruleset        Procedure to update a ruleset

The configuration interface is described in the `Config - sigflow/rulesets` screen of the legacy web UI.


7.3.2.2. Prerequisites

User: member of the Operator group


7.3.2.3. Preliminary operations


7.3.2.4. Procedure to create a ruleset

  • From the navigation bar, click successively on:

  • The `Config` button

  • The `Rulesets` button of the `Sigflow` menu.
    The `Rulesets` window is displayed.
    [Figure: the `Rulesets` window (RULESSET-01.PNG)]

From the ruleset management interface:

  • Click on the `Add` link

  • Enter a name for the created ruleset

  • Tick the sources to be added to the ruleset

  • Leave the `Activate all categories in selected sources` checkbox ticked

  • Leave the `Action`, `Lateral`, and `Target` transformation fields as default

  • If necessary, add a comment (optional)

  • Click on `+ Add`


7.3.2.5. Procedure to display an existing ruleset

  • From the navigation bar, click successively on:

  • The `Config` button

  • The `Rulesets` button of the `Sigflow` menu.
    The `Rulesets` window is displayed.
    [Figure: the `Rulesets` window (RULESSET-01.PNG)]

From the ruleset management interface, the available rulesets are displayed.

  • To see the contents of a ruleset, click on the `View` button (8).


7.3.2.6. Procedure to copy a ruleset

This option is used to duplicate a Ruleset; the copy keeps the sources associated with the original Ruleset.
The administrator can decide to duplicate a Ruleset in order to assign it to another GCap probe, for example according to the network flows that transit through that probe. A Ruleset is specific and must be optimized for the probe to which it will be assigned.
  • From the navigation bar, click successively on:

  • The `Config` button

  • The `Rulesets` button of the `Sigflow` menu.
    The `Rulesets` window is displayed.
    [Figure: the `Rulesets` window (RULESSET-01.PNG)]
  • Click on the three vertical dots (9)

  • Click on the `Copy ruleset` command

  • Enter the desired name for the new ruleset

  • If necessary, add a comment (optional)

  • Click on the `Submit` button.


7.3.2.7. Procedure to delete a ruleset

Deleting the Ruleset is irreversible but will not cause the deletion of the sources and signatures that were linked to the Ruleset.

  • From the navigation bar, click successively on:

  • The `Config` button

  • The `Rulesets` button of the `Sigflow` menu.
    The `Rulesets` window is displayed.
    [Figure: the `Rulesets` window (RULESSET-01.PNG)]
  • Method 1:

  • Click on the three vertical dots (9)

  • Click on the `Delete ruleset` command

  • If necessary, add a comment (optional)

  • Click on the `Delete object` button

Or

  • Method 2:

  • Click on the `View` button of the desired ruleset

  • Click on the `Delete` link, in the list of actions on the left

  • If necessary, add a comment (optional)

  • Click on the `Delete object` button


7.3.2.8. Procedure to edit a ruleset

A Ruleset can be edited so that the operator can make changes to the sources, categories or rules present in the Ruleset.
These changes can be made to the rules in order to adapt a public rule to specific information system requirements, or to a specific need.
  • From the navigation bar, click successively on:

  • The `Config` button

  • The `Rulesets` button of the `Sigflow` menu.
    The `Rulesets` window is displayed.
    [Figure: the `Rulesets` window (RULESSET-01.PNG)]
  • Click on the `View` button (8).
    [Figure: the ruleset view (RULESSET-02.PNG)]
  • Click on the `Edit` link (18).

Note

Other Method
  • Click on the three vertical dots (9).

  • Click on the `Edit` command.

Once in the edit menu, it is possible to:

  • Change the name of the ruleset.

  • Change the `Action`, `Lateral`, and `Target` transformation fields.
    Changes will be applied to all categories in the Ruleset.

    Note

    For more information, see the Transform rule paragraph.

  • Change the comment

  • Add or remove sources from the ruleset via the `Edit Sources` link.
    This option is used to manually enable or disable a source in a Ruleset.
    Once a source is unchecked, its signatures are no longer matched against the monitored traffic and no longer raise alerts in the interface.
  • Add or remove categories from a ruleset source via the `Edit categories` link.
    This option is used to manually enable or disable a category in a Ruleset.
    Once a category is unchecked, its signatures are no longer matched against the monitored traffic and no longer raise alerts in the interface.
  • Add rules to the disabled list via the `Add rules to disabled list` link.
    It is possible to disable a signature associated with a ruleset. Disabling a rule does not permanently delete it.
  • Remove rules from the disabled list via the `Remove rules from disabled list` link.
    The rule returns to the active ruleset rules.
  • Click on the `Submit` button to validate the changes.

Note

When adding a source, it is necessary to manually add the categories of this source so that they are included in the ruleset source.
If this is not done, the ruleset source will be empty.

7.3.2.9. Procedure to export a ruleset

  • From the navigation bar, click successively on:

  • The `Config` button

  • The `Rulesets` button of the `Sigflow` menu.
    The `Rulesets` window is displayed.
    [Figure: the `Rulesets` window (RULESSET-01.PNG)]
  • Click on the `View` button (8).

    [Figure: the ruleset view (RULESSET-02.PNG)]
  • Click on the `Export rules file` link (13).
    Exporting the ruleset enables downloading a ".rules" file containing all the rules of the ruleset in question. This may enable some rules to be reimported into other tools.

Important

This feature does not serve as a ruleset backup. It is not possible to import the exported file back into Gcenter as is. This would result in duplicate rules.
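The exported ".rules" file is plain Suricata rule text, one rule per line, each carrying a unique `sid`. The following script is an added example (not GCenter code) showing how a practitioner can check such an export before feeding it to another tool: it parses the `sid`/`rev` keywords, lists the SIDs that would collide if the file were merged with a ruleset that already contains them (the duplicate-rule problem the note above warns about), and mirrors the "disabled list" by commenting out rules by SID. The rule lines are constructed for the example and the SIDs are placeholders.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of an exported ".rules" file (made up for this example).
EXISTING_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"EXAMPLE outbound to port 4444"; sid:1000001; rev:2;)
alert dns any any -> any 53 (msg:"EXAMPLE suspicious TLD lookup"; dns.query; content:".example"; sid:1000002; rev:1;)
"""

# Constructed file a user might try to import alongside the existing rules.
IMPORT_CANDIDATE = """\
# comment lines and blank lines are ignored by the parser
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"EXAMPLE outbound to port 4444"; sid:1000001; rev:3;)
alert http any any -> $HOME_NET any (msg:"EXAMPLE user-agent"; http.user_agent; content:"ExampleUA"; sid:1000003; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def parse_rules(text: str) -> Dict[int, Tuple[int, str]]:
    """Map sid -> (rev, rule line) for every active (uncommented) rule."""
    rules: Dict[int, Tuple[int, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if not m:
            raise ValueError(f"rule without sid: {line[:60]}")
        r = REV_RE.search(line)
        rules[int(m.group(1))] = (int(r.group(1)) if r else 1, line)
    return rules


def find_duplicates(existing: str, candidate: str) -> List[int]:
    """SIDs present in both files: these become duplicate rules on re-import."""
    return sorted(set(parse_rules(existing)) & set(parse_rules(candidate)))


def disable_rules(text: str, disabled_sids: Set[int]) -> str:
    """Mirror the disabled list: comment out rules whose sid is disabled."""
    out = []
    for line in text.splitlines():
        m = SID_RE.search(line)
        if m and int(m.group(1)) in disabled_sids and not line.lstrip().startswith("#"):
            out.append("# " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"
```

Running `find_duplicates(EXISTING_RULES, IMPORT_CANDIDATE)` reports SID 1000001, the rule that exists in both files (with a newer `rev` in the candidate), which is exactly the collision a blind re-import would create.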


7.3.2.10. Procedure to update a ruleset

Note

The update via this procedure only concerns the custom or public sources of the ruleset. The update is performed if the ruleset file of the remote server or editor has been updated.

  • From the navigation bar, click successively on:

  • The `Config` button

  • The `Rulesets` button of the `Sigflow` menu.
    The `Rulesets` window is displayed.
    [Figure: the `Rulesets` window (RULESSET-01.PNG)]
  • Click on the `View` button (8) of the desired ruleset.

Note

Other Method
  • Click on the three vertical dots (9)

  • Click on the `Update ruleset` command

    [Figure: the ruleset view (RULESSET-02.PNG)]
  • Click on `Update` (5)