Editing policies
The Edit policy interface is used to create a new, or modify an existing, policy. Policies are used to match on events that can be saved to the history table and viewed in the Alarms tab. Algorithms, for example, can create events which trigger a policy.
Note
Some policies are read-only and cannot be edited because they are predefined to support specific algorithms that monitor flows or specific events.
Policy Fields
Policy Name: Name displayed in the Bulletin Board
Active: Check box that determines whether or not the policy is active.
Filters
Message Filter: The text in the body of the message
IP Address Filter: The host the message came from
Alert Level Filter: Can be a combination of two fields “facility” and “severity”.
Facility includes: kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, unknown, local0…7
Severity (Priority) includes: emerg, alert, crit, err, warning, notice, info, debug
Exclude IPs: IP addresses to exclude from this policy
Include IP Range: Hosts that this policy will apply to
Notes: Information saved with the policy to help administrators remember its purpose
Logic
Match (Default): Matches on text using logical AND and OR expressions. This is the most common choice.
Regex (Advanced): Requires advanced instruction. A regular expression is a powerful way of specifying a pattern for a complex search.
The SQL database uses Henry Spencer’s implementation of regular expressions, which is aimed at conformance with POSIX 1003.2. The database uses the extended version to support pattern-matching operations performed with the REGEXP operator in SQL statements.
The following does not contain all the details that can be found in Henry Spencer’s regex(7) manual page. That manual page is included in some source distributions, in the regex.7 file under the regex directory. In short, a regular expression describes a set of strings. The simplest regular expression is one that has no special characters in it. For example, the regular expression ‘hello’ matches hello and nothing else.
Non-trivial regular expressions use certain special constructs enabling them to match more than one string. For example, the regular expression “hello|word” matches either the string hello or the string word. As a more complex example, the regular expression “B[an]*s” matches any of the strings Bananas, Baaaaas, Bs, and any other string starting with a B, ending with an s. For more references on Regular Expressions, visit the following internet pages:
Select Action
Bulletin Board: Select and view the foreground and background colors
History: When the policy is matched, should a message be:
Posted to Bulletin Board: and saved to history for later reporting?
Stored to history: for later reporting but not posted to the Bulletin Board?
Deleted immediately: with no history on the message?
Save to same order in Policy List: Save with the current policy priority (Default)
Save to bottom of Policy list: Saves to the bottom of the policy list and will be checked for a match last.
Save to top of Policy list: Saves to the top of the policy list and will be checked for a match first.
Threat Multiplier: Enter the value the Threat Index increases by for each violation.
Notifications allow the user to select an action for a policy. Select a notification profile or create a new one.
Trigger
Threshold Trigger: Notifies when the number of events exceeds the threshold. Keep in mind that reaching the threshold could take anywhere from 10 minutes to more than 10 months.
Rate Trigger: Suppresses notification for an event until it occurs X times in Y minutes.
Device Specific: Check this when the incoming events must come from the same host in order to trigger the threshold violation alarm.
Process Notification for:
First Violation: Notify once for the threshold violation and don’t repeat unless the message is cleared from the bulletin board.
Each Violation: Notify every time the threshold is breached.
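The following Python is an added example, not the product's own code (the page shows none): it models how the Filters, the Match/Regex logic described above and the Rate Trigger with Device Specific combine over a constructed syslog feed. It assumes the BSD-syslog PRI encoding (facility = PRI // 8, severity = PRI % 8), labels facility codes 12 to 15 "unknown" as this page does, and uses Python's re module in place of the Henry Spencer engine; the policy keys, the RateTrigger class and the sample lines are hypothetical.

```python
import ipaddress, re
from collections import defaultdict, deque

# Facility names in PRI order (RFC 3164); codes 12-15 get the page's "unknown" label (assumption).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp"] + ["unknown"] * 4 + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_event(line):
    """Decode a constructed '<PRI>host message' line: facility = PRI // 8, severity = PRI % 8."""
    pri, host, text = re.match(r"<(\d{1,3})>(\S+) (.*)", line).groups()
    return {"facility": FACILITIES[int(pri) // 8], "severity": SEVERITIES[int(pri) % 8],
            "host": host, "text": text}

def filters_match(policy, ev):
    """Filters + Logic: terms (AND, or OR with any_term) or a regex, facility/severity, IP rules."""
    if policy.get("regex"):
        ok = re.search(policy["regex"], ev["text"]) is not None
    else:
        hits = [t.lower() in ev["text"].lower() for t in policy.get("terms", [])]
        ok = not hits or (any(hits) if policy.get("any_term") else all(hits))
    ok = ok and all(ev[k] in policy.get(k, [ev[k]]) for k in ("facility", "severity"))
    ok = ok and ev["host"] not in policy.get("exclude_ips", ())
    net = ipaddress.ip_network(policy.get("include_range", "0.0.0.0/0"))
    return ok and ipaddress.ip_address(ev["host"]) in net

class RateTrigger:
    """Rate Trigger: X matches in Y minutes; device_specific keeps one sliding window per host."""
    def __init__(self, count, minutes, device_specific=False):
        self.count, self.window, self.per_host = count, minutes * 60, device_specific
        self.seen = defaultdict(deque)  # window key -> timestamps (seconds) of recent matches

    def feed(self, ev, ts):
        q = self.seen[ev["host"] if self.per_host else "*"]
        q.append(ts)
        while ts - q[0] > self.window:  # expire matches older than Y minutes
            q.popleft()
        return len(q) >= self.count

def run_policy(policy, trigger, feed):
    """Timestamps at which the policy would post an alarm to the Bulletin Board for this feed."""
    return [ts for ts, line in feed
            if filters_match(policy, ev := parse_event(line)) and trigger.feed(ev, ts)]

# Constructed policy and feed (PRI 38 = auth.info): failed logins; 10.0.0.5 is excluded.
POLICY = {"terms": ["Failed", "password"], "facility": ["auth", "authpriv"],
          "include_range": "10.0.0.0/8", "exclude_ips": ["10.0.0.5"]}
FEED = [(ts, f"<38>{h} sshd[101]: {w} password for root from 203.0.113.9") for ts, h, w in
        [(0, "10.0.0.7", "Failed"), (30, "10.0.0.8", "Failed"), (60, "10.0.0.7", "Failed"), (90, "10.0.0.5", "Failed"),
         (100, "10.0.0.7", "Accepted"), (110, "10.0.0.7", "Failed"), (300, "10.0.0.7", "Failed")]]
```

With Device Specific set, only 10.0.0.7 reaches 3 failures within 2 minutes (alarm at t=110); without it the shared window fires at t=60 and again at t=110, and the match at t=300 starts a fresh window.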