Editing policies

The Edit policy interface is used to create a new policy or to modify an existing one. Policies match on events, which can then be saved to the history table and viewed in the Alarms tab. Algorithms, for example, can create events that trigger a policy.

Note

Some policies are read-only and cannot be edited because they are predefined to support specific algorithms that monitor flows or specific events.

Policy Fields

  • Policy Name: Name displayed in the Bulletin Board

  • Active: A check box that determines whether or not the policy is active.

Filters

  • Message Filter: The text in the body of the message

  • IP Address Filter: The host the message came from

  • Alert Level Filter: Can be a combination of the two fields “facility” and “severity”.

    • Facility includes: kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, unknown, local0…7

    • Severity (Priority) includes: emerg, alert, crit, err, warning, notice, info, debug

  • Exclude IPs: IP addresses to exclude from this policy

  • Include IP Range: Hosts that this policy will apply to

  • Notes: Information saved with the policy to help administrators remember its purpose

Logic

  • Match (Default): Matches on text using logical AND and OR expressions. This is the most common option.

  • Regex (Advanced): Requires advanced knowledge. A regular expression is a powerful way of specifying a pattern for a complex search.

    The SQL database uses Henry Spencer’s implementation of regular expressions, which is aimed at conformance with POSIX 1003.2. The database uses the extended version to support pattern-matching operations performed with the REGEXP operator in SQL statements.

    The following summary does not cover all the details found in Henry Spencer’s regex(7) manual page. That manual page is included in some source distributions, in the regex.7 file under the regex directory. In short, a regular expression describes a set of strings. The simplest regular expression is one that has no special characters in it. For example, the regular expression ‘hello’ matches hello and nothing else.

    Non-trivial regular expressions use special constructs that enable them to match more than one string. For example, the regular expression “hello|word” matches either the string hello or the string word. As a more complex example, the regular expression “B[an]*s” matches any of the strings Bananas, Baaaaas, Bs, and any other string that starts with a B, ends with an s, and contains only a and n characters in between. For more information on regular expressions, visit the following internet pages:

Select Action

  • Bulletin Board: Select and view the foreground and background colors

  • History: When the policy is matched, the message can be:

    • Posted to Bulletin Board: and saved to history for later reporting.

    • Stored to history: for later reporting, but not posted to the Bulletin Board.

    • Deleted immediately: with no history kept for the message.

  • Save to same order in Policy List: Saves the policy with its current priority (Default).

  • Save to bottom of Policy list: Saves the policy to the bottom of the policy list, so it is checked for a match last.

  • Save to top of Policy list: Saves the policy to the top of the policy list, so it is checked for a match first.

  • Threat Multiplier: Enter the value by which the Threat Index increases for each violation.

  • Notifications allow the user to select an action for a policy. Select a notification profile or create a new one.

  • Trigger

    • Threshold Trigger: Notifies when the number of events exceeds the threshold. Note that it could take 10 minutes or more than 10 months until the threshold is reached.

    • Rate Trigger: Suppresses notification for an event until it occurs X times in Y minutes.

    • Device Specific: Check this box when the incoming events must come from the same host in order to trigger the threshold violation alarm.

  • Process Notification for:

    • First Violation: Notify once for the threshold violation and do not repeat unless the message is cleared from the Bulletin Board.

    • Each Violation: Notify every time the threshold is breached.
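A worked illustration of the policy matching model described above (the message, facility/severity, Include IP Range and Exclude IPs filters, Match versus Regex logic, and the Rate Trigger with Device Specific), as an added Python example that is not part of this product or its documentation. It uses Python's re module, whose syntax differs from the database's POSIX regex in places, so the pattern here is limited to grouping and alternation, which behave the same in both; the event and policy field names and the Match keyword semantics are assumptions, and the Y-minute window of the Rate Trigger is not modelled.

```python
import ipaddress
import re
from collections import Counter
# Constructed sample syslog-style events (hypothetical; not product output).
EVENTS = [
    {"ip": "10.0.0.5", "facility": "auth", "severity": "err", "msg": "Failed password for root"},
    {"ip": "10.0.0.5", "facility": "auth", "severity": "err", "msg": "Failed password for admin"},
    {"ip": "10.0.9.9", "facility": "auth", "severity": "err", "msg": "Failed password for root"},
    {"ip": "10.0.0.7", "facility": "auth", "severity": "err", "msg": "Failed password for root"},
    {"ip": "10.0.0.8", "facility": "cron", "severity": "info", "msg": "Failed password for root"},
]

# Hypothetical policy; the field names are assumptions modelled on the fields above.
POLICY = {
    "active": True,
    "logic": "regex",  # "match" (AND/OR keywords) or "regex"
    "message_filter": "Failed password for (root|admin)",
    "facility": {"auth", "authpriv"},
    "severity": {"err", "crit", "alert", "emerg"},
    "include_range": "10.0.0.0/24",
    "exclude_ips": {"10.0.0.7"},
    "rate_trigger": {"count": 2, "device_specific": True},  # Y-minute window not modelled
}

def message_matches(policy, msg):
    """Message Filter: keyword AND/OR expression (Match) or a regular expression (Regex)."""
    if policy["logic"] == "regex":
        return re.search(policy["message_filter"], msg) is not None
    # Assumed Match semantics: alternatives joined by " OR ", each a set of " AND "-ed substrings.
    return any(all(term.strip().lower() in msg.lower() for term in alt.split(" AND "))
               for alt in policy["message_filter"].split(" OR "))

def event_matches(policy, ev):
    """Apply the filters: Active, facility/severity, Include IP Range, Exclude IPs, message."""
    return (policy["active"]
            and ev["facility"] in policy["facility"]
            and ev["severity"] in policy["severity"]
            and ipaddress.ip_address(ev["ip"]) in ipaddress.ip_network(policy["include_range"])
            and ev["ip"] not in policy["exclude_ips"]
            and message_matches(policy, ev["msg"]))

def run_policy(policy, events):
    """Return the matched events and the sources whose match count reached the Rate Trigger."""
    matched = [ev for ev in events if event_matches(policy, ev)]
    trig = policy["rate_trigger"]
    # Device Specific: count per source host; otherwise all matches count together.
    key = (lambda ev: ev["ip"]) if trig["device_specific"] else (lambda ev: "any")
    counts = Counter(key(ev) for ev in matched)
    notified = sorted(host for host, n in counts.items() if n >= trig["count"])
    return matched, notified
```

With the sample data, only the two events from 10.0.0.5 match (10.0.9.9 is outside the Include IP Range, 10.0.0.7 is in Exclude IPs, and the cron/info event fails the Alert Level Filter), so that host alone reaches the Rate Trigger of 2.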