Difference between revisions of "ASL rule manager"
Line 11: | Line 11: | ||
- Rules contains each rule, and each action it should or should not take, along with any exceptions for each rule, such as for virtual hosts. Rules are divided into two groups "HIDS" and "WAF". HIDS rules are the host based intrusion detection systems rules, and "WAF" and the Web Application Firewall rules. | - Rules contains each rule, and each action it should or should not take, along with any exceptions for each rule, such as for virtual hosts. Rules are divided into two groups "HIDS" and "WAF". HIDS rules are the host based intrusion detection systems rules, and "WAF" and the Web Application Firewall rules. | ||
− | == Disabling a rule == | + | === Disabling a rule === |
To disable a rule, log into ASL and click on the "Configuration" tab, then select the "Rule Manager" menu item. This will open the rule manager. Once the rule manager is open, you will see two buttons "Global" and "Rules". Click on Rules. The select the group you want to disable, such as "WAF" or "HIDS" (see above for explanation of what these two groups are). Then select the rule, and click on the green down error to the left of the rule, this will expand the options available for that rule. To disable the rule, that is to tell ASL to take no action when this event occurs accept to log it, select the Active Response drop down and set the option to "No", then click the opdate button to the left. | To disable a rule, log into ASL and click on the "Configuration" tab, then select the "Rule Manager" menu item. This will open the rule manager. Once the rule manager is open, you will see two buttons "Global" and "Rules". Click on Rules. The select the group you want to disable, such as "WAF" or "HIDS" (see above for explanation of what these two groups are). Then select the rule, and click on the green down error to the left of the rule, this will expand the options available for that rule. To disable the rule, that is to tell ASL to take no action when this event occurs accept to log it, select the Active Response drop down and set the option to "No", then click the opdate button to the left. | ||
− | == Changing the options in a rule == | + | === Changing the options in a rule === |
To modify a rule, log into ASL and click on the "Configuration" tab, then select the "Rule Manager" menu item. This will open the rule manager. Once the rule manager is open, you will see two buttons "Global" and "Rules". Click on Rules. The select the group you want to configure, such as "WAF" or "HIDS" (see above for explanation of what these two groups are). | To modify a rule, log into ASL and click on the "Configuration" tab, then select the "Rule Manager" menu item. This will open the rule manager. Once the rule manager is open, you will see two buttons "Global" and "Rules". Click on Rules. The select the group you want to configure, such as "WAF" or "HIDS" (see above for explanation of what these two groups are). | ||
Then select the rule you wish to configure, and click on the green down error to the left of the rule, this will expand the options available for that rule. Changes the options for your needs, and then click the opdate button to the left to implement the changes. | Then select the rule you wish to configure, and click on the green down error to the left of the rule, this will expand the options available for that rule. Changes the options for your needs, and then click the opdate button to the left to implement the changes. | ||
+ | |||
+ | == Rule manager options == | ||
+ | |||
+ | For each rule there are four options that can be configured: | ||
+ | |||
+ | * Severity |
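Review bot: the new "== Rule manager options ==" section states that each rule has four configurable options, but the hunk lists only "* Severity"; the remaining three items should be added so the list matches the stated count, or the count dropped until they are documented. The heading demotion from "== Disabling a rule ==" to "=== Disabling a rule ===" (and the same for "Changing the options in a rule") correctly nests those procedures under the existing "Using the rule manager" section, and the new options section is added at the same level as that parent, which reads consistently. While these lines are being touched, the unchanged context in this hunk still carries the recurring typos "green down error" (arrow), "opdate" (update) and "accept to log it" (except), which the revision could fix in the same edit.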
Revision as of 14:54, 30 July 2011
ASL Rule Manager
The ASL rule manager centrally controls all of ASL's event correlation, analysis and response activities.
Using the rule manager
To open the rule manager, log into ASL and click on the "Configuration" tab, then select the "Rule Manager" menu item. Once the rule manager is open, you will see two buttons, "Global" and "Rules".
- Global contains the configuration settings that are universal for the entire system.
- Rules contains each rule, the action it should or should not take, and any exceptions for that rule, such as for specific virtual hosts. Rules are divided into two groups, "HIDS" and "WAF". HIDS rules are the host-based intrusion detection system rules; WAF rules are the Web Application Firewall rules.
Disabling a rule
To disable a rule, log into ASL and click on the "Configuration" tab, then select the "Rule Manager" menu item. This will open the rule manager. Once the rule manager is open, you will see two buttons, "Global" and "Rules". Click on Rules. Then select the group containing the rule you want to disable, such as "WAF" or "HIDS" (see above for an explanation of these two groups). Select the rule and click on the green down arrow to the left of it; this expands the options available for that rule. To disable the rule, that is, to tell ASL to take no action when this event occurs except to log it, open the Active Response drop-down, set it to "No", and then click the update button to the left.
Changing the options in a rule
To modify a rule, log into ASL and click on the "Configuration" tab, then select the "Rule Manager" menu item. This will open the rule manager. Once the rule manager is open, you will see two buttons, "Global" and "Rules". Click on Rules. Then select the group containing the rule you want to configure, such as "WAF" or "HIDS" (see above for an explanation of these two groups).
Select the rule you wish to configure and click on the green down arrow to the left of it; this expands the options available for that rule. Change the options to suit your needs, and then click the update button to the left to apply the changes.
Rule manager options
For each rule there are four options that can be configured:
- Severity