ASL rule manager

From Atomicorp Wiki
Jump to: navigation, search

Contents

[edit] ASL Rule Manager

The ASL rule manager centrally controls all of ASLs event correlation, analysis and response activities.

[edit] Using the rule manager

To disable a rule, log into ASL and click on the "Configuration" tab, then select the "Rule Manager" menu item. This will open the rule manager. Once the rule manager is open, you will see two buttons "Global" and "Rules".

  • Global contains the configuration settings that are universal for the entire system.
  • Rules contains each rule, and each action it should or should not take, along with any exceptions for each rule, such as for virtual hosts. Rules are divided into two groups "HIDS" and "WAF". HIDS rules are the host based intrusion detection systems rules, and "WAF" and the Web Application Firewall rules.

[edit] Disabling a rule

To disable a rule, log into ASL and click on the "Configuration" tab, then select the "Rule Manager" menu item. This will open the rule manager. Once the rule manager is open, you will see two buttons "Global" and "Rules". Click on Rules. The select the group you want to disable, such as "WAF" or "HIDS" (see above for explanation of what these two groups are). Then select the rule, and click on the green down error to the left of the rule, this will expand the options available for that rule. To disable the rule, that is to tell ASL to take no action when this event occurs accept to log it, select the Active Response drop down and set the option to "No", then click the opdate button to the left.

[edit] Changing the options in a rule

To modify a rule, log into ASL and click on the "Configuration" tab, then select the "Rule Manager" menu item. This will open the rule manager. Once the rule manager is open, you will see two buttons "Global" and "Rules". Click on Rules. The select the group you want to configure, such as "WAF" or "HIDS" (see above for explanation of what these two groups are).

Then select the rule you wish to configure, and click on the green down error to the left of the rule, this will expand the options available for that rule. Changes the options for your needs, and then click the opdate button to the left to implement the changes.

[edit] Rule manager options

[edit] HIDS Rules

For each HIDS rule there are four options that can be configured:

  • Severity
  • Active Response
  • Email
  • Logging

[edit] Severity

There are 16 levels of severity in ASL, with 0 being the lowest and 16 being the highest. The severity settings are used in the Security Events window to prioritize events, so that only high priority events show in that window by default, and also to set the minimum level required for an active response action to be taken.

[edit] Active Response

This option tells ASL to firewall, or shun the source IP address if this rule is triggered. The period of this blocking is set in the Global tab and the "Shun Time" option.

[edit] Email

This option tells ASL to email the contact set in the Global tab, in the "Email from:" field if this rule is triggered. This event will only be emailed to the contact if the "Max emails per hour:" rate has not been exceeded. If it has been exceeded, the notification will be held until that period has elapsed and will be added to the next notification email sent out.

[edit] Logging

This options configures ASL to log the event.

[edit] WAF Rules

For each HIDS rule there are six options that can be configured:

  • vhost
  • Disabled
  • Severity
  • Active Response
  • Email
  • Logging

[edit] Vhost

WAF rules can be configured for a specific vhost. For example, a WAF rule can be disabled for just one or more vhosts, or can be enabled for one or more vhosts. If you want to change a rules behavior for a vhost, but not the entire system, simply enter the vhosts name, www.example.com for instance, in the text box in the vhost column. Then adjust the settings for that vhost to your needs.

[edit] Disabled

Setting this option to "Yes" disables this rule for the entire system, or if configured for a vhost for just that vhost.

[edit] Severity

There are 16 levels of severity in ASL, with 0 being the lowest and 16 being the highest. The severity settings are used in the Security Events window to prioritize events, so that only high priority events show in that window by default, and also to set the minimum level required for an active response action to be taken.

[edit] Active Response

This option tells ASL to firewall, or shun the source IP address if this rule is triggered. The period of this blocking is set in the Global tab and the "Shun Time" option.

[edit] Email

This option tells ASL to email the contact set in the Global tab, in the "Email from:" field if this rule is triggered. This event will only be emailed to the contact if the "Max emails per hour:" rate has not been exceeded. If it has been exceeded, the notification will be held until that period has elapsed and will be added to the next notification email sent out.

[edit] Logging

This options configures ASL to log the event.

Personal tools