176 CONFIGURING RULES

You can configure the following rule types:

• Event Rule - An event rule performs tests on events as they are processed in real-time by the Event Processor. You can create an event rule to detect a single event (within certain properties) or event sequences. For example, if you wish to monitor your network for invalid login attempts, access to multiple hosts, or a reconnaissance event followed by an exploit, you can create an event rule. It is common for event rules to create offenses as a response.

• Offense Rule - An offense rule processes offenses only when changes are made to the offense, such as when new events are added or the system scheduled the offense for reassessment.
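The two rule types above, modelled as an added illustration that is not part of the STRM guide or product: a toy event processor applies two event rules (a reconnaissance-then-exploit sequence and repeated login failures) to a constructed event stream, each response opens or updates an offense, and that change is the only point at which the offense rule runs. All class names, thresholds and addresses are invented for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Offense:
    src: str
    events: list = field(default_factory=list)  # (category, rule name) pairs
    severity: int = 1

def offense_rule(off):
    # Offense rule: evaluated only when the offense changes (events added or
    # a reassessment); here it scales severity with the event count.
    off.severity = min(10, 2 * len(off.events))

class EventProcessor:
    # Applies event rules to each (src, category) event as it arrives, keeping
    # only the per-source state needed to recognise the tested sequences.
    def __init__(self):
        self.last_category = {}                  # src -> most recent category
        self.login_failures = defaultdict(int)   # src -> failed login count
        self.offenses = {}                       # src -> Offense
    def process(self, src, category):
        # Event rule 1 (sequence): reconnaissance then exploit from one source.
        if category == "exploit" and self.last_category.get(src) == "recon":
            self._respond(src, category, "recon-then-exploit")
        # Event rule 2 (counted single event): repeated invalid login attempts.
        if category == "login_failure":
            self.login_failures[src] += 1
            if self.login_failures[src] >= 3:
                self._respond(src, category, "repeated-login-failures")
        self.last_category[src] = category
    def _respond(self, src, category, rule_name):
        # Rule response: open or extend the offense; that change triggers the offense rule.
        off = self.offenses.setdefault(src, Offense(src=src))
        off.events.append((category, rule_name))
        offense_rule(off)

# Constructed sample event stream (source address, category), in arrival order.
SAMPLE_EVENTS = [("10.0.0.5", "recon"), ("10.0.0.5", "exploit"),   # sequence matches
                 ("10.0.0.9", "exploit")]                           # no prior recon
SAMPLE_EVENTS += [("10.0.0.7", "login_failure")] * 4                # four failed logins

def run(events):
    # Stream events through the processor; return offenses keyed by source.
    ep = EventProcessor()
    for src, category in events:
        ep.process(src, category)
    return ep.offenses
```

Note that the exploit from 10.0.0.9 produces no offense because the sequence rule requires the preceding reconnaissance event from the same source.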
This chapter includes:

• Viewing Rules
• Enabling/Disabling Rules
• Creating a Rule
• Copying a Rule
• Deleting a Rule
• Grouping Rules
• Editing Building Blocks

Viewing Rules

To view deployed rules, rule type, and status:

Step 1 Select the Offense Manager tab.
The Offense Manager window appears.
Step 2 In the navigation menu, click Rules.
The rules window appears.
Step 3 In the Display drop-down list box, select Rules.
STRM Administration Guide