Administrators and Analysts with rule definition authority may
define Trigger rules by selecting Rules -> Triggers from the
menu bar. Any Analyst may display rule definitions.
Trigger definitions are used by the Stream Analysis plugins to
find matches and pass them to the Action Analysis plugin for
further processing. Each Trigger definition must therefore name
the Plugin (data, tcp, ip4, etc.) that evaluates it.
The Function is an organizational value only; several can be seen
displayed in the left frame of the slide above. The Trigger
Name is the label used in incident displays.
The Trigger types are:
- String: The Trigger is a string to be matched in the
network data
- Location: The Trigger is a value to be tested in a
specific location of a network header
- Special: The Trigger is a definition for a special
handler function
The remaining fields define the characteristics of the
Trigger. The Validate button tests that the Trigger context is
consistent. For example, the Number Comparison flag should not be
set on a String Trigger; that conflict is not reported when the
definition is entered and is only flagged by using the Validate
button.
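As an added illustration of the three Trigger types and the Validate check (this is example code written for this page, not the product's own implementation), the model below represents a Trigger definition as a record, checks it the way Validate would, and evaluates String and Location Triggers against a constructed IPv4 header and data payload. The field names, the accepted plugin list, the sample header and payload, and the rule that a Special Trigger only needs a handler name are all assumptions made for the example.

```python
# Added example, not the product's code: a minimal model of Trigger
# definitions, the Validate check, and String/Location matching.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Assumed plugin set; the page lists these three as examples only.
VALID_PLUGINS = {"data", "tcp", "ip4"}
VALID_TYPES = {"String", "Location", "Special"}


@dataclass
class Trigger:
    name: str                        # Trigger Name, shown in incident displays
    plugin: str                      # Plugin Name: which Stream Analysis plugin evaluates it
    function: str                    # Function: organizational grouping only
    ttype: str                       # "String", "Location" or "Special"
    pattern: bytes = b""             # String: bytes to find in the data; Location: raw bytes expected
    offset: Optional[int] = None     # Location: byte offset into the header
    length: int = 1                  # Location: field width when comparing numerically
    value: Optional[int] = None      # Location: integer expected when number_comparison is set
    number_comparison: bool = False  # Location only: compare the field as a number
    handler: Optional[str] = None    # Special: name of the special handler function


def validate(t: Trigger) -> list[str]:
    """Return the list of problems; an empty list means the context is valid."""
    errors: list[str] = []
    if t.plugin not in VALID_PLUGINS:
        errors.append(f"unknown plugin {t.plugin!r}")
    if t.ttype not in VALID_TYPES:
        errors.append(f"unknown trigger type {t.ttype!r}")
        return errors
    if t.ttype == "String":
        if not t.pattern:
            errors.append("String trigger needs a non-empty pattern")
        if t.number_comparison:
            # The inconsistency the page uses as its example.
            errors.append("Number Comparison flag is not valid for String triggers")
    elif t.ttype == "Location":
        if t.offset is None or t.offset < 0:
            errors.append("Location trigger needs a non-negative offset")
        if t.number_comparison:
            if t.value is None:
                errors.append("numeric Location trigger needs a value")
            if t.length not in (1, 2, 4):
                errors.append("Location length must be 1, 2 or 4 bytes")
        elif not t.pattern:
            errors.append("byte Location trigger needs the expected bytes in pattern")
    elif not t.handler:
        errors.append("Special trigger needs a handler name")
    return errors


def matches(t: Trigger, header: bytes, payload: bytes) -> bool:
    """Evaluate one already-validated Trigger against a header and a data payload."""
    if t.ttype == "String":
        return t.pattern in payload
    if t.ttype == "Location":
        if t.number_comparison:
            end = t.offset + t.length
            return end <= len(header) and int.from_bytes(header[t.offset:end], "big") == t.value
        end = t.offset + len(t.pattern)
        return end <= len(header) and header[t.offset:end] == t.pattern
    # Special handlers live outside this model.
    raise NotImplementedError(f"no handler registered for Special trigger {t.name!r}")


# Constructed sample: a 20-byte IPv4 header (protocol byte at offset 9 is 6, TCP)
# and a made-up request line carried in the stream data.
SAMPLE_HEADER = bytes.fromhex("4500003c1c4640004006b1e6c0a80001c0a800c7")
SAMPLE_PAYLOAD = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"

TRIGGERS = {
    "passwd-string": Trigger("passwd-string", "data", "web", "String", pattern=b"/etc/passwd"),
    "ip4-proto-tcp": Trigger("ip4-proto-tcp", "ip4", "transport", "Location",
                             offset=9, length=1, value=6, number_comparison=True),
    "ip4-proto-udp": Trigger("ip4-proto-udp", "ip4", "transport", "Location",
                             offset=9, length=1, value=17, number_comparison=True),
    "bad-string": Trigger("bad-string", "data", "web", "String",
                          pattern=b"x", number_comparison=True),
}


def evaluate_all(header: bytes = SAMPLE_HEADER, payload: bytes = SAMPLE_PAYLOAD) -> dict[str, bool]:
    """Match every Trigger that passes Validate; invalid ones are skipped, not evaluated."""
    return {name: matches(t, header, payload)
            for name, t in TRIGGERS.items() if not validate(t)}


if __name__ == "__main__":
    for name, t in TRIGGERS.items():
        print(name, validate(t) or "valid")
    print(evaluate_all())
```

The point of `evaluate_all` skipping anything that fails `validate` is the caveat in the text: a definition with a conflicting flag is only caught by the explicit check, so the model refuses to evaluate it rather than silently applying a numeric comparison to a string match.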