| Administrators and Analysts with rules definition authority may define Action rules by selecting Rules -> Actions from the menu bar. Any Analyst may display rule definitions. The Action rule definitions are somewhat more complicated than Trigger definitions because they must define which Triggers comprise and Action, and what conditions must be met for the Action to be passed to the Event Analyzer plugin for further processing. The Target type and Attack type are organizational values and several can be seen displayed on the left frame in the slide above. The Action Name is used in incident displays. The Action threshold defines the minimum sum of the weights of detected Triggers for the Action to be reported. The End of line is a list characters that indicate the end of a line. These may be '\r\l' for carriage return and line feed or '</table>' for the end of an HTML table definition. The lower half of the middle frame is where the Triggers for the Action are defined. The right frame displays summary information about the Triggers that have been defined. The Plugin name, Function, and Trigger name identify existing Trigger definitions. The weight is required, and the sum of the weights of some combination of Triggers must equal or exceed the Action threshold. The remaining fields define the characteristics of the Trigger within the Action definition. The same Trigger may be used by multiple Actions and have different characteristics. The Validate button tests that the Action context is valid. For example, if the total weight of all Triggers is less than the threshold, this can only be determined by using the Validate button. The TCP port definition in the slide above is defined to be a support Trigger, which allows the Action Analyzer to ignore it unless another Trigger in the Action is detected. |