gnat_rule_file
Synopsis
Definition of JSON file for defining patterns to trigger actions.
Description
Tag rules define patterns that are matched against flow records.
A rule identifies flow records that match its pattern and can be used to trigger actions.
The rule patterns are defined in a JSON file whose location is designated with the --options rule argument of the gnat_rule command line interface.
JSON File Format
The JSON file is composed of an array of JSON objects, each object representing one rule pattern. Each object contains a set of key-value pairs, where the key is the name of the field and the value is the value to match against. The following fields are available for matching:
| field | type | required | match type |
|---|---|---|---|
| action | str | yes | n/a |
| tag | int | yes | exact match |
| observe | str | no | prefix match |
| proto | str | no | prefix match |
| saddr | str | no | prefix match |
| sport | int | no | exact match |
| daddr | str | no | prefix match |
| dport | int | no | exact match |
| ndpi_appid | str | no | prefix match |
| orient | str | no | prefix match |
| risk_severity | int | no | exact match |
| hbos_severity | int | no | exact match |
risk_severity and hbos_severity are used to define the severity of the rule. The severity is defined as an integer value from 0 to 5, where 0 is the lowest severity and 5 is the highest severity.
Examples
```json
[
  { "action":"trigger","tag":"dns","observe":"lan1","ndpi_appid":"dns" },
  { "action":"ignore","observe":"lan1","daddr":"8.8.8","ndpi_appid":"dns" },
  { "action":"trigger","proto":"tcp","orient":"oi" },
  { "action":"trigger","tag":"tls","proto":"tcp","ndpi_appid":"tls" },
  { "action":"trigger","proto":"tcp","saddr":"10.0.4.240","daddr":"10.1.1.81","dport":8181 }
]
```
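The following Python script is an added example, not part of gnat or this page; it loads a rule file with the layout above and applies the exact-match and prefix-match semantics from the field table to constructed flow records. It validates only that `action` is present and that the integer fields are integers (the table lists `tag` as required, but the page's own examples omit it, so the validator does not enforce it). How gnat_rule resolves a flow that matches both a trigger rule and an ignore rule is not stated on the page; the `decide` function assumes that an ignore rule takes precedence, and that assumption is labelled in the code.

```python
import json

# Match type per field, taken from the field table on this page.
EXACT_FIELDS = {"tag", "sport", "dport", "risk_severity", "hbos_severity"}
PREFIX_FIELDS = {"observe", "proto", "saddr", "daddr", "ndpi_appid", "orient"}
INT_FIELDS = {"sport", "dport", "risk_severity", "hbos_severity"}
ACTIONS = {"trigger", "ignore"}  # the two actions used in the page's examples

# Constructed rule file mirroring the page's examples.
RULES_JSON = """
[
  { "action":"trigger","tag":"dns","observe":"lan1","ndpi_appid":"dns" },
  { "action":"ignore","observe":"lan1","daddr":"8.8.8","ndpi_appid":"dns" },
  { "action":"trigger","proto":"tcp","orient":"oi" },
  { "action":"trigger","tag":"tls","proto":"tcp","ndpi_appid":"tls" },
  { "action":"trigger","proto":"tcp","saddr":"10.0.4.240","daddr":"10.1.1.81","dport":8181 }
]
"""


def load_rules(text):
    """Parse a rule file, rejecting unknown fields, unknown actions and mistyped ints."""
    rules = json.loads(text)
    if not isinstance(rules, list):
        raise ValueError("rule file must be a JSON array of rule objects")
    for i, rule in enumerate(rules):
        if rule.get("action") not in ACTIONS:
            raise ValueError(f"rule {i}: missing or unknown action {rule.get('action')!r}")
        unknown = set(rule) - EXACT_FIELDS - PREFIX_FIELDS - {"action"}
        if unknown:
            raise ValueError(f"rule {i}: unknown field(s) {sorted(unknown)}")
        for key in INT_FIELDS:
            if key in rule and not isinstance(rule[key], int):
                raise ValueError(f"rule {i}: {key} must be an int, got {rule[key]!r}")
    return rules


def rule_matches(rule, flow):
    """A rule matches when every field it names (other than action) matches the flow."""
    for key, want in rule.items():
        if key == "action":
            continue
        have = flow.get(key)
        if have is None:
            return False  # the rule constrains a field the flow record lacks
        if key in EXACT_FIELDS and have != want:
            return False
        # Prefix match is a plain string prefix: "8.8.8" also covers "8.8.80.1".
        if key in PREFIX_FIELDS and not str(have).startswith(str(want)):
            return False
    return True


def matching_rules(rules, flow):
    """Indices of all rules whose pattern matches the flow record."""
    return [i for i, rule in enumerate(rules) if rule_matches(rule, flow)]


def decide(rules, flow):
    """Assumed precedence (not stated on the page): an ignore match suppresses triggers."""
    actions = {rules[i]["action"] for i in matching_rules(rules, flow)}
    if "ignore" in actions:
        return "ignore"
    if "trigger" in actions:
        return "trigger"
    return None


if __name__ == "__main__":
    rules = load_rules(RULES_JSON)
    # Constructed flow record: DNS from lan1 to a public resolver.
    flow = {"observe": "lan1", "proto": "udp", "saddr": "10.0.4.10", "sport": 5353,
            "daddr": "8.8.8.8", "dport": 53, "ndpi_appid": "dns", "orient": "io", "tag": "dns"}
    print(matching_rules(rules, flow), decide(rules, flow))
```

Because `daddr` is a prefix match on the string form of the address, the ignore rule for `"8.8.8"` also covers hosts such as `8.8.80.1`; a rule meant for one /24 should carry the trailing dot (`"8.8.8."`) or, where only one host is intended, the full address. When a flow matches both a trigger rule and an ignore rule, confirm gnat_rule's actual precedence before relying on the `decide` behaviour shown here.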