Edit Visitor Rule
Use the Edit Visitor Rule dialog box to add or edit a Visitor Rule definition.
You will find a description of what Rules are available and how to
configure them here.
Conditions
The rule conditions specify a set of criteria that must be met in order for the rule to be triggered.
- Name
The name of the Rule definition.
- First IP
The IP address of the visitor, or the start of a range of IP addresses.
- Last IP
The last IP address in the range. This value must be larger than the First IP field.
If this field is blank then the rule will only match the single IP address in the First IP field.
- Host DNS Name
The Host DNS Name is useful to define a rule for a host that uses dynamic IP allocation.
This name is resolved to an IP address and that IP address is used as the rule condition.
For performance reasons the DNS lookup of this name is performed periodically and not every time the rule is checked.
This may mean the rule will fail to match when a host first logs onto a network.
- Protocol
Restricts the rule to a specific protocol.
- Sensor IP
Restricts the rule to a particular IP address on the Sensor.
This is useful for writing rules that target broadcast messages. In this case enter 255.255.255.255 as the address.
- Sensor Port
Restricts the rule to a specific host port.
If this field is blank then all ports are included in the rule's conditions.
- Min Connections
- Max Connections
The Min and Max Connections allow a range to be defined for the number of connections a
visitor makes to the Sensor Port.
Both or either one of these fields may be blank.
These values apply to the sensor port, so a value for the Sensor Port field must be supplied if a min/max range is specified.
Actions
The rule actions are triggered if the conditions are met.
- Close
If checked then KFSensor will not respond to the connection and it will be immediately closed.
- Ignore
If checked then the connection will not be logged and will not generate an alert.
- Set Severity
Sets the severity of the event generated by the connection.
This overrides the severity defined by the listen definition.
Note: This field will be disabled if the Ignore option is checked. This is because if the rule
is set to ignore then there is no event to set a severity on.
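The field constraints and matching conditions described above can be modelled in a few lines. This is an added example, not KFSensor's own code: the class, field names and sample rules are hypothetical, and range and connection bounds are assumed to be inclusive.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class VisitorRule:
    # Hypothetical field names mirroring the dialog; None means "left blank".
    name: str
    first_ip: str
    last_ip: Optional[str] = None       # blank: match First IP only
    sensor_port: Optional[int] = None   # blank: all ports
    min_conn: Optional[int] = None
    max_conn: Optional[int] = None
    ignore: bool = False
    severity: Optional[str] = None

    def validate(self):
        """Return the constraint violations stated in the field descriptions."""
        errors = []
        first = ipaddress.ip_address(self.first_ip)
        if self.last_ip and ipaddress.ip_address(self.last_ip) <= first:
            errors.append("Last IP must be larger than First IP")
        if (self.min_conn is not None or self.max_conn is not None) \
                and self.sensor_port is None:
            errors.append("Min/Max Connections require a Sensor Port")
        if self.ignore and self.severity is not None:
            errors.append("Set Severity is disabled when Ignore is checked")
        return errors

    def matches(self, visitor_ip, port, connections):
        """True if a visitor meets every condition (bounds assumed inclusive)."""
        ip = ipaddress.ip_address(visitor_ip)
        first = ipaddress.ip_address(self.first_ip)
        last = ipaddress.ip_address(self.last_ip) if self.last_ip else first
        if not first <= ip <= last:
            return False
        if self.sensor_port is not None and port != self.sensor_port:
            return False
        if self.min_conn is not None and connections < self.min_conn:
            return False
        if self.max_conn is not None and connections > self.max_conn:
            return False
        return True

# Constructed sample rules (documentation-range addresses).
RANGE_RULE = VisitorRule("subnet-smb", "192.0.2.10", "192.0.2.20",
                         sensor_port=445, min_conn=5)
SINGLE_RULE = VisitorRule("single-host", "198.51.100.7")
BAD_RULE = VisitorRule("bad", "192.0.2.20", "192.0.2.10",
                       min_conn=1, ignore=True, severity="High")
```

Running `validate()` over a set of rule definitions before entering them catches the combinations the dialog describes as invalid, such as a connection range with no Sensor Port.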