Alert Rules Use Cases

  • Idea
  • Updated 2 years ago
Below are examples of five alert rule use cases, including the rule description and syntax.

1. Alert on non-proxy web access events / direct web access

Detect all access not through the proxy server. Proxy server is

The rule needs to exclude web access from the client to the proxy, so it has a dst qualifier.

RULE: http, web_access src!= && dst!=

2. Alert on any SMTP traffic from a user machine
Detect any SMTP message not from the mail server

RULE: smtp, envelope src!=

3. Alert on any email with an attachment named "invoice.pdf" not going to the accounts department
Detect any email with the attachment invoice.pdf not sent to account.department

RULE: smtp, attachment recipient!="" && filename=~"invoice.pdf"

4. Alert on any file renames
Detect any SMB rename on the path mp3_uploads

RULE: smb, rename_file from=~"mp3_uploads"

5. Alert when a host connects to an IP address
Detect traffic to a specific IP address

RULE: flow, new dst=
Aisling Brennan, Official Rep

Posted 2 years ago

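To show how the five rules above behave against actual events, here is a small evaluator for the rule syntax used in the post, run over a handful of constructed metadata records. This is an added example written for this page, not the vendor's alerting engine and not code from the original post: the grammar is inferred from the five examples (`<module>, <event>` followed by `field op "value"` qualifiers joined with `&&`, with the operators `=`, `!=`, `=~` and `!~` assumed), and the proxy address, mail server address, accounts mailbox, watched IP and every event record are made up to fill the blanks the post leaves open.

```python
"""Toy evaluator for the "<module>, <event> field op \"value\" && ..." rule
syntax. Added illustration only: the grammar is inferred from the post's
five examples and every address, host name and event below is constructed."""
import re

# Assumed grammar: "<module>, <event> <qualifier> [&& <qualifier> ...]"
RULE_RE = re.compile(r"^\s*(\w+)\s*,\s*(\w+)\s*(.*)$")
# Assumed qualifier forms: field="v", field!="v", field=~"regex", field!~"regex"
QUAL_RE = re.compile(r'(\w+)\s*(!=|=~|!~|=)\s*"([^"]*)"')


def parse_rule(text):
    """Split a rule string into (module, event, [(field, op, value), ...])."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    module, event, rest = m.groups()
    quals = []
    for part in (p.strip() for p in rest.split("&&")):
        if not part:
            continue
        q = QUAL_RE.fullmatch(part)
        if not q:
            raise ValueError("unparseable qualifier: %r" % part)
        quals.append(q.groups())
    return module, event, quals


def qualifier_holds(record, field, op, value):
    """Evaluate one qualifier. Design choice for this demo: a field absent from
    the event never matches, so a '!=' exclusion cannot fire on events that
    simply lack the field (e.g. a flow record with no src)."""
    if field not in record:
        return False
    actual = record[field]
    if op == "=":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "=~":
        return re.search(value, actual) is not None
    if op == "!~":
        return re.search(value, actual) is None
    raise ValueError("unknown operator %r" % op)


def rule_matches(rule, record):
    """True when the event has the rule's module/event and every qualifier holds."""
    module, event, quals = rule
    if record.get("module") != module or record.get("event") != event:
        return False
    return all(qualifier_holds(record, f, o, v) for f, o, v in quals)


def run_rules(rules, records):
    """Return {rule name: [ids of the events that fired]}."""
    hits = {}
    for name, text in rules.items():
        rule = parse_rule(text)
        hits[name] = [r["id"] for r in records if rule_matches(rule, r)]
    return hits


# Constructed values standing in for the blanks in the post's rules.
PROXY = "10.0.0.5"                  # assumed proxy server address
MAIL_SERVER = "10.0.0.25"           # assumed mail server address
ACCOUNTS = "accounts@example.com"   # assumed accounts-department mailbox
WATCHED_IP = "203.0.113.7"          # assumed IP address of interest

RULES = {
    "direct_web":     'http, web_access src!="%s" && dst!="%s"' % (PROXY, PROXY),
    "smtp_from_host": 'smtp, envelope src!="%s"' % MAIL_SERVER,
    "invoice_leak":   'smtp, attachment recipient!="%s" && filename=~"invoice.pdf"' % ACCOUNTS,
    "mp3_rename":     'smb, rename_file from=~"mp3_uploads"',
    "watched_ip":     'flow, new dst="%s"' % WATCHED_IP,
}

# Constructed sample events, not real captured metadata.
EVENTS = [
    {"id": 1, "module": "http", "event": "web_access", "src": "10.0.1.40", "dst": PROXY},
    {"id": 2, "module": "http", "event": "web_access", "src": PROXY, "dst": "198.51.100.9"},
    {"id": 3, "module": "http", "event": "web_access", "src": "10.0.1.41", "dst": "198.51.100.9"},
    {"id": 4, "module": "smtp", "event": "envelope", "src": MAIL_SERVER, "dst": "198.51.100.20"},
    {"id": 5, "module": "smtp", "event": "envelope", "src": "10.0.1.42", "dst": "198.51.100.20"},
    {"id": 6, "module": "smtp", "event": "attachment", "recipient": ACCOUNTS, "filename": "invoice.pdf"},
    {"id": 7, "module": "smtp", "event": "attachment", "recipient": "bob@example.com", "filename": "invoice.pdf"},
    {"id": 8, "module": "smb", "event": "rename_file", "from": r"\\fs1\mp3_uploads\a.mp3", "to": r"\\fs1\mp3_uploads\a.exe"},
    {"id": 9, "module": "smb", "event": "rename_file", "from": r"\\fs1\docs\a.txt", "to": r"\\fs1\docs\b.txt"},
    {"id": 10, "module": "flow", "event": "new", "src": "10.0.1.43", "dst": WATCHED_IP},
    {"id": 11, "module": "flow", "event": "new", "src": "10.0.1.43", "dst": "198.51.100.9"},
]

if __name__ == "__main__":
    for name, ids in run_rules(RULES, EVENTS).items():
        print("%-15s fired on events %s" % (name, ids))
```

Only event 3 (client straight to the internet) trips the direct-web rule; events 1 and 2 are the two legitimate halves of a proxied request and are excluded by the `src!=` and `dst!=` pair, which is why the post says the dst qualifier is needed. Two caveats worth carrying over to a real engine: the pattern `invoice.pdf` is an unanchored regex with an unescaped dot, so it also matches names such as `invoice.pdf.exe` or `invoicexpdf`; anchor and escape it (`^invoice\.pdf$`) if only the exact name is meant. And how the vendor's engine treats a `!=` qualifier on an event that lacks the field is not stated on this page; the behaviour above (absent field never matches) is this example's own choice.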
Daniel Orchard-Robson

Trying to figure out the syntax for a rule to detect when the BitTorrent protocol is detected. I thought flow,new proto=~"BITTORRENT" would work, but it doesn't like it! Any suggestions?
Laura Murphy, Official Rep

The modules that our metadata alerting engine covers are flow, http, smb and smtp. Further reading can be found here.

We appreciate your feedback on this feature and plan to incorporate support for the BitTorrent module in an upcoming release (probably Q1 2017).

In the meantime, we can deal with this by creating a report alert. Please see this forum post on how to do this. 

We are very interested in the type of alerts our customers require, so if you have further suggestions, let us know at