
Add a Custom DPA Rule to NetMon

When new system Deep Packet Analytics Rules for NetMon are published, they are available for download on the NetMon DPA Rules page of the LogRhythm Community.

Upload an Existing Rule

To add a Deep Packet Analytics Rule in NetMon:

  1. On the top navigation bar, click Rules, and then click the Deep Packet Analytics Rules tab.
  2. Under the Upload DPA Rules header, click Choose Files.
    The Open dialog box appears.
  3. Locate and select the rule file that you want to add, and then click Open.
    The file appears at the bottom of the Upload DPA Rule panel.
  4. Click the Upload icon to begin the transfer and save the rule, or click the Remove icon to cancel the upload and return to the configuration page.
    The progress of the upload appears.
    • If the upload is successful, the new rule appears at the bottom of the Manage DPA Rules table.
    • If the rule is invalid or the format is incorrect, an error appears. You will need to correct the issue and upload the file again.

By default, rules are disabled after they are uploaded. When you are finished, turn on rules as needed on the main Deep Packet Analytics page. To enable a rule, set the toggle switch next to the rule name to ON.

Compose a New Rule

To compose a new Deep Packet Analytics Rule in NetMon:

  1. On the top navigation bar, click Rules, and then click the Deep Packet Analytics Rules tab.
  2. Under the Compose New DPA Rules header, click Compose.
    The rule editor appears.
  3. To change the editor in use, select the desired emulator next to Editor, as follows:
  4. Type the content of the rule in the editor panel on the left side of the window.
    For more information, see Deep Packet Analytics Rule Examples or the Programming in Lua guide.
  5. Modify the author, scope, description, and whether the rule is enabled using the controls on the right side of the window.

    The rule name is only editable in the content of the rule itself. It cannot be changed in the Name box. If you attempt to rename a rule using the name of an existing rule, the changes are canceled and an error is displayed at the top of the rules table.
  6. Click Save to commit your changes and close the editor, or click Cancel to undo any changes and return to the configuration page.