Working with TRITON RiskVision Rules

Rules | TRITON RiskVision | 02-June-2016

Use the Rules page in the RiskVision Local Manager to add, edit, and delete whitelist and internal network rules.

Whitelist rules instruct RiskVision services to ignore traffic sent to or from specific IP addresses, IP address ranges, or subnets.

The Diagnostics > Packets tab of the Local Manager displays the number of whitelisted packets, as well as the percentage of all traffic seen represented by whitelisted packets. RiskVision components do not store any other information about whitelisted traffic.

Internal network rules are used by RiskVision analytics, which need to distinguish inbound traffic from outbound traffic. For example, data analysis is performed only on outbound traffic.

RiskVision deployments include 4 default rules:

From LocalHost whitelists all traffic originating from the RiskVision appliance (like requests to the File Sandbox and checks for system updates).

To LocalHost whitelists all traffic sent to the RiskVision appliance (like File Sandbox responses and analytic database downloads).

IPv4 Internal Network Definition is used to identify all IPv4 traffic between, originating from, or received by devices in your network.

IPv6 Internal Network Definition s used to identify all IPv4 traffic between, originating from, or received by devices in your network.

To define a new rule, click Add, then:

Enter a unique Rule Name in the field at the top of the Add Rule dialog box.

Specify whether you are creating a whitelist rule or adding to the internal network definition.

Specify a Source IP address, subnet, or range.

Specify a Destination IP address, subnet, or range.

Enter a rule Description for ease of maintenance.

Specify whether the rule will be Enabled (active) or Disabled (saved, but not used) when you click OK.

Click OK to save your rule and return to the Rules page.

To edit an existing rule, click the rule name in the Rules table.

The Edit Rule dialog box opens, allowing you to edit all of the fields specified in the Add Rule dialog box, described above.

When you click OK in the Edit Rules dialog box, your changes are saved, you are returned to the Rules page, and a confirmation message is displayed at the top of the page to indicate that the change was successful.

To remove a rule, mark the check box next to the rule name, then click Delete.

To change the order of rules in the list, mark the check box next to a rule name and click Move Up or Move Down. Changing the order of rules on the screen does not affect how the rules are processed.

To change how many rules are shown on the page at a time, click a number under the table (10, 25, or 50). 10 rules are shown by default.