Users have two options for making custom modifications to ASL rules.
Option One
Use the ASL web interface (Rule Editor). For further documentation see https://wiki.atomicorp.com/wiki/index.php/Using_ASL#Rule_Editor
Option Two
If you do not have access to the ASL web interface, rule modifications can be made directly from the command line. To make modifications, follow the steps below:
- Using an editor of your choice, open the /etc/asl/rules file.
- The /etc/asl/rules file is where custom rule modifications are stored. Each line of the file is one record of eleven comma-separated fields, in the following order:
Field One: V or G -- Modify the rule for a single Virtual Host (V) or globally (G)
Field Two: waf or hids -- Type of rule to modify
Field Three: Alert ID (integer)
Field Four: Virtual Host -- if Field One is V, the Virtual Host name goes here; otherwise leave it empty
Field Five: yes or no -- Disable the rule?
Field Six: yes or no -- Receive email notifications for this alert?
Field Seven: rule level (integer) -- Level of the alert
Field Eight: yes or no -- Is Active Response enabled for this rule?
Field Nine: yes or no -- Is logging enabled for this rule?
Field Ten: NOT USED -- leave empty
Field Eleven: Description
Examples (note that empty fields are still delimited, so Field Ten and, for a global record, Field Four appear as consecutive commas):
V,waf,330215,test.atomicorp.com,no,yes,9,yes,yes,,Atomicorp.com WAF Rules: Sosospider - Abusive
G,hids,5555,,no,yes,10,yes,yes,,Atomicorp.com HID Rules: modification
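The following parser and validator for the /etc/asl/rules record format is an added example and not Atomicorp's own code. The eleven-field layout follows the description above; the validation rules are assumptions drawn from it: a V record must name a Virtual Host and a G record must leave that field empty, Alert ID and level must be integers, the yes/no fields accept only those two words, blank lines and lines starting with "#" are skipped, and because the description is the last field it is allowed to contain commas. The sample input is constructed and includes two deliberately malformed records.

```python
"""Parse, validate and re-serialize /etc/asl/rules records (added example,
not Atomicorp's code; validation rules are assumptions, see the lead-in)."""
from dataclasses import dataclass

FIELD_COUNT = 11


@dataclass
class RuleMod:
    scope: str             # field one: 'V' (Virtual Host) or 'G' (Global)
    kind: str              # field two: 'waf' or 'hids'
    alert_id: int          # field three
    vhost: str             # field four: required for V, empty for G
    disabled: bool         # field five
    email: bool            # field six
    level: int             # field seven
    active_response: bool  # field eight
    logging: bool          # field nine
    description: str       # field eleven (field ten is unused)


def _yes_no(value: str, name: str) -> bool:
    if value not in ("yes", "no"):
        raise ValueError(f"{name}: expected 'yes' or 'no', got {value!r}")
    return value == "yes"


def _integer(value: str, name: str) -> int:
    if not value.isdigit():
        raise ValueError(f"{name}: expected an integer, got {value!r}")
    return int(value)


def parse_line(line: str) -> RuleMod:
    # Split on at most ten commas: the description is the last field, so a
    # comma inside it must not turn into extra fields (assumption).
    parts = line.rstrip("\r\n").split(",", FIELD_COUNT - 1)
    if len(parts) != FIELD_COUNT:
        raise ValueError(f"expected {FIELD_COUNT} fields, got {len(parts)}")
    (scope, kind, alert_id, vhost, disabled, email,
     level, active_response, logging, _unused, description) = parts
    if scope not in ("V", "G"):
        raise ValueError(f"field one: expected 'V' or 'G', got {scope!r}")
    if kind not in ("waf", "hids"):
        raise ValueError(f"field two: expected 'waf' or 'hids', got {kind!r}")
    if scope == "V" and not vhost:
        raise ValueError("field four: Virtual Host is required for a V record")
    if scope == "G" and vhost:
        raise ValueError("field four: must be empty for a G record (assumption)")
    return RuleMod(
        scope=scope, kind=kind,
        alert_id=_integer(alert_id, "field three (Alert ID)"),
        vhost=vhost,
        disabled=_yes_no(disabled, "field five (disable)"),
        email=_yes_no(email, "field six (email)"),
        level=_integer(level, "field seven (level)"),
        active_response=_yes_no(active_response, "field eight (active response)"),
        logging=_yes_no(logging, "field nine (logging)"),
        description=description,
    )


def _yn(flag: bool) -> str:
    return "yes" if flag else "no"


def format_line(mod: RuleMod) -> str:
    """Serialize a RuleMod back into the eleven-field record."""
    return ",".join([
        mod.scope, mod.kind, str(mod.alert_id), mod.vhost,
        _yn(mod.disabled), _yn(mod.email), str(mod.level),
        _yn(mod.active_response), _yn(mod.logging),
        "",  # field ten: NOT USED, but still delimited
        mod.description,
    ])


def load_rules(text: str):
    """Parse a whole file; returns (records, [(line_no, error), ...]).
    Bad lines are reported instead of aborting, so one typo does not hide
    the rest of the file."""
    records, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # assumption: blank and '#' comment lines are ignored
        try:
            records.append(parse_line(raw))
        except ValueError as exc:
            errors.append((line_no, str(exc)))
    return records, errors


# Constructed sample: the two records from this page plus two broken ones
# (a V record with no Virtual Host, and a record that is one field short).
SAMPLE = """\
# custom rule modifications
V,waf,330215,test.atomicorp.com,no,yes,9,yes,yes,,Atomicorp.com WAF Rules: Sosospider - Abusive
G,hids,5555,,no,yes,10,yes,yes,,Atomicorp.com HID Rules: modification
V,waf,330215,,no,yes,9,yes,yes,,missing vhost
G,hids,5555,,no,yes,10,yes,yes,one field short
"""
```

Running load_rules over a copy of /etc/asl/rules before saving an edit catches the common mistakes (a dropped comma, a misspelled yes/no, a V record without its host) that would otherwise silently fail to apply; format_line round-trips a parsed record so a script can rewrite the file without hand-counting commas.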