This module will check every Pulsar event against the configured set of rules. When a match is found, a threat event is generated.
Rules are read from YAML files in the rules folder. For example, `/var/lib/pulsar/rules/example_rules1.yaml` with the following content:

```yaml
- name: Read sensitive file from untrusted process
  condition: header.image != "/usr/bin/sshd" && payload.filename == "/etc/shadow"

- name: Executed telnet or nc
  condition: payload.filename in ["/usr/bin/telnet", "/usr/bin/nc"]
```
The first rule will cause a warning whenever a process other than `/usr/bin/sshd` reads `/etc/shadow` (the condition combines a check on the process image, `header.image`, with a check on the file being opened, `payload.filename`). The second rule will warn whenever `telnet` or `nc` is executed, using the `in` operator to match `payload.filename` against a list of paths.
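To make the matching semantics of the two rules above concrete, here is a small, self-contained evaluator for the condition syntax they use (`==`, `!=`, `in [...]`, `&&`, plus `||` and parentheses for completeness). This is an added illustration, not Pulsar's own rules engine or its parser: the `tokenize`, `Parser`, `evaluate` and `match_events` names are hypothetical, the rules are embedded as Python dicts mirroring the YAML instead of being loaded from a file, and the events are constructed samples shaped like the `header`/`payload` fields the conditions address.

```python
"""Toy evaluator for the rule-condition language shown in the example rules.

Hypothetical illustration (not Pulsar's implementation): parses conditions such as
  header.image != "/usr/bin/sshd" && payload.filename == "/etc/shadow"
into a small tree and evaluates them against dict-shaped events.
"""
import re

# String literal | operator/punctuation | identifier (dotted field name or the keyword `in`)
TOKEN_RE = re.compile(r'\s*(?:("(?:[^"\\]|\\.)*")|(==|!=|&&|\|\||[\[\],()])|([A-Za-z_][\w.]*))')


def tokenize(text):
    """Split a condition string into ('str'|'op'|'field', value) tokens."""
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {text[pos:]!r}")
        string, op, ident = m.groups()
        if string is not None:
            tokens.append(("str", string[1:-1]))      # quotes stripped, no unescaping needed here
        elif op is not None or ident == "in":
            tokens.append(("op", op or ident))
        else:
            tokens.append(("field", ident))
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent: or_expr := and_expr ('||' and_expr)*; and_expr := cmp ('&&' cmp)*."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, value=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (value and tok[1] != value):
            raise ValueError(f"expected {value or kind}, got {tok}")
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek()[0] is not None:
            raise ValueError(f"trailing tokens: {self.toks[self.i:]}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == ("op", "||"):
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.comparison()
        while self.peek() == ("op", "&&"):
            self.take()
            node = ("and", node, self.comparison())
        return node

    def comparison(self):
        if self.peek() == ("op", "("):
            self.take()
            node = self.or_expr()
            self.take("op", ")")
            return node
        field = self.take("field")[1]
        op = self.take("op")[1]
        if op in ("==", "!="):
            return (op, field, self.take("str")[1])
        if op == "in":
            self.take("op", "[")
            values = [self.take("str")[1]]
            while self.peek() == ("op", ","):
                self.take()
                values.append(self.take("str")[1])
            self.take("op", "]")
            return ("in", field, values)
        raise ValueError(f"unsupported operator {op!r}")


def lookup(event, path):
    """Resolve a dotted field such as header.image; a missing key yields None."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(node, event):
    """Evaluate a parsed condition tree against one event (a nested dict)."""
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    if kind == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    value = lookup(event, node[1])
    if value is None:
        return False        # design choice: an absent field never matches, not even for !=
    if kind == "==":
        return value == node[2]
    if kind == "!=":
        return value != node[2]
    return value in node[2]  # kind == "in"


# The two example rules, embedded as dicts that mirror the YAML above (constructed).
RULES = [
    {"name": "Read sensitive file from untrusted process",
     "condition": 'header.image != "/usr/bin/sshd" && payload.filename == "/etc/shadow"'},
    {"name": "Executed telnet or nc",
     "condition": 'payload.filename in ["/usr/bin/telnet", "/usr/bin/nc"]'},
]

# Constructed sample events in the header/payload shape the conditions refer to.
EVENTS = [
    {"header": {"image": "/usr/bin/sshd"}, "payload": {"filename": "/etc/shadow"}},  # trusted reader
    {"header": {"image": "/usr/bin/cat"}, "payload": {"filename": "/etc/shadow"}},   # rule 1 fires
    {"header": {"image": "/bin/bash"}, "payload": {"filename": "/usr/bin/nc"}},      # rule 2 fires
    {"header": {"image": "/bin/bash"}, "payload": {"filename": "/usr/bin/vim"}},     # no match
]


def match_events(rules, events):
    """Return (rule name, event index) for every rule/event pair whose condition holds."""
    compiled = [(r["name"], Parser(tokenize(r["condition"])).parse()) for r in rules]
    return [(name, i) for i, ev in enumerate(events) for name, tree in compiled if evaluate(tree, ev)]


if __name__ == "__main__":
    for name, idx in match_events(RULES, EVENTS):
        print(f"threat: {name!r} matched event {idx}")
```

Running it reports one match for each of the two rules: event 1 (`cat` reading `/etc/shadow`) triggers the first rule, event 2 (`nc` being executed) triggers the second, and the `sshd` read of `/etc/shadow` is correctly left alone because the `!=` check on `header.image` fails. Note the deliberate choice that a missing field makes a comparison false rather than true; without that, a `!=` rule would fire on every event that simply lacks the field.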
| Option | Type | Description |
|--------|------|-------------|
| `rules_path` | path | Folder containing the rule files |
You disable this module with:

```
pulsar config --set rules-engine.enabled=false
```