Arkime Rules
This is a gallery of Arkime Rules to browse. Learn how to contribute one here.
Check out the rules format page for more details on Arkime Rules. Each example below is one entry for the `rules:` list of a rules file; the rules are YAML, so the indentation shown is part of the syntax.
Set Protocols
This example rule adds tlsrulestest to the protocols field of a session when the protocols field contains tls and host.http is one of www.aol.com, mail.google.com, or foo.bar.com. Every field listed under fields must match, while the values listed for one field are alternatives, so any of the three hosts is enough.

- name: "Set tlsrulestest on certain hosts"
  when: "fieldSet"
  fields:
    protocols:
      - tls
    host.http:
      - www.aol.com
      - mail.google.com
      - foo.bar.com
  ops:
    "protocols": "tlsrulestest"
Truncate TLS
This rule saves only the first 20 packets of each TLS session to disk. Later packets are still counted and processed, but they are not written to the PCAP files.

- name: "Truncate TLS PCAP"
  when: "fieldSet"
  fields:
    protocols:
      - tls
  ops:
    _maxPacketsToSave: 20
Drop Syn Scan
This rule stops sessions that look like a SYN scan from being saved to Elasticsearch. It matches sessions with exactly one packet from the source (packets.src = 1), no packets from the destination (packets.dst = 0), and one SYN flag seen (tcpflags.syn = 1). It runs at beforeFinalSave, when the packet counts are complete.

- name: "Drop syn scan"
  when: "beforeFinalSave"
  fields:
    packets.src: 1
    packets.dst: 0
    tcpflags.syn: 1
  ops:
    _dontSaveSPI: 1
Example Truncate PCAP localhost
These example rules truncate localhost sessions: after the first 10 packets (the `_maxPacketsToSave` value) the remaining packets are counted but not saved to disk. Two rules are needed because ip.src and ip.dst are matched separately, so one rule covers traffic from localhost and the other traffic to it.

- name: "Drop from localhost"
  when: "fieldSet"
  fields:
    ip.src:
      - 127.0.0.1
  ops:
    _maxPacketsToSave: 10
- name: "Drop to localhost"
  when: "fieldSet"
  fields:
    ip.dst:
      - 127.0.0.1
  ops:
    _maxPacketsToSave: 10
Example dropByDst
`_dropByDst` and `_dropBySrc` are very useful when you want to drop traffic for src/dst IPs that keep changing, such as a host on AWS: the first session that matches puts the IP on a drop list, and later packets to (or from) that IP are discarded very early in the Arkime packet flow, which also saves CPU. This example starts dropping any traffic to an IP that was used to reach ad.beacon.something.example.com or ad2.beacon.something.example.com; with `_dontSaveSPI` the matching session itself is not saved to Elasticsearch either. Be careful: if other names are served from that same IP (several Host headers sharing one server), their traffic is dropped too. The value passed to `_dropByDst` (10 here) controls how long the IP stays on the drop list; see the rules format page for the unit.

- name: "Drop ad beacon"
  when: "fieldSet"
  fields:
    host.http:
      - ad.beacon.something.example.com
      - ad2.beacon.something.example.com
  ops:
    _dontSaveSPI: 1
    _dropByDst: 10
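The rules above share one matching model: every key under fields must match (AND), the values listed for a key are alternatives (OR), and a session field that holds several values, like protocols or host.http, matches if any of them is listed. The following toy evaluator is an added example, not Arkime's own code; it embeds three of the gallery rules as the structures yaml.safe_load() would return, runs them against constructed sessions, and records the ops so you can see which rules fire and what they do to a session before putting a rule into production. It ignores the when hook (it treats each rule as evaluated once on the finished session), so it cannot reproduce timing effects such as the syn-scan counts only being final at beforeFinalSave.

```python
"""Toy evaluator for Arkime-style rule matching (added example, not Arkime code)."""
import copy
from typing import Any, Dict, List, Tuple

# Three gallery rules, written as the structures yaml.safe_load() returns for them.
RULES: List[Dict[str, Any]] = [
    {
        "name": "Set tlsrulestest on certain hosts",
        "when": "fieldSet",
        "fields": {
            "protocols": ["tls"],
            "host.http": ["www.aol.com", "mail.google.com", "foo.bar.com"],
        },
        "ops": {"protocols": "tlsrulestest"},
    },
    {
        "name": "Truncate TLS PCAP",
        "when": "fieldSet",
        "fields": {"protocols": ["tls"]},
        "ops": {"_maxPacketsToSave": 20},
    },
    {
        "name": "Drop syn scan",
        "when": "beforeFinalSave",
        "fields": {"packets.src": 1, "packets.dst": 0, "tcpflags.syn": 1},
        "ops": {"_dontSaveSPI": 1},
    },
]


def _as_list(value: Any) -> List[Any]:
    """Rule values and session fields may be scalars or lists; normalise to a list."""
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def rule_matches(rule: Dict[str, Any], session: Dict[str, Any]) -> bool:
    """Every key under ``fields`` must match (AND); a key matches when any value
    the session holds for it is among the values the rule lists (OR)."""
    for field, wanted in rule["fields"].items():
        if field not in session:  # an unset field can never match
            return False
        allowed = _as_list(wanted)
        if not any(v in allowed for v in _as_list(session[field])):
            return False
    return True


def apply_ops(rule: Dict[str, Any], session: Dict[str, Any]) -> None:
    """Apply ``ops``: keys starting with ``_`` are recorded as engine controls
    (_dontSaveSPI, _maxPacketsToSave, ...); any other key sets a session field,
    appending when the field is multi-valued like ``protocols``."""
    for key, value in rule["ops"].items():
        if key.startswith("_"):
            session[key] = value
        elif isinstance(session.get(key), list):
            if value not in session[key]:
                session[key].append(value)
        else:
            session[key] = value


def evaluate(session: Dict[str, Any],
             rules: List[Dict[str, Any]] = RULES) -> Tuple[List[str], Dict[str, Any]]:
    """Run every rule against a copy of the session, in file order, and return
    the names of the rules that fired plus the resulting session.  The ``when``
    hook is ignored: this toy evaluates all rules once on the finished session."""
    session = copy.deepcopy(session)
    fired: List[str] = []
    for rule in rules:
        if rule_matches(rule, session):
            apply_ops(rule, session)
            fired.append(rule["name"])
    return fired, session


# Constructed sessions (test data, not captured traffic), shaped like the
# fields the rules reference.
TLS_TO_GMAIL = {"protocols": ["tls"], "host.http": ["mail.google.com"],
                "packets.src": 12, "packets.dst": 9, "tcpflags.syn": 1}
TLS_TO_OTHER = {"protocols": ["tls"], "host.http": ["example.org"],
                "packets.src": 12, "packets.dst": 9, "tcpflags.syn": 1}
SYN_SCAN = {"protocols": ["tcp"], "packets.src": 1, "packets.dst": 0,
            "tcpflags.syn": 1}

if __name__ == "__main__":
    for label, sess in (("tls to gmail", TLS_TO_GMAIL),
                        ("tls to other host", TLS_TO_OTHER),
                        ("syn scan", SYN_SCAN)):
        fired, out = evaluate(sess)
        controls = {k: v for k, v in out.items() if k.startswith("_")}
        print(f"{label}: fired={fired} protocols={out['protocols']} controls={controls}")
```

Running it shows the TLS session to mail.google.com firing both TLS rules (protocols becomes ["tls", "tlsrulestest"] and _maxPacketsToSave is 20), the TLS session to another host firing only the truncate rule, and the one-packet SYN session firing only the drop rule. Rules are applied in file order, so an op that changes a field can affect later rules that read it.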
Want to contribute an Arkime Rule?
Check out our contributing file for more information.