Rule Config: Content Control Lists

Depending on which options you selected during the Rule Type stage of the wizard, you may be presented with a "Rule Config" wizard page for configuring Content Control Lists (CCLs).

One or more CCLs are automatically selected, based on your rule type selection. You can add other CCLs to the rule by selecting the check box next to a rule. When you click on a CCL name, a summary of that CCL is displayed in the Description box.

Optionally, you can import a custom CCL that was created in Sophos Enterprise Console. See "Importing Content Control Lists" for more information.

Custom lists are displayed in the Content control lists scroll box, along with the SophosLabs CCLs. Unlike SophosLabs rules, the quantity settings for custom CCLs must be configured in Sophos Enterprise Console.

Custom lists are shown with the name and description assigned to them in Sophos Enterprise Console. Any details that were specified are displayed in the Description box when you click the name of the custom CCL.

To configure a CCL-based rule:

  • On the Content Control Lists tab:
    1. From the Filter by region drop-down list, select the country for which you want the rule to apply. To filter for all countries, select All.
      The name of the selected region will be displayed in brackets after the CCL name. If this drop-down list is set to All, the CCL will be tagged as [Global].
    2. From the type drop-down list, select the type of data you want to display, or select All to show all data types.
    3. By default, the All CCLs option button is selected, which means the complete list of available CCLs is displayed. If you only want to see the CCLs that have been applied to this rule, select Only active (selected) CCLs.
    4. Click on an individual rule to set the quantity for each CCL, or use the default that is set by SophosLabs. See CCL Configuration for details.
    5. If you selected Messages matching specific Sophos Content Control Lists (CCLs) on the Rule Type page, or if you want to select additional rules, select the check box next to each rule.
    6. Enter the number of CCL matches that are required to trigger this rule in the text box of [n] of the CCLs must match. By default n is set to 1. Optionally, if you want all of the CCLs to match before the rule is triggered, select All of the CCLs must match.
    On the following tabs, you must select one or both of Match Content Control Lists (CCLs) within message parts or Match Content Control Lists (CCLs) within attachments, or you will not be able to proceed to the next step of the wizard.
  • On the Inspect message parts tab, configure whether the rule searches for CCL matches within the message body and message subject. By default, the rule will match CCLs within the message body, but not the message subject. When this option is enabled, you must select one or both of Include message body or Include subject.
    • Use the Match Content Control Lists (CCLs) within message parts check box to enable or disable matching within message parts.
    • Use the Include message body check box to select whether the rule will match CCLs within the message body.
    • Use the Include subject check box to select whether the rule will match CCLs within the message subject.
  • On the Inspect attachments tab, the Match Content Control Lists (CCLs) within attachments option searches for matches inside of attachments. This check box is selected by default. Clear this box only if you do not want to search within attachments.
  • Select the Logging tab if you want to enable and configure logging of CCL-based rules.

    Although logging is off by default, you can configure the manner in which CCL-based rules are logged. The logging level varies, depending on what is selected in the CCL Logging dialog box.

    If logging is off, an entry is still added indicating simply that a CCL policy rule was triggered. If you choose to include more CCL information in the logs, you can view this by clicking View log details in the search results.

    Logging for each CCL-based rule is configured separately. You must complete the steps shown below for each rule that you want to log.
    1. Click Configure.
      The CCL Logging dialog box is displayed.
    2. Select one or more of the following Log Level options:
      • Log CCL violations: When enabled, an entry is added to the logs indicating which CCL list was triggered.
      • Include matched text:

        When enabled, the logs will also include the exact text that triggered the violation.

        Logging matched text results in sensitive data being stored on the appliance, and, potentially, backed up to your FTP server. The data is stored in a format that is not encrypted.
      • Include partial matches: When enabled, an entry is added to the logs whenever there is a message that contains many of the characteristics identified in a CCL, but not enough to trigger a rule.
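
The following simplified model shows how the per-CCL quantity, the [n] of the CCLs must match setting, and the message part selections described above combine into a single trigger decision. It is an added example, not Sophos code: the regular expressions, the sample message, and all names are constructed, and it assumes that a CCL's quantity is the minimum number of occurrences needed before that CCL counts as matched.

```python
import re
from dataclasses import dataclass

@dataclass
class CCL:
    name: str
    pattern: str       # constructed regex standing in for a real list
    quantity: int = 1  # assumed: minimum occurrences before this CCL counts

@dataclass
class RuleConfig:
    ccls: list
    required: int = 1              # n in "[n] of the CCLs must match"
    all_must_match: bool = False   # "All of the CCLs must match"
    match_parts: bool = True       # Inspect message parts tab
    include_body: bool = True      # on by default
    include_subject: bool = False  # off by default
    match_attachments: bool = True # Inspect attachments tab, on by default

def evaluate(cfg, msg):
    """Return (triggered, names of CCLs that reached their quantity)."""
    if not (cfg.match_parts or cfg.match_attachments):
        raise ValueError("select message parts, attachments, or both")
    if cfg.match_parts and not (cfg.include_body or cfg.include_subject):
        raise ValueError("select message body, subject, or both")
    texts = []
    if cfg.match_parts and cfg.include_body:
        texts.append(msg["body"])
    if cfg.match_parts and cfg.include_subject:
        texts.append(msg["subject"])
    if cfg.match_attachments:
        texts.extend(msg["attachments"])  # already-extracted attachment text
    matched = [c.name for c in cfg.ccls
               if sum(len(re.findall(c.pattern, t)) for t in texts) >= c.quantity]
    needed = len(cfg.ccls) if cfg.all_must_match else cfg.required
    return len(matched) >= needed, matched

# Constructed sample data: test card numbers and a placeholder ID number.
CCLS = [CCL("cards", r"\b(?:\d{4}[ -]?){3}\d{4}\b", quantity=2),
        CCL("national_id", r"\b\d{3}-\d{2}-\d{4}\b")]
MSG = {"subject": "Refund for 4111 1111 1111 1111",
       "body": "Also charge 5500-0000-0000-0004. ID on file: 078-05-1120",
       "attachments": []}

if __name__ == "__main__":
    print(evaluate(RuleConfig(CCLS), MSG))
    print(evaluate(RuleConfig(CCLS, required=2), MSG))
    print(evaluate(RuleConfig(CCLS, required=2, include_subject=True), MSG))
```

With the default settings the card number in the subject is never inspected, so the "cards" list stays below its quantity of 2 until Include subject is selected.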