Monday, August 13, 2007

Q: How do I set up a custom rule that fires an alert by email or SNMP trap?

A:

Make sure the alert mechanism you will want to use (email to whom? syslog to which server? SNMP trap to which manager? etc.) is set up in [ Policy & Response // Responses // Alerts ]. Then:

  1. First create the custom rule. Because the Compliance rule we create later can filter on source or destination IP (or other criteria), you may not want to limit the custom rule itself to a group of IPs if you still want the event detected everywhere but only want to be alerted for some hosts. Make a note of the rule SID.
  2. Now navigate to: [ Policy & Response // Compliance // Rule Management ] and create a rule. Give the rule a good name and description, and make it of type intrusion event. Add a condition that the rule SID match the custom rule you just created, and add other criteria if needed.
  3. Now navigate to: [ Policy & Response // Compliance // Policy Management ] and create a new policy (or edit an existing policy if you want to group the alerts together). Give the policy a good name and description, and use the "add a rule" dialog to select the Compliance rule you just created. Once added, click on "responses" next to the rule, and use the quirky dialog to add one or more responses that alert you in the manner desired, using the alerts you already have configured.
  4. Finally, activate the Compliance Policy.
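
As an added illustration of step 1 (this is a constructed example, not a rule from the original post), a custom Snort rule looks like the one below. The SID is the value you note and later match in the Compliance rule condition; custom rules use SIDs of 1000000 and above so they do not collide with the vendor rule set. The message text, the port, and the SID value are all assumptions chosen for the example.

```snort
# Example custom rule (constructed for illustration): flag any inbound
# telnet connection attempt to the protected network. The rule is
# deliberately not limited to particular hosts; the Compliance rule
# created in steps 2-3 does the per-IP filtering before an alert fires.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"CUSTOM Inbound telnet to protected host"; flow:to_server,established; sid:1000001; rev:1;)
```

In step 2 the Compliance rule's condition would then read "intrusion event ... rule SID is 1000001", with an additional condition such as "destination IP is in <the hosts you care about>" if you only want email or SNMP responses for a subset of hosts while still logging the event for all of them.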