The RSA Live Content team has released the Traffic Flow LUA and associated options parsers. The traffic flow parser brings directionality information and netblock identification into the product, which exist as part of the IR content pack. Directionality (direction meta) provides the context of whether a session was initiated from an internal host to an external host (outbound), from an external host to an internal host (inbound), or was between two internal hosts (lateral). The netblock name (netname meta) provides the context of where on your network a host resides. By default, netblocks are defined for private, broadcast, loopback, link-local, multicast, and reserved traffic. The screenshot below shows the Investigation view of these two pieces of meta being populated.
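To make the direction and netname logic concrete, here is an added Python illustration (not the Lua parser itself, and not RSA's code) of how a session's endpoints map to the meta described above. It assumes the default netblock names listed in the announcement, with CIDR ranges I constructed for each, and assumes that only hosts in the "private" netblock count as internal for direction purposes; sessions where neither endpoint is internal get no direction meta.

```python
"""Illustrative reimplementation of the direction / netname meta (added example)."""
import ipaddress
from typing import Optional

# Default netblock names, in evaluation order (constructed ranges; the parser's
# options file may define different or additional netblocks).
DEFAULT_NETBLOCKS = [
    ("loopback", ["127.0.0.0/8", "::1/128"]),
    ("link-local", ["169.254.0.0/16", "fe80::/10"]),
    ("multicast", ["224.0.0.0/4", "ff00::/8"]),
    ("broadcast", ["255.255.255.255/32"]),   # checked before "reserved" (240/4)
    ("private", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"]),
    ("reserved", ["0.0.0.0/8", "240.0.0.0/4"]),
]
NETBLOCKS = [(name, [ipaddress.ip_network(c) for c in cidrs])
             for name, cidrs in DEFAULT_NETBLOCKS]

# Assumption: netblocks whose hosts are treated as "internal" for directionality.
INTERNAL_NETNAMES = {"private"}


def netname(ip: str) -> Optional[str]:
    """Return the netblock name for an address, or None for a public/unnamed one."""
    addr = ipaddress.ip_address(ip)
    for name, nets in NETBLOCKS:
        # Membership across IPv4/IPv6 versions is simply False, so mixing is safe.
        if any(addr in net for net in nets):
            return name
    return None


def direction(src_ip: str, dst_ip: str) -> Optional[str]:
    """Classify a session as outbound, inbound or lateral from its endpoints."""
    src_internal = netname(src_ip) in INTERNAL_NETNAMES
    dst_internal = netname(dst_ip) in INTERNAL_NETNAMES
    if src_internal and dst_internal:
        return "lateral"
    if src_internal:
        return "outbound"
    if dst_internal:
        return "inbound"
    return None  # neither endpoint internal: no direction meta (assumption)


def session_meta(src_ip: str, dst_ip: str) -> dict:
    """Meta a parser would register for one session: direction plus netname values."""
    names = [n for n in (netname(src_ip), netname(dst_ip)) if n is not None]
    return {"direction": direction(src_ip, dst_ip), "netname": names}


if __name__ == "__main__":
    # Constructed sample sessions (src -> dst).
    for src, dst in [("192.168.1.5", "8.8.8.8"), ("203.0.113.7", "10.0.0.5"),
                     ("10.0.0.5", "172.16.4.4"), ("192.168.1.5", "224.0.0.251")]:
        print(src, "->", dst, session_meta(src, dst))
```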
You download the parser from Live to deploy to a packet decoder, in the same manner as you download and deploy all of the RSA parsers. In addition to the parser, there is an options file. You only need the options file if the default settings are not sufficient for your use case.
At this time, only manual deployment to a Log Decoder is supported. You can find detailed information about the current implementation in the SA docs, under Traffic Flow Lua Parser.
What to expect going forward?
Our goal going forward is to make the parser easier to deploy and configure. Expected in upcoming releases:
- Ease of customization and deployment across multiple devices
- Support for Log Decoders via Live