William Hart

Network Decoder Truncation Options

Blog Post created by William Hart Employee on Apr 2, 2020

The ability to capture network events while keeping only the header portion and truncating the payload has been available for quite some time. This has always been a great option when the lack of analytical value in the raw data (e.g. the session payload) does not justify the storage cost incurred to keep it. Typical examples are database transfers of your backup files, or encrypted data that you are unable to decipher into clear text.


In RSA NetWitness Platform 11.1 we added additional options that give more flexibility over when truncation is applied to an event.


  • The first new option allows the headers, along with any Secure Sockets Layer (SSL) certificate exchange, to be captured before the remaining portion of the payload is truncated. This allows analysis such as TLS certificate hashing and JA3 & JA3S fingerprinting to be performed while the remaining payload is still discarded to save storage space.
  • The second option allows the administrator to choose a custom boundary, expressed as a number of bytes into the event's raw data, before the payload is truncated. Any bytes before the boundary are saved as part of the event; anything after the boundary is not stored.
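To make the two truncation points concrete, here is an added Python illustration (not NetWitness code, and not the product's own API) that walks a constructed TLS session, finds where the leading handshake records (ClientHello, ServerHello, Certificate) end, and applies either that boundary or a fixed byte boundary. It assumes a single concatenated byte stream rather than the decoder's bidirectional reassembly, and the mode names are hypothetical.

```python
import struct

# TLS record content types (RFC 5246)
TLS_HANDSHAKE = 0x16
TLS_CHANGE_CIPHER_SPEC = 0x14
TLS_APPLICATION_DATA = 0x17


def tls_record(content_type: int, body: bytes) -> bytes:
    """Build one TLS record: content type, version 0x0303, body length, body (test helper)."""
    return struct.pack("!BHH", content_type, 0x0303, len(body)) + body


def handshake_boundary(payload: bytes) -> int:
    """Offset at which the leading run of handshake records ends.

    Records are walked until a non-handshake record (ChangeCipherSpec or
    ApplicationData) or a record cut short by the end of the capture is met,
    so the ClientHello (JA3), ServerHello (JA3S) and Certificate survive and
    the encrypted application data is dropped."""
    off = 0
    while off + 5 <= len(payload):
        ctype, _version, length = struct.unpack("!BHH", payload[off:off + 5])
        if ctype != TLS_HANDSHAKE or off + 5 + length > len(payload):
            break
        off += 5 + length
    return off


def truncate(payload: bytes, mode: str, boundary: int = 0) -> bytes:
    """Keep the bytes before the truncation point and drop the rest (hypothetical mode names)."""
    if mode == "headers_only":          # classic behaviour: no payload at all
        return b""
    if mode == "ssl_certificate":       # option 1: keep through the certificate exchange
        return payload[:handshake_boundary(payload)]
    if mode == "custom":                # option 2: administrator-chosen byte boundary
        return payload[:boundary]
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample session: ClientHello, ServerHello + Certificate, then
# ChangeCipherSpec and 200 bytes of encrypted application data.
CLIENT_HELLO = tls_record(TLS_HANDSHAKE, b"\x01\x00\x00\x10" + b"C" * 16)
SERVER_FLIGHT = tls_record(TLS_HANDSHAKE,
                           b"\x02\x00\x00\x08" + b"S" * 8 +      # ServerHello
                           b"\x0b\x00\x00\x20" + b"X" * 32)      # Certificate
CCS = tls_record(TLS_CHANGE_CIPHER_SPEC, b"\x01")
APP_DATA = tls_record(TLS_APPLICATION_DATA, b"\xaa" * 200)
SESSION = CLIENT_HELLO + SERVER_FLIGHT + CCS + APP_DATA
```

Running `truncate(SESSION, "ssl_certificate")` keeps 78 of the 289 payload bytes, while `truncate(SESSION, "custom", 100)` keeps exactly the first 100 regardless of record layout.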


The administrative interface shown below is where an administrator can modify the truncation options on application rules, per Network Decoder.


[Figure: Administration of Network Decoder application rule truncation options]
