NetWitness Platform has a set of native parsers that are defined by the system, and also provides the option to add additional parsers. Each parser is configurable in the Services Config View - General Tab. The Parser Configuration panel provides a way to enable or disable parsers to use on Decoders in addition to limiting the metadata that the parser creates.
There are also several types of custom configurable parsers:
- GeoIP2 – This parser associates IP addresses with geographical locations. For new installations and upgrades, the GeoIP2 parser is enabled by default. For more information on these parsers, see GeoIP2 Parsers.
- Search – This parser is user‐configured to generate metadata by scanning for pre‐defined keywords and regular expressions.
- FLEXPARSE (deprecated) – This is a generic parser definition language for extending the existing application protocol support of the Decoder. By default this parser is disabled (see Enable or Disable Lua and Flex Parsing Systems).
- Lua – This parser is defined using the Lua scripting language for extending the existing application protocol support of the Decoder.
- Log – This application parser supports the Log Decoder and is configured to generate metadata by scanning log files.
- Snort – This parser supports the payload detection capabilities of Snort IDS rules. Snort rules and configuration are added to the parsers/snort directory for Investigation and Decoder (see Decoder Snort Detection).
In the Services Config view > Parsers tab, you can view deployed parsers on a Decoder, upload parsers, and delete deployed parsers. The user interface includes an Indicator if the parser originated from Live Services, installed through NetWitness Platform, or uploaded manually. Parsers can be added and removed while a Decoder is running without affecting capture.
In addition, you can download parsers using NetWitness Platform Live Services.