Skip navigation
All Places > Products > RSA NetWitness Platform > RSA NetWitness Platform Online Documentation > Documents
Log in to create and rate content, and to follow, bookmark, and share content with other members.

Decoder: (Optional) Configure Selective Network Data Collection

Document created by RSA Information Design and Development Employee on Sep 8, 2020Last modified by RSA Information Design and Development Employee on Nov 24, 2020
Version 3Show Document
  • View in full screen mode
 
 

Selective network data collection gives administrators the ability to apply centrally managed capture policies across their Network Decoders. This results in better use of service resources, including hard drive space, which leads to more predictable costs and lessens the burden of managing multiple services. Administrators can determine which traffic is stored and how it is stored by using policies. Each policy contains a list of supported base protocols and definitions for handling any other protocols that are detected.

Note: Administrators can use this feature to create policies for metadata-only while using the cost-effective Meta-Only license, without having to pay for additional storage or throughput licensing. To use this license, work with your RSA Customer Support Representative to purchase the license, and then enable the functionality as described in (Optional) Configure Meta-Only Decoders.

The administrator can choose to deploy predefined policies that capture:

  • All base and other protocols (Full Capture - All Protocols)
  • Only metadata on all base and other protocols (Capture Meta Only - All Protocols)
  • Only metadata on all base protocols and drop all other protocols (Capture Meta on Base Protocols, Drop all other protocols)
  • All base protocols and only metadata on all other protocols (Full Capture on Base Protocols, Meta only on all other protocols)

The predefined policies are not configurable. The only way you can edit predefined policies is by assigning services (such as Decoders) to deploy them.

Administrators can create custom policies to give further control over the deployment. A base set of protocols are available for alterations by the administrator, allowing you to choose what level of capture you prefer on a per-protocol basis. If you are only making slight changes, a good start for customization is to clone one of the predefined polices and alter it. These centrally-managed policies are then applied to services (Network Decoders) to allow handling multiple use cases across your environment.

Here are some example use cases and how an administrator would deploy these.

Use Case 1: Predefined Policy for Internal Assets

To gain further visibility into internal lateral traffic going East-West through the environment, a Network Decoder is deployed in the interior of the network to capture this traffic. Applying full packet capture for this segment may generate too much data to manage at a reasonable cost point. Instead, the predefined "Capture Meta Only – All Protocols" policy can be applied to achieve the same parsing and detection while only saving the metadata, limiting the amount of storage required of the solution. In this situation, the only steps you must complete is to choose the predefined policy, edit it, and then enable it by assigning it to the appropriate internal services (Decoders). For an example of how to set up this policy, see Use Predefined Policies.

Use Case 2: Custom Policy for DMZ Assets

To protect the public-facing web servers, a Network Decoder is deployed into the demilitarized zone (DMZ). The network communications between these web servers and other network devices are a subset of the base protocols. To make sure you can harvest forensic evidence for any communications related to these high-value assets, you would want to do full packet capture on HTTP, SMTP, FTP, and DNS protocols. You still want visibility into any other traffic these servers are engaged in, so you would prefer metadata generated for all other protocols. The suggested steps to create this custom policy would have you choose the predefined policy "Full Capture on Base Protocols, Meta only on all other protocols" and then clone it to adjust it to the protocols aligned with the DMZ scenario. During the clone process, the name and description can be updated to identify the new purpose of the policy. The define policy step allows all the base protocol rules inside the policy except HTTP, SMTP, FTP, and DNS to be altered from "Collect All" to "Collect Meta Only" to achieve the desired policy. The last steps are assigning the policy to the appropriate DMZ services (Decoders). For an example of how to set up this policy, see Create New Policies from Predefined Ones.

Note: When a Decoder is being managed by a selective collection policy, it is possible that the Decoder specifications in the policy could be overwritten if the Decoder configuration is edited outside of the policy. To try and avoid this situation, the following warning message is displayed at the top of the Parsers section of the Decoder Configuration page: This Decoder is being managed by the following capture policy: <policy-name>. Some parsers are required by the capture policy, and changes made here may overwrite that policy. Review of the capture policy is recommended.
Another warning message is displayed at the top of the Application Rule section: This Decoder is being managed by the following capture policy: <policy-name>. Some application rules are required by the capture policy, and changes made here may overwrite that policy. Review of the capture policy is recommended.

The following sections describe configuring and using selective network data collection.

For detailed information about the Selective Collection user interface, see:

Use Predefined Policies

This procedure describes how to use the predefined policies. You can use this procedure to configure a policy for internal assets. For example, as described in Use Case 1: Predefined Policy for Internal Assets , to gain further visibility into internal lateral traffic going East-West through the environment, you could deploy a Network Decoder in the interior of your network to capture the traffic. Applying full packet capture for this segment may generate too much data to manage at a reasonable cost point. Instead, use the predefined "Capture Meta Only – All Protocols" policy to achieve the same parsing and detection while only saving the metadata, limiting the amount of storage required for this solution.

In this situation, the only steps you must complete is to select the "Capture Meta Only – All Protocols" predefined policy to edit it, enable it by assigning it to the appropriate Decoders, and then publish the policy to start collecting the data.

To work with a predefined policy:

  1. In the NetWitness Platform user interface, go to (Configure) and select the CAPTURE POLICIES tab.

    Selective Collection Capture Policies tab
    Notice that the PUBLICATION STATUS column lists each of the predefined policies with the status of Unpublished. The only way to edit a predefined policy is to assign Decoders to apply the policy. If changes are made to the Decoder assignments but are not published, the status changes to Unpublished Edits, the date the change was made is displayed in the POLICY UPDATED column, and the user name of the person who made the change is displayed in the UPDATED BY column. In predefined policies, the CREATED BY field is always system.
    The following figure shows the statuses of the policies.

  2. Select Capture Meta Only - All Protocols, and then click Edit.
    The editing view is displayed with the Identify Policy option active.

    Selective Collection, Collection Policies editing view
  3. Because this is a predefined policy, you cannot change the policy name or description. Click Next.
    The Define Policy: Capture Meta Only - All Protocols page is displayed.

    Selective Collection, Collection Policies, Define Policy page
  4. Because this is a predefined policy, you cannot edit this page. Review the rules on this page to understand the actions that will be enabled when you publish this policy. Click Next.
    The Assign Policy page is displayed.

    Selective Collection, Capture Policies, Assign Policy page
  5. Select the Decoders that you want to collect from, and then click Save and Publish.
    The publication status moves to Updating. It changes to Published when the policy has been successfully deployed to all the Decoders that you selected. However, the Decoders that are available start gathering data immediately, before the policy is displayed as Published, so even if not all of the Decoders are available (and the publication status is not Published), data will begin to be collected on the Decoders that are available. When the status moves to Published, all the services are displayed in the Service Assignment column. You can hover over the names of the Decoders to see their full names, as shown in the following figure.


Create New Policies from Predefined Ones

This procedure describes the steps for creating a new policy from a predefined one, and provides an example of how you might use this policy.

For example, as described in Use Case 2: Custom Policy for DMZ Assets , suppose a Network Decoder has been deployed into the demilitarized zone (DMZ) to protect public-facing web servers. The network communications between these web servers and other network devices are a subset of the base protocols. To make sure they can harvest forensic evidence for any communications related to these high value assets, you would want to get full packet capture on HTTP, SMTP, FTP, and DNS protocols. To provide visibility into any other traffic these servers are engaged in, you would want to generate metadata for all other protocols.

To configure a policy that would achieve the results described here, you would select the predefined policy "Full Capture on Base Protocols, Meta only on all other protocols," clone it, and then edit it to align the protocols with the DMZ scenario. During the clone process, you can update the name and description to identify the new purpose of the policy. In the step where you define the policy, you can change all the base protocol rules inside the policy (except HTTP, SMTP, FTP, and DNS) from "Collect All" to "Collect Meta Only" to achieve the desired results. The last steps assign the policy to the appropriate DMZ Decoders.

  1. In the NetWitness Platform user interface, go to (Configure) and select the CAPTURE POLICIES tab.

    Selective Collection Capture Policies tab
  2. Select Full Capture on Base Protocols, Meta only on all other protocols and then click Clone.
    The Collection Policies view is displayed with the cloned policy at the bottom of the list, identified by appending -1 to the policy name.

    Selective collection, cloned policy
  3. Select the cloned policy and click Edit.
    The editing view is displayed with the Identify Policy option active.
    In this example, we are naming this policy "DMZ Assets" and providing the description "This policy is defined to protect public-facing web servers."


  4. Click Next. The Define Policy view is displayed, with a list of rules you can use to define the policy.
    You can select the following options for rule actions:
    • Collect Meta Only: Collect metadata
    • Drop All: Drop metadata and network packets
    • Collect All: Collect metadata and network packets

    To collect the targeted data for the DMZ Assets policy, we are going to change all the base protocol rules inside the policy (except HTTP, SMTP, FTP, and DNS) from Collect All to Collect Meta Only, as shown below.

    Selective collection, cloned policy edit view

  5. Click Next.
    The Assign Policy page is displayed.

    Selective collection, assign policy to Decoders for updated clone of a predefined policy.
  6. A Decoder can only be assigned to one policy. Decoders that are not available are greyed-out, because they are already assigned to other policies. Select the Decoders to collect the targeted data, and then click Save and Publish. The publication status moves to Updating. It changes to Published when the policy has been successfully deployed to all the Decoders that you selected. However, the Decoders that are available start gathering data immediately, before the policy is displayed as Published, so even if not all of the Decoders are available (and the publication status is not Published), data will begin to be collected on the Decoders that are available.
    Your new policy is displayed in the Collection Polices view, with the services displayed in the Service Assignment column.


Create Custom Policies

You can create a custom Selective Network Decoder policy, where you can select specific protocols on which to collect data, as well as the rules that apply to them.

  1. In the NetWitness Platform user interface, go to (Configure) and select the CAPTURE POLICIES tab.

    Selective Collection Capture Policies tab
  2. Click Create New.
    The editing view is displayed with the Identify Policy option active.

  3. Enter a name and description for your policy, and then click Next.
    The Define Policy view is displayed.

  4. Define the actions for each of the protocols. The options for RULE ACTION are:
    • Collect Meta Only: Collect metadata
    • Drop All: Drop metadata and network packets
    • Collect All: Collect metadata and network packets
  5. Click Next.
    The Assign Policy view is displayed.
    Selective collection, assign policy view for a new policy
  6. A Decoder can only be assigned to one policy. Decoders that are not available are greyed-out, because they are already assigned to other policies. Select the Decoders to collect the targeted data, and then click Save and Publish. The publication status moves to Updating. It changes to Published when the policy has been successfully deployed to all the Decoders that you selected. However, the Decoders that are available start gathering data immediately, before the policy is displayed as Published, so even if not all of the Decoders are available (and the publication status is not Published), data will begin to be collected on the Decoders that are available.

    Your new policy is displayed in the Collection Polices view, with the services displayed in the Service Assignment column.

View Details and History of Policies

You can select a policy and view detailed information about it in the right panel, as shown in the following figure.

The details panel shows the following information:

  • The Decoders to which the policy is assigned
  • The history of the policy:
    • The user ID of the person who created the policy
    • The date and time the policy was created
    • The date and time the policy was last modified
    • The user ID of the person who last modified the policy
  • The protocols and rule actions defined in the policy

Verify Published Policies

When a policy has been published, the policy is applied to the Decoders that were designated in the policy assignment step. The Decoders that are assigned to the policy start collecting the data defined in the policy. There are a few ways to validate the policy is functioning as expected.

View Publication Status

Publication status is indicated in the Capture Polices view in the PUBLICATION STATUS column. You can also see which Decoders are assigned to the policy in the SERVICE ASSIGNMENT COLUMN.


The publication statuses are:

  • Unpublished - the rule actions of the policy have been defined and Decoders may have been assigned to the policy, but the policy has not been deployed to any Decoders.
  • Unpublished Edits - policies that have been updated but are not deployed to Decoders. Clicking Save and Close after making edits keeps them from automatically being published, allowing the administrator to wait until a specific outage window to publish them. This would display as Unpublished (for policies not previously published to Decoders) or Unpublished Edits (for policies that have been previously published to Decoders, but the updates have not been deployed to Decoders).
  • Published - the policy has been successfully deployed to all the Decoders that you selected. However, the Decoders that are available start gathering data immediately, before the policy is displayed as Published, so even if not all of the Decoders are available (and the publication status is not Published), data will begin to be collected on the Decoders that are available.
  • Failed - policies that failed to execute, for example, if a Decoder is offline or a system is down.

You can also select a published policy, and then click Edit to verify the Decoders that are assigned to the policy.

Verify Policies in Admin > Services

  1. As an administrator, log in to the NetWitness Platform user interface to view the Decoders that have been assigned to the policy.
  2. Go to (Admin) > Services > <decoder name> > (Actions) > View > Config. On the General tab, in the right panel, there is a list of parsers that are installed on the Decoder by default. If a policy is administering this Decoder and requires any of those parsers to function, a message is displayed as shown below.
    Decoder parser configuration with message describing which policy is managing the Decoder.
  3. On the App Rules tab, a similar message indicates that some of the rules are required for the policy to function. You can search for "selective collection" to find the specific rules required, as the rule names contain that information.

    Note: In Investigate, you must have the Alert session option selected for the selective collection policy to be displayed.

By default, the selective collection rules are added to the bottom of the rule set when the policy is applied. However, an administrator can directly affect the policy by altering the selective policy rules or by moving conflicting rules (rules with the same services) above the selective collection rules. In both cases, those changes take effect when they are saved locally on the individual Decoders, until the next time the policy is published from the central configuration page, when that policy will override changes made individually on the Decoders.

Note: There currently is no feedback in the centralized configuration page denoting that the configuration related to the policy has been altered locally on the Decoders. To avoid this situation, manage all the policy rules from the centralized configuration page. If that is not possible, as additional application rules outside of collection policies may be required, follow standard security practices, including separation of duties, to limit people who need access to alter application rules and general parsers.

Verify Policies in the Investigate View

You can further verify that the policy is working as expected (the protocols are being collected as published) in the Investigate view. In the centralized configuration page for selective collection, the administrator can get a translation of what the query parameter would be for each individual protocol when viewing the rules inside the policy.

For example, in (Configure) > Capture Policies > <select a policy> > Edit > Define Policy, if you hover over the DNS protocol name, service=53 is displayed.

To determine if the appropriate action has been taken for DNS traffic, in Investigate > Events you can add the query parameter (for example, service=53) as a filter in the query bar and run the query against the Broker or Concentrator the Network Decoder is associated with for the time the policy has been active on the Network Decoder. To make sure you are only seeing the traffic from the Decoders that you want, you can add the Decoder Source, or did meta key as another filter in the query bar.

After running the query, if there are any related results, those events are displayed in the table (unless you applied an action to drop them).

If you chose the action to collect all you can click on one of the events and review the metadata and the payload information for that packet session.

If you chose the action to collect meta only, you can click on one of the events and review the metadata, however, a message would be displayed instead of the packet payloads, as shown in the following figure.

Validate policy in Investigate message

To expedite this process, you can also take the application rules from one of the Network Decoders the policy is applied to and use it as the filter in the Investigate > Events query bar.

The following figure shows an entire collect meta only configuration by using the application rule shown here, created on the Decoder (in Verify Policies in Admin > Services): (service=0,20,21,22,23,25,53,67,69,80,110,119,137,139,161,443,520,1433,1521,1719,1720,2000,2049,5060,5222,6667) truncate:

Note: If the findings do not align with what is expected from the policy, make sure that there are not other rules on the individual Decoders that might be conflicting with the selective collection policy rules. In addition, make sure when checking in Investigate that you are looking at only the traffic associated with the Decoders related to the policy.

Troubleshooting Policy Deployments That Fail

Policy deployment can fail for the following reasons:

  • A Decoder service assigned to the policy is not running

  • A Decoder host system is down when you try to deploy the policy

When a policy deployment fails, the Failed icon is displayed in the PUBLICATION STATUS and SERVICE ASSIGNMENT columns as shown in the following figure.

Capture Policies view, failed deployment policy displayed

Use the following options to research publication failures:

Check the status of the Decoders

Check to see if the Decoder system is down, or if the Decoder service has stopped capturing data.

  1. Select the policy, click Edit, and go to the Assign Policy page to determine which Decoders are assigned to the policy,
  2. Go to (Admin) > Services, select the Decoder, click > View > System to investigate the status of the Decoder.

Review the content-server.log file

You can review the content in this file to troubleshoot errors. This file is located in the following directory on the NW Server host:

/var/log/netwitness/content-server/content-server.log

The following example shows a content-server log snippet that is displayed when publishing a policy fails:

2020-07-08 16:22:45,287 [ nioEventLoopGroup-2-2]
INFO     DataAccess|Finished publishing policy 'Full Capture on Base Protocols, Meta only on all other protocols-1' outcome:FAILED

This is an example of a content server log snippet for successfully publishing a policy:

2020-06-23 17:40:50,373 [ nioEventLoopGroup-2-7]
INFO     DataAccess|Finished publishing policy 'Policy 1' outcome:SUCCESS

Review /var/log/messages on Decoder Systems

You can view publication status in /var/log/messages on a Decoder system.

The following is an example of successful publication in /var/log/messages:

Jun 15 18:35:17 rsa-nw-1141-Decoder-1 NwDecoder[8260]: [Rules] [audit] User admin (session 26182, 10.237.169.43:55380) has added application rule 'selective-collection:meta-only' at position 38

Unpublish Policies

You can unpublish a policy by unassigning the Network Decoders from the policy, which preserves the policy but makes it inactive so that the data it defines is not being collected. You can then change or remove a portion of policy, or remove the entire policy from the Decoders to which they are assigned.

To unpublish a policy:

  1. In the NetWitness Platform user interface, go to (Configure) and select the CAPTURE POLICIES tab.
    Selective Collection Capture Policies tab
  2. Select the published policy and click Edit.
    Unpublish a policy, Edit Policy view
    1. To change the name or description of the policy, update the policy name or description in the Identify Policy view.
    2. To change the protocols that are collected, click Next and then edit the rule actions in the Define Policy view.
      Unpublish a policy, Define Policy view
    3. To unassign or reassign Decoders to this policy, click Next.
      • To fully unpublish this policy, deselect all the Decoders and then click Save and Publish.
      • To change the Decoders that are assigned to this policy, select or deselect the Decoders as needed and then click Save and Publish.

When the changes to the policy status have been completed and the Decoders updated, the policy status is displayed in green text as Published on the Collection Policies tab. If you unassigned all the Decoders without assigning any new ones, the publication status is Unpublished Edits.

Delete Policies

You can only delete customized policies. Predefined policies can be unpublished, but cannot be deleted. You can only delete one policy at a time. When you delete a policy, any Decoders that were assigned to the policy immediately stop applying the rules in the policy.

For information about how to unpublish a policy, see Unpublish Policies.

To delete a policy:

  1. In the NetWitness Platform user interface, go to (Configure) and select the CAPTURE POLICIES tab.
    Selective Collection Capture Policies tab
  2. Select a customized policy and click Delete.
    The policy is removed from the system.

Caution: If you delete a policy that is published to Decoders, a warning is displayed. If you click Accept in the warning, that policy is removed from the Decoders, the collection status is changed, and the policy is deleted.

Supported Protocols for Selective Network Data Collection

The protocols in this list are supported for selective network data collection. These protocols have descriptive tool tips in the user interface. You can choose how to handle each of these protocols individually by dropping, capturing metadata only, or capturing all data related to them. There is also an additional rule for each policy that handles all other unidentified protocols not included in this list. The policies apply the collect or drop actions based on protocol characteristics, regardless of the port that they are captured on.

The protocols in this list are supported for selective network data collection, and include several additional protocols that are supported with Live access in 11.5.1. The protocols that are added in 11.5.1 are indicated in the table in the New column. Several protocols from 11.5 have been updated with support from Lua parsers and Live access, and are indicated in the table in the Updated column. These protocols have descriptive tool tips in the user interface. You can choose how to handle each of these protocols individually by dropping, capturing metadata only, or capturing all data related to them. There is also an additional rule for each policy that handles all other unidentified protocols not included in this list. The policies apply the collect or drop actions based on protocol characteristics, regardless of the port that they are captured on.

                                                                                                                                     
CategoryProtocolDescription
Database

TNS

Transparent Network Substrate Oracle database networking protocol messages
 TDS Tabular Data Stream for SQL server communications
Email

SMTP

Simple Mail Transport Protocol messages
 POP3Post Office Protocol v3 messages (Email clients use to retrieve mail from server)
File

SMB

Server Message Block (or CIFS) network communication protocol file sharing communications
 

NFS

Network File System protocol messages

 

FTP

File Transfer Protocol messages

 TFTPTrivial File Transfer Protocol messages
Networking

SNMP

Simple Network Management Protocol messages

 DNS

Domain Name System messages

 

DHCP

Dynamic Host Configuration Protocol messages

 

NETBIOS

Network Basic Input/Output System networking protocol messages

Remote Access

SSH

Secure Shell secure remote connections

 

TELNET

Teletype network remote interface protocol messages

 SCCP

Cisco Skinny Client Control Protocol terminal control protocol messages

Routing

RIP

Routing Information Protocol distance-vector routing protocol messages

Social MediaGTalk

Google Talk or Google Chat instant text messages

 IRCInternet Relay Chat protocol text messages

 

NNTP

Network News Transfer Protocol for Usenet news articles

VoIPRTP

Real-time Transport Protocol audio and video streaming protocol messages

 

SIP

Session Initiation Protocol text-based messaging application control protocol messages

 H323ITU-T Q.931 based protocol for Voice over IP (VoIP)

Web

HTTP/HTTP2

HyperText Transfer Protocol 1.x/2.x messages

  HTTPS/TLSHyperText Transfer Protocol Secure over Transport Layer Security or Secure Sockets Layer encrypted messages

 

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
CategoryProtocolDescriptionDependencyNew
Updated

Authentication

KERBEROS

Kerberos authentication

Kerberos

New

 

 

LDAP

Lightweight Directory Access Protocol

LDAP

New 

 

RADIUS

Remote Authentication Dial-In User Service (for Authentication and Authorization)

radius

New

 

 RADIUS-ACCOUNTINGRemote Authentication Dial-In User Service (for Authentication and Authorization)radiusNew 

Backup-Recovery

AVAMAR

Avamar Backup & Recovery

Avamar

New

 

 

RSYNC

Remote Sync

rsync

New 
DatabaseDB2IBM Database 2 Database Protocoldb2_lua

New

 

 ORACLE-T3T3 Protocol (Client Communications to WebLogic Server)Oracle_T3New 
 

TNS

Transparent Network Substrate Oracle database networking protocol messages

TNS

 

 

 TDS Tabular Data Stream for SQL server communications TDS  
EmailIMAPInternet Message Access Protocol (Email clients use to retrieve mail from server)IMAP_lua

New

 

 POP3Post Office Protocol v3 messages (Email clients use to retrieve mail from server) POP3_lua, vCard_lua, MAIL_lua Options, MAIL_l Updated
 

SMTP

Simple Mail Transport Protocol messages SMTP_lua Options, SMTP_lua, vCard_lua, MAIL_lua Options, M

 

Updated

FileBITSMicrosoft Background Intelligent Transfer Service

BITS

New 

 

BITTORRENTBittorrent Protocol

bittorrent_lua

New

 

 

FTP

File Transfer Protocol messages

FTP_lua

 Updated

 

GNUTELLAGnutella File Sharing Protocol

gnutella_lua

New

 

 

NFS

Network File System protocol messagesNFS  
 

SMB

Server Message Block (or CIFS) network communication protocol file sharing communications

SMB

 

Updated

 

SOULSEEKSoulSeek File Sharing ProtocolSoulSeek_luaNew 
 TFTPTrivial File Transfer Protocol messagesTFTP_lua

 

Updated

Financial_NetworkFIXFinancial Information eXchange ProtocolFIX_luaNew 

Industrial_Control_Systems

DNP3

Distributed Network Protocol 3 (for SCADA process automation systems)

DNP3_lua

New

 

 MODBUSModicon's communications protocol (for SCADA industrial control systems)modbusNew 
NetworkingCANON_BJNPCanon Printer Discovery Protocol

Canon_BJNP

New

 

 DCERPCMicrosoft Distributed Computing Environment / Remote Procedure CallDCERPCNew 
 

DHCP

Dynamic Host Configuration Protocol messages

DHCP

 

 

 DNS

Domain Name System messages

DNS Updated
 HL7Health Level 7hl7

New

 

 ISAKMPInternet Security Association and Key Management ProtocolISAKMPNew 

 

iSCSI

Internet Small Computer Systems Interface, IP Based Storage Networking

iSCSI

New

 

 

KASEYA

Kaseya System Monitoring

kaseya

New 

 

NETBIOS

Network Basic Input/Output System networking protocol messages

NETBIOS

 

Updated

 

NTP

Network Time Protocol

ntp_lua

New 
 PJLHP Printer Job Language Protocolpjl

New

 

 

SNMP

Simple Network Management Protocol messages

  Updated
 SOCKSSocks Protocol v4 and v5socks_lua

New

 

 

ZABBIX

Zabbix Monitoring Tool

zabbix

New 

Remote Access

JSON-RPCJSON-RPC 2.0 Streams

JSON-RPC

New

 

 

RDP

Remote Desktop Protocol

RDP_lua

New 

 

RLOGIN

Remote Login

rlogin

New

 

 

SCCP

Cisco Skinny Client Control Protocol terminal control protocol messages

SCCP

  
 SCREENCONNECTScreenconnect / ConnetWise Control (Remote Desktop Software)screenconnect

New

 

 

SSH

Secure Shell secure remote connections

SSH_lua

 Updated

 

TEAMVIEWERTeamviewer (Remote Desktop Software)teamviewer

New

 

 

TELNET

Teletype network remote interface protocol messages

TELNET

  
 TN3270EIBM Telnet 3270 Enhanced ProtocolTN3270E_lua

New

 

 

VNC

Remote Frame Buffer Protocol

VNC

New 
 WIREGUARDWireGuard VPN SessionsWireGuard

New

 

 

X11

X11 protocol (RFC 1013)

X11_lua

New 

Routing

BGPBorder Gateway ProtocolBGP_lua

New

 

 

RIP

Routing Information Protocol distance-vector routing protocol messages

RIP

  
Social MediaGTALK

Google Talk or Google Chat instant text messages

GTalk

 

 

 IRCInternet Relay Chat protocol text messagesIRC  
 KAKAOTALKKakaoTalk (KaTalk) Mobile Instant Messaging Applicationkakaotalk

New

 

 

LYNC

Microsoft Lync (formerly Microsoft Office Communicator & Windows Messenger)

Lync

New 

 

NNTP

Network News Transfer Protocol for Usenet news articles

NNTP

 

 

 

QQ

Tencent QQ Instant Messaging (formerly Open ICQ)

QQ_lua

New 
VoIPH.323ITU-T Q.931 based protocol for Voice over IP (VoIP) H323

 

 

 

RTMPReal Time Messaging Protocol (Macromedia/Adobe)

rtmp_lua

New 
 RTP

Real-time Transport Protocol audio and video streaming protocol messages

RTP

 

 

 

RTSP

Real Time Streaming Protocol

RTSP

New 

 

SIP

Session Initiation Protocol text-based messaging application control protocol messages

SIP

 

 

Web

HTTP/HTTP2

HyperText Transfer Protocol 1.x/2.x messages

HTTP_lua Options, HTTP_lua

 Updated
  HTTPS/TLSHyperText Transfer Protocol Secure over Transport Layer Security or Secure Sockets Layer encrypted messagesHTTPS

 

Updated

If you defined selective collection polices in 11.5 and have upgraded to 11.5.1, the following message is displayed on the Collection Policies main page to alert you to the new protocols supported in 11.5.1.

New protocols have been added to the available protocols. Check your policies and publish them to take advantage of the new content.

The new protocols are displayed on the EditDefine Policy page with descriptive tags, as shown in the following image.

Note: The descriptive tags are not displayed in the Policy Details page.

The New tag indicates that the protocol is included in 11.5.1, but not in 11.5. The Updated tag indicates protocols that were included in previously-defined policies, that have been replaced with a Lua parser from Live.

The New and Updated tags are displayed:

  • For protocols in unpublished policies.
  • If the rule action for a protocol is changed from Drop All back to Collect All or Collect Meta Only (the Updated tag is displayed for these protocols).
  • For new and updated protocols in predefined policies (you can not change rule actions in these policies, but the tags are still displayed).

The New and Updated tags are not displayed:

  • For protocols in published or failed policies.
  • If the rule action for a protocol is changed from Collect All or Collect Meta Only to Drop All.

Note: When selective network data collection is set up to collect metadata only for the HTTPS/TLS protocol, it truncates the traffic after the SSL/TLS handshake to ensure that all the certificates and other details are retained for analysis purposes while the encrypted packet payloads are dropped.

You are here
Table of Contents > Configure Common Settings on a Decoder > Configure Capture Settings > (Optional) Configure Selective Network Data Collection

Attachments

    Outcomes