This topic provides instructions for creating a custom feed that is needed for the Rogue DHCP Server Detected RSA Application Rule.
You can create the necessary custom feed using the Custom Feed wizard. To complete this procedure, you need a feed data file in .csv format. The Custom Feed wizard creates the feed based on the supplied feed data file.
The feed data file (.csv) must be available on the local file system.
To create the custom feed:
Create a file, known_dhcp_server.csv. This should be a whitelist of DHCP servers with the following format:
Replace ip_address_i with an actual IP address for a DHCP server.
Depending on your version:
- For NetWitness 11.x: In the NetWitness menu, select CONFIGURE > Custom Feeds.
- For Security Analytics 10.x: In the Security Analytics menu, select Live > Feeds.
In the toolbar, click +.
The Setup Feed dialog is displayed.
To select the feed type, click Custom Feed and Next.
The Configure a Custom Feed wizard is displayed, with the Define Feed form open.
Fill in the following values:
- For the Name, enter RogueDHCPServerDetected.
- For the file, navigate to your known_dhcp_server.csv file, using the Browse button.
The Select Services form is displayed.
To identify services on which to deploy the feed, select one or more Decoders, and click Next.
The Define Columns form is displayed.
To map columns in the Define Columns form:
- Select IP for the Index type, and select 1 for the index column.
- From the drop-down list, select alert as the language key to apply to the data in each column.
The Review form is displayed. Your form should look like this:
- Review the feed information, and if correct, click Finish.
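A pre-upload check for the known_dhcp_server.csv file created in the first step, as an added example that is not part of the original documentation or the product. It assumes two-column rows (an IP address in column 1, matching the IP index on column 1, and a value for the alert key in column 2); the value known_dhcp_server and the sample rows are constructed placeholders.

```python
import csv
import io
import ipaddress

# Constructed sample of known_dhcp_server.csv content. The two-column layout
# and the value "known_dhcp_server" are assumptions for illustration; use the
# value your deployment of the rule expects.
SAMPLE = """\
10.0.0.5,known_dhcp_server
10.0.0.5,known_dhcp_server
10.0.1.0/24,known_dhcp_server
255.255.255.255,known_dhcp_server
192.168.10.300,known_dhcp_server
172.16.4.2,
172.16.4.3,known_dhcp_server
"""

def check_feed(text):
    """Return (good_rows, problems) for the feed CSV text."""
    good, problems, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # ignore blank lines
        cells = [cell.strip() for cell in row]
        if len(cells) != 2 or not cells[1]:
            problems.append((lineno, "expected ip,value with a non-empty value"))
            continue
        try:
            # Assumed: one address per row, since the wizard step uses the IP index type.
            ip = ipaddress.ip_address(cells[0])
        except ValueError:
            problems.append((lineno, f"not a single IP address: {cells[0]!r}"))
            continue
        if ip.is_unspecified or ip.is_multicast or ip.is_loopback or str(ip) == "255.255.255.255":
            problems.append((lineno, f"not a plausible server address: {ip}"))
        elif ip in seen:
            problems.append((lineno, f"duplicate entry: {ip}"))
        else:
            seen.add(ip)
            good.append((str(ip), cells[1]))
    return good, problems

if __name__ == "__main__":
    good, problems = check_feed(SAMPLE)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    print(f"{len(good)} usable rows: {good}")
```

A mistyped address in the whitelist leaves a legitimate DHCP server outside it, so catching these rows before the upload avoids false alerts from the rule.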