This topic describes the packet (Lua) parsers available in RSA Security Analytics. If you need a parser that does not already exist, you can Request a Parser.
Packet parsers identify the application layer protocol of sessions seen by the Decoder, and extract metadata from the packet payloads of the session.
Every packet parser is able to extract meta from every session. For example, a webmail session will be parsed both by an HTTP parser, which identifies the session as HTTP and extracts meta from HTTP headers, and by a MAIL parser, which extracts email-related meta from message headers. Further, if the session were to contain an executable file, its presence would be detected by a Windows executable parser.
Packet parsers in RSA Security Analytics may be broadly classified as:
- System or Native parsers: These are compiled into the Decoder base code. Updates are delivered along with updates to Security Analytics. Many system parsers have Lua equivalents. In these cases, generally, the native parser may perform faster, while the Lua parser may extract more meta.
- Lua parsers: These are written in the Lua programming language and delivered via Live. Customers can write their own custom Lua parsers.
- Flex parsers: These were written in a proprietary scripting language, Flex, and delivered via Live. These are now considered Legacy content: every existing Flex parser has a better Lua equivalent, and customers using Security Analytics version 10.2 or later should not be using Flex parsers.
Packet Parsers in NetWitness
The following table describes the Lua parsers delivered with Security Analytics.
Discontinued Packet Parsers
The following table lists the Lua parsers that have been removed from the system.