This topic lists the native parsers available in RSA Security Analytics.
Packet parsers identify the application layer protocol of sessions seen by the Decoder, and extract meta data from the packet payloads of the session.
Every packet parser is able to extract meta from every session. For example, a webmail session will be parsed by both an HTTP parser which identifies the session as HTTP and extracts meta from HTTP headers, and by a MAIL parser which extracts email-related meta from message headers. Further, if the session were to contain an executable file, its presence would be detected by a windows executable parser.
Packet parsers in RSA NetWitness may be broadly classified as:
- System or Native parsers: These are compiled into the Decoder base code. Updates are delivered along with updates to RSA NetWitness. Many system parsers have Lua equivalents. In these cases, generally, the native parser may perform faster, while the Lua parser may extract more meta.
- Lua parsers: these are written in the Lua programming language, and delivered via Live. Customers can write their own custom Lua parsers.
- Flex parsers: these were written in a proprietary scripting language, Flex, and delivered via Live. These are now considered Legacy content: every existing Flex parser has a better Lua equivalent, and all customers using NetWitness version 10.2 or later should not be using Flex parsers.
System Parsers in RSA NetWitness Platform
The following table describes the system parsers delivered with RSA NetWitness Platform.
For content that has been discontinued, see Discontinued Content.