System Parsers

Document created by RSA Information Design and Development on May 25, 2016. Last modified by RSA Information Design and Development on Oct 8, 2018.
Version 164

This topic lists the native parsers available in RSA Security Analytics.

Context

Packet parsers identify the application-layer protocol of sessions seen by the Decoder and extract metadata from the session's packet payloads.

Every packet parser is able to extract meta from every session. For example, a webmail session will be parsed both by an HTTP parser, which identifies the session as HTTP and extracts meta from HTTP headers, and by a MAIL parser, which extracts email-related meta from message headers. Further, if the session were to contain an executable file, its presence would be detected by a Windows executable parser.
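As an added illustration (not NetWitness code and not the Decoder's parser API), the following Python models the point above: every parser sees the whole session, and the Decoder merges whatever meta each one yields. The sample session, the parser functions and the meta key names are constructed for this example.

```python
import re
HTTP_REQ = re.compile(rb"^(?:GET|POST|PUT|HEAD) \S+ HTTP/1\.[01]\r\n")
MAIL_HDR = re.compile(rb"^(From|To|Subject): (.+?)\r\n", re.M)
MAIL_KEYS = {b"From": "email.src", b"To": "email.dst", b"Subject": "subject"}

def http_parser(data):
    # Identify HTTP and take meta from the request headers (key names illustrative).
    if not HTTP_REQ.match(data):
        return {}
    meta = {"service": [80]}
    for line in data.partition(b"\r\n\r\n")[0].split(b"\r\n")[1:]:
        name, _, value = line.partition(b": ")
        if name.lower() == b"host":
            meta.setdefault("alias.host", []).append(value.decode())
    return meta

def mail_parser(data):
    # RFC822 header meta, wherever message headers appear in the payload.
    meta = {}
    for name, value in MAIL_HDR.findall(data):
        meta.setdefault(MAIL_KEYS[name], []).append(value.decode())
    return meta

def exe_parser(data):
    # Windows executable: an 'MZ' stub whose e_lfanew field points at 'PE\0\0'.
    idx = data.find(b"MZ")
    while idx != -1 and idx + 0x40 <= len(data):
        e_lfanew = int.from_bytes(data[idx + 0x3C:idx + 0x40], "little")
        if data[idx + e_lfanew:idx + e_lfanew + 4] == b"PE\0\0":
            return {"filetype": ["windows executable"]}
        idx = data.find(b"MZ", idx + 1)
    return {}

PARSERS = [http_parser, mail_parser, exe_parser]

def decode_session(data, parsers=PARSERS):
    # Every parser sees the whole session; the meta each one yields is merged.
    session_meta = {}
    for parser in parsers:
        for key, values in parser(data).items():
            session_meta.setdefault(key, []).extend(values)
    return session_meta

# Constructed webmail-style session (not captured traffic): an HTTP POST carrying an
# RFC822 message; the body ends in a minimal MZ/PE header stub, not a real binary.
SAMPLE = (b"POST /mail/send HTTP/1.1\r\nHost: webmail.example.test\r\n\r\n"
          b"From: alice@example.test\r\nTo: bob@example.test\r\n"
          b"Subject: quarterly report\r\n\r\n"
          + b"MZ" + bytes(0x3A) + (0x40).to_bytes(4, "little") + b"PE\0\0")
```

Running `decode_session(SAMPLE)` returns service, alias.host, email.src, email.dst, subject and filetype meta for the one session, each contributed by a different parser.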

Packet parsers in RSA NetWitness may be broadly classified as:

  • System or Native parsers: these are compiled into the Decoder base code, and updates are delivered along with updates to RSA NetWitness. Many system parsers have Lua equivalents; in these cases the native parser will generally perform faster, while the Lua parser may extract more meta.
  • Lua parsers: these are written in the Lua programming language and delivered via Live. Customers can write their own custom Lua parsers.
  • Flex parsers: these were written in Flex, a proprietary scripting language, and delivered via Live. They are now considered legacy content: every existing Flex parser has a better Lua equivalent, and customers running NetWitness version 10.2 or later should not use Flex parsers.

System Parsers in RSA NetWitness Platform

The following table describes the system parsers delivered with RSA NetWitness Platform.


Note

For content that has been discontinued, see Discontinued Content.

Name      Description
ALERTS    Alerts
DHCP      Dynamic Host Configuration Protocol
DNS       Domain Name Service
enVision  Log Decoder Service
FTP       File Transfer Protocol
GeoIP     Geographic data based on ip.src
GTalk     Google Talk
H323      H.323 Teleconferencing Protocol
HTTP      Hyper Text Transport Protocol
HTTPS     Secure Socket Layer Protocol
IRC       Internet Relay Chat Protocol
MAIL      Standard E-Mail Format (RFC822)
NETBIOS   NETBIOS computer name and parser
NETWORK   Network Layer parser
NFS       Network File System
NNTP      Network News Transport Protocol
PGP       PGP blocks within network traffic parser
POP3      Post Office Protocol
RIP       Routing Information Protocol
RTP       Real Time Protocol for audio/video
SCCP      Cisco Skinny Client Control Protocol
SEARCH    Searches content for keywords and/or regular expressions
SIP       Session Initiation Protocol
SMB       Server Message Block
SMIME     SMIME blocks within network traffic
SMTP      Simple Mail Transport Protocol
SNMP      Simple Network Management Protocol
SSH       Secure Shell
TDS       MSSQL and Sybase Database Protocol
TELNET    TELNET Protocol
TFTP      Trivial File Transfer Protocol
TNS       Oracle Database Protocol
VCARD     Extracts Full Name and E-mail information