Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000030296 - BPF rules are not filtering traffic on RSA NetWitness Platform 10G Decoders

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support on Aug 27, 2019

Version 4Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000030296
Applies To	RSA Product Set: Security Analytics, RSA NetWitness Logs & Network RSA Product/Service Type: 10G Decoder, Security Analytics UI RSA Version/Condition: 10.4.x, 11.x Platform: CentOS O/S Version: EL6
Issue	After configuring BPF rules on a Security Analytics 10G Decoder, the traffic is not being filtered as expected.
Cause	The PFRING driver used with 10G Decoders does not support the use of BPF and therefore will not filter the traffic.
Resolution	In order to filter network traffic on a 10G Decoder, a Network Rule must be created rather than using BPF. For example, if ports 553 and 55553 needed to be filtered, rather than using the not (port 553 or 55553) BPF syntax, a network rule similar to the rule shown below should be created.
Notes	More information on configuring Network Rules can be found in the RSA Security Analytics 10.4 User Guide.

Attachments

Outcomes

0 Comments

Recommended Content

Incoming Links

Re: Filter on Packet Decoder