Decoder: Services Config View - General Tab

Document created by RSA Information Design and Development on Jul 26, 2016. Last modified by RSA Information Design and Development on Sep 28, 2016. Version 4.

This topic introduces features of the Services Config view > General tab for Decoders and Log Decoders. 

The General tab for a Decoder in the Services Config view provides a way to manage basic service configuration, configure data capture, and select the parsers that are applied to the captured data.

Settings that set up and tune data capture include:

  • Adapter selection
  • Cache specification
  • Capture autostart and other capture parameters that affect cache, sessions, and timeouts
  • Database file sizes
  • Number of open database files
  • Location of the hash directory

The first figure is an example of the General tab for a Decoder. The second is the General tab for a Log Decoder.

[Figure: Services Config View - General tab for a Decoder (ParsConDeTran.png)]

[Figure: Services Config View - General tab for a Log Decoder]

Features

These are the four major sections in the General tab for Decoders and Log Decoders:

  • System Configuration section
  • Decoder Configuration section
  • Parsers Configuration section
  • Service Parsers Configuration section (Log Decoders only)

System Configuration Section

The System Configuration section manages service configuration for a Decoder. When a service is first added, default values are in effect. You can edit these values to tune performance.

[Figure: System Configuration section (104SysConfigField.png)]

The System Configuration section has these parameters.

Compression
    The minimum number of bytes that must be transmitted per response before compression. A setting of 0 disables compression. The default value is 0.
    A change in value is effective immediately for all subsequent connections.

Port
    The port on which the service listens. The default ports are:
      • 50001 for Log Collectors
      • 50002 for Log Decoders
      • 50003 for Brokers
      • 50004 for Decoders
      • 50005 for Concentrators
      • 50007 for other services

SSL
    When enabled (on), the security of data transmission is managed by encrypting information and providing authentication with SSL certificates. The default value is off.

Stat Update Interval
    The number of milliseconds between statistic updates on the system. Lower numbers cause more frequent updates and can slow down other processes. The default value is 1000.
    A change in value is effective immediately.

Threads
    The number of threads in the thread pool that handle incoming requests. A setting of 0 lets the system decide. The default value is 15.
    A change takes effect on service restart.

Decoder Configuration Section

The Decoder Configuration Section provides a way to view and edit service configuration parameters for a Decoder or Log Decoder. When a service is first added, default values are in effect. You can edit these values to manage traffic capture.

[Figure: Decoder Configuration section, upper parameters (104DecoderConfigField1.png)]

Scrolling to the bottom of the section reveals these additional Decoder Configuration parameters.

[Figure: Decoder Configuration section, additional parameters (104DecoderConfigField2.png)]

Adapter

Adapter parameters configure the network interface for capture. The table below describes the Decoder Adapter settings. The default network adapters available are set at installation. Consult your System Administrator for more information.

Berkeley Packet Filter
    Berkeley Packet Filters (BPF) are applied to the packet stream before the packets are copied to the Decoder adapter for analysis. This allows unwanted traffic to be discarded efficiently. However, discarded packets are not accounted for in any Decoder statistics (capture rate, packets dropped, packets filtered, and total packets).

Capture Interface Selected
    Select an adapter through which the Decoder captures packets. For the lower-speed internal capture interface, use the packet_mmap_,7,eth1 adapter, which corresponds to the monitor port located on the motherboard. There are six additional capture ports:
      • packet_mmap_,1,lo (bpf)
      • packet_mmap_,2,eth2 (bpf)
      • packet_mmap_,3,eth3 (bpf)
      • packet_mmap_,4,eth4 (bpf)
      • packet_mmap_,5,eth5 (bpf)
      • packet_mmap_,8,ALL (bpf)
    There are three wireless capture services available:
      • packet_netmon_ (Microsoft Netmon)
      • packet_mac80211_ (Linux mac80211)
      • packet_airport_ (Mac OS X AirPort)

The Decoder also supports system-level packet filtering defined using tcpdump/libpcap syntax. Specifying a libpcap filter can efficiently reduce packet volume based on Layer 2 to Layer 4 attributes. A libpcap filter is appropriate when a Decoder is receiving a traffic volume that places a load on the physical resources of the platform. In this scenario, the Decoder may consistently drop packets while still having a large number of capture pages available (/decoder/stats/capture.pagefree is high).

The following is an example of a libpcap filter that keeps only packets which do not have both their source and destination addresses in the 10.21.0.0/16 subnet:

    not (src net 10.21.0.0/16 and dst net 10.21.0.0/16)

For a full reference of the libpcap filter syntax, see the man pages for:
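To make the semantics of that filter concrete, here is an added Python model (not Decoder code and not part of this guide) that evaluates the page's filter over constructed source/destination pairs and contrasts it with the stricter form "not src net X and not dst net X"; it also mirrors the point above that packets discarded by the BPF never appear in Decoder statistics.

```python
import ipaddress

# Constructed sample packets as (src, dst) pairs; they are not captured data.
SAMPLE_PACKETS = [
    ("10.21.4.7", "10.21.9.2"),        # both ends inside 10.21.0.0/16: internal traffic
    ("10.21.4.7", "203.0.113.10"),     # inside -> outside
    ("198.51.100.5", "10.21.9.2"),     # outside -> inside
    ("198.51.100.5", "203.0.113.10"),  # neither end inside
]

NET = ipaddress.ip_network("10.21.0.0/16")


def in_net(addr: str, net=NET) -> bool:
    """True if addr (IPv4 text) belongs to the subnet, like 'src net'/'dst net'."""
    return ipaddress.ip_address(addr) in net


def keep_not_both_internal(src: str, dst: str) -> bool:
    """The filter from the guide: not (src net X and dst net X).
    Discards only traffic whose two endpoints are both inside the subnet,
    so traffic crossing the subnet boundary is still captured."""
    return not (in_net(src) and in_net(dst))


def keep_neither_internal(src: str, dst: str) -> bool:
    """The stricter form: not src net X and not dst net X.
    Discards every packet that touches the subnet on either end."""
    return not in_net(src) and not in_net(dst)


def apply_filter(packets, predicate):
    """Return (kept_packets, discarded_count) for a BPF-style predicate."""
    kept = [p for p in packets if predicate(*p)]
    return kept, len(packets) - len(kept)


def capture_stats(packets, predicate):
    """Model the accounting described above: only packets that pass the BPF
    reach the Decoder, so its packet counters never see the discarded ones."""
    kept, discarded = apply_filter(packets, predicate)
    return {"total_packets": len(kept), "bpf_discarded_not_counted": discarded}
```

Switching from the first predicate to the second silently removes cross-boundary traffic from capture, so a filter change should be checked against known-good flows before it is applied to a production Decoder.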

Cache

Cache parameters configure the cache directory and size for session cache files. The following table describes the cache settings.

Cache Directory
    The directory where session cache files are stored. The default value is /var/netwitness/decoder/cache. Change takes effect immediately.

Cache Size
    The maximum size, in Megabytes (MB), that all files in the cache directory can attain before the oldest files are deleted. Once the threshold is reached, the cache size is reduced by 10%. The default value is 4 GB. Change takes effect immediately.

Capture Settings

The Capture Settings section provides a way to configure operational capture settings.

Note: By default, no capture rules are defined when you first install Security Analytics. Unless there are rules specified, the packets are not filtered. You can define capture rules before beginning to capture data (see Configure Network Rules, Configure Application Rules, and Configure Correlation Rules).

This table describes the capture settings.

Assembler Maximum Size
    The maximum size, in bytes, that a session's packet data can attain. The default value is 32 MB. Change takes effect immediately.

Assembler Minimum Size
    The minimum size, in bytes, that a session must have in order to generate metadata. A value of 0 means metadata is generated for every session. The default value is 0. Change takes effect immediately.

Assembler Session Flush
    Specifies whether a session is removed from the assembler when the session's last chain is removed from the assembler. The default value is 1.
      • 2 = If the first packet of a session times out of the assembler, the session is removed from the assembler after parsing is complete. Any subsequent packets for this session create a new session in the assembler.
      • 1 = If the last chain of a session times out of the assembler, the session is removed from the assembler. Any subsequent packets for this session create a new session in the assembler.
      • 0 = If the last chain of a session times out of the assembler, the session is left in the assembler until it times out. Any subsequent packets for this session are filtered.
    Change takes effect on service restart.

Assembler Session Pool
    The number of entries in the session pool. The default value is 350000. Change takes effect on service restart.

Assembler Timeout Packets
    The number of seconds before a packet or chain is timed out. The default value is 60. Change takes effect immediately.

Assembler Timeout Session
    The number of seconds before a session is timed out. The default value is 60. Change takes effect immediately.

Capture Autostart
    Specifies whether capture begins automatically each time the Decoder is started. When checked, the value is yes; when unchecked, the value is no. The default value is no. Change takes effect immediately.

Capture Buffer Size
    The capture memory buffer allocation in Megabytes. The default value is 64 MB. Change takes effect on service restart.

Parse Maximum Bytes
    The maximum number of bytes to scan a stream for additional tokens. Once the first token is found, the stream is scanned up to the set number of bytes, but no further. A setting of 0 removes the early termination and the full stream is scanned regardless of size. The default value is 128 KB. Change takes effect immediately.

Parse Minimum Bytes
    The minimum number of bytes to scan a stream for the first token. If no token is found within the set number of bytes, scanning is terminated. A setting of 0 removes the early termination and the full stream is scanned regardless of size. The default value is 1 KB. Change takes effect immediately.

Parser Threads
    The number of parse threads to use for session parsing. A value of 0 means the server decides. The default value is 0. Change takes effect on service restart.
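As an added illustration (not Decoder code and not from this guide), the following Python models the Parse Minimum Bytes and Parse Maximum Bytes scanning behaviour described above on a constructed stream with a placeholder token; it assumes both limits are measured from the start of the stream, and it shows how a token that sits past the minimum is never parsed unless the limit is raised or set to 0.

```python
# Model of the Parse Minimum Bytes / Parse Maximum Bytes early-termination
# logic. TOKEN and the streams below are constructed for the example.
TOKEN = b"TOKEN"
DEFAULT_PARSE_MIN = 1 * 1024     # 1 KB, the documented default
DEFAULT_PARSE_MAX = 128 * 1024   # 128 KB, the documented default

# Tokens at offsets 500, 2505 and 202510 (the last is past 128 KB).
SAMPLE_STREAM = (b"A" * 500 + TOKEN + b"B" * 2000 + TOKEN
                 + b"C" * 200000 + TOKEN)
# First token at offset 1500, i.e. beyond the 1 KB minimum scan window.
LATE_TOKEN_STREAM = b"A" * 1500 + TOKEN + b"B" * 100


def scan_stream(stream: bytes, token: bytes, parse_min: int, parse_max: int):
    """Return the offsets of token occurrences the parser would act on.

    parse_min: bytes (from stream start) to scan for the first token;
               0 disables early termination.
    parse_max: bytes (from stream start, an assumption of this model) to scan
               for further tokens after the first; 0 scans the whole stream.
    """
    first_limit = len(stream) if parse_min == 0 else min(parse_min, len(stream))
    first = stream.find(token, 0, first_limit)
    if first == -1:
        return []  # no token inside the minimum window: scanning stops here
    hits = [first]
    end = len(stream) if parse_max == 0 else min(parse_max, len(stream))
    pos = first + len(token)
    while True:
        nxt = stream.find(token, pos, end)
        if nxt == -1:
            break
        hits.append(nxt)
        pos = nxt + len(token)
    return hits
```

Raising Parse Minimum Bytes recovers late first tokens at the cost of scanning more of every stream, so the change should be weighed against the Decoder's parse throughput.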

Database Max File Sizes

The Database Max File Sizes section controls the maximum file size for various databases. The following table describes the parameters.

Meta File Size
    The maximum size of meta database files in Megabytes. The default value is 10 MB. Change takes effect on service restart.

Packet File Size
    The maximum size of packet database files in Megabytes. The default value is 10 MB. Change takes effect on service restart.

Session File Size
    The maximum size of session database files in Megabytes. The default value is 100 MB. Change takes effect on service restart.

Database Open Files

The Database Open Files section controls the number of files open at a given time for various databases. More files open at a time generally improves query performance. The following table describes the parameters.

Meta Open Files
    The maximum number of meta files to keep open at any one time. The default value is 100. Change takes effect on service restart.

Packet Open Files
    The maximum number of packet files to keep open at any one time. The default value is 300. Change takes effect on service restart.

Session Open Files
    The maximum number of session files to keep open at any one time. The default value is 10. Change takes effect on service restart.

Hash

The Hash section controls database file hashing options. There is a small performance penalty when hashing. The following table describes the hashing option.

Hash Directory
    The server directory where all hash files are written. If empty, each hash file is written to the same directory as the file being hashed. The default value is blank. Change takes effect on service restart.

Parsers Configuration

The Parsers Configuration panel provides a way to select parsers to use on the Decoder. Within some parsers, you can also configure the metadata that the parser creates. 

Security Analytics 10.5 adds the ability to configure individual parsers so that they do not store generated metadata on disk (the Transient option). This feature helps administrators protect certain data and is usually used as part of a data privacy plan. For more information, see the Data Privacy Management guide.

[Figure: Parsers Configuration section (ParCfDetl.png)]

The table describes the features of the Parsers Configuration section.

Enable All / Disable All
    These options provide a way to quickly select either all parsers or no parsers.

Name
    The names of parsers available to the Decoder. A plus sign indicates that the metadata generated by the parser is configurable. Clicking the plus sign displays the metadata that the parser can create. In the example above, CMS_windows_executable has three selectable metadata that the parser can create: alert.id, error, and filetype.

Config Value
    A drop-down list changes the setting for the parser or metadata to Enabled, Disabled, or Transient.
      • When Enabled, the Decoder is using the parser to filter traffic.
      • When Transient, the Decoder is using the parser to filter traffic, and the generated metadata is not stored on disk. The transient metadata is available in memory to additional content (that is, parsers, feeds, and application rules) on that Decoder.
      • When Disabled, the Decoder is not using the parser.
    If the generated metadata for the parser is configurable, clicking the plus sign to expand the parser displays the configurable meta keys, and the same drop-down list selects the meta keys the parser will create.

Additional Service Parsers Configuration for Log Decoder

The Service Parsers Configuration section provides a way to select Service parsers to use on the Log Decoder.

[Figure: Service Parsers Configuration section (104ServParseConfigField.png)]
