000034116 - Feeds on Log Decoders don't correctly support IP ranges in RSA Security Analytics

Document created by RSA Customer Support Employee on Sep 30, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000034116
Applies ToRSA Product Set: Security Analytics, NetWitness
RSA Product/Service Type: NetWitness Log Decoder, SA Log Decoder
RSA Version/Condition: 9.7, 9.8
RSA Version/Condition: 10.0.X, 10.1.X, 10.2.X, 10.3.X, 10.4.X, 10.5.X, 10.6.0.X, 10.6.1.X, 10.6.2.X
Platform: CentOS
O/S Version: 6
IssueWhen using the MetaCallback feature on ip.src and ip.dst within a feed, if the IPs are specified in ranges in the CSV (using either CIDR or low and high) the expected meta will not generate on Log Decoders. Two instances of meta based on ip.src will be generated (versus one based on ip.src and one based on ip.dst).
The same feed works as expected on Packet Decoders.
CauseFeeds were originally created for network sessions where ip.src and ip.dst is determined by its client stream.
In a log decoder we don't have the information and and so can't distinguish correctly between ip.src and ip.dst.
As a result when we define something like the following, it will create the instances of the 1st entry (srcname in this case, if we defined destname first instead then multiple instances of that would be generated).
<LanguageKey name="intranet" valuetype="Text" srcname="intranet.src" destname="intranet.dst" />

ResolutionBased on JIRA SATCE-260, the fix is currently targeted for SA 10.6.3
WorkaroundAs a workaround, 2 feeds can be created:
The limitations of this approach:
- as feeds use MetaCallback, we can't specify IPs in the CSV as CIDR ranges
- This will limit usefulness for Class A and Class B addresses due to the resulting size of feed that will be created.
Please find attached sample files:
For Log Decoder:

For Concentrator:
Sample index-concentrator-custom.xml