000034116 - Feeds on Log Decoders don't correctly support IP ranges in RSA Security Analytics

Document created by RSA Customer Support Employee on Sep 30, 2016Last modified by RSA Customer Support on May 6, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000034116
Applies ToRSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: NetWitness Log Decoder, SA Log Decoder
RSA Version/Condition: 9.7, 9.8
RSA Version/Condition: 10.0.X, 10.1.X, 10.2.X, 10.3.X, 10.4.X, 10.5.X, 10.6.0.X, 10.6.1.X, 10.6.2.X
Platform: CentOS
O/S Version: 6
IssueWhen using the MetaCallback feature on ip.src and ip.dst within a feed, if the IPs are specified in ranges in the CSV (using either CIDR or low and high) the expected meta will not generate on Log Decoders. Two instances of meta based on ip.src will be generated (versus one based on ip.src and one based on ip.dst).

The same feed works as expected on Packet Decoders.
CauseFeeds were originally created for network sessions where ip.src and ip.dst are determined by their client stream.
In a log decoder, we don't have the information and can't distinguish correctly between ip.src and ip.dst.

As a result, when we define something like the following, it will create the instances of the 1st entry (srcname in this case, if we defined destname first instead then multiple instances of that would be generated).

<LanguageKey name="intranet" valuetype="Text" srcname="intranet.src" destname="intranet.dst" />

ResolutionThis has been documented in the RSA NetWitness 10.6.1 Release Notes
WorkaroundAs a workaround, 2 feeds can be created:

The limitations of this approach:
- as feeds use MetaCallback, we can't specify IPs in the CSV as CIDR ranges
- This will limit usefulness for Class A and Class B addresses due to the resulting size of feed that will be created.

Please find attached sample files:

For Log Decoder:

For Concentrator:
Sample index-concentrator-custom.xml