Decoder: Supported Meta Keys in Network Rules

Document created by RSA Information Design and Development on Nov 23, 2016. Last modified by RSA Information Design and Development on Mar 28, 2017.
Version 4

Network rules consist of rule sets from Layer 2, Layer 3, and Layer 4. Multiple rules can be applied at the packet level to a Decoder. Rules can be applied to multiple layers (for example, when a network rule filters out specific ports for a specific IP address). You can create and manage network rules in the Services Config view > Network Rules tab.

Supported Meta Keys in Network Rule Conditions

The following table describes the meta keys that Security Analytics supports for use in network rule conditions. 

                                                                                     
| Meta Key | Description |
|---|---|
| eth.addr | Ethernet source or destination address. Commonly known as the MAC address. |
| eth.dst | Destination Ethernet address. This is the same as the Ethernet address field except that it selects only packets where the destination address matches the selected value(s). |
| eth.src | Same as Ethernet destination except that it focuses on the source address. |
| eth.type | Ethernet frame type. |
| hdlc.type | Frame type of the HDLC frame. |
| ip.addr | IPv4 source or destination address in standard form. IP addresses can be entered in CIDR notation for subnets. |
| ip.dst | Destination IPv4 address in standard form. IP addresses can be entered in CIDR notation for subnets. |
| ip.proto | IPv4 protocol field. |
| ip.src | Source IPv4 address in standard form. IP addresses can be entered in CIDR notation for subnets. |
| ipv6.addr | IPv6 source or destination address in hex format. Generally IPv6 addresses are written as eight groups of four hex digits, thus expressing the entire 128-bit address length. Supports notation to represent multiple blocks of 0000 in an address. Does not support CIDR notation. |
| ipv6.dst | Destination IPv6 address in hex format. |
| ipv6.proto | IPv6 protocol field. This maps to the Next Header field in the IPv6 header and uses the same values as the IPv4 protocol field. |
| ipv6.src | Source IPv6 address in hex format. |
| tcp.dstport | Destination TCP port. |
| tcp.port | TCP source or destination port. |
| tcp.srcport | Source TCP port. |
| udp.dstport | Destination UDP port. |
| udp.port | UDP source or destination port. |
| udp.srcport | Source UDP port. |
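
To show where each of these meta keys sits in a packet, the following added Python example (not part of the original RSA documentation and not the Decoder's own parsing code) extracts them from raw Ethernet II frames and applies the "source or destination" meaning of ip.addr with a CIDR block. It assumes complete, untagged frames with no IPv6 extension headers; the function names and both sample frames are constructed for illustration.

```python
import ipaddress
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def extract_meta(frame):
    """Map raw Ethernet II frame bytes to the meta keys in the table above."""
    meta = {"eth.dst": mac(frame[0:6]), "eth.src": mac(frame[6:12])}
    (eth_type,) = struct.unpack("!H", frame[12:14])
    meta["eth.type"] = eth_type
    l3 = frame[14:]
    if eth_type == 0x0800:                       # Layer 3: IPv4
        ihl = (l3[0] & 0x0F) * 4                 # header length in bytes
        proto = meta["ip.proto"] = l3[9]
        meta["ip.src"] = str(ipaddress.IPv4Address(l3[12:16]))
        meta["ip.dst"] = str(ipaddress.IPv4Address(l3[16:20]))
        l4 = l3[ihl:]
    elif eth_type == 0x86DD:                     # Layer 3: IPv6
        proto = meta["ipv6.proto"] = l3[6]       # Next Header field
        meta["ipv6.src"] = str(ipaddress.IPv6Address(l3[8:24]))
        meta["ipv6.dst"] = str(ipaddress.IPv6Address(l3[24:40]))
        l4 = l3[40:]
    else:
        return meta                              # only Layer 2 keys available
    name = {6: "tcp", 17: "udp"}.get(proto)      # same numbers for IPv4 and IPv6
    if name and len(l4) >= 4:                    # Layer 4: ports lead both headers
        src, dst = struct.unpack("!HH", l4[:4])
        meta[f"{name}.srcport"], meta[f"{name}.dstport"] = src, dst
    return meta

def ip_addr_matches(meta, cidr):
    """ip.addr meaning: true if the source OR destination is in the CIDR block."""
    net = ipaddress.ip_network(cidr)
    return any(ipaddress.ip_address(meta[k]) in net
               for k in ("ip.src", "ip.dst") if k in meta)

# Constructed sample frames (checksums zeroed), not captured traffic.
FRAME_V4 = bytes.fromhex(                        # 10.1.2.3:49152 -> 192.168.0.10:443
    "001122334455 66778899aabb 0800"
    "45000028 00004000 40060000 0a010203 c0a8000a"
    "c000 01bb" + "00" * 16)
FRAME_V6 = bytes.fromhex(                        # [2001:db8::1]:5353 -> [2001:db8::2]:53
    "001122334455 66778899aabb 86dd"
    "60000000 0008 11 40"
    "20010db8 00000000 00000000 00000001"
    "20010db8 00000000 00000000 00000002"
    "14e9 0035 0008 0000")

if __name__ == "__main__":
    print(extract_meta(FRAME_V4), extract_meta(FRAME_V6), sep="\n")
```

The IPv6 addresses print in the compressed form (2001:db8::1), which is the notation for runs of 0000 blocks that the ipv6.addr description refers to.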