Mail Lua Parser Options

Document created by RSA Information Design and Development on Jan 12, 2017Last modified by RSA Information Design and Development on Aug 16, 2018
Version 113Show Document
  • View in full screen mode
 

Caution: RSA strongly suggests that you do not subscribe to the options file. Subsequent downloads of this file will overwrite all changes that you have made to the file.

Note the following:

  • If you deploy the options file, it can be found in the same directory as parsers: /etc/netwitness/ng/parsers/.
  • The parser is not dependent upon the options file. The parser will load and run even in the absence of the options file. The options file is only required if you need to change the default settings.
  • If you do not have an options file (or if your options file is invalid), the parser uses the default settings.

Note: The parser will never use both the defaults and customized options. If the options file exists and its contents can be loaded, then the defaults will not be used at all.

The Mail_lua_options file contains the following options for controlling the parser:

  • registerEmailSrcDst

  • parseQuoted

  • registerAddressHosts

  • parseReceived

To change an option from false to true, edit the line inside the corresponding function, from

return false

to

return true

And similarly to go from true to false.

Note: Modifying any of these options requires a service restart to take effect; a simple parser reload is insufficient.

registerEmailSrcDst

Default value: false

This option determines whether to register email address meta using the index keys email.src and email.dst.

If set to false, all email address meta is registered with the index key email.

If set to true:

  • Originating email addresses will be registered with the index key email.src
  • Recipient email addresses will be registered with the index key email.dst

parseQuoted

Default value: false

If set to false (default) then meta will not be extracted from headers which are contained within an email message (i.e., from a quoted message).

If set to true, then headers from quoted messages will be parsed.

registerAddressHosts

Default value: false

This option determines whether to register the host portion of email addresses as meta. The key used to register is alias.host, alias.ip, or alias.ipv6, as appropriate.

parseReceived

Default value: true

This option determines whether to register meta from Received: headers.

Many mail transfer agents (MTAs) add badly formatted information into Received: headers. This often manifests as as alias.host meta that is not a hostname. If this is problematic in your environment, disable parsing of Received: headers by setting the value to false.

You are here
Table of Contents > RSA NetWitness Platform Content > Parsers > Lua Packet Parsers > Mail Lua Parser Options

Attachments

    Outcomes