This topic introduces features of the Services Config view > General tab for Decoders and Log Decoders.
The General tab for a Decoder in the Services Config view provides a way to manage basic service configuration, configure data capture, and select the parsers that are applied to the captured data.
Settings that set up and tune data capture include:
- Adapter selection
- Cache specification
- Capture autostart and other capture parameters that affect cache, sessions, and timeouts
- Database file sizes
- Location of the hash directory
The first figure is an example of the General tab for a Decoder. The second is the General tab for a Log Decoder.
These are the four major sections in the General tab for Decoders and Log Decoders:
- System Configuration
- Decoder Configuration
- Parsers Configuration
- Service Parsers Configuration (Log Decoders only)
The System Configuration section manages service configuration for a Decoder. When a service is first added, default values are in effect. You can edit these values to tune performance.
The System Configuration section has these parameters.
| Parameter | Description |
|---|---|
| Compression | The minimum number of bytes that must be transmitted per response before compression. A setting of 0 disables compression. The default value is 0. A change in value is effective immediately for all subsequent connections. |
| Port | Determines the port used by the service. Note: If you change the port number, ensure that you restart the service. |
| SSL FIPS mode | If enabled, all the data transferred in the network will be encrypted using SSL. |
| SSL Port | Indicates the port used for encrypting using SSL. |
| Stat Update Interval | The number of milliseconds between statistic updates on the system. Lower numbers cause more frequent updates and can slow down other processes. The default value is 1000. A change in value is effective immediately. |
| Threads | The number of threads in the thread pool to handle incoming requests. A setting of 0 lets the system decide. A change takes effect on service restart. |
The Decoder Configuration section provides a way to view and edit service configuration parameters for a Decoder or Log Decoder. When a service is first added, default values are in effect. You can edit these values to manage traffic capture.
Scrolling to the bottom of the section reveals these additional Decoder Configuration parameters.
Adapter parameters configure the network interface for capture. The table below describes the Decoder Adapter settings. The default network adapters available are set at installation. Consult your System Administrator for more information.
| Adapter Parameter | Description |
|---|---|
| Berkeley Packet Filter | Berkeley Packet Filters (BPF) are applied to the packet stream before the packets are copied to the Decoder adapter for analysis. This allows unwanted traffic to be efficiently discarded. However, any packets discarded are not accounted for in any Decoder statistics (capture rate, packets dropped, packets filtered, and total packets). |
| Capture Interface Selected | Select an adapter through which the Decoder captures packets. For the lower speed internal capture interface, use the packet_mmap_,7,eth1 adapter, which corresponds to the monitor port located on the motherboard. There are six additional capture ports: |
The Decoder also supports system-level packet filtering defined using tcpdump/libpcap syntax. Specifying a Libpcap filter can efficiently reduce packet volume based on Layer 2 ‐ Layer 4 attributes. A Libpcap filter is appropriate for use when a Decoder is receiving a traffic volume that is placing a load against the physical resources of the platform. In this scenario, the Decoder may consistently drop packets and have a large number of capture pages available (/decoder/stats/capture.pagefree is high).
The following is an example of a libpcap filter to keep only packets which do not have both source and destination addresses in the 10.21.0.0/16 subnet.
not (src net 10.21.0.0/16 and dst net 10.21.0.0/16)
For a full reference of the Libpcap filter syntax, see the man pages for:
- tcpdump (http://www.tcpdump.org/tcpdump_man.html).
- pcap-filter (http://www.unix.com/man-page/FreeBSD/7/pcap-filter/).
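To make the semantics of the filter above concrete, here is an added example (not part of the Decoder documentation) that evaluates `not (src net 10.21.0.0/16 and dst net 10.21.0.0/16)` against a few constructed packet headers. It models only the `src net` / `dst net` primitives, not general BPF, and it also counts how many packets the filter discards, since those never reach the Decoder and are therefore missing from its capture statistics. Note that the filter keeps traffic that is internal on one side only; only packets internal on both sides are dropped.

```python
"""
Added example (not from the Decoder documentation): evaluates the filter
    not (src net 10.21.0.0/16 and dst net 10.21.0.0/16)
against constructed packet headers. Only the 'src net'/'dst net'
primitives are modelled; this is not a general BPF evaluator.
"""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.21.0.0/16")


def keep_packet(src: str, dst: str, net=INTERNAL) -> bool:
    """True when the packet passes  not (src net N and dst net N)."""
    both_internal = ip_address(src) in net and ip_address(dst) in net
    return not both_internal


# Constructed sample headers (src, dst); not captured traffic.
SAMPLE_PACKETS = [
    ("10.21.4.7",    "10.21.200.1"),    # internal -> internal: discarded
    ("10.21.4.7",    "93.184.216.34"),  # internal -> external: kept
    ("198.51.100.9", "10.21.4.7"),      # external -> internal: kept
    ("10.22.0.5",    "10.21.4.7"),      # other /16 -> internal: kept
    ("203.0.113.1",  "198.51.100.9"),   # external -> external: kept
]


def apply_filter(packets, net=INTERNAL):
    """Return (kept_packets, discarded_count).

    Discarded packets are dropped by libpcap before the Decoder sees them,
    so they appear in none of the Decoder's capture or drop counters.
    """
    kept = [p for p in packets if keep_packet(*p, net=net)]
    return kept, len(packets) - len(kept)


if __name__ == "__main__":
    kept, discarded = apply_filter(SAMPLE_PACKETS)
    for src, dst in kept:
        print(f"kept      {src:>15} -> {dst}")
    print(f"discarded by libpcap filter (invisible to Decoder stats): {discarded}")
```

Because the filter only removes packets whose endpoints are both inside 10.21.0.0/16, any east-west traffic the analysts still expect to see must not be in that range; check the kept list against what the Decoder's capture-rate statistic reports after applying the filter, since the discarded count is not reflected there.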
Cache parameters configure the cache directory and size for session cache files. The following table describes the cache settings.
| Cache Parameter | Description |
|---|---|
| Cache Directory | The directory where session cache files are stored. The default value is /var/netwitness/decoder/cache. Change takes effect immediately. |
| Cache Size | The maximum size, in Megabytes (MB), that all files in the cache directory can attain before the oldest files are deleted. Once the threshold is reached, the cache size is reduced by 10%. The default value is 4 GB. Change takes effect immediately. |
The Capture Settings section provides a way to configure operational capture settings.
Note: By default, no capture rules are defined when you first install Security Analytics. Unless there are rules specified, the packets are not filtered. You can define capture rules before beginning to capture data (see Configure Network Rules, Configure Application Rules, and Configure Correlation Rules).
This table describes the capture settings.
| Capture Settings Parameter | Description |
|---|---|
| Assembler Maximum Size | Specifies the maximum size in bytes that a session's packet data size can attain. The default value is 32 MB. Change takes effect immediately. |
| Assembler Minimum Size | Specifies the minimum size in bytes that a session must have in order to generate metadata. A value of 0 means every session has metadata generated. The default value is 0. Change takes effect immediately. |
| Assembler Session Flush | Specifies whether a session is removed from the assembler when the session's last chain is removed from the assembler. The default value is 1. |
| Assembler Session Pool | Specifies the number of entries in the session pool. The default value is 350000. Change takes effect on service restart. |
| Assembler Timeout Packets | Specifies the number of seconds before a packet or chain is timed out. The default value is 60. Change takes effect immediately. |
| Assembler Timeout Session | Specifies the number of seconds before a session is timed out. The default value is 60. Change takes effect immediately. |
| Capture Autostart | Specifies whether capture begins automatically each time the Decoder is started. When checked, the value = yes. When unchecked, the value = no. The default value is no. Change takes effect immediately. |
| Capture Buffer Size | The capture memory buffer allocation in Megabytes. The default value is 64 MB. Change takes effect on service restart. |
| Parse Maximum Bytes | The maximum number of bytes to scan a stream for additional tokens. When the first token is found, the stream is scanned up to the set number of bytes, but no further. A setting of 0 removes the early termination and the full stream is scanned regardless of size. The default value is 128 KB. Change takes effect immediately. |
| Parse Minimum Bytes | The minimum number of bytes to scan a stream for the first token. If no token is found within the set number of bytes, scanning is terminated. A setting of 0 removes the early termination and the full stream is scanned regardless of size. The default value is 1 KB. Change takes effect immediately. |
| Parse Threads | The number of parse threads to use for session parsing. A value of 0 means let the server decide. The default value is 0. Change takes effect on service restart. |
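The interplay of Parse Minimum Bytes and Parse Maximum Bytes is easy to get wrong when tuning, so here is an added example (not code from the product or its documentation) that models the two limits over a constructed byte stream. It assumes, which the page does not state, that both limits are byte offsets from the start of the stream, that a "token" is any literal byte string from a parser's token list, and that the first token found is always reported even when Parse Maximum Bytes is smaller than its offset. The point for a defender is the failure mode: a session whose first token lies beyond Parse Minimum Bytes yields no parser metadata at all, so lowering the limit to save CPU has a direct visibility cost.

```python
"""
Added example (not from the Decoder documentation): a model of how
Parse Minimum Bytes / Parse Maximum Bytes bound token scanning.
Assumptions (not stated on the page): both limits are offsets from the
start of the stream, a token is a literal byte string, and 0 means
"no limit" as the page says for both settings.
"""


def _find_all(stream: bytes, tok: bytes):
    """Yield every offset at which tok occurs in stream."""
    pos = stream.find(tok)
    while pos != -1:
        yield pos
        pos = stream.find(tok, pos + 1)


def scan_stream(stream: bytes, tokens, parse_min: int, parse_max: int):
    """Return the (offset, token) hits a parser would see, in stream order.

    - If the first token does not start before parse_min bytes
      (0 = unlimited), scanning stops and nothing is returned.
    - After the first token, further tokens are only reported if they
      start before parse_max bytes (0 = unlimited). The first token is
      always kept (modelling choice).
    """
    hits = sorted((pos, tok) for tok in tokens for pos in _find_all(stream, tok))
    if not hits:
        return []
    first_offset = hits[0][0]
    if parse_min and first_offset >= parse_min:
        return []                       # early termination: no first token
    if parse_max:
        limit = max(parse_max, first_offset + 1)
        hits = [h for h in hits if h[0] < limit]
    return hits


# Constructed sample data; not a real session. Hypothetical token list
# for a toy HTTP-style parser.
TOKENS = [b"GET ", b"Host:", b"X-Marker:"]
SAMPLE_STREAM = (
    b"GET /index HTTP/1.1\r\n"          # "GET " at offset 0
    b"Host: example\r\n"                 # "Host:" at offset 21
    + b"A" * 2000                        # filler body
    + b"X-Marker: 1\r\n"                 # "X-Marker:" at offset 2036
)
# Same content, but 1500 bytes of leading padding before the first token.
PADDED_STREAM = b"B" * 1500 + SAMPLE_STREAM

DEFAULT_PARSE_MIN = 1024       # 1 KB, the page's default
DEFAULT_PARSE_MAX = 128 * 1024 # 128 KB, the page's default


def summarize(stream, parse_min=DEFAULT_PARSE_MIN, parse_max=DEFAULT_PARSE_MAX):
    """Names of tokens a parser would report for the given limits."""
    return [tok.decode() for _, tok in scan_stream(stream, TOKENS, parse_min, parse_max)]


if __name__ == "__main__":
    print("defaults, normal stream :", summarize(SAMPLE_STREAM))
    print("max 256 B, normal stream:", summarize(SAMPLE_STREAM, parse_max=256))
    print("defaults, padded stream :", summarize(PADDED_STREAM))
    print("min 0, padded stream    :", summarize(PADDED_STREAM, parse_min=0))
```

Run as-is, the padded stream produces no tokens under the default 1 KB minimum, while setting Parse Minimum Bytes to 0 restores all three; the 256-byte maximum shows the marker deep in the body being skipped even though the stream was parsed.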
Database Max File Sizes
The Database Max File Sizes section controls the maximum file size for various databases. The following table describes the parameters.
| File Size Parameter | Description |
|---|---|
| Meta File Size | The maximum size, in Gigabytes, of the meta database files. The default value is 3 GB. Change takes effect on service restart. |
| Packet File Size | The maximum size, in Gigabytes, of the packet database files. The default value is 4 GB. Change takes effect on service restart. |
| Session File Size | The maximum size, in Megabytes, of the session database files. The default value is 256 MB. Change takes effect on service restart. |
To calculate the drive sizes and free space for the meta, packet, and/or session databases in your environment, perform the following:
- In the Security Analytics menu, select Administration > Services.
- Select a service and select > View > Explore.
  The Service Explore View is opened.
- In the Node List, select database, right-click, and select Properties.
  The Properties panel is displayed.
- In the Properties panel, from the drop-down list, select reconfig.
- In the Parameters field, enter update = false.
- Click Send.
  The Response Output displays the drive sizes and free space for the meta, packet, and session databases.
The hashing settings control database file hashing options. There is a small performance penalty when hashing. The following table describes the hashing option.
| Hash Parameter | Description |
|---|---|
| Hash Directory | The server directory where all hash files are written. If empty, each hash file is written to the same directory as the file being hashed. The default value is blank. Change takes effect on service restart. |
The Parsers Configuration panel provides a way to select parsers to use on the Decoder. Within some parsers, you can also configure the metadata that the parser creates.
Security Analytics has the ability to configure individual parsers that do not store generated metadata on disk (Transient option). This helps administrators to protect certain data and is usually done as part of a data privacy plan (see Data Privacy Management).
The following table describes the features of the Parsers Configuration section.
| Feature | Description |
|---|---|
| | These options provide a way to quickly select either all parsers or no parsers. |
| Name | The names of parsers available to the Decoder. A plus sign indicates that the metadata generated by the parser is configurable. Clicking the plus sign displays the metadata that the parser can create. In the example above, CMS_windows_executable has three selectable metadata that the parser can create: alert.id, error, and filetype. |
| Config Value | A drop-down list changes the setting for the parser or metadata to Enabled, Disabled, or Transient. |
Additional Service Parsers Configuration for Log Decoder
The Service Parsers Configuration section provides a way to select Service parsers to use on the Log Decoder.