Network rules consist of rule sets from Layer 2, Layer 3, and Layer 4. Multiple rules can be applied at the packet level to a Decoder. Rules can be applied to multiple layers (for example, when a network rule filters out specific ports for a specific IP address). You can create and manage network rules in the Services Config view > Network Rules tab.
Supported Meta Keys in Network Rule Conditions
The following table describes the meta keys that Security Analytics supports for use in network rule conditions.
| Meta Key | Description |
|---|---|
| eth.addr | Ethernet source or destination address. Commonly known as the MAC address. |
| eth.dst | Destination Ethernet address. This is the same as the Ethernet address field except that it selects only packets where the destination address matches the selected value(s). |
| eth.src | Same as Ethernet destination except that it focuses on the source address. |
| eth.type | Ethernet frame type. |
| hdlc.type | Frame type of the HDLC frame. |
| ip.addr | IPv4 source or destination address in standard form. IP addresses can be entered in CIDR notation for subnets. |
| ip.dst | Destination IPv4 address in standard form. IP addresses can be entered in CIDR notation for subnets. |
| ip.proto | IPv4 protocol field. |
| ip.src | Source IPv4 address in standard form. IP addresses can be entered in CIDR notation for subnets. |
| ipv6.addr | IPv6 source or destination address in hex format. Generally IPv6 addresses are written as eight groups of four hex digits, thus expressing the entire 128-bit address length. Supports notation to represent multiple blocks of 0000 in an address. Does not support CIDR notation. |
| ipv6.dst | Destination IPv6 address in hex format. |
| ipv6.proto | IPv6 protocol field. This maps to the Next Header field in the IPv6 header and uses the same values as the IPv4 protocol field. |
| ipv6.src | Source IPv6 address in hex format. |
| tcp.dstport | Destination TCP port. |
| tcp.port | TCP source or destination port. |
| tcp.srcport | Source TCP port. |
| udp.dstport | Destination UDP port. |
| udp.port | UDP source or destination port. |
| udp.srcport | Source UDP port. |
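
The following Python example is added here for illustration and is not the product's rule syntax or Decoder code. It models how the IP and port meta keys in the table match a packet: either-direction keys (`ip.addr`, `tcp.port`) against directional ones, CIDR for `ip.*`, and no CIDR for `ipv6.*`. The function names, the packet dictionaries, and the assumption that all conditions in a rule are ANDed are hypothetical.

```python
import ipaddress

def _ip4(value, rule):
    # ip.* rule values may be a single address or a CIDR subnet.
    return ipaddress.IPv4Address(value) in ipaddress.IPv4Network(rule, strict=False)

def _ip6(value, rule):
    # ipv6.* rule values accept "::" zero compression but not CIDR.
    if "/" in rule:
        raise ValueError(f"CIDR is not supported for ipv6.* keys: {rule}")
    return ipaddress.IPv6Address(value) == ipaddress.IPv6Address(rule)

def _port(value, rule):
    port = int(rule)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {rule}")
    return int(value) == port

# proto -> (matcher, either-direction field, source field, destination field)
FAMILIES = {
    "ip": (_ip4, "addr", "src", "dst"),
    "ipv6": (_ip6, "addr", "src", "dst"),
    "tcp": (_port, "port", "srcport", "dstport"),
    "udp": (_port, "port", "srcport", "dstport"),
}

def condition_matches(packet, key, rule_value):
    proto, field = key.split(".")
    match, either, src, dst = FAMILIES[proto]
    if field == either:
        fields = (src, dst)      # e.g. ip.addr checks ip.src and ip.dst
    elif field in (src, dst):
        fields = (field,)
    else:
        raise ValueError(f"key not covered by this example: {key}")
    return any(f"{proto}.{f}" in packet and match(packet[f"{proto}.{f}"], rule_value)
               for f in fields)

def rule_matches(packet, conditions):
    # Assumption: every condition in a rule must hold (logical AND).
    return all(condition_matches(packet, k, v) for k, v in conditions)

# Constructed packet summaries using documentation address ranges.
PACKET = {"ip.src": "10.1.2.3", "ip.dst": "192.0.2.10",
          "tcp.srcport": 51514, "tcp.dstport": 443}
PACKET6 = {"ipv6.src": "2001:db8:0:0:0:0:0:1", "ipv6.dst": "2001:db8::2",
           "udp.srcport": 5353, "udp.dstport": 53}

if __name__ == "__main__":
    print(rule_matches(PACKET, [("ip.addr", "10.0.0.0/8"), ("tcp.port", "443")]))
```
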