Decoder: Map IP Address to Service Type

Document created by RSA Information Design and Development on Jun 25, 2017. Last modified by RSA Information Design and Development on Sep 25, 2017. Version 2.

This topic describes the procedure to map an IP address to a service type for log parsing.

The Log Collector discovers the event source type on a per-message basis. If the correct parser is not used for a specific event source, messages that are common to several event source types are misclassified. Misidentified messages do not populate service rules and alerts, and reports do not contain the proper information. Also, if multiple services are associated with one IP address, it can be difficult for the parsers to identify the exact service from which a log was generated.

If you map an IP address to its services, the log decoder can identify the service from which the log is generated. When messages come into the log decoder from a mapped service, the assigned parsers are loaded to find event matches. 

You can assign service types to the IPV4 address, IPV6 address, or hostname of the event source. You can also assign multiple service types to a single IP address, and you can use the CollectorID when different service types with the same IP address are sent to different collectors.

Procedure

To map an IP address to a service type, do the following:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services view, select a Log Decoder, and in the Actions column, select the Actions menu > View > Explore.
  3. Go to the /decoder/parsers node, right-click parsers, and select Properties.
  4. In the Properties view, specify the ipdevice command with the following parameters:
    op=add/remove entries="ipaddress=service" (for example, op=add entries="10.100.201.300=ciscoasa")
  5. Click Send.

IPdevice Command

In the ipdevice command, three operations are available:

  • add: This operation adds or updates entries in the ipdevice map. Multiple space delimited address/type pairs may be specified.
    op=add entries="<address>=<service type>"
  • remove: This operation removes entries from the ipdevice map. Multiple space delimited address/type pairs may be specified.
    op=remove entries="<address>"
  • describe: This operation returns the values currently in the ipdevice map.

Time Zone Support

The Log Decoder can be configured so that a given log device source is associated with a time zone, so that event times can be correctly converted to UTC across all devices.

Three time zone formats are currently accepted and are shown in the following examples:

  1. Olson format:
    America/Anguilla
  2. POSIX formats:
    EST5EDT
    AST2:45ADT0:45,M4.1.6/1:45,M10.5.6/2:45
  3. Offset by Hours formats:
    EST
    -500

Note: Offset by Hours time zone formats do not change for Daylight Savings Time.

Result

Security Analytics maps the IP address to a time zone in the log decoder. Event time meta is updated according to the mapping for each address.

Procedure

To map an IP address to a time zone, do the following:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services view, select a Log Decoder, and in the Actions column, select the Actions menu > View > Explore.
  3. Go to the /decoder/parsers node, right-click parsers, and select Properties.
  4. In the Properties view, specify the iptmzone command with the following parameters:
    op=add entries="ipaddress=timezone" (for example, op=add entries="10.10.10.10=Africa/Addis_Ababa")
  5. Click Send.

iptmzone Command

In the iptmzone command, three operations are available:

  • add: This operation adds or updates entries in the iptmzone map. Multiple space delimited address/type pairs may be specified.
    op=add entries="<address>=<time zone>"
  • remove: This operation removes entries in the iptmzone map. Multiple space delimited address/type pairs may be specified.
    op=remove entries="<address>"
  • describe: This operation returns the values currently in the iptmzone map.

Examples

The following examples show how to map IP addresses to time zones:

  • If you want to map two entries with different IPV4 values and time zones, enter the following parameter in the iptmzone command and click Send.
    op=add entries="10.10.10.10=America/Anguilla 10.10.10.11=Pacific/Rarotonga"
  • If you want to remove the entry for a single IPV4 value and time zone, enter the following parameter in the iptmzone command and click Send.
    op=remove entries="10.5.245.9"
  • If you want to create a single entry for an IPV6 value and time zone, enter the following parameter in the iptmzone command and click Send.
    op=add entries="2001:DB8:85A3::8A2E:370:7334=America/Anguilla"
  • If you want to map a single device to a time zone or offset, create an entry by using:
    op=add entries="<address>=<time>"
    where <address> is an IPV4 address, IPV6 address, or hostname, and <time> is an integer offset or a time zone in Olson or POSIX format. Enter the parameter in the iptmzone command and click Send. For example:
    op=add entries="10.168.0.2=EST5EDT"
    Alternately, you can map several devices in one command by entering the following parameter in the iptmzone command and clicking Send:
    op=add entries="10.168.0.2=America/Anguilla 2001:DB8:85A3::8A2E:370:7334=0500 nwappliance21=EST5EDT,M3.2.0/2,M11.1.0"
