This topic introduces feeds and parsers and provides procedures for working Decoder and Log Decoder feeds and parsers.
Feeds and parsers are responsible for analyzing the packets and logs when captured or imported in a Decoder or Log Decoder. Most commonly, they are used for static meta extraction and service identification. The flexible definition allows custom extension of the core defined services to provide extra service type identification and metadata extraction. This is important due to the volume of custom applications that are used on networks.
Security Analytics has a set of core parsers that are defined by the system as well as the ability to add additional parsers. Each parser is configurable in the Services Config View - General Tab. The Parser Configuration panel provides a way to enable or disable parsers to use on the Decoder in addition to limiting the metadata that the parser creates.
There are several types of custom configurable parsers:
- GeoIP–This parser associates the IP addresses with actual geographical locations.
- Search–This parser is user‐configured to generate metadata by scanning for pre‐defined keywords and regular expressions.
- FLEXPARSE–This is a generic parser definition language for extending the existing application protocol support of the Decoder.
- Lua–This parser is defined using the Lua scripting language for extending the existing application protocol support of the Decoder.
- enVision–This application parser supports the Log Decoder and is configured to generate metadata by scanning log files.
- SNORT®–This parser supports the payload detection capabilities of SNORT® IDS rules.
In the Services Config view > Parsers tab, you can view deployed parsers on a Decoder, upload parsers, and delete deployed parsers. The user interface includes an Indicator if the parser originated from Live, installed through Security Analytics, or uploaded manually. Parsers can be added and removed while a Decoder is running without affecting capture.
In addition, you can download parsers using Security Analytics Live.
Security Analytics uses feeds to create metadata based on externally defined metadata values. A feed is a list of data that is compared to sessions as they are captured or processed. For each match, additional metadata is created. This data could identify and classify malicious IPs or incorporate additional information such as department and location based on internal network assignments. Some examples of feeds include threat feeds to identify BOTNets, DHCP mappings, or even active directory information such as physical location or logical department.
You can use the Live module in Security Analytics to obtain feeds from outside sources. The Live Content in Security Analyticstopic in Live Services Management provides an overview of the Live content management tool.
Within the Security Analytics user interface, you can view the list of currently deployed feeds, along with an indicator if the feed originated from Security Analytics Live was installed through Security Analytics, or manually. Feeds can be added, removed, and updated while a Decoder is running without affecting capture.
Security Analytics has a Custom Feed wizard, which streamlines the task of creating and managing custom feeds, as well as populating the feeds to selected Decoders and Log Decoders. In addition, you can download existing feed files and edit the files, then edit the feed or create a new feed using the edited file.