Mapping System Parsers to Lua Parsers

Document created by RSA Information Design and Development on Jul 14, 2017. Last modified by RSA Information Design and Development on Apr 10, 2018. Version 52.

This applies only to customers with Packet Decoders deployed. The table below maps each system parser to its Lua parser equivalent. System parsers typically perform better; Lua parsers, however, typically extract more metadata.

| System Parser | Lua Parser Equivalent | Notes |
|---|---|---|
| AIM | AIM_lua | The AIM system parser was removed in favor of the AIM_lua Lua parser. |
| ALERTS | None | This parser enables or disables the application and correlation rules. If you disable it entirely, the rules are not evaluated at all. If you disable a key, the rules are still evaluated, but that key won't be registered. |
| DHCP | DHCP_lua | |
| DNS | DNS_verbose_lua | |
| FeedParser | None | This parser enables or disables the feeds. If you disable it entirely, feeds are not evaluated at all. If you disable a key, feeds are evaluated, but meta going to that key from a feed won't be registered. |
| FTP | FTP_lua | |
| GeoIP | None | Provides geographic data based on source and destination information (ip.src, ip.dst, country.src, country.dst, city.src, city.dst) that may be helpful during investigations and when writing content for alerting. |
| Gtalk | None | |
| H323 | None | |
| HTTP | HTTP_lua | |
| HTTPS | TLS_lua | |
| IRC | IRC_verbose_lua | |
| LotusNotes | None | Obsolete |
| MAIL | MAIL_lua | |
| MSN | None | Obsolete |
| Net2Phone | None | Obsolete |
| NETBIOS | NetBIOS_lua | |
| NETWORK | None | The Network Layer parser is required to extract basic information about the session, such as the service, IPs, ports and payload. |
| NFS | NFS_lua | |
| NNTP | None | |
| PGP | None | |
| POP3 | POP3_lua | |
| RIP | ripng_lua | |
| RTP | None | |
| SAMETIME | None | Obsolete |
| SCCP | SCCP_lua | |
| SEARCH | None | Enables search.ini. If you disable it entirely, the regular expressions in search.ini are not evaluated and generate no meta. |
| SIP | SIP_lua | |
| SMB | SMB_lua | |
| SMIME | None | |
| SMTP | SMTP_lua | |
| SNMP | SNMP_lua | |
| Snort | None | Enables evaluation of Snort signatures. If you disable it entirely, Snort signatures are not evaluated and generate no meta. |
| SSH | SSH_lua | |
| TDS | TDS_lua | |
| TELNET | None | |
| TFTP | TFTP_lua | |
| TNS | None | |
| VCARD | vCard_lua | |
| VlanGre | None | This is an extension of the NETWORK parser. It is required to extract information about VLAN tags and GRE endpoints. |
| WEBMAIL | None | Obsolete |
| WLAN | None | This is an extension of the NETWORK parser. It is required to extract information about WiFi networks. |
| YCHAT | None | Obsolete |
| YMSG | None | Obsolete |
