Decoder: Configure Transaction Handling on a Decoder

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Oct 11, 2017. Version 7.
Beginning with 11.0, administrators can configure a Decoder to subdivide incoming sessions into smaller transaction sessions when using Lua parsers designed to create transactions. This lets analysts perform analytics on the split sessions in downstream services such as Investigate.

Transaction Handling

The Decoder service configuration tree has a new parameter for transaction handling: /decoder/parsers/config/parser.transaction.mode. This node controls how the Decoder behaves when a parser defines a transaction within a network session.

The values for parser.transaction.mode correspond to the operating modes:

  • off (transactions off)
  • meta (transactions represented as meta items)
  • split (transactions split sessions)

Transactions Off

When transactions mode is off, any application-level transactions created by parsers are ignored, and nothing is stored in the collection to represent the transaction.

Transactions Represented as Meta Items

In this mode of operation, when a parser generates an application-level transaction, a new meta item of type trans is added to the session in which the transaction occurred. The trans meta item contains a list of the other meta items that constitute the transaction.

Transactions Split Sessions

In this mode of operation, when a parser generates an application-level transaction, the session is split. The split proceeds in three steps:

  1. A new session item is created.
  2. Network meta items are copied from the parsed session into the new session.
  3. Meta items marked in the transaction are moved from the original session to the new session.

The following meta items are duplicated into the split session from the session that was parsed:

  • time
  • medium
  • eth.src
  • eth.dst
  • eth.type
  • ip.proto
  • ip.src
  • ip.dst
  • ipv6.src
  • ipv6.dst
  • ipv6.proto
  • tcp.srcport
  • tcp.dstport
  • tcp.flags
  • udp.srcport
  • udp.dstport
  • service
  • tls.premaster
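The following Python model is an added illustration, not RSA NetWitness code: it applies one parser-generated transaction to a session under each of the three parser.transaction.mode values, using the copy/move rules and the network meta list given above. The session layout, the sample HTTP session and the integer session ids are constructed for this example.

```python
from copy import deepcopy

# Meta keys the page lists as duplicated into a split session (network meta).
NETWORK_META = {
    "time", "medium", "eth.src", "eth.dst", "eth.type", "ip.proto", "ip.src",
    "ip.dst", "ipv6.src", "ipv6.dst", "ipv6.proto", "tcp.srcport", "tcp.dstport",
    "tcp.flags", "udp.srcport", "udp.dstport", "service", "tls.premaster",
}

def sample_session():
    """Constructed sample: one HTTP session holding two requests (a GET and a PUT)."""
    return {"id": 1000, "meta": [
        ("time", 1507680000), ("medium", 1), ("ip.src", "10.0.0.5"), ("ip.dst", "10.0.0.9"),
        ("tcp.srcport", 51234), ("tcp.dstport", 80), ("service", 80),
        ("action", "get"), ("filename", "index.html"),
        ("action", "put"), ("filename", "upload.bin"),
    ]}

def apply_transaction(session, marked, mode):
    """Apply one parser-generated transaction to a session under the given mode.

    session: {'id': int, 'meta': [(key, value), ...]}  (constructed layout)
    marked:  indices into session['meta'] that the parser marked as the transaction
    Returns the list of resulting sessions; the input session is left unchanged.
    """
    session = deepcopy(session)
    if mode == "off":
        return [session]                                  # ignored, nothing stored
    if mode == "meta":
        members = [session["meta"][i] for i in marked]
        session["meta"].append(("trans", members))        # trans item lists its members
        return [session]
    if mode == "split":
        new = {"id": session["id"] + 1, "meta": []}       # step 1: new session item
        new["meta"] += [m for m in session["meta"] if m[0] in NETWORK_META]   # step 2: copy
        new["meta"] += [session["meta"][i] for i in sorted(marked)]            # step 3: move
        session["meta"] = [m for i, m in enumerate(session["meta"]) if i not in set(marked)]
        return [session, new]
    raise ValueError(f"unknown parser.transaction.mode: {mode}")

def meta_keys(session):
    """Ordered list of meta keys in a session, for inspection."""
    return [k for k, _ in session["meta"]]

if __name__ == "__main__":
    for mode in ("off", "meta", "split"):
        for s in apply_transaction(sample_session(), [9, 10], mode):
            print(mode, s["id"], meta_keys(s))
```

In split mode the original session keeps its network meta plus the GET, while the new session carries a copy of the network meta and the moved PUT meta.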