Decoder: Configure Network Rules

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Oct 11, 2017. Version 6.
Network rules are applied at the packet level on a Decoder and are built from conditions on Layer 2, Layer 3, and Layer 4 fields. Multiple network rules can be applied to a Decoder, and a single rule can span several layers (for example, a rule that filters out specific ports for a specific IP address). Network rules apply only to packet Decoders; they do not apply to Log Decoders.

You can create and manage network rules in the Services Config view > Network Rules tab.

Supported Meta Keys in Network Rule Conditions

The following table describes the meta keys that NetWitness Suite supports for use in network rule conditions. 

                                                                                     
Meta Key        Description
eth.addr        Ethernet source or destination address, commonly known as the MAC address.
eth.dst         Destination Ethernet address. Matches only packets whose destination MAC equals the given value(s).
eth.src         Source Ethernet address. Matches only packets whose source MAC equals the given value(s).
eth.type        Ethernet frame type (EtherType).
hdlc.type       Frame type of the HDLC frame.
ip.addr         IPv4 source or destination address in dotted-decimal form. Subnets can be given in CIDR notation.
ip.dst          Destination IPv4 address in dotted-decimal form. Subnets can be given in CIDR notation.
ip.proto        IPv4 protocol field (for example, 6 for TCP and 17 for UDP).
ip.src          Source IPv4 address in dotted-decimal form. Subnets can be given in CIDR notation.
ipv6.addr       IPv6 source or destination address in hex format: eight groups of four hex digits covering the full 128-bit address, with a run of all-zero groups abbreviated as ::. Does not support CIDR notation.
ipv6.dst        Destination IPv6 address in hex format.
ipv6.proto      IPv6 protocol field. Maps to the Next Header field in the IPv6 header and uses the same values as the IPv4 protocol field.
ipv6.src        Source IPv6 address in hex format.
tcp.dstport     Destination TCP port.
tcp.port        TCP source or destination port.
tcp.srcport     Source TCP port.
udp.dstport     Destination UDP port.
udp.port        UDP source or destination port.
udp.srcport     Source UDP port.

The following are sample network rules.

To truncate the payload of SSL/TLS traffic sent from port 443 (the server-to-client direction), create a rule as follows. Truncate keeps the packet headers and the associated meta, so the sessions stay searchable while the encrypted payload, which is of little forensic value without the keys, is not stored. Note that tcp.srcport=443 does not match the client-to-server half of the connection; to cover both directions, use tcp.port=443 instead.

  • Rule Name: Truncate SSL
  • Condition: tcp.srcport=443
  • Rule Action: Truncate

To drop all traffic to or from a subnet (for example, a lab or scanner range you do not want to store), create a rule as follows. ip.addr matches on either the source or the destination address, and the subnet is given in CIDR notation.

  • Rule Name: Subnet Filter
  • Condition: ip.addr=192.168.2.0/24
  • Rule Action: Filter

To add or edit a network rule:

  1. Go to ADMIN > Services, select a Decoder service, and choose View > Config from the Actions menu.
    The Services Config view for the selected service is displayed.
  2. Select the Network Rules tab.
    The Network Rules tab is displayed. (Screenshot of the Network Rules tab omitted.)
  3. In the Network Rules tab, do one of the following:
  • To add a new rule, click the Add icon.
  • To edit a rule, select it in the rules list and click the Edit icon.
    The Rule Editor dialog is displayed. (Screenshot of the Rule Editor dialog omitted.)
  4. In the Rule Name field, type a name for the rule. For example, for a rule that truncates SSL/TLS payload sent from port 443, type SSL Truncate.
  5. In the Condition field, build the condition that triggers the action when a packet matches. You can type directly in the field or build the condition from the meta keys offered in the window. As you build the condition, NetWitness Suite displays syntax errors and warnings. For example, to truncate SSL/TLS payload sent from port 443, enter tcp.srcport=443.
    All string literals and time stamps must be quoted. Do not quote numeric values or IP addresses. Configure Decoder Rules provides additional details, and Supported Meta Keys in Network Rule Conditions (above) lists the meta keys that network rule conditions accept.
  6. If you want rule evaluation to end with this rule when it matches, select the Stop Rule Processing checkbox.
  7. In the Session Data section, choose the action to apply when a packet matches the rule:
  • Keep: The packet payload and associated meta are saved.
  • Filter: The packet is not saved.
  • Truncate: The packet payload is not saved, but the packet headers and associated meta are retained.
  8. In the Session Options section, select any of the following four options that apply:
  • Assemble: The assembler assembles the packet chain when it matches the rule.
  • Network Meta: The packet generates network metadata when it matches the rule.
  • Application Meta: The packet generates application metadata when it matches the rule.
  • Alert: The packet generates a custom alert when metadata matches the rule.
  9. To save the rule and add it to the rules list, click OK.
    The rule is added at the end of the list, or inserted where you specified in the context menu.
  10. Check that the rule sits in the correct position in the execution sequence relative to the other rules in the list, and move it if necessary. Rules are evaluated in list order, so a rule placed above yours that filters matching packets and has Stop Rule Processing set will prevent your rule from ever seeing them.
  11. To apply the updated rule set to the Decoder, click Apply.
    NetWitness Suite saves a snapshot of the currently applied rules, applies the updated set to the Decoder, and removes the pending indicator from the rules that were pending.
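The behaviour this page describes, the either-direction keys, IPv4 CIDR matching, the :: abbreviation and the lack of CIDR for IPv6, the unquoted-number rule, the Keep/Filter/Truncate actions, Stop Rule Processing, and the importance of list order, can be exercised without a Decoder with the following model. It is an added example written for this page, not NetWitness code, and it does not reproduce the product's parser. Everything beyond the page's statements is an assumption of the model: a condition is one or more key=value terms joined by &&, a value may be a comma-separated list, rules run in list order with the last matching rule's action taking effect unless a matching rule has Stop Rule Processing set, packets that match no rule are kept, MAC-address keys are left out, and the packets and rule names are constructed for illustration.

```python
"""Toy model of Decoder network-rule evaluation: an added example, not NetWitness code.
Assumed here, not taken from the page: key=value terms joined by "&&" with comma-separated
value lists; rules run in list order and the last matching rule's action wins unless a
matching rule has Stop Rule Processing set; unmatched packets are kept; MAC keys omitted."""
import ipaddress

# Either-direction keys from the page's table and the concrete fields they cover.
EITHER = {"ip.addr": ("ip.src", "ip.dst"), "ipv6.addr": ("ipv6.src", "ipv6.dst"),
          "tcp.port": ("tcp.srcport", "tcp.dstport"), "udp.port": ("udp.srcport", "udp.dstport")}
IPV4_KEYS = {"ip.addr", "ip.src", "ip.dst"}
IPV6_KEYS = {"ipv6.addr", "ipv6.src", "ipv6.dst"}
NUMERIC_KEYS = {"eth.type", "hdlc.type", "ip.proto", "ipv6.proto", "tcp.port", "tcp.srcport",
                "tcp.dstport", "udp.port", "udp.srcport", "udp.dstport"}
ACTIONS = {"Keep", "Filter", "Truncate"}

def parse_value(key, raw):
    """One literal -> matcher, per the page: IPv4 accepts CIDR, IPv6 does not, numbers unquoted."""
    raw = raw.strip()
    if key in IPV4_KEYS:
        net = ipaddress.ip_network(raw, strict=False)        # a bare address becomes a /32
        if net.version != 4:
            raise ValueError(f"{key} needs an IPv4 address or subnet: {raw}")
        return net
    if key in IPV6_KEYS:
        if "/" in raw:
            raise ValueError(f"{key} does not support CIDR notation: {raw}")
        return ipaddress.ip_address(raw)                     # accepts the :: abbreviation
    if key in NUMERIC_KEYS:
        if raw[:1] in ("'", '"'):
            raise ValueError(f"numbers must not be quoted: {raw}")
        return int(raw, 0)                                   # 443, 0x0800, ...
    raise ValueError(f"unsupported meta key: {key}")

def parse_condition(condition):
    """'k1=v1,v2 && k2=v3' -> [(key, [matcher, ...]), ...]."""
    terms = []
    for term in condition.split("&&"):
        key, sep, rhs = term.partition("=")
        if not sep:
            raise ValueError(f"expected key=value: {term.strip()!r}")
        terms.append((key.strip(), [parse_value(key.strip(), v) for v in rhs.split(",")]))
    return terms

def validate(condition):
    """None if the condition is well formed, else the error text the editor would flag."""
    try:
        parse_condition(condition)
        return None
    except ValueError as exc:
        return str(exc)

def _matches(matcher, value):
    if isinstance(matcher, ipaddress.IPv4Network):
        return ipaddress.ip_address(value) in matcher        # False for an IPv6 value
    if isinstance(matcher, ipaddress.IPv6Address):
        return ipaddress.ip_address(value) == matcher        # full and :: forms compare equal
    return matcher == int(value)

def rule(name, condition, action, stop=False):
    """A rule as the editor saves it; stop is the Stop Rule Processing checkbox."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    return {"name": name, "terms": parse_condition(condition), "action": action, "stop": stop}

def matches(r, pkt):
    """Every term must match; an either-direction key matches on src or dst."""
    for key, matchers in r["terms"]:
        values = [pkt[f] for f in EITHER.get(key, (key,)) if f in pkt]
        if not any(_matches(m, v) for m in matchers for v in values):
            return False
    return True

def evaluate(rules, pkt):
    """(disposition, names of matching rules) for one decoded packet."""
    disposition, hits = "Keep", []
    for r in rules:
        if matches(r, pkt):
            disposition, hits = r["action"], hits + [r["name"]]
            if r["stop"]:
                break
    return disposition, hits

# Constructed sample packets (decoded header fields only, not real captures).
TLS_FROM_SERVER = {"ip.src": "93.184.216.34", "ip.dst": "10.0.0.5", "ip.proto": 6,
                   "tcp.srcport": 443, "tcp.dstport": 51234}
TLS_TO_SERVER = {"ip.src": "10.0.0.5", "ip.dst": "93.184.216.34", "ip.proto": 6,
                 "tcp.srcport": 51234, "tcp.dstport": 443}
LAB_DNS = {"ip.src": "192.168.2.77", "ip.dst": "10.0.0.5", "ip.proto": 17,
           "udp.srcport": 53, "udp.dstport": 4000}
V6_DNS = {"ipv6.src": "2001:0db8:0000:0000:0000:0000:0000:0053", "ipv6.dst": "2001:db8::1",
          "ipv6.proto": 17, "udp.srcport": 53, "udp.dstport": 40000}

RULES = [   # the page's two sample rules plus two more, in list order
    rule("Subnet Filter", "ip.addr=192.168.2.0/24", "Filter", stop=True),
    rule("Truncate SSL", "tcp.srcport=443", "Truncate"),
    rule("Keep lab DNS", "udp.port=53 && ip.src=192.168.2.0/24", "Keep"),   # shadowed by rule 1
    rule("Keep v6 DNS", "ipv6.src=2001:db8::53 && udp.srcport=53", "Keep"),
]
REORDERED = [rule("Keep lab DNS", "udp.port=53 && ip.src=192.168.2.0/24", "Keep", stop=True)] + RULES
```

Running evaluate over the constructed packets shows the two points the procedure makes about ordering and about which direction a port condition covers: with RULES as listed, the lab DNS packet is filtered by the stopping Subnet Filter before the Keep lab DNS rule is ever consulted, whereas REORDERED, which moves that exception above the filter, keeps it; and tcp.srcport=443 truncates only the server-to-client packet while the client-to-server packet falls through to the default. validate("ipv6.addr=2001:db8::/32") returns an error string, matching the table's note that IPv6 keys do not take CIDR notation.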