SMTP Lua Parser Options

Document created by RSA Information Design and Development on Jul 16, 2018. Last modified by RSA Information Design and Development on Nov 15, 2018.
Version 16

Caution: RSA strongly suggests that you do not subscribe to the options file. Subsequent downloads of this file will overwrite all changes that you have made to the file.

Note the following:

  • If you deploy the options file, it can be found in the same directory as parsers: /etc/netwitness/ng/parsers/.
  • The parser is not dependent upon the options file. The parser will load and run even in the absence of the options file. The options file is only required if you need to change the default settings.
  • If you do not have an options file (or if your options file is invalid), the parser uses the default settings.

Note: The parser will never use both the defaults and customized options. If the options file exists and its contents can be loaded, then the defaults will not be used at all.

The SMTP_lua_options file contains the following options for controlling the parser:

  • registerEmailSrcDst
  • registerAddressHosts
  • errorCodeOnly

To change an option from false to true, edit the line inside the corresponding function, from

return false

to

return true

To change an option from true to false, make the reverse edit.

registerEmailSrcDst

Default value: false

Determines whether or not to register email address meta using the index keys email.src and email.dst.

  • If set to false, all email address meta is registered with the index key email.
  • If set to true:

    • Originating email addresses are registered with the index key email.src
    • Recipient email addresses are registered with the index key email.dst
    • Targets of EXPN and VRFY are registered with the index key email.dst

Note: Modifying this option requires a service restart to take effect; a simple parser reload is insufficient.

registerAddressHosts

Default value: false

Determines whether or not to register the host portion of email addresses as meta. The key used to register is alias.host, alias.ip, or alias.ipv6 as appropriate.
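The following added example is a simplified Python model of the key mapping described for registerEmailSrcDst and registerAddressHosts; it is not the parser's own code. The function names, the sample SMTP commands, and the handling of bracketed address literals are assumptions made for illustration.

```python
import ipaddress

# Default values as documented on this page (both options false).
DEFAULTS = {"registerEmailSrcDst": False, "registerAddressHosts": False}

def host_meta(host):
    """Choose alias.host, alias.ip or alias.ipv6 for the host part of an address."""
    literal = host.strip("[]")
    if literal.lower().startswith("ipv6:"):  # RFC 5321 literal, e.g. [IPv6:2001:db8::1]
        literal = literal[5:]
    try:
        ip = ipaddress.ip_address(literal)
    except ValueError:
        return ("alias.host", host.lower())
    return ("alias.ipv6" if ip.version == 6 else "alias.ip", str(ip))

def email_meta(role, address, options):
    """role is 'src' (originator) or 'dst' (recipient, or EXPN/VRFY target)."""
    address = address.strip("<>")
    if not address:  # null sender "<>" carries no address
        return []
    key = "email." + role if options["registerEmailSrcDst"] else "email"
    meta = [(key, address)]
    if options["registerAddressHosts"] and "@" in address:
        meta.append(host_meta(address.rsplit("@", 1)[1]))
    return meta

# Constructed client commands, not captured traffic.
SAMPLE = [
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@[192.0.2.25]>",
    "VRFY carol@[IPv6:2001:db8::1]",
]

def session_meta(lines, options=DEFAULTS):
    """Return the (key, value) pairs this model registers for a list of commands."""
    meta = []
    for line in lines:
        verb, _, rest = line.partition(" ")
        verb = verb.upper()
        if verb in ("MAIL", "RCPT"):
            role = "src" if verb == "MAIL" else "dst"
            arg = rest.partition(":")[2].strip().split(" ")[0]
            meta += email_meta(role, arg, options)
        elif verb in ("EXPN", "VRFY"):
            meta += email_meta("dst", rest.strip(), options)
    return meta

if __name__ == "__main__":
    print(session_meta(SAMPLE, {"registerEmailSrcDst": True, "registerAddressHosts": True}))
```

With registerEmailSrcDst set to true the model emits no plain email key, so anything matching on email would have to match email.src and email.dst instead.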

errorCodeOnly

Default value: true

Determines whether to register only error codes or entire error messages.

  • If set to true, only the error code (such as "450", "550", and so on) is registered.
  • If set to false, the entire error message is registered (e.g., "550 unknown user"). In the case of a 421 server greeting, the server name is removed from the error text and is registered as alias.[host|ip|ipv6] instead.