How many characters can NetWitness query filtering handle?
My rule is to check for hits from a list, and the list might contain quite a lot of data.
For example, the rule is: ip.dst = $
List: 220.127.116.11, 18.104.22.168,......, etc.
When I drill into particular hits, the query should be: (ip.dst = 22.214.171.124, 126.96.36.199, ....... +2000 characters).
But it ends up being: (ip.dst = 188.8.131.52, 184.108.40.206, ......., 220.127.116.11
It stops halfway, and there is a syntax error, which in this case is due to the "(".
- Community Thread
- Forum Thread
- Query Issue
- RSA NetWitness
- RSA NetWitness Platform
If you are doing this query in RE, then you need to tag the IPs first using a feed (lists should not exceed about 100 entries). Create a feed from the list to tag the IP addresses in a metakey. I usually create a couple of custom metakeys for my customers, like "customer.info" and "customer.alert" (the "customer" part is usually the company initials, or a security team code like CIRC or SOC), and use the .info key for putting values in from rules tagging data for use in alerts of RE/ESA rules. So in your case, create an ip.dst feed to match the list of IPs and create a value in "customer.info" that relates to the rule, like "watchlist_ip". Then your RE rule would be: customer.info = 'watchlist_ip'
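The feed-based approach from the answer above, as an added example that is not part of the thread: it shows how the expanded inline query grows past the limit the question hit, and produces the custom-feed rows plus the short rule that replaces it. Assumptions not stated in the thread: the feed is a two-column CSV (indexed IP, tag value) whose column mapping is set in the feed definition, and the watch-list addresses are constructed from a documentation range.

```python
"""Watch-list tagging via a NetWitness custom feed instead of an inline IP list.

Assumptions (not from the thread): two-column CSV feed (IP, tag value);
the sample watch list is constructed from the 203.0.113.0/24 documentation range.
"""
import csv
import io
import ipaddress

META_KEY = "customer.info"      # custom metakey suggested in the answer
TAG_VALUE = "watchlist_ip"      # value the feed writes into that key
INLINE_LIST_LIMIT = 100         # rough inline-list ceiling given in the answer


def sample_watchlist(cidr="203.0.113.0/24"):
    """Constructed watch list: every address in a documentation-only range."""
    return [str(ip) for ip in ipaddress.ip_network(cidr)]


def inline_query(ips):
    """The expanded drill-down query from the question; it grows with every IP."""
    return "(ip.dst = " + ", ".join(ips) + ")"


def needs_feed(ips):
    """True when the list is too long to inline safely and should become a feed."""
    return len(ips) > INLINE_LIST_LIMIT


def feed_csv(ips):
    """Rows of the custom feed: one indexed IP per row, tagged with TAG_VALUE.
    A malformed entry raises ValueError instead of being written silently."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for ip in ips:
        ipaddress.ip_address(ip)        # validate before it reaches the feed
        writer.writerow([ip, TAG_VALUE])
    return buf.getvalue()


def feed_rule():
    """The RE rule that replaces the long inline list once the feed tags traffic."""
    return f"{META_KEY} = '{TAG_VALUE}'"


if __name__ == "__main__":
    ips = sample_watchlist()
    print(f"inline query length: {len(inline_query(ips))} chars, needs feed: {needs_feed(ips)}")
    print(feed_csv(ips[:3]), end="")
    print("rule:", feed_rule())
```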