RSA NetWitness^® Platform Discussions

RSAAdmin · ‎2015-04-28

Hi,

I am working on an Informer Report and the for the query, I am trying to filter based on IP Range in Informer.

I wanted to confirm if CIDR based filtering is possible?

Query:

ip.src!='$WEBTIER' (in WHERE query)

or

filter_out('$WEBTIER', 'ip.src'); (in THEN Field)

I know != is expensive and hence i prefer the second option to filter_out() however none of them are working

$WEBTIER is a list of CIDRs

10.x.x.x/23,

11.x.x.x/36,

125.x.x.x

Currently in either of the options above, result is not filtering the IPs that fall in that cidr.

Any help is greatly appreciated.

Thanks,

Uma

DeepanshuSood · ‎2015-04-28

RSAAdmin · ‎2015-04-28

The syntax appears to be valid, however the query will also likely be quite taxing on the system. If this is a one-time needed search, you are at the mercy of the system resources to complete the query - which comprises of a myriad of factors specific to your system architecture and size of your data set. If you intend to run a query like this in the future, a more efficient approach would be to have the Decoder tag those known CIDR nets before the sessions are filed away in the database by leveraging a custom feed. Then you would have significantly quicker responses from your query/report when searching on whatever meta you define that corresponds to that feed.

DeepanshuSood · ‎2015-04-28

RSA NetWitness® Platform Discussions

Filtering CIDR in Netwitness Informer

RSA NetWitness^® Platform Discussions