
Question relating to Batch Scripting PCAPS into a Decoder

Question asked by RSA Admin Employee on Nov 18, 2015
Latest reply on Mar 17, 2016 by huan zhou

First, I thank those that posted the hints on how to batch upload, and after a few tweaks to get my version of Windows to behave, they worked perfectly, except!


The way Netwitness is used here is by pcap ingestion, and multiple analyses are carried out on the same Decoder/Concentrator. These individual analyses are identified by the name of the folder containing the pcaps (a 6 digit number). If the ingestion is carried out via the Administrator tool (and the analyst has remembered to tick the box!) then the FQPN of the pcap being ingested is included in the 'sourcefile' metadata field. However, if the batch update mechanisms using curl are used, only the actual file name is included. This could be a potential problem with our form of use, as two or more pcaps can have the same file name (they are auto-generated), but are distinguished by their holding folder's 6 digit name.


Does anybody have any suggestions on how the batch upload, or something like it, can be persuaded to store the FQPN instead of just the file name? The reason for the question is that it is proposed to introduce an automated system that could undertake the ingest on a continuous basis as new pcaps become available, rather than individual analysts fighting to gain control of the Decoder/Concentrator to upload their latest pcaps. (Only one analyst can upload at any time.)


This may have already been addressed, as currently we are only on version 9 and are awaiting the funding to undertake the upgrade to Security Analytics 10. If this is only available on 10 and above then we stay with the current method and moan at the finance providers to be quicker, but if there is a 9 solution then it would allow some pre-development to take place.
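One workaround for the problem described in the question, added here as an illustration and not taken from the post, from RSA, or from any NetWitness tooling: if the batch path only ever records the bare file name in 'sourcefile', stage each pcap under a name that carries its 6-digit analysis folder id before the upload step, and keep a manifest mapping the staged name back to the FQPN. The staged name then uniquely identifies the analysis even when two folders hold identically named auto-generated captures. The script assumes the layout `<root>/<6-digit id>/<name>.pcap`; the actual upload (the existing curl batch command) is left as a hook the reader fills in, since no decoder API endpoint is given on the page.

```python
"""
Stage pcaps so the 6-digit analysis folder id survives a batch upload that
stores only the bare file name in the 'sourcefile' meta key.

Hypothetical helper written for this illustration (not RSA/NetWitness code).
Assumed layout: <root>/<6-digit id>/<auto-generated name>.pcap
"""
import csv
import re
import shutil
import tempfile
from pathlib import Path

# An analysis folder is exactly six decimal digits (assumption from the post).
FOLDER_ID = re.compile(r"^\d{6}$")


def is_analysis_folder(name: str) -> bool:
    """True if 'name' looks like a 6-digit analysis folder id."""
    return bool(FOLDER_ID.match(name))


def staged_name(pcap) -> str:
    """Return '<folderid>_<filename>' so the bare name still encodes the analysis."""
    pcap = Path(pcap)
    folder = pcap.parent.name
    if not is_analysis_folder(folder):
        raise ValueError(f"{pcap}: parent folder {folder!r} is not a 6-digit analysis id")
    return f"{folder}_{pcap.name}"


def find_pcaps(root: Path):
    """Yield pcaps that sit directly under a 6-digit folder; ignore stray files."""
    for p in sorted(Path(root).rglob("*.pcap")):
        if is_analysis_folder(p.parent.name):
            yield p


def stage_pcaps(root, staging) -> dict:
    """Copy each pcap into 'staging' under its staged name.

    Returns {staged_name: original FQPN} and writes the same mapping to
    staging/manifest.csv so an analyst can recover the full path later.
    """
    root, staging = Path(root), Path(staging)
    staging.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for p in find_pcaps(root):
        name = staged_name(p)
        if name in manifest:  # cannot happen on a real filesystem, but fail loudly
            raise RuntimeError(f"staged name collision: {name}")
        shutil.copy2(p, staging / name)
        manifest[name] = str(p.resolve())
    with open(staging / "manifest.csv", "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["sourcefile", "original_path"])
        for staged, original in manifest.items():
            writer.writerow([staged, original])
    return manifest


def upload_command(staged_file: Path) -> list:
    """Placeholder for the reader's existing curl batch invocation (assumption:
    the command takes the staged file as its last argument)."""
    return ["curl", "<existing upload options go here>", str(staged_file)]


def build_sample_tree(base) -> Path:
    """Create a constructed sample: two analyses holding an identically named pcap."""
    base = Path(base)
    for folder in ("100001", "100002"):
        d = base / "pcaps" / folder
        d.mkdir(parents=True, exist_ok=True)
        (d / "capture.pcap").write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)  # fake pcap header
    # A file outside any 6-digit folder must be ignored.
    (base / "pcaps" / "scratch.pcap").write_bytes(b"junk")
    return base / "pcaps"


def demo() -> dict:
    """Run the staging step on the constructed tree; return the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        manifest = stage_pcaps(root, Path(tmp) / "staging")
        for staged in manifest:
            # Replace with a real subprocess call once the curl command is filled in.
            print(" ".join(upload_command(Path(tmp) / "staging" / staged)))
        return manifest


if __name__ == "__main__":
    for staged, original in demo().items():
        print(f"{staged} <- {original}")
```

Because the manifest is written next to the staged files, the 'sourcefile' value seen in the decoder ('100001_capture.pcap') can always be mapped back to the original FQPN, and the prefix alone is enough to tell the two analyses apart.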
