I want to truncate the packet generated from Decoder also, receiving at the Concentrator!!?
In order to truncate packets, you need to utilise application rules. These run on the Decoder. For some examples, please see the following link:
Configure Application Rules - RSA Security Analytics Documentation
Thanks for replying. Yes I have already applied an application rule on decoder to truncate payload. but still the managment traffic generated from decoder is not being truncated. I am talking about the system communication packets.
Just to clarify, after creating the application rule to truncate Security Analytics appliance traffic, you can still see the RAW logs within Investigator?
If this is the case, I would look into the ordering of the application rules, they will be processed from top to bottom. This rule order matters as some rules can have a "stop processing" flag set, which means rules below will not be processed if one above had matched.
Also, be aware that "truncate" means the RAW log will be removed but the metadata will still be available at the Concentrator level.
Just to understand more, I would like to tell you that i am capturing Packets and not logs. And I am able to see the internal traffic from decoder i.e. the rabbitmq traffic, the traffic generated from that decoder itself for its internal comminuication, will those be also processed against application rules.
And if we can view raw packet at investigation even after truncate than how we can check that only meta is getting stored.
Yes, all traffic that is captured will be run against application rules. It may be worth setting your Capture Interface in Decoder --> Config to "packet_mmap_all", this means capture everything from all interfaces (em2, em3 and em4) except the management interface (em1).
If you would like to check whether only metadata is stored, click the green number next to the metadata you would expect to have been truncated and then double-click on one of the events, select "Best Reconstruction" and then "View Packets". If you see an error regarding data retrieval, this means the packet data is not stored but the metadata is.
Hi, I can see the packet there. But that traffic is not which Decoder has captured on any interface, it is the traffic produced because of its service requests..May be SNMP, not sure because I don't see destination port as 161.
I would like to tell you my configuration of SNMP, I have made my SA server as 'master agent' in snmp.conf file reffering the Article 000026697-How to enable SNMP in RSA SA.pdf. Will it generate Info packets for SA box?
The Decoder is only capable of capturing live information off of the wire. So this means that any traffic you see in the Investigation view has traversed over one of the interfaces (em1, em2, em3 or em4). Unless you have uploaded a PCAP.
As you have setup SNMP communications, this would traverse over em1, and if you are capturing traffic on em1 then you would see this communication.
If this is traffic you do not want to see at all, it may be worth utilising BPF filters instead to filter out based on IP's of the SA appliances:
Configure System-Level (BPF) Packet Filtering - RSA Security Analytics Documentation
not (host <SA-IP> or host <SA-IP> or host <SA-IP>)
In my application rule, I have used condition as ip.proto='any'.
Could you please suggest if this sintax is correct? and as per my understanding this will check for each and every traffic?
I want to truncate every packet reaching the box and keep the Meta data.
I would use the following syntax for your condition:
The above specifies any packet traffic.
Thanks! I hope this will solve the issue. Will let you know about this!!
It is showing me an old packet, when i am checking for last 5 min data. I am not sure why..Other than this i am not able to see any packet, which is not an issue as i have selected packet_mmap_ALL and there is no traffic on these ports.
Retrieving data ...