IP Range in Filter based on the Private IP range in basic report creation
You are best to tag your network ranges with an app rule on your logdecoder or decoder and then use this meta in your reports.
You will see an tremendous speed increase from doing this.
Optimization Techniques - RSA Security Analytics Documentation
The best way is to have have a feed file to that will tag your networks.
I include a post made by Davide Veneziano
created by Davide Veneziano on Jan 2, 2014 7:46 AM, last modified by Lisa Bayen on Jul 20, 2015 8:48 AM
Inspired by Jim Hollar's attempt to revamp our application rule structure, I've put together some simple applications rules trying to build a standard naming convention and approach for the way we can "tag" inbound/outbound connections as well as for naming our customers' networks.
Since every time I found myself re-inventing the wheel and creating similar rules from scratch for every single packet PoC, I hope this attempt could be useful also for somebody else.
First of all we need to create the following custom meta keys:
Then the application rules provided will populate the net.src and net.dst meta accordingly with:
and the direction meta with:
The meta net.name.src, net.name.dst, net.env.src and net.env.dst are not instead populated by the application rules but can be optionally populated by a custom feed.
The application rules, the custom decoder and concentrator index files, sample feeds as well as screenshots are provided in attachment.
An event better way is described by William Motley here cidr.lua
There's a parser similar to cidr.lua that should be coming to Live soon for packet decoders to provide both subnet naming and directionality.
Retrieving data ...