This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Best way to filter out IPs?

Go to solution
Anonymous
Not applicable

‎2013-12-06 09:10 AM

I am looking to to create dashboards that show our outgoing/incoming network connections.  What is the best way to filter out large cidr blocks?  Is it better to create an app rule to have it run during collection?  Currently I am trying out doing a ip.dst != '10.0.0.0/8' 

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Anonymous
Not applicable

‎2013-12-06 12:05 PM

Do you already have your internal ranges mapped out? As analyst best practice I typically using a feed to map out IP ranges in a CSV, to provide some additional context (unless you have the Archer integration already doing this).

 

10.1.0.0/16 = site1

10.1.1.1 = to_proxy (site 1)

x.x.x.x = from proxy (site 1)

10.2.0.0/16 = site2

10.2.1.1 = to_proxy (site 2)

x.x.x.x = from proxy (site 2)

10.3.0.0/16 = VPN range

10.4.0.0/16 = Guest wireless

 

You could use a application rule to create custom meta although a feed is much more efficient. Once you have this additonal meta you can easily build rules around the new meta.

 

Craig

View solution in original post

2 REPLIES 2

Go to solution
Anonymous
Not applicable

‎2013-12-06 12:05 PM

Do you already have your internal ranges mapped out? As analyst best practice I typically using a feed to map out IP ranges in a CSV, to provide some additional context (unless you have the Archer integration already doing this).

 

10.1.0.0/16 = site1

10.1.1.1 = to_proxy (site 1)

x.x.x.x = from proxy (site 1)

10.2.0.0/16 = site2

10.2.1.1 = to_proxy (site 2)

x.x.x.x = from proxy (site 2)

10.3.0.0/16 = VPN range

10.4.0.0/16 = Guest wireless

 

You could use a application rule to create custom meta although a feed is much more efficient. Once you have this additonal meta you can easily build rules around the new meta.

 

Craig

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2013-12-06 12:50 PM

What meta does it filter on? 

 

What I want the chart to do is all outbound tagged traffic without showing our clients/networks IPs.  So if the log or packet is say 10.1.1.30 to 63.2.45.3.  When I tell it to filter out all my networks (10.0.0.0/8), will it keep that log and show me that 63.2.45.3 is outbound traffic?

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.