2013-12-09 02:25 AM
Hello
I'm trying to write a decoder rule to generate some new metadata. I'm looking for specific traffic, but I want to filter out some domains. Unfortunately,
the decoder does not have a !contains filter option, so I cannot do something like alias.host !contains microsoft.com. Any ideas on how I can accomplish a similar result?
2013-12-09 01:01 PM
Consider a two-rule approach; the first rule generates some temporary or pivoting meta, and you can use that temporary meta as part of a second query to do what you're actually interested in doing.
Rule 1 matches the domains you want to filter out:
filter_domains = alias.host contains microsoft.com, intranet.local, filter.org
session options:
- Alert into "alert" key (or other key as desired)
- Transient
Rule 2 does whatever you're actually interested in, excluding your filtered domains:
the_real_deal = alert != filter_domains && [ your other filter(s) of interest here ]
My understanding is that the "transient" option on Rule 1 will cause that meta to be available for other app rules but not be stored in the metadb, so you're not clogging up your DB with alert = filter_domains records that you may not really care about.
(Under certain circumstances, Rule 1 may be better served by being set up as a feed instead of an app rule, but it will be left to the reader to determine those conditions - or to start another thread to determine them.)
2013-12-09 06:39 AM
This is a challenge, but as we have GeoIP information this makes things easier, I would use a logic such as:
org.dst != microsoft
Craig
2013-12-10 01:51 AM
Hi, thanks for the reply. Not all sessions contain an org.dst, so I get a lot of false positives.
2013-12-10 01:57 AM
Thanks for the reply. It's something that crossed my mind as well. Can you explain the transient option? I'm unfamiliar with it and can't seem to find it on the rule-building screen in Administrator.
2013-12-10 07:34 PM
There is a post on here about transient meta in the context of NWFL, but I think the principle is still the same in NWFP.
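A small Python model of the two-rule pivot-meta pattern from the 01:01 PM reply and of the org.dst caveat raised at 01:51 AM, added here as an illustration and not NetWitness code: the session dicts, the "service = 80" second filter and the `!=`-passes-when-key-absent behaviour are constructed assumptions.

```python
# Constructed model of decoder app rules. A session is a dict of meta key -> list of values.
FILTER_DOMAINS = ("microsoft.com", "intranet.local", "filter.org")

def rule_filter_domains(session):
    """Rule 1: alias.host contains any of the filtered domains (substring match)."""
    hosts = session.get("alias.host", [])
    return any(domain in host for host in hosts for domain in FILTER_DOMAINS)

def apply_rule1(session):
    """Tag matching sessions with transient meta alert = filter_domains.
    Transient meta is visible to later rules in the pipeline but is not persisted."""
    tagged = dict(session)
    if rule_filter_domains(session):
        tagged["alert"] = session.get("alert", []) + ["filter_domains"]
    return tagged

def rule_the_real_deal(session):
    """Rule 2: alert != filter_domains && <other filter>; other filter assumed to be service = 80."""
    not_filtered = "filter_domains" not in session.get("alert", [])
    return not_filtered and 80 in session.get("service", [])

def rule_org_dst(session):
    """The org.dst != microsoft alternative with the same second filter.
    A session with no org.dst meta passes the != test, which is the false-positive source."""
    return "microsoft" not in session.get("org.dst", []) and 80 in session.get("service", [])

def evaluate(sessions):
    """Return (two-rule hits, org.dst-rule hits, what would be written to the metadb)."""
    pipeline = [apply_rule1(s) for s in sessions]
    two_rule_hits = [s["id"] for s in pipeline if rule_the_real_deal(s)]
    org_rule_hits = [s["id"] for s in pipeline if rule_org_dst(s)]
    persisted = [{k: v for k, v in s.items() if k != "alert"} for s in pipeline]
    return two_rule_hits, org_rule_hits, persisted

# Constructed sample sessions; session 2 has a filtered host but no org.dst meta.
SESSIONS = [
    {"id": 1, "alias.host": ["www.microsoft.com"], "org.dst": ["microsoft"], "service": [80]},
    {"id": 2, "alias.host": ["download.microsoft.com"], "service": [80]},
    {"id": 3, "alias.host": ["www.example.net"], "org.dst": ["example"], "service": [80]},
    {"id": 4, "alias.host": ["www.example.net"], "service": [443]},
]

if __name__ == "__main__":
    two_rule, org_rule, stored = evaluate(SESSIONS)
    print("two-rule hits:", two_rule)      # session 3 only
    print("org.dst rule hits:", org_rule)  # sessions 2 and 3; 2 is the false positive
    print("alert meta persisted:", any("alert" in s for s in stored))
```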