Do you have the "Traffic_Flow" parser and the "Traffic_Flow_Options" file deployed to your decoders from RSA Live?
Once deployed:
- Go to Administration -> Services -> <Decodername> - View -> config -> Files tab
- Select the "Traffic_flow_options" file from the drop down menu.
- If your internal networks are something other than RFC1918 networks (10/8, 172.16/12, 192.168/16) add them to the file in the same formats as the RFC1918 networks. The name can be changed from "private" to something more descriptive ("DMZ", "Internal", "Partner") and save the file, then push to All your decoders)
- Add the following keys to index-concentrator-custom.xml on your Concentrators and restart your concentrator service(s), broker service(s) and UI (restart jettysrv)
<key description="Network Name" level="IndexValues" name="netname" format="Text" valueMax="10000"/>
<key description="Traffic Flow Direction" level="IndexValues" name="direction" format="Text" valueMax="10000"/>
In the "Network Name"(netname) key, you will see values like "private.src" & "private.dst", whatever names you put on the networks will show up with .src and .dst entries. any networks NOT defined will show up as "external..src" & "external.dst"
In the "Traffic Flow Direction"(direction) key, you will get three entries, "inbound", "outbound" & lateral"
Inbound = Unknown Source Network to Known Destination Network
Outbound = Known Source Network to Unknown Destination Network
Lateral - Known Source Network to Known Destination Network
For partners nets, if you name them "partner", then you could add application rules for those directions:
internal-partner netname='internal.src' && netname='partner.dst' alert=direction
partner-internal netname='partner.src' && netname='internal.dst' alert=direction
The partner nets would show up in the direction key as both "lateral" & 'internal-partner' or 'partner-internal'
Now you can use the direction key for tuning your rules and alerts
Hope this helps
