2016-05-17 04:38 AM
I want to truncate the packets generated from the Decoder as well, which are received at the Concentrator!!?
2016-05-17 05:41 AM
Hi Pooja,
In order to truncate packets, you need to utilise application rules. These run on the Decoder. For some examples, please see the following link:
Configure Application Rules - RSA Security Analytics Documentation
Cheers,
Lee
2016-05-17 05:46 AM
Thanks for replying. Yes, I have already applied an application rule on the Decoder to truncate the payload, but the management traffic generated from the Decoder is still not being truncated. I am talking about the system communication packets.
2016-05-17 05:58 AM
Just to clarify, after creating the application rule to truncate Security Analytics appliance traffic, you can still see the RAW logs within Investigator?
If this is the case, I would look into the ordering of the application rules, they will be processed from top to bottom. This rule order matters as some rules can have a "stop processing" flag set, which means rules below will not be processed if one above had matched.
Also, be aware that "truncate" means the RAW log will be removed but the metadata will still be available at the Concentrator level.
Cheers,
Lee
2016-05-17 06:07 AM
Just to understand more, I would like to tell you that I am capturing packets and not logs. And I am able to see the internal traffic from the Decoder, i.e. the RabbitMQ traffic, the traffic generated by that Decoder itself for its internal communication. Will those also be processed against application rules?
And if we can view the raw packet in Investigation even after truncate, then how can we check that only meta is getting stored?
2016-05-17 06:19 AM
Yes, all traffic that is captured will be run against application rules. It may be worth setting your Capture Interface in Decoder --> Config to "packet_mmap_all", this means capture everything from all interfaces (em2, em3 and em4) except the management interface (em1).
If you would like to check whether only metadata is stored, click the green number next to the metadata you would expect to have been truncated and then double-click on one of the events, select "Best Reconstruction" and then "View Packets". If you see an error regarding data retrieval, this means the packet data is not stored but the metadata is.
Cheers,
Lee
2016-05-17 08:50 AM
Hi, I can see the packet there. But that traffic is not something the Decoder has captured on any interface; it is the traffic produced because of its service requests. Maybe SNMP, not sure, because I don't see destination port 161.
I would like to tell you my configuration of SNMP. I have made my SA server the 'master agent' in the snmp.conf file, referring to the Article 000026697-How to enable SNMP in RSA SA.pdf. Will it generate info packets for the SA box?
2016-05-17 09:40 AM
The Decoder is only capable of capturing live information off the wire. So this means that any traffic you see in the Investigation view has traversed one of the interfaces (em1, em2, em3 or em4), unless you have uploaded a PCAP.
As you have set up SNMP communications, this would traverse em1, and if you are capturing traffic on em1 then you would see this communication.
If this is traffic you do not want to see at all, it may be worth utilising BPF filters instead to filter it out based on the IPs of the SA appliances:
Configure System-Level (BPF) Packet Filtering - RSA Security Analytics Documentation
not (host <SA-IP> or host <SA-IP> or host <SA-IP>)
Cheers,
Lee
2016-05-18 04:00 AM
Hi Lee,
In my application rule, I have used the condition ip.proto='any'.
Could you please suggest if this syntax is correct? And as per my understanding, this will check each and every packet?
I want to truncate every packet reaching the box and keep the metadata.
2016-05-18 04:24 AM
Hey Pooja,
I would use the following syntax for your condition:
medium=1
The above specifies any packet traffic.
Cheers,
Lee
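A small model of the rule ordering Lee describes above (rules processed top to bottom, with the "stop processing" flag cutting off the rules below) using the medium=1 and ip.proto='any' conditions from this thread. This is an added illustration, not RSA's documentation or software: the Rule and Session fields, the key=value condition semantics (including 'any') and the sample session metadata are simplified assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    condition: str       # single key=value condition, e.g. "medium=1" (syntax from the thread)
    action: str          # "truncate" drops the raw payload; "alert" only tags the session
    stop: bool = False   # the "stop processing" flag: no rule below runs if this one matches

@dataclass
class Session:
    meta: dict                                  # metadata the Decoder parsed for this session
    payload_kept: bool = True                   # True until a truncate rule matches
    fired: list = field(default_factory=list)   # names of rules that matched, in order

def matches(condition: str, meta: dict) -> bool:
    """Evaluate one key=value condition; value 'any' matches if the key exists (assumed semantics)."""
    key, _, value = (part.strip() for part in condition.partition("="))
    value = value.strip("'\"")
    if key not in meta:
        return False
    return value == "any" or str(meta[key]) == value

def apply_rules(rules: list, session: Session) -> Session:
    """Process rules top to bottom and honour the stop flag, as the thread describes."""
    for rule in rules:
        if not matches(rule.condition, session.meta):
            continue
        session.fired.append(rule.name)
        if rule.action == "truncate":
            session.payload_kept = False
        if rule.stop:
            break
    return session

# Constructed sample sessions: one UDP packet session and one TCP packet session.
SAMPLE_SESSIONS = [
    {"medium": 1, "ip.proto": 17, "ip.dst": "192.0.2.10"},
    {"medium": 1, "ip.proto": 6, "ip.dst": "192.0.2.20"},
]

def run(rules: list) -> list:
    """Return (fired rules, payload_kept) per sample session for the given rule order."""
    return [(s.fired, s.payload_kept)
            for s in (apply_rules(rules, Session(dict(m))) for m in SAMPLE_SESSIONS)]

ALERT_UDP = Rule("alert_udp", "ip.proto=17", "alert", stop=True)
TRUNCATE_ALL = Rule("truncate_packets", "medium=1", "truncate")

if __name__ == "__main__":
    print("alert rule first :", run([ALERT_UDP, TRUNCATE_ALL]))   # UDP session keeps its payload
    print("truncate first   :", run([TRUNCATE_ALL, ALERT_UDP]))   # every packet session truncated
```

With the stop-flagged alert rule above the truncate rule, the UDP session never reaches the truncate rule and its raw payload stays on disk; moving the truncate rule to the top is the check to make before concluding that truncation itself is broken.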