This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

How to filter or block a specific ip in rsa

Inspirisys
Contributor
Contributor

‎2022-07-26 07:11 AM

Hi 

 

we are facing excessive logs from one specific internal ip. we need to block or filter the ip in our rsa tool. Can anyone help 

0 Likes
3 REPLIES 3

NickDaino
New Contributor New Contributor
New Contributor

‎2022-07-28 04:11 PM

https://community.netwitness.com/t5/netwitness-knowledge-base/system-level-bpf-packet-filtering-best-practices-and-examples/ta-p/9515

Be very careful if you implement a packet filter that you don't accidentally block other legitimate traffic.

0 Likes

YK
Occasional Contributor
Occasional Contributor

‎2022-08-08 08:13 AM

It required more information, if you want to finetune, or any specific alert is generating the log, then filter that specific app rule.

0 Likes

VincentWareham
Frequent Contributor Frequent Contributor
Frequent Contributor

‎2022-08-17 08:49 PM - edited ‎2022-08-17 08:55 PM

Hello Inspirisys

 

As will be obvious to you the best solution is to configure the device that is sending the excessive logs to stop doing that.  It will reduce the logs getting sent to NetWitness and reduce the unwanted traffic over your network.

 

Alternatively as NickDaino mentioned for Packet Decoder traffic you can configure Berkeley Packet Filter (BPF) rules to ignore traffic from a specific IP(s).

 

Reference: System-level (BPF) packet filtering best practices and examples for RSA NetWitness decoders and (Optional) Configure System-Level (BPF) Packet Filtering

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.