This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

IP Range in Security Analytics

RahulSharma2
New Contributor
New Contributor

‎2016-06-02 05:00 AM

IP Range in Filter based on the Private IP range in basic report creation

Regards
Rahul sharma
0 Likes
3 REPLIES 3

DavidWaugh1
Employee
Employee

‎2016-06-02 05:54 AM

You are best to tag your network ranges with an app rule on your logdecoder or decoder and then use this meta in your reports.

 

You will see an tremendous speed increase from doing this.

 

See

Optimization Techniques - RSA Security Analytics Documentation

 

The best way is to have have a feed file to that will tag your networks.

 

I include a post made by Davide Veneziano

 

Tagging networks and inbound/outbound connections

created by Davide Veneziano on Jan 2, 2014 7:46 AM, last modified by Lisa Bayen on Jul 20, 2015 8:48 AM

Inspired by Jim Hollar's attempt to revamp our application rule structure, I've put together some simple applications rules trying to build a standard naming convention and approach for the way we can "tag" inbound/outbound connections as well as for naming our customers' networks.

 

Since every time I found myself re-inventing the wheel and creating similar rules from scratch for every single packet PoC, I hope this attempt could be useful also for somebody else.

 

First of all we need to create the following custom meta keys:

  • Source/Destination Network Class (net.src, net.dst): this is to identify if a session is coming/going to an IP internal or external to our organization (e.g. intranet, extranet)
  • Source/Destination Network Name (net.name.src, net.name.dst): this is for (optionally) "tag" the source/destination network with a specific name (e.g. finance, workstation, etc.)
  • Source/Destination Network Environment (net.env.src, net.env.dst): this is for (optionally) "tag" the source/destination network environment with a specific name (e.g. production, test, development, etc.)
  • Direction (direction): this is for tagging the connection as inbound or outbound

Then the application rules provided will populate the net.src and net.dst meta accordingly with:

  • intranet (if coming/going to a RFC 1918 IP)
  • extranet (if coming/going to a NOT RFC 1918 IP)

and the direction meta with:

  • intranet (intranet to intranet communication)
  • external (extranet to extranet communication)
  • inbound (extranet to intranet communication)
  • outbound (intranet to extranet communication)

 

The meta net.name.src, net.name.dst, net.env.src and net.env.dst are not instead populated by the application rules but can be optionally populated by a custom feed.

 

The application rules, the custom decoder and concentrator index files, sample feeds as well as screenshots are provided in attachment.

direction-meta_v1.0.zip

DavidWaugh1
Employee
Employee

‎2016-06-02 06:10 AM

An event better way is described by William Motley​ here cidr.lua

WilliamMotley1
Frequent Contributor Frequent Contributor
Frequent Contributor
In response to DavidWaugh1

‎2016-06-02 09:28 AM

There's a parser similar to cidr.lua that should be coming to Live soon for packet decoders to provide both subnet naming and directionality.

© 2022 RSA Security LLC or its affiliates. All rights reserved.