This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

question on parsers and rules

huanzhou1
Beginner
Beginner

‎2014-04-09 11:57 AM

Hi Guys,

 

Just to get confirmation, when events or network session parsed by decoder, each event or session ran though all the parsers and rules?

0 Likes
2 REPLIES 2

RSAAdmin
Beginner
Beginner

‎2014-04-09 12:21 PM

Generally, yes, but they don't have to.

 

You can create app/net rules with the "Stop rule processing" option to force no further rule processing for a matching session.  This is often done if you are using app or net rules to filter out and discard traffic - if you want to get rid of it, there may be no reason to run it through all of your other rules.

 

I believe you can disable individual parsers (/decoder/parsers/definitions/<parsername>/enabled  = no) and feeds (/decoder/parsers/feeds/<feedname>/feed.enabled = no), though I haven't actually tried these.

0 Likes

huanzhou1
Beginner
Beginner
In response to RSAAdmin

‎2014-04-09 07:31 PM

Thanks. So far parsers, the event or session has to pass all the enabled parsers?

For rules, it will pass all the rules unless "stop rule processing" enabled. Does it apply to one type of rules? For example, i have network rules and app rules, one of the network rules contains "stop rule procession", will the app rules contine to process?

 

thanks.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.