This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Significance of Service type = OTHER?

Go to solution
LucasOlsen
Beginner
Beginner

‎2019-07-30 04:15 PM

Hello,

In my company's SIEM, there is a significant amount of traffic with service type = OTHER. 

 

What is the significance of all this traffic? Is there a way to correctly link device ips to the correct service type? I tried following this documentation (https://community.rsa.com/docs/DOC-77908 ), but it doesn't seem to work properly.

 

Any advice or help is greatly appreciated!

 

Thank you.

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
NaushadKasu1
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2019-07-30 04:22 PM

Lucas,

 

The link you shared is specifically for Log Decoder -> Parser mapping and would not be applicable to Packet (Network) Decoder.

 

The Service Type = OTHER falls into 2 categories:

 

1. Datasets for which RSA has deemed uninteresting traffic (for the most part, forensically) and does not parse it.

2. Datasets for which is custom or unique to your environment that we have no parser support for it.

 

In either case, the process would be to take sample PCAPs of that traffic, analyze it and write a parser if required. For example, we (RSA) do not have an official Spotify parser for example but several community members have written them and can be used on an as-is basis. You can also write custom parsers -- see link below.

 

https://community.rsa.com/docs/DOC-41370

View solution in original post

3 REPLIES 3

Go to solution
NaushadKasu1
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2019-07-30 04:22 PM

Lucas,

 

The link you shared is specifically for Log Decoder -> Parser mapping and would not be applicable to Packet (Network) Decoder.

 

The Service Type = OTHER falls into 2 categories:

 

1. Datasets for which RSA has deemed uninteresting traffic (for the most part, forensically) and does not parse it.

2. Datasets for which is custom or unique to your environment that we have no parser support for it.

 

In either case, the process would be to take sample PCAPs of that traffic, analyze it and write a parser if required. For example, we (RSA) do not have an official Spotify parser for example but several community members have written them and can be used on an as-is basis. You can also write custom parsers -- see link below.

 

https://community.rsa.com/docs/DOC-41370

Go to solution
LucasOlsen
Beginner
Beginner
In response to NaushadKasu1

‎2019-07-30 04:27 PM

Hi Naushad,

 

Thank you for the quick response. I'll read through the documentation you provided.

 

Cheers!

0 Likes

Go to solution
JohnKisner
Valued Contributor Valued Contributor
Valued Contributor

‎2019-07-30 05:09 PM

Lucas,

 

As an addition to what Naushad has said. There is another time you can see the Service = Other thought it fits in with one of Naushad's examples. This is usually when a session is larger than can fit into the decoder's assembler buffer, either by time or size. As an example, lets say you were downloading a 1GB file from the internet. The decoder would pickup the download request and the file would start to download to the end user. The decoder won't be able to contain the entire 1GB file in the assembler/parser memory. So the decoder, in an effort to be as efficient as possible, will only hold about 30MB or 30 seconds of this session at a time, whichever happens first. It will then run the parsers over it and it will see that it was a  HTTP file download. It will generate all the meta and interesting stuff and write it to disk. However the file itself is still downloading. So the decoder creates a new synthetic (split) session for the remainder of the download. In this case several split sessions due to the file size. As the initial headers were in the first part of the session there is nothing at the beginning of this new split session that identifies what it is. No HTTP headers or anything of that nature, only the basic source/destination IP address and ports generally. The decoder denotes these split sessions as Service = Other since it doesn't have the beginning tags that the first part of the full download session had and the decoder can't identify what the session is. Later versions of Netwitness are able to show on the first session all the the split session meta so you can see when this artificial split happens and you have all your data in one place. 

 

As you can see this falls under what Naushad called "uninteresting traffic" for the decoder as there isn't any header information for it to parse.

 

I hope this helps.

© 2022 RSA Security LLC or its affiliates. All rights reserved.