2017-06-18 04:31 PM
I have deployed the traffic flow lua parser to my packet and log decoders as described in the guide Traffic Flow Lua Parser. The traffic_flow_options.lua file has been configured with internal and external network configurations and pushed to all decoders. The direction meta on log data is consistently wrong. Does anyone know why this is happening? Would I be better to remove the parser from my log decoders?
2017-06-19 11:53 AM
Dion,
I have seen this as well. The issue is that the log parser is also writing to the "Direction" metakey. So what you have is the Traffic Flow Parser writing to Direction for "Inbound/Outbound" based on its perspective, which is based on the "Options" file "networks" you have defined. The log device that is also writing to the "Direction" metakey is writing an "Inbound/Outbound" value based on its perspective, which is itself typically, so "Inbound" means inbound to the device and "Outbound" means outbound from the device. So you have two definitions of "Direction", one being defined by "Networks", the other being defined by direction in/out of the "local device".
To resolve this I added the following to my table-map-custom.xml file.
<!-- Added to clean up direction metakey for traffic_flow_lua Parser meta START -->
<mapping envisionName="direction" nwName="direction.local" flags="None"/>
<!-- Added to clean up direction metakey for traffic_flow_lua Parser meta END -->
I also added a new index entry into the index-concentrator-custom.xml file.
<!-- Added to clean up direction metakey for traffic_flow_lua Parser meta START -->
<key description="Local Direction" level="IndexValues" name="direction.local" format="Text" valueMax="10000"/>
<!-- Added to clean up direction metakey for traffic_flow_lua Parser meta END -->
What this does is allow all Log Parsers to write their "Direction" metakey value to the "direction.local" metakey, allowing "Direction" to be exclusively used by the Traffic Flow Lua Parser, thus resolving the "direction clutter".
Leonard
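A small sanity check for the fix above, added here as an example and not part of the original reply or of the NetWitness product: it parses the two custom XML entries and confirms that the log-parser "direction" meta is diverted to a different key, and that every redirect target has a matching index key, since a mapping to an unindexed key produces meta you cannot query. The fragments are the ones from the reply wrapped in assumed root elements so they parse on their own; the check only reads the custom index file, so a target that is already indexed by the default index-concentrator.xml would still be reported.

```python
"""Check that a table-map-custom.xml redirect is backed by an index entry
in index-concentrator-custom.xml. Constructed example: root elements are
assumed; the <mapping> and <key> lines are the ones from the thread."""
import xml.etree.ElementTree as ET

# Constructed fragments: the two entries from the thread, wrapped in root
# elements so they parse stand-alone (the real files have their own roots).
TABLE_MAP_CUSTOM = """<mappings>
<!-- Added to clean up direction metakey for traffic_flow_lua Parser meta START -->
<mapping envisionName="direction" nwName="direction.local" flags="None"/>
<!-- Added to clean up direction metakey for traffic_flow_lua Parser meta END -->
</mappings>"""

INDEX_CONCENTRATOR_CUSTOM = """<language>
<key description="Local Direction" level="IndexValues" name="direction.local" format="Text" valueMax="10000"/>
</language>"""


def custom_mappings(xml_text):
    """Return {envisionName: nwName} for every <mapping> element."""
    root = ET.fromstring(xml_text)
    return {m.get("envisionName"): m.get("nwName") for m in root.iter("mapping")}


def indexed_keys(xml_text):
    """Return {name: level} for every <key> element."""
    root = ET.fromstring(xml_text)
    return {k.get("name"): k.get("level") for k in root.iter("key")}


def unindexed_targets(table_map_xml, index_xml):
    """Redirect targets (nwName) that no <key> in the custom index covers.
    Meta written to such a key is stored but cannot be searched on."""
    targets = set(custom_mappings(table_map_xml).values())
    return sorted(t for t in targets if t not in indexed_keys(index_xml))


def direction_is_split(table_map_xml):
    """True when log-parser 'direction' is diverted away from the bare
    'direction' key, leaving that key to the traffic_flow parser alone."""
    target = custom_mappings(table_map_xml).get("direction")
    return target is not None and target != "direction"


if __name__ == "__main__":
    print("direction split:", direction_is_split(TABLE_MAP_CUSTOM))
    print("unindexed targets:", unindexed_targets(TABLE_MAP_CUSTOM, INDEX_CONCENTRATOR_CUSTOM))
```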
2017-06-19 02:35 PM
We had a similar issue, but with packet decoders and mislabeling lateral traffic as outbound. Opened up a support ticket a few months ago, but they weren't able to replicate the issue. We ended up just using an app rule for direction and haven't heard anything back about a possible bug.
2017-06-19 06:32 PM
Thanks Leonard. After some initial testing, your suggestion of adding an entry to the table-map-custom.xml seems to have cleared up the issue and the Traffic Direction is much more accurate. We are getting the firewall to write to the direction.local meta instead of stomping on the value that the traffic flow lua parser is using.
/Dion
2017-06-20 11:13 AM
You are welcome. Glad to hear it resolved your issue.