How to configure efficient traffic filtering on RSA NetWitness Platform Decoders

Article Number

000001941

Applies To

RSA Product Set: NetWitness Logs and Network
RSA Product/Service Type: Packet Decoder
RSA Version/Condition: 10.6.x and 11.x

Resolution

A common task in the care and maintenance of your RSA NetWitness Decoders is reviewing the types of traffic being collected so that the appropriate network rule and application rule filters can be applied. Filtering unwanted traffic is good for the overall health of the system.

Why filter traffic coming into your decoder(s)?

Network traffic allowed into your network should be covered by some type of governance or policy, e.g. an information classification system. If there are security controls in place that regulate traffic, then a decision may be made to accept the risk associated with certain types of common traffic and NOT monitor this traffic using the RSA NetWitness NextGen system.

One of the factors in this decision will be whether this common traffic comprises a significant portion of the daily collected traffic.

Goals of Filtering

  • Improve visibility into unknown and untrusted traffic
    Once the more common traffic has been filtered, unusual or untrusted traffic becomes more readily visible to your security analysts.
    As an analogy, once you remove the forest, the trees become easier to see.
  • Reduce database overhead
    The decoders are essentially huge databases that have to categorize and store meta and session information on all traffic captured.
    If large volumes of common traffic are filtered, the database does not have to work as hard to maintain this data store.
  • Speed up queries and the index
    If database overhead is reduced, queries for traffic become quicker and the index is more responsive.
  • Dedicate storage to uncommon and interesting traffic
    Your long-term storage of packet and meta information is important for historical purposes during incident response.
    By eliminating traffic that is irrelevant to your forensic investigations, filtering lets you dedicate more storage space to relevant traffic and retain it for longer.
  • Create more meaningful alerts
    The alerts that ship with RSA NetWitness, or come from custom content, become more valuable when you know they are not firing on false positives triggered by a common, trusted site or known accepted traffic.

Notes

Some useful links for other KBs related to traffic filtering:

https://community.rsa.com/docs/DOC-80164

https://community.rsa.com/docs/DOC-80199

https://community.rsa.com/docs/DOC-47636
Version history
Last update: 2022-02-10 12:49 PM
Updated by: nwinfotech (Administrator)