Configure a Rule

You can create a new rule or deploy an existing rule from the Live Services which can be used in a report. You can use different conditions to refine the data or information in the data sources such as:

  • Select clause
  • Where clause
  • Group By
  • Order By and so on

For example, you can write a rule to view the top 20 web addresses that the users visit daily.

You can create different types of rules using different data sources. Based on your requirements, you can select any of the following options to create a rule:

  • Create a Rule Using NetWitness Data Source
  • Create a Rule Using Warehouse Data Source
  • Create a Rule Using Respond Data Source

You can also use a list in a rule to refine a search result from the data source. Once a rule is created you can test a rule to see the results returned by the rule.

Create a Rule Group

To create a rule group or rule sub-group, perform the following:

  1. Go to Reports.

    The Manage tab is displayed.

  2. Do one of the following:

    • To define a rule group:

      1. In the Rule Groups panel, click netwitness_110_run_config_add.png.
        The new rule group is added to the Rule Groups panel.

      2. Enter the name for the rule group and press ENTER.
    • To add a rule sub-group:

      1. In the Rule Groups panel, select the rule group to which you want to add a sub-group.
      2. Click netwitness_110_run_config_add.png.
        The new rule sub-group is added to the rule group.

      3. Enter the name for the rule sub-group and press ENTER.

Create a Rule Using NetWitness Data Source

You can create a rule to fetch data or events from a NetWitness data source. The same procedure is used to define a rule to fetch data or events from an Archiver data source.

The Archiver data source can be added in the Services Config View of the Reporting Engine. For more information, see "(Optional) Add Archiver as a Data Source to Reporting Engine" topic in the Archiver Configuration Guide.

Prerequisites

Make sure that you understand how custom meta keys are created using custom feeds. For more information, see "Create Custom Meta Keys using Custom Feed" topic in the Decoder and Log Decoder Configuration Guide.

To create a rule to fetch data or events from a NetWitness Data Source, perform the following:

  1. Go to Reports.

    The Manage tab is displayed.

  2. In the Rules toolbar, click netwitness_110_run_config_add.png > NetWitness Platform DB.

    The Build Rule view tab is displayed.

    [Figure: Build Rule view]

  3. In the Rule Type field, NetWitness Platform DB is selected by default.
  4. In the Name field, enter a name that is used to identify or label the rule in alerts and reports.
  5. The Summarize field determines the type of summarization or aggregation for the rule. Based on the type of rule to be defined, you must select one of the following:

    • To define a Non-Aggregate rule without any grouping, select: None
    • To define an Aggregate rule with special aggregation like the collection (sessions/events/packets) related aggregates, select one of the following:

      • Event Count
      • Packet Count
      • Session Size
    • To define an Aggregate rule with meta values and custom aggregates like sum(), count(), and so on, select: Custom

      Choosing 'Custom' in the Summarize field enables you to define an aggregate function of your choice in the Select clause. For example: select ip.src, countdistinct(ip.dst), distinct(ip.dst). The supported aggregate functions are:

      • sum(<meta>)
      • count(<meta>)
      • countdistinct(<meta>)
      • min(<meta>)
      • max(<meta>)
      • avg(<meta>)
      • first(<meta>)
      • last(<meta>)
      • len(<meta>)
      • distinct(<meta>)

      For more detailed information about Aggregate and Non-aggregate rules, see the "NWDB Rule Syntax" section in Rule Syntax.

  6. In the Select field, enter a meta or select a meta from the list of available meta types provided in the Meta Library. For more information, see "Meta Panel" in Build Rule View. The meta name to fetch raw logs is raw. raw can only be used in the Select field; it cannot be used in the Where and Then fields. Multiple aggregate functions are supported in the Select field for Custom aggregate rules. For example: Select: ip.src, username, service, distinct(country.src), sum(payload).

  7. In the Alias field, enter the alias name for columns used in the Select clause.
  8. In the Where field, enter a meta or select a meta from the list of available meta types and use the operators to construct the Where clause for the base query criteria.
  9. The Group By field is a read-only field which gets populated with meta that are defined in the Select clause. For a Non-Aggregate function, this field is not visible. A maximum of six meta are supported in the Group By field.

    Note: In earlier versions of NetWitness, only one meta was supported in the Group By clause for Custom aggregate rules. A maximum of six meta are now supported in the Group By clause.

  10. In the Then field, enter the rule actions that manipulate the original result set of a rule in order to make the output in a report more concrete or add additional functionality other than querying data and displaying it, for example, creating a feed from the results. For a complete list of available rule actions, see "NWDB Rule Syntax" in Rule Syntax.

    Note: When a rule is executed for an Archiver data source, it is recommended not to use query intensive rule actions such as lookup_and_add() and show_whats_new().

  11. In the Order By field, perform the following:

    1. In the Column Name column, enter the name of the columns by which you want to sort the results. By default, the value is empty. The value gets populated based on the value selected in the Summarize field.

      • For Summarize 'None', if no Order By is selected, then by default it is ordered by session or collection time.
      • For other Summarize values, the default sorting is based on the first 'group by' meta selected when no 'order by' is defined. For Event Count, Packet Count, and Session Size, the accepted values are Total and Value.
    2. In the Sort by column, select one of the following ways to sort the results:

      • Ascending Order
      • Descending Order
  12. In the Session Threshold field, enter the optimization setting to stop scanning the matching sessions for each possible unique value for the selected meta. The threshold is an integer between 0 (default) and 2147483647.

    Note: This is applicable to only NWDB Aggregate rules. If the default value is specified, all the matching sessions are scanned and the accurate value is returned. A higher session threshold allows accurate counts for a value; however, it causes longer rule execution time. For example, consider you set the Session Threshold to 1000 for ip.src. If there are 5000 matching sessions, then for a particular ip.src value that is present in more than 1000 sessions, NWDB stops the scan after 1000 sessions and returns the extrapolated aggregate value. This optimizes the query execution time. If the value is present in fewer than 1000 sessions, the actual value is returned.

  13. In the Limit field, enter the limit to be put on the query while fetching data from the database. If a result set is sorted by event count, packet count, or session size, the limit represents the top (or bottom) N values to be returned. If the result set is not sorted, the first N values are returned.
  14. Click Save.

    Note: Unlike parsed meta, raw logs are fetched from decoders. When both raw log and parsed meta are queried in a single rule, due to different retention periods, parsed meta might be available and raw logs missing in the same session. So the result will have parsed meta values and empty raw value for those sessions. For example, for the rule Select ip.src, ip.dst, service, username, raw, the parsed meta might be populated and the raw meta remains empty for a few sessions.
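
The following Python model, added here as an illustration and not NetWitness or Reporting Engine code, makes the Select, Group By, Order By, Limit and Custom aggregate semantics of the procedure above concrete by evaluating a rule over a handful of constructed sessions. The session records, the `run_rule`/`parse_select` names and the modelling of the Where clause as a Python predicate are assumptions; the behaviour it encodes is only what the steps state: plain metas in the Select clause become the (at most six) Group By keys, the aggregate functions listed under 'Custom' apply per group, and Limit returns the top (or bottom) N rows when sorted and the first N when not.

```python
import re

# Constructed sessions standing in for NWDB query results (not real NetWitness data).
SESSIONS = [
    {"ip.src": "10.0.0.5", "ip.dst": "203.0.113.7",  "service": 80,  "payload": 1200},
    {"ip.src": "10.0.0.5", "ip.dst": "203.0.113.9",  "service": 443, "payload": 800},
    {"ip.src": "10.0.0.5", "ip.dst": "203.0.113.7",  "service": 80,  "payload": 400},
    {"ip.src": "10.0.0.8", "ip.dst": "198.51.100.2", "service": 22,  "payload": 5000},
    {"ip.src": "10.0.0.9", "ip.dst": "198.51.100.2", "service": 22,  "payload": 100},
    {"ip.src": "10.0.0.9", "ip.dst": "198.51.100.3", "service": 53,  "payload": 60},
]

# Aggregate functions accepted when Summarize is 'Custom'. len() is listed on the page
# but its semantics are not described there, so it is deliberately left out.
AGGREGATES = {
    "sum": sum,
    "count": len,
    "countdistinct": lambda vals: len(set(vals)),
    "min": min,
    "max": max,
    "avg": lambda vals: sum(vals) / len(vals),
    "first": lambda vals: vals[0],
    "last": lambda vals: vals[-1],
    "distinct": lambda vals: sorted(set(vals)),
}

_AGG_RE = re.compile(r"^(\w+)\((.+)\)$")


def parse_select(select_clause):
    """Split a Select clause into its plain metas (these become the Group By keys)
    and its aggregate terms as (function, meta) pairs."""
    group_by, aggs = [], []
    for term in (t.strip() for t in select_clause.split(",")):
        m = _AGG_RE.match(term)
        if m:
            func, meta = m.group(1), m.group(2).strip()
            if func not in AGGREGATES:
                raise ValueError(f"unsupported aggregate function: {func}")
            aggs.append((func, meta))
        elif term:
            group_by.append(term)
    if len(group_by) > 6:
        raise ValueError("Group By supports a maximum of six meta")
    return group_by, aggs


def run_rule(sessions, select, where=None, order_by=None, descending=True, limit=None):
    """Evaluate a rule over the sessions. `where` is modelled as a Python predicate,
    a simplification of the real Where clause syntax (assumption)."""
    group_by, aggs = parse_select(select)
    rows = [s for s in sessions if where is None or where(s)]
    if not aggs:
        # Summarize 'None': no grouping, one output row per matching session.
        result = [{m: s.get(m) for m in group_by} for s in rows]
    else:
        buckets = {}  # dict keeps first-seen order, so an unsorted Limit is "first N"
        for s in rows:
            buckets.setdefault(tuple(s.get(m) for m in group_by), []).append(s)
        result = []
        for key, group in buckets.items():
            row = dict(zip(group_by, key))
            for func, meta in aggs:
                vals = [s[meta] for s in group if meta in s]
                row[f"{func}({meta})"] = AGGREGATES[func](vals) if vals else None
            result.append(row)
    if order_by:
        result.sort(key=lambda r: r[order_by], reverse=descending)
    if limit is not None:
        result = result[:limit]  # sorted: top/bottom N; unsorted: first N
    return result


if __name__ == "__main__":
    for row in run_rule(SESSIONS, "ip.src, countdistinct(ip.dst), sum(payload)",
                        order_by="sum(payload)", limit=2):
        print(row)
```

Running the module prints the two heaviest sources by total payload, which is the shape of the "top N" report the Limit step describes; swapping `descending=False` gives the bottom N, and omitting `order_by` returns groups in first-seen order.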

Create a Rule Using Warehouse Data Source

You can create a rule to fetch data or events from a Warehouse event source. You can define the rules in two modes:

  • Default Mode
  • Expert Mode

Default Mode

In Default Mode, you can create rules containing simple SQL-like HIVE queries that contain clauses like Select, Where, Group By, and Having. By default, you can create rules to query sessions or raw logs. For more information on simple query syntax and examples, see Warehouse DB Simple Rules Syntax.

The following figure is an example of the Build Rule view that displays when you select Warehouse DB for Rule Type without the Expert Mode selected.

[Figure: Build Rule view, Warehouse DB in Default Mode]


Querying Raw Logs

The raw log format is used in the select or where clause to query for raw logs.

Note: The time range that you can specify in your query is a day (24 hours). If you have specified a time range less than a day in your query, the result set contains data of at least a day (24 hours).

The following figure is an example of the Build Rule view that displays when you select Warehouse DB for Rule Type and create a rule for querying raw logs.

[Figure: Build Rule view, Warehouse DB rule querying raw logs]

Expert Mode

Advanced rules are defined using complex HIVE queries built from clauses such as DROP, CREATE, and so on. Unlike simple rules, the results are always inserted into a table. For more information on the advanced HIVE query language, see the HIVE language manual.

The following figure is an example of the Build Rule view that is displayed when you select Warehouse DB for Rule Type with Expert Mode selected.

[Figure: Build Rule view, Warehouse DB in Expert Mode]

If you want to generate a report for a specific time range, you need to manually define the time range in the query using the following two variables:

  • ${report_starttime} - The starting time of the range in seconds.
  • ${report_endtime} - The ending time of the range in seconds.

For example, SELECT col1, col2 FROM custom_table WHERE timecol >= ${report_starttime} AND timecol <= ${report_endtime};

Note: By default, Reporting Engine treats ${keyword} as a variable. If you want to specify HIVE variables, you must mention the complete syntax of a variable. For example, ${hiveconf:hive.exec.scratchdir}.
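
The following Python snippet is an added illustration of the two variables and the ${keyword} note above; it is not Reporting Engine code and does not claim to reproduce its substitution logic. It takes the Expert Mode example query from this page, computes ${report_starttime} and ${report_endtime} as epoch seconds from a timezone-aware range, substitutes only plain ${name} variables, and leaves a full Hive reference such as ${hiveconf:hive.exec.scratchdir} untouched for Hive. The function names, the regular expression and the rule that an unknown variable is an error are assumptions.

```python
import re
from datetime import datetime, timezone

# Only ${name} with a plain identifier is treated as a Reporting Engine variable.
# A full Hive reference such as ${hiveconf:hive.exec.scratchdir} contains ':' and is
# therefore left as-is for Hive itself (assumption: this models the note above, not
# the Reporting Engine's actual substitution code).
_RE_VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# The Expert Mode example query from this page.
QUERY = ("SELECT col1, col2 FROM custom_table "
         "WHERE timecol >= ${report_starttime} AND timecol <= ${report_endtime}")


def utc(year, month, day, hour=0, minute=0):
    """Convenience constructor for a timezone-aware UTC datetime."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def report_range_seconds(start, end):
    """Epoch seconds for ${report_starttime} and ${report_endtime}.
    Timezone-aware datetimes are required so the range does not silently depend on
    the machine's local zone (the UI shows times in the user's time zone profile)."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("start and end must be timezone-aware")
    if end < start:
        raise ValueError("end precedes start")
    return int(start.timestamp()), int(end.timestamp())


def expand_query(template, variables):
    """Substitute Reporting Engine variables. An unknown ${name} is an error rather
    than being passed through, so a misspelled variable cannot reach Hive unnoticed."""
    def replace(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"no value for ${{{name}}}")
        return str(variables[name])
    return _RE_VAR.sub(replace, template)


def render_for_range(template, start, end):
    """Fill in the report time range for one Expert Mode query."""
    s, e = report_range_seconds(start, end)
    return expand_query(template, {"report_starttime": s, "report_endtime": e})


if __name__ == "__main__":
    print(render_for_range(QUERY, utc(2024, 1, 1), utc(2024, 1, 2)))
```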

Prerequisites

Make sure that you understand how custom meta keys are created using custom feeds. For more information, see "Create Custom Meta Keys using Custom Feed" topic in the Host and Services Configuration Guide.

To create a rule to fetch data or events from a Warehouse data source, perform the following:

  1. Go to Reports.

    The Manage tab is displayed.

  2. In the Rules toolbar, click netwitness_110_add_button.png > Warehouse DB.

    The Build Rule view is displayed.

  3. In the Rule Type field, Warehouse DB is selected by default.

    If you are defining the rule in Default mode, perform the following:

    1. In the Name field, enter a name that is used to identify or label the rule in alerts and reports.
    2. In the Select field, enter a meta, or select a meta from the drop-down or from the list of available meta types provided in the Meta Panel. For more information, see "Meta Panel" in Build Rule View.
    3. In the From drop-down menu, select one of the following:

      • Session
      • Logs
    4. In the Alias field, enter the alias name for columns used in the Select clause.
    5. In the Where field, enter a meta or select a meta from the list of available meta types provided in the Meta Panel. The Where clause provides the base query criteria for the rule.
    6. In the Group By field, enter the meta selected in the Select clause, so that the result set is grouped based on the meta.
    7. In the Having field, enter the criteria to filter the result set for aggregated queries.
    8. In the Order By field, perform the following:

      1. In the Column Name column, enter the name of the columns by which you want to sort the results.
      2. In the Sort by column, select one of the following ways to sort the results:

        • Ascending Order
        • Descending Order
    9. In the Limit field, enter the limit to be put on the query while fetching data from the database. If a result set is sorted by session count, packet count, or session size, the limit represents the top (or bottom) N values to be returned. If the result set is not sorted, the first N values are returned.
    10. Click Save.
  4. If you are defining the rule in Expert mode, select the Expert Mode checkbox and perform the following:

    1. In the Name field, enter a name that is used to identify or label the rule in alerts and reports.
    2. In the Query field, enter the Hive query statement to query the data source.
    3. In the Alias field, enter the alias name for columns used in the Select clause.
    4. Click Save.

Create a Rule Using Respond Data Source

You can create a rule to fetch incidents or alerts from a Respond data source.

Prerequisites

Make sure that:

  • The Reporting Engine service is up and running.
  • The Incident Management service is up and running. For more information, see "Configure a Database for the Respond Server Service" topic in the NetWitness Respond Configuration Guide.
  • (Optional) The Event Stream Analysis service is up and running. For more information, see "Step 2. Configure Advanced Settings for an ESA Service" topic in the ESA Configuration Guide.
  • (Optional) The Malware Analysis service is up and running. For more information, see "(Optional) Configure Auditing on Malware Analysis Host" topic in the Malware Configuration Guide.

Note: You need to configure any one of the services (Event Stream Analysis, Reporting Engine, Malware Analysis, or Endpoint) based on your requirement and the type of alerts or incidents you want to generate.

To create a rule to fetch data or events from a Respond Data Source, perform the following:

  1. Go to Reports.

    The Manage tab is displayed.

  2. In the Rules toolbar, click netwitness_110_add_button.png > Respond DB.

    The Build Rule view tab is displayed.

  3. In the Rule Type field, Respond is selected by default.
  4. In the Name field, enter a name that is used to identify or label the rule in alerts and incident reports.
  5. The Summarize field determines the type of summarization or aggregation for the rule. Based on the type of rule to be defined, you must select one of the following:
    • To define a Non-Aggregate rule without any grouping, select None.
    • To define an Aggregate rule with meta values and custom aggregates, select Custom.

      Choosing 'Custom' in the Summarize field enables you to define an aggregate function of your choice in the Select clause, based on the report type you have selected.

      For more detailed information about Aggregate and Non-aggregate rules, see Rule Syntax.

  6. In the From field, based on the type of report output to be displayed, you must select one of the following:
    • Alert
    • Incident
    • incidentStats
    • incidentUserStats
  7. In the Select field, enter a meta or select a meta from the list of available meta types provided in the Meta Library. For more information, see "Meta Panel" in Build Rule View. It cannot be used in the Where field. Only one aggregate function is supported at a time in a query.

    For example, the supported metas for alert are:

    • alert_host_summary
    • alert.name
    • alert.numEvents
    • alert.severity
    • alert.source
    • alert.timestamp
    • incidentCreated
    • incidentId
    • receivedTime

    For example, the supported metas for incident are:

    • categories
    • created
    • priority
    • riskScore
    • sealed
    • status
    • assignee.id
    • tta (for more information on this meta, see View Basic Summary Information about the Incident topic in the Respond User Guide.)
    • ttd (for more information on this meta, see View Basic Summary Information about the Incident topic in the Respond User Guide.)
    • ttr (for more information on this meta, see View Basic Summary Information about the Incident topic in the Respond User Guide.)

      Note: When an incident is assigned, the tta and assignee.id metas are populated. Similarly, when the assigned task is completed and the incident is closed, the ttd and ttr metas are populated. Refer to the following figure.

      [Figure: tta, ttd, and ttr incident metas]

    For example, the supported metas for incidentStats are:

    • created

    • mtta.time - This meta displays the average time taken to acknowledge the incidents in a single day.

    • mtta.count - This meta displays the number of incidents acknowledged in a single day.

    • mttd.time - This meta displays the average time taken to detect the incidents in a single day.

    • mttd.count - This meta displays the number of incidents detected in a single day.

    • mttr.time - This meta displays the average time taken to resolve the incidents in a single day.

    • mttr.count - This meta displays the number of incidents resolved in a single day.

      [Figure: incidentStats metas]

    For example, the supported metas for incidentUserStats are:

    • userName - This meta displays the assignee's or the user's ID for the associated user stats.

    • totalClosedCount - This meta displays the total number of incidents closed by the assignee to date.

    • meanTimeToDetect - This meta displays the average time taken by the user to detect the incidents in the time range selected.

    • mttdCount - This meta displays the count of incidents contributing to the MTTD value computed.

    • incidentIds - This meta displays the list of incident IDs closed by the user during the time range selected.

      [Figure: incidentUserStats metas]

    For more detailed information, see "Aggregate and Non-aggregate rule" topic in the Rule Syntax.

  8. In the Alias field, enter the alias name for columns used in the Select clause.
  9. In the Where field, enter a meta or select a meta from the list of available meta types and use the operators to construct the Where clause for the base query criteria.
  10. The Group By field is a read-only field which gets populated with meta that are defined in the Select clause. For a Non-Aggregate function, this field is not visible. A maximum of six meta are supported in the Group By field.

  11. In the Order By field, perform the following:

    1. In the Column Name column, enter the name of the columns by which you want to sort the results.

      Note: By default, the first meta in the Select clause is displayed.

    2. In the Sort by column, select one of the following ways to sort the results:

      • Ascending Order
      • Descending Order
  12. In the Limit field, enter the limit to be put on the query while fetching data from the database. If the result set is sorted, the limit represents the top (or bottom) N values to be returned. If the result set is not sorted, the first N values are returned.
  13. Click Save.

Deploy a Rule

In NetWitness you can deploy the selected rules on the service (for example, Reporting Engine), using the Deployment Wizard.

Prerequisites

Make sure that:

  • The services on which you deploy a rule are up and running.
  • The Live Services is configured.

To deploy a rule, perform the following:

  1. Go to netwitness_configureicon_24x21.png (Configure) > LIVE CONTENT.
  2. In the Search Criteria panel, search Live resources (for example, search for the Application Rule resource Type).
  3. In the Matching Resources panel, select Show Results > Grid.

  4. Select the checkbox to the left of the rules that you want to deploy.

  5. In the Matching Resources toolbar, click netwitness_deploybtn.png.

  6. Click Next.
  7. Select the service on which you want to deploy a rule (for example, Reporting Engine) and click Next.
  8. Click Deploy.
    The rule is deployed successfully.

Use Meta Aliases for Reporting

When you refer to meta data in Reports and Charts, you can only view aliases for the meta names. These aliases make them more understandable to a broader audience.

You cannot provide alias values for any meta in the WHERE clause because NetWitness uses the WHERE clause to fetch data from the data source (for example, in the Concentrator) and data sources do not support aliases. In other words, you cannot provide the alias value HTTP for the HTTP port # 80.

Note:
  • You cannot create aliases for meta other than the ones that already have aliases defined by the Reporting Engine. Also, the format of the aliases cannot be changed.
  • Aliases are not supported for Alerts and CSV reports.

To use alias in a rule, perform the following:

  1. Go to Reports.
    The Manage tab is displayed.
  2. In the Rules panel, do one of the following:
    • Select a rule and click netwitness_110_edit_button.png in the Rules toolbar.
    • Click netwitness_110_star_a.png > Edit.
  3. Specify the meta key with aliases in the Select field.

    The following example specifies the eth.type, ip.proto, medium, service, tcp.dstport, and tcp.srcport meta in the Select field.

    [Figure: meta with aliases specified in the Select field]

  4. Click Test Rule.
    The following example displays the results under the eth.type, ip.proto, medium, service, tcp.dstport, and tcp.srcport alias columns that were specified in the Select field of the rule.

    [Figure: test results showing the alias columns]

Alias Definitions

The alias files in this section are examples only and are based on the current alias definitions in the Reporting Engine. NetWitness does not update these definitions in the Reporting Engine when the Concentrator XML file changes; any changes in the Concentrator XML file are not reflected in the Reporting Engine.

The alias definitions for each meta are listed below.

eth.type

ALIAS_FORMAT=$alias
0=802.3
257=Experimental
512=Xerox PUP
513=Xerox PUP
1024=Nixdorf
1536=Xerox NS IDP
1537=XNS Address Translation (3Mb only)
2048=IP
2049=X.75 Internet
2050=NBS Internet
2051=ECMA Internet
2052=CHAOSnet
2053=X.25 Level 3
2054=ARP
2055=XNS Compatibility
2076=Symbolics Private
2184=Xyplex
2304=Ungermann-Bass network debugger
2560=Xerox IEEE802.3 PUP
2561=Xerox IEEE802.3 PUP Address Translation
2989=Banyan Systems
2991=Banyon VINES Echo
4096=Berkeley Trailer negotiation
4097=Berkeley Trailer encapsulation for IP
4660=DCA - Multicast
5632=VALID system protocol
6537=Artificial Horizons
6549=Datapoint Corporation (RCL lan protocol)
15360=3Com NBP virtual circuit datagram (like XNS SPP) not registered
15361=3Com NBP System control datagram not registered
15362=3Com NBP Connect request (virtual cct) not registered
15363=3Com NBP Connect repsonse not registered
15364=3Com NBP Connect complete not registered
15365=3Com NBP Close request (virtual cct) not registered
15366=3Com NBP Close response not registered
15367=3Com NBP Datagram (like XNS IDP) not registered
15368=3Com NBP Datagram broadcast not registered
15369=3Com NBP Claim NetBIOS name not registered
15370=3Com NBP Delete Netbios name not registered
15371=3Com NBP Remote adaptor status request not registered
15372=3Com NBP Remote adaptor response not registered
15373=3Com NBP Reset not registered
16972=Information Modes Little Big LAN diagnostic
17185=THD - Diddle
19522=Information Modes Little Big LAN
21000=BBN Simnet Private
24576=DEC unassigned
24577=DEC Maintenance Operation Protocol (MOP) Dump/Load Assistance
24578=DEC Maintenance Operation Protocol (MOP) Remote Console
24579=DECNET Phase IV
24580=DEC Local Area Transport (LAT)
24581=DEC diagnostic protocol (at interface initialization?)
24582=DEC customer protocol
24583=DEC Local Area VAX Cluster (LAVC)
24584=DEC AMBER
24585=DEC MUMPS
24592=3Com Corporation
28672=Ungermann-Bass download
28673=Ungermann-Bass NIUs
28674=Ungermann-Bass diagnostic/loopback
28675=Ungermann-Bass ??? (NMC to/from UB Bridge)
28677=Ungermann-Bass Bridge Spanning Tree
28679=OS/9 Microware
28681=OS/9 Net?
28704=LRT (England) (now Sintrom)
28720=Racal-Interlan
28721=Prime NTS (Network Terminal Service)
28724=Cabletron
32771=Cronus VLN
32772=Cronus Direct
32773=HP Probe protocol
32774=Nestar
32776=AT&T/Stanford Univ.
32784=Excelan
32787=Silicon Graphics diagnostic
32788=Silicon Graphics network games
32789=Silicon Graphics reserved
32790=Silicon Graphics XNS NameServer
32793=Apollo DOMAIN
32814=Tymshare
32815=Tigan
32821=Reverse Address Resolution Protocol (RARP)
32822=Aeonic Systems
32823=IPX (Novell Netware?)
32824=DEC LanBridge Management
32825=DEC DSM/DDP
32826=DEC Argonaut Console
32827=DEC VAXELN
32828=DEC DNS Naming Service
32829=DEC Ethernet CSMA/CD Encryption Protocol
32830=DEC Distributed Time Service
32831=DEC LAN Traffic Monitor Protocol
32832=DEC PATHWORKS DECnet NETBIOS Emulation
32833=DEC Local Area System Transport
32834=DEC unassigned
32836=Planning Research Corp.
32838=AT&T
32839=AT&T
32840=DEC Availability Manager for Distributed Systems DECamds
32841=ExperData
32859=VMTP
32860=Stanford V Kernel
32861=Evans & Sutherland
32864=Little Machines
32866=Counterpoint Computers
32869=University of Mass. at Amherst
32870=University of Mass. at Amherst
32871=Veeco Integrated Automation
32872=General Dynamics
32873=AT&T
32874=Autophon
32876=ComDesign
32877=Compugraphic Corporation
32878=Landmark Graphics Corporation
32890=Matra
32891=Dansk Data Elektronik
32892=Merit Internodal
32893=Vitalink Communications
32896=Vitalink TransLAN III Management
32897=Counterpoint Computers
32904=Xyplex
32923=EtherTalk - AppleTalk over Ethernet
32924=Datability
32927=Spider Systems Ltd.
32931=Nixdorf Computers
32932=Siemens Gammasonics Inc.
32960=DCA Data Exchange Cluster
32966=Pacer Software
32967=Applitek Corporation
32968=Intergraph Corporation
32973=Harris Corporation
32975=Taylor Instrument
32979=Rosemount Corporation
32981=IBM SNA Services over Ethernet
32989=Varian Associates
32990=TRFS (Integrated Solutions Transparent Remote File System)
32992=Allen-Bradley
32996=Datability
33010=Retix
33011=AppleTalk Address Resolution Protocol (AARP)
33012=Kinetics
33015=Apollo Computer
33023=Wellfleet Communications
33026=Wellfleet BOFL
33027=Wellfleet Communications
33031=Symbolics Private
33067=Talaris
33072=Waterloo Microsystems Inc.
33073=VG Laboratory Systems
33079=IPX
33080=Novell Inc
33081=KTI
33087=M/MUMPS data sharing
33093=Vrije Universiteit (NL)
33094=Vrije Universiteit (NL)
33095=Vrije Universiteit (NL)
33100=SNMP
33103=Technically Elite Concepts
33169=PowerLAN
33149=XTP
33238=Artisoft Lantastic
33239=Artisoft Lantastic
33283=QNX Software Systems Ltd.
33680=Accton Technologies (unregistered)
34091=Talaris multicast
34178=Kalpana
34525=IPv6
34617=Control Technology Inc.
34618=Control Technology Inc.
34619=Control Technology Inc.
34620=Control Technology Inc.
34848=Hitachi Cable (Optoelectronic Systems Laboratory)
34902=Axis Communications AB
34952=HP LanProbe test?
36864=Loopback (Configuration Test Protocol)
36865=3Com XNS Systems Management
36866=3Com TCP/IP Systems Management
36867=3Com loopback detection
43690=DECNET
64245=Sonix Arpeggio
65280=BBN VITAL-LanBridge cache wakeups
34915=PPPoe
34916=PPPoe
2056=Frame Relay ARP
16962=IEEE bridge spanning protocol
25944=Bridged Ethernet/802.3 packet
65278=ISO CLNP/ISO ES-IS DSAP/SSAP

ip.proto

ALIAS_FORMAT=$alias
0=HOPOPT
1=ICMP
2=IGMP
3=GGP
4=IP
5=ST
6=TCP
7=CBT
8=EGP
9=IGP
10=BBN-RCC-M
11=NVP-II
12=PUP
13=ARGUS
14=EMCON
15=XNET
16=CHAOS
17=UDP
18=MUX
19=DCN-MEAS
20=HMP
21=PRM
22=XNS-IDP
23=TRUNK-1
24=TRUNK-2
25=LEAF-1
26=LEAF-2
27=RDP
28=IRTP
29=ISO-TP4
30=NETBLT
31=MFE-NSP
32=MERIT-INP
33=SEP
34=3PC
35=IDPR
36=XTP
37=DDP
38=IDPR-CMTP
39=TP++
40=IL
41=IPv6
42=SDRP
43=IPv6-Rout
44=IPv6-Frag
45=IDRP
46=RSVP
47=GRE
48=MHRP
49=BNA
50=ESP
51=AH
52=I-NLSP
53=SWIPE
54=NARP
55=MOBILE
56=TLSP
57=SKIP
58=IPv6-ICMP
59=IPv6-NoNx
60=IPv6-Opts
61=AnyHost
62=CFTP
63=AnyNetwork
64=SAT-EXPAK
65=KRYPTOLAN
66=RVD
67=IPPC
68=AnyFile
69=SAT-MON
70=VISA
71=IPCV
72=CPNX
73=CPHB
74=WSN
75=PVP
76=BR-SAT-MO
77=SUN-ND
78=WB-MON
79=WB-EXPAK
80=ISO-IP
81=VMTP
82=SECURE-VM
83=VINES
84=TTP
85=NSFNET-IG
86=DGP
87=TCF
88=EIGRP
89=OSPFIGP
90=Sprite-RP
91=LARP
92=MTP
93=AX.25
94=IPIP
95=MICP
96=SCC-SP
97=ETHERIP
98=ENCAP
99=AnyPrivate
100=GMTP
101=IFMP
102=PNNI
103=PIM
104=ARIS
105=SCPS
106=QNX
107=A/N
108=IPComp
109=SNP
110=Compaq-Pe
111=IPX-in-IP
112=VRRP
113=PGM
114=AnyHop
115=L2TP
116=DDX
117=IATP
118=STP
119=SRP
120=UTI
121=SMP
122=SM
123=PTP
124=ISIS
125=FIRE
126=CRTP
127=CRUDP
128=SSCOPMCE
129=IPLT
130=SPS
131=PIPE Pr
132=SCTP St
133=FC Fi
134=RSVP-E2E-
255=Reserved

medium

ALIAS_FORMAT=$alias
1=Ethernet
2=Tokenring
3=FDDI
4=HDLC
5=NetWitness
6=802.11
7=802.11 Radio
8=802.11 AVS
9=802.11 PPI
10=802.11 PRISM
11=802.11 Management
12=802.11 Control
13=DLT Raw
32=Logs

service

ALIAS_FORMAT=$alias
0=OTHER
20=FTPD
21=FTP
22=SSH
23=TELNET
25=SMTP
53=DNS
67=DHCP
69=TFTP
80=HTTP
110=POP3
111=SUNRPC
119=NNTP
123=NTP
135=RPC
137=NETBIOS
139=SMB
143=IMAP
161=SNMP
179=BGP
443=SSL
502=MODBUS
520=RIP
1024=EXCHANGE
1080=SOCKS
1122=MSN IM
1344=ICAP
1352=NOTES
1433=TDS
1521=TNS
1533=SAMETIME
1719=H.323
1720=RTP
2000=SKINNY
2040=SOULSEEK
2049=NFS
3270=TN3270
3389=RDP
3700=DB2
5050=YAHOO IM
5060=SIP
5190=AOL IM
5222=Google Talk
5900=VNC
6346=GNUTELLA
6667=IRC
6801=Net2Phone
6881=BITTORRENT
8000=QQ
8002=YCHAT
8019=WEBMAIL
8082=FIX
20000=DNP3
1000000=KERNEL
1000001=USER
1000003=SYSTEM
1000004=AUTH
1000005=LOGGER
1000006=LPD
1000008=UUCP
1000009=SCHEDULE
1000010=SECURITY
1000013=AUDIT
1000014=ALERT
1000015=CLOCK

tcp.dstport

ALIAS_FORMAT=$value ($alias)
7=echo
9=discard
13=daytime
17=qotd
19=chargen
20=ftp-data
21=ftp
22=ssh
23=telnet
25=smtp
37=time
42=nameserver
43=nicname
53=domain
70=gopher
79=finger
80=http
88=kerberos
101=hostname
102=iso-tsap
107=rtelnet
109=pop2
110=pop3
111=sunrpc
113=auth
117=uucp-path
119=nntp
135=epmap
137=netbios-ns
139=netbios-ssn
143=imap
158=pcmail-srv
170=print-srv
179=bgp
194=irc
389=ldap
443=https
445=cifs
464=kpasswd
512=exec
513=login
514=cmd
515=printer
520=efs
526=tempo
530=courier
531=conference
532=netnews
540=uucp
543=klogin
544=kshell
556=remotefs
636=ldaps
749=kerberos-adm
993=imaps
995=pop3s
1109=kpop
1433=ms-sql-s
1434=ms-sql-m
1512=wins
1524=ingreslock
1723=pptp
2053=knetd
1122=msn im
1352=notes
1521=tns
1533=sametime
1718=h323
1720=rtp
1863=msn im
2049=nfs
3389=rdp
5050=yahoo im
5060=sip
5190=aim
6346=gnuetella
6667=irc
9001=tor
9030=tor
9535=man

tcp.srcport

ALIAS_FORMAT=$value ($alias)
7=echo
9=discard
13=daytime
17=qotd
19=chargen
20=ftp-data
21=ftp
22=ssh
23=telnet
25=smtp
37=time
42=nameserver
43=nicname
53=domain
70=gopher
79=finger
80=http
88=kerberos
101=hostname
102=iso-tsap
107=rtelnet
109=pop2
110=pop3
111=sunrpc
113=auth
117=uucp-path
119=nntp
135=epmap
137=netbios-ns
139=netbios-ssn
143=imap
158=pcmail-srv
170=print-srv
179=bgp
194=irc
389=ldap
443=https
445=cifs
464=kpasswd
512=exec
513=login
514=cmd
515=printer
520=efs
526=tempo
530=courier
531=conference
532=netnews
540=uucp
543=klogin
544=kshell
556=remotefs
636=ldaps
749=kerberos-adm
993=imaps
995=pop3s
1109=kpop
1433=ms-sql-s
1434=ms-sql-m
1512=wins
1524=ingreslock
1723=pptp
2053=knetd
1122=msn im
1352=notes
1521=tns
1533=sametime
1718=h323
1720=rtp
1863=msn im
2049=nfs
3389=rdp
5050=yahoo im
5060=sip
5190=aim
6346=gnuetella
6667=irc
9001=tor
9030=tor
9535=man

udp.dstport

ALIAS_FORMAT=$value ($alias)
7=echo
9=discard
13=daytime
17=qotd
19=chargen
37=time
39=rlp
42=nameserver
53=domain
67=bootps
68=bootpc
69=tftp
88=kerberos
111=sunrpc
123=ntp
135=epmap
137=netbios-ns
138=netbios-dgm
161=snmp
162=snmptrap
213=ipx
443=https
445=cifs
464=kpasswd
500=isakmp
512=biff
513=who
514=syslog
517=talk
518=ntalk
525=timed
533=netwall
550=new-rwho
560=rmonitor
561=monitor
749=kerberos-adm
1167=phone
1433=ms-sql-s
1434=ms-sql-m
1512=wins
1701=l2tp
1812=radiusauth
1813=radacct
2049=nfsd
2504=nlbs
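
The alias files above share one simple format: an ALIAS_FORMAT line giving the display template ($alias, or $value ($alias)) followed by integer=alias lines. The following Python example, added here and not part of the Reporting Engine or NetWitness, parses that format from constructed excerpts of the service and tcp.dstport files, renders result rows the way the alias columns in a test run would appear, and provides the reverse lookup you need when writing a Where clause, which (as noted under "Use Meta Aliases for Reporting") must use the raw value such as 80 rather than the alias HTTP. The class and function names are assumptions; values without an entry are shown unchanged because the alias tables cannot be extended.

```python
import re

# Constructed excerpts of the alias files listed above (the real files are far longer).
ALIAS_FILES = {
    "service": "ALIAS_FORMAT=$alias\n0=OTHER\n22=SSH\n80=HTTP\n443=SSL\n3389=RDP\n",
    "tcp.dstport": "ALIAS_FORMAT=$value ($alias)\n22=ssh\n80=http\n443=https\n9001=tor\n",
}


def parse_alias_file(text):
    """Parse one alias file: an ALIAS_FORMAT line plus integer=alias lines.
    Returns (format_string, {value: alias}). Blank lines are skipped; anything
    else that is not key=value is rejected rather than silently ignored."""
    fmt, table = "$alias", {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        if key == "ALIAS_FORMAT":
            fmt = value
            continue
        try:
            table[int(key)] = value
        except ValueError:
            raise ValueError(f"line {lineno}: meta value {key!r} is not an integer") from None
    return fmt, table


class MetaAliases:
    """Holds the alias tables for several meta and renders result values with them."""

    def __init__(self, files):
        self.metas = {meta: parse_alias_file(text) for meta, text in files.items()}

    def render(self, meta, value):
        """Render one Select-column value. Meta without an alias file, and values
        with no entry in the table, are shown as-is."""
        if meta not in self.metas:
            return str(value)
        fmt, table = self.metas[meta]
        try:
            key = int(value)
        except (TypeError, ValueError):
            return str(value)
        if key not in table:
            return str(value)
        return re.sub(r"\$(value|alias)",
                      lambda m: str(key) if m.group(1) == "value" else table[key], fmt)

    def render_row(self, row):
        """Render every column of one result row."""
        return {meta: self.render(meta, v) for meta, v in row.items()}

    def raw_value(self, meta, alias):
        """Reverse lookup for writing a Where clause, which must use the raw value
        (for example service = 80, never service = HTTP)."""
        _, table = self.metas[meta]
        for value, name in table.items():
            if name.lower() == alias.lower():
                return value
        raise KeyError(f"{alias!r} is not an alias for {meta}")


ALIASES = MetaAliases(ALIAS_FILES)

if __name__ == "__main__":
    print(ALIASES.render_row({"ip.src": "10.0.0.5", "service": 443, "tcp.dstport": 443}))
    print("Where clause value for service HTTP:", ALIASES.raw_value("service", "HTTP"))
```

The rendering honours each file's own ALIAS_FORMAT, so service 443 appears as SSL while tcp.dstport 443 appears as 443 (https), matching the two template styles in the definitions above.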

Test a Rule

You can test a rule based on the time range and the data source selected.

To test a rule, perform the following:

  1. Go to Reports.
    The Manage tab is displayed.
  2. In the Rules panel, do one of the following:
    • Select a rule and click netwitness_110_edit_button.png in the Rules toolbar.
    • Click netwitness_110_star_a.png > Edit.
      The Build Rule view tab is displayed.
  3. Click Test Rule.
    The Test Rule view is displayed.
    [Figure: Test Rule view]

Note: When you click Test Rule, the rule is not saved. You have to click Save in the Build Rule view to save the rule.

  4. From the Data Source drop-down list, select a data source.
    You must select the appropriate data source for the rule defined.
  5. From the Format drop-down list, select the format in which you want the result displayed.
  6. From the Time Range drop-down list, select one of the following:
    • Past - To specify a number of years, months, weeks, days, or hours.
    • Range - To specify a date range and time period.

Note: In the User Interface (UI), the date or time displayed depends on the time zone profile selected by the user.

  7. X-Axis and Y-Axis are used to specify the meta to be plotted in charts.
    In X-Axis, the meta for the 'Group by' rule is displayed. In Y-Axis, the aggregate functions used in the rule are displayed.

Note: Sum, Count, Countdistinct and Average are the supported aggregate functions for the rule. By default, for Custom Rules with multiple 'Group by', you can select only the first meta in X-Axis.

  8. Click Run Test to execute the rule.
    The rule data (if any) for the selected time range is displayed.

Create a List or List Group

Lists can be added within a group or in the root folder.

To create a list, perform the following:

  1. Go to Reports, and click Lists.
    The List view is displayed.

    [Figure: List view]

  2. In the Lists toolbar, click netwitness_110_add_button.png.
    The Build List view tab is displayed.

    [Figure: Build List view]

  3. In the Name field, enter a unique name for the list.
  4. In the Description field, enter a description for the list.
  5. In the List Values field, do one of the following:
    • Click Insert Values and enter the values separated by commas. You can paste a list of values from a file or other lists.
    • In the Value column, enter the values.
  6. If you want quotes to be inserted directly for the values at runtime, select Quotes will be inserted for all the values.
  7. Click Save.

To create a list group, perform the following:

  1. Go to Reports, and click Lists.
    The List view is displayed.

    [Figure: List view]

  2. Do the following:

    • To create a list group:

      1. In the List Groups panel, click netwitness_110_add_button.png.

        A new list group is added to the List Groups panel.

        [Figure: new list group added to the List Groups panel]

      2. Enter the name for the list group and press ENTER.
    • To create a list subgroup:

      1. In the List Groups panel, select the list group to which you want to add a subgroup.
      2. Click netwitness_110_add_button.png.

        A new list subgroup is added to the list group.

      3. Enter the name for the list subgroup and press ENTER.