Configure Parsers

NetWitness has a set of native parsers that are defined by the system, and also provides the option to add additional parsers. Each parser is configurable in the Services Config View - General Tab. The Parser Configuration panel provides a way to enable or disable parsers to use on Decoders in addition to limiting the metadata that the parser creates.

There are also several types of custom configurable parsers:

  • GeoIP2 – This parser associates IP addresses with geographical locations. For new installations and upgrades, the GeoIP2 parser is enabled by default. For more information on this parser, see GeoIP2 Parsers.
  • Search – This parser is user‐configured to generate metadata by scanning for pre‐defined keywords and regular expressions.
  • FLEXPARSE (deprecated) – This is a generic parser definition language for extending the existing application protocol support of the Decoder. By default this parser is disabled (see Enable or Disable Lua and Flex Parsing Systems).
  • Lua – This parser is defined using the Lua scripting language for extending the existing application protocol support of the Decoder.
  • Log – This application parser supports the Log Decoder and is configured to generate metadata by scanning log files.
  • Snort® – This parser supports the payload detection capabilities of Snort IDS rules. Snort rules and configuration are added to the parsers/snort directory for Investigation and Decoder (see Decoder Snort Detection).

In the Services Config view > Parsers tab, you can view the parsers deployed on a Decoder, upload parsers, and delete deployed parsers. The user interface includes an indicator showing whether each parser originated from Live Services, was installed with NetWitness, or was uploaded manually. Parsers can be added and removed while a Decoder is running without affecting capture.

Note: To pass options to parsers, you must first give the name of the parser and then the options to be passed in this format: <ParserName>="<ParserOptions>"<Whitespace><ParserName2>="<Parser2Options>"
Each ParserName=Value option must be separated by whitespace. Normally, the Value must have double quotes around it. The Value itself can sometimes list multiple Option=Value pairs, each separated by whitespace, and if those values have whitespace, they must be in escaped double quotes. To escape a quote, place a backslash before it: \".
This is an example of defining options for Parser1, Parser2, and Parser3:
Parser1="Option1=\"Option1 Value With Space\" Option2=Option2ValueNoSpace" Parser2="Option1=Value" Parser3="op1=val1 op2=val2 op3=\"another value\""
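The option syntax described in the note above, as an added example that is not NetWitness's own code: a small Python parser that splits the option string into a per-parser map of options, honouring the outer double quotes and the \" escape for inner values that contain whitespace, plus the reverse serialization. It assumes option values never contain a literal double quote, since the note documents no escape for that case.

```python
def _tokenize(s):
    """Split s on unquoted whitespace. Double quotes group text and are
    removed; the sequence \\" becomes a literal quote. Used at both levels:
    once for ParserName="..." and again for the Option=Value pairs inside."""
    tokens, cur, in_quote, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if c == '\\' and i + 1 < len(s) and s[i + 1] == '"':
            cur.append('"')          # escaped quote: keep as data
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote  # unescaped quote: toggle grouping
        elif c.isspace() and not in_quote:
            if cur:
                tokens.append(''.join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if in_quote:
        raise ValueError("unterminated double quote in: %r" % s)
    if cur:
        tokens.append(''.join(cur))
    return tokens


def parse_parser_options(spec):
    """Return {parser_name: {option: value}} for a string in the documented
    <ParserName>="<ParserOptions>" <ParserName2>="<Parser2Options>" format."""
    result = {}
    for token in _tokenize(spec):
        if '=' not in token:
            raise ValueError("expected ParserName=Value, got %r" % token)
        name, value = token.split('=', 1)
        # After the outer level is unquoted, \" has become a plain quote,
        # so the same tokenizer handles Option="value with space" here.
        opts = {}
        for pair in _tokenize(value):
            key, _, val = pair.partition('=')
            opts[key] = val
        result[name] = opts
    return result


def format_parser_options(config):
    """Inverse of parse_parser_options: quote inner values that contain
    whitespace, then escape every quote when wrapping the outer value."""
    parts = []
    for name, opts in config.items():
        inner = ' '.join(
            '%s="%s"' % (k, v) if any(ch.isspace() for ch in v) or v == ''
            else '%s=%s' % (k, v)
            for k, v in opts.items())
        parts.append('%s="%s"' % (name, inner.replace('"', '\\"')))
    return ' '.join(parts)


# Constructed sample: the three-parser example from the documentation.
EXAMPLE = ('Parser1="Option1=\\"Option1 Value With Space\\" Option2=Option2ValueNoSpace" '
           'Parser2="Option1=Value" Parser3="op1=val1 op2=val2 op3=\\"another value\\""')
```

Feeding EXAMPLE to parse_parser_options yields Parser1 with Option1 set to the spaced value and Option2 to Option2ValueNoSpace, and format_parser_options reproduces the documented escaping so the result round-trips.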

In addition, you can download parsers using NetWitness Live Services.