This topic provides instructions for creating a custom feed that is needed for the Rogue DHCP Server Detected RSA Application Rule.
Context
You can create the necessary custom feed using the Custom Feed wizard. To complete this procedure, you need a feed data file in .csv format. The Custom Feed wizard creates the feed based on the supplied feed data file.
Note: As an alternative to creating the feed manually as shown in the following procedure, you can follow the procedure described in the Create a Custom Feed topic in the Live Services Guide.
Procedure
The feed data file (.csv) must be available on the local file system.
To create the custom feed:
-
Create a file, known_dhcp_server.csv. This should be a whitelist of DHCP servers with the following format:
ip_address_1, known_dhcp_server
ip_address_2, known_dhcp_server
ip_address_3, known_dhcp_server
Replace each ip_address_i with an actual IP address for a DHCP server.
-
Depending on your version:
- For NetWitness 11.x: In the NetWitness menu, select CONFIGURE > Custom Feeds.
- For Security Analytics 10.x: In the Security Analytics menu, select Live > Feeds.
-
In the toolbar, click +.
The Setup Feed dialog is displayed.
-
To select the feed type, click Custom Feed and Next.
The Configure a Custom Feed wizard is displayed, with the Define Feed form open.
-
Fill in the following values:
- For the Name, enter RogueDHCPServerDetected.
- For the file, navigate to your known_dhcp_server.csv file, using the Browse button.
-
Click Next.
The Select Services form is displayed.
-
To identify services on which to deploy the feed, select one or more Decoders, and click Next.
The Define Columns form is displayed.
-
To map columns in the Define Columns form:
- Select IP for the Index type, and select 1 for the index column.
- From the drop-down list, select alert as the language key to apply to the data in each column.
-
Click Next.
The Review form is displayed. Your form should look like this:
- Review the feed information, and if correct, click Finish.
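Before uploading known_dhcp_server.csv in the wizard, the file from the first step can be checked for entries that would not match the format shown there. The following Python script is an added example, not part of the RSA documentation; the function name validate_feed, the sample addresses, and the choice to reject ranges, duplicates, and loopback, multicast, or unspecified addresses are assumptions made for illustration.

```python
import csv
import io
import ipaddress

TAG = "known_dhcp_server"  # second-column value from the page's file format


def validate_feed(text):
    """Return (ips, errors) for the contents of known_dhcp_server.csv."""
    ips, errors, seen = [], [], {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not c.strip() for c in row):
            continue  # ignore blank lines
        cells = [c.strip() for c in row]
        if len(cells) != 2:
            errors.append(f"line {lineno}: expected 2 columns, got {len(cells)}")
            continue
        raw_ip, tag = cells
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            # Catches CIDR ranges, hostnames and unreplaced placeholders
            errors.append(f"line {lineno}: {raw_ip!r} is not a single IP address")
            continue
        if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
            errors.append(f"line {lineno}: {ip} cannot be a DHCP server address")
            continue
        if tag != TAG:
            errors.append(f"line {lineno}: value {tag!r} should be {TAG!r}")
            continue
        if ip in seen:
            errors.append(f"line {lineno}: {ip} duplicates line {seen[ip]}")
            continue
        seen[ip] = lineno
        ips.append(str(ip))
    return ips, errors


# Constructed sample file (addresses are illustrative, not from the page)
SAMPLE = """\
10.0.0.2, known_dhcp_server
10.0.0.3, known_dhcp_server
10.0.0.0/24, known_dhcp_server
10.0.0.2, known_dhcp_server
255.255.255.255, known_dhcp_servers
ip_address_3, known_dhcp_server
"""

if __name__ == "__main__":
    ips, errors = validate_feed(SAMPLE)
    print("valid entries:", ips)
    for e in errors:
        print("ERROR", e)
```

Review every reported error before deploying the feed, because each address that ends up in the file is treated as a known DHCP server.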