BPF rules are not filtering traffic on RSA NetWitness Platform 10G Decoders
Issue
After configuring BPF rules on a Security Analytics 10G Decoder, the traffic is not being filtered as expected.
Cause
The PFRING driver used with 10G Decoders does not support the use of BPF and therefore will not filter the traffic.
Resolution
In order to filter network traffic on a 10G Decoder, a Network Rule must be created instead of a BPF. For example, if ports 553 and 55553 needed to be filtered, rather than using the BPF syntax not (port 553 or 55553), a network rule similar to the one shown below should be created.
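As an added example (not the rule from the original article's screenshot), this is how the same exclusion could be expressed as a Decoder network rule; it assumes the network-rule keys tcp.srcport, tcp.dstport, udp.srcport and udp.dstport and the Filter action. Note that the logic is inverted compared with the BPF: the BPF describes what to keep, while the network rule matches the unwanted ports and drops them.

```text
# Added example, not the article's own rule; assumes the Decoder keys
# tcp.srcport/tcp.dstport/udp.srcport/udp.dstport and the Filter action.
# Equivalent of the BPF: not (port 553 or 55553)
Rule name: filter-ports-553-55553
Condition: tcp.srcport=553 || tcp.dstport=553 || tcp.srcport=55553 || tcp.dstport=55553 || udp.srcport=553 || udp.dstport=553 || udp.srcport=55553 || udp.dstport=55553
Action:    Filter
```

Network rules are evaluated in order from the top of the list, so place this rule above any broader Keep rule that would otherwise match the same packets first, and confirm the drop by checking that sessions on these ports no longer appear in the Decoder's captured traffic.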
Notes
For more information on configuring Network Rules, refer to the link https://community.netwitness.com/t5/netwitness-platform-online/services-config-view-network-rules-tab/ta-p/669206
Product Details
RSA Product Set: Security Analytics, RSA NetWitness Logs & Network
RSA Product/Service Type: 10G Decoder, Security Analytics UI
RSA Version/Condition: 11.x, 12.x
Platform: CentOS
O/S Version: EL6/7