Sniffer overload: examples

In some circumstances, the Guardium sniffer can be overloaded with traffic that does not need to be analyzed. The three examples below show session-level policy rules that drop such traffic early, before it reaches the sniffer's parser and logger, while still allowing other traffic through.

Example 1: Ignore any traffic from the SAP HANA statistics service.
  • Session level criteria
    • Database type = SAP HANA
    • Source application = STATISTICSSERVICE
  • Rule action = IGNORE SESSION

Example 2: Optimized method to log only traffic from specified ports.
  • Session level criteria - Server port In Group where:
    • Group type = Server port
    • Members = A list of the server ports to log.
  • Rule action = SELECT SESSION

Example 3: Ignore traffic from Zabbix (a third-party product). This example requires three rules.

Rule 1 - If the session has not been identified and logged after 30 packets have been received on the collector, ignore the session.
  • Session level criteria - No criteria
  • Rule action = IGNORE SESSION
    • Packets limit = 30

Rule 2 - Normalize every source program string that contains the text "ZABBIX" (the string Zabbix sends varies from session to session) to the fixed string ZABBIX, so that the next rule can match on an exact value.
  • Session level criteria
    • Database type = ORACLE
    • Operating system user = ZABBIX
  • Rule action = TRANSFORM SOURCE PROGRAM NAME
    • Source = SOURCE PROGRAM NAME
    • Match pattern = .*ZABBIX.*
    • Output format = ZABBIX
Rule 3 - Discard any session whose source program, after normalization by rule 2, is ZABBIX; sessions from all other source programs continue to the logger. Rule 1 covers the case where the session information is still unavailable after the first 30 packets: such a session cannot be matched by rules 2 and 3, so it is not forwarded to the logger and is ignored.
  • Session level criteria - Source application = ZABBIX
  • Rule action = SOFT DISCARD SESSION

SR language examples

Example 1:
SR_POLICIES
{
        IF (DB_TYPE = 'SAP HANA' SOURCE_PROGRAM = 'statisticsService')
        {
                IGNORE_SESSION
        }
}
Example 2:
SR_POLICIES
{
        IF (SERVER_PORT = (1434, 1) )
        { SELECT_SESSION }
        
         GROUP_ID = 1 TYPE = INTEGER SIZE = 3 { 1435 1436 1437 }
}
Example 3:
SR_POLICIES
{
        IF (*) { IGNORE_SESSION PACKETS_LIMIT = 30 }
        
        IF (DB_TYPE = 'ORACLE' OS_USER = 'ZABBIX' )
        { 
                TRANSFORM_SOURCE_PROGRAM MATCH_PATTERN = '.*ZABBIX.*' OUTPUT_FORMAT = 'ZABBIX'
        }

        IF ( SOURCE_PROGRAM == 'ZABBIX' ) { SOFT_DISCARD_SESSION }
}
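The rule chains above are declarative, and it is easy to misjudge how they interact: rule 2 must rewrite the source program before rule 3 can match it exactly, and rule 1 only fires when a session's attributes are still unknown after 30 packets. The following Python simulator is an added example written for this page; it is not Guardium code and does not parse the SR language. It models Example 1 and Example 3 with simplified, explicitly assumed semantics (an ignore rule with a packets limit fires only if the session's attributes are not available within that many packets; a transform rule rewrites the attribute and evaluation continues; select, ignore and soft-discard end evaluation) and runs them over constructed sessions whose names and packet counts are invented for illustration.

```python
"""Toy simulator of the session-level rule chains on this page.

Constructed example: NOT Guardium code, and the rule semantics below are
assumptions made for illustration, not a specification of the sniffer.
"""
import re
from dataclasses import dataclass, replace
from typing import Optional

IGNORE = "IGNORE_SESSION"
SELECT = "SELECT_SESSION"
TRANSFORM = "TRANSFORM_SOURCE_PROGRAM"
SOFT_DISCARD = "SOFT_DISCARD_SESSION"


@dataclass
class Session:
    db_type: str
    os_user: str
    source_program: str
    packets_before_attrs: int  # packets seen before OS user / source program became known


@dataclass
class Rule:
    criteria: dict                       # attribute -> required value; {} models IF (*)
    action: str                          # one of IGNORE, SELECT, TRANSFORM, SOFT_DISCARD
    match_pattern: Optional[str] = None  # TRANSFORM only
    output_format: Optional[str] = None  # TRANSFORM only
    packets_limit: Optional[int] = None  # IGNORE only


def _matches(rule: Rule, s: Session) -> bool:
    """All criteria must hold (the SR examples list criteria as an implicit AND)."""
    return all(getattr(s, attr) == value for attr, value in rule.criteria.items())


def evaluate(rules, session: Session) -> str:
    """Walk the rules in order and return 'LOG', 'IGNORE' or 'SOFT_DISCARD'.

    Assumed semantics (assumptions of this example):
    - IGNORE with packets_limit=N fires only if the session's attributes were
      not known within the first N packets; without a limit it fires at once.
    - TRANSFORM rewrites source_program and evaluation continues, so later
      rules compare against the normalized value.
    - SELECT, IGNORE and SOFT_DISCARD are terminal; a session that reaches the
      end of the chain without a terminal action goes to the logger.
    """
    s = replace(session)  # work on a copy so the caller's session is untouched
    for rule in rules:
        if not _matches(rule, s):
            continue
        if rule.action == TRANSFORM:
            # Python's re is case-sensitive: '.*ZABBIX.*' will not match 'zabbix'
            if re.fullmatch(rule.match_pattern, s.source_program):
                s.source_program = rule.output_format
            continue
        if rule.action == IGNORE:
            if rule.packets_limit is None or s.packets_before_attrs > rule.packets_limit:
                return "IGNORE"
            continue  # attributes arrived in time: let the later rules decide
        if rule.action == SELECT:
            return "LOG"
        if rule.action == SOFT_DISCARD:
            return "SOFT_DISCARD"
    return "LOG"


def example1_rules():
    """Example 1: ignore the SAP HANA statistics service."""
    return [Rule({"db_type": "SAP HANA", "source_program": "statisticsService"}, IGNORE)]


def example3_rules():
    """Example 3: the three Zabbix rules, in the order the page gives them."""
    return [
        Rule({}, IGNORE, packets_limit=30),
        Rule({"db_type": "ORACLE", "os_user": "ZABBIX"}, TRANSFORM,
             match_pattern=".*ZABBIX.*", output_format="ZABBIX"),
        Rule({"source_program": "ZABBIX"}, SOFT_DISCARD),
    ]


# Constructed sessions; the program names and packet counts are invented.
SAMPLE_SESSIONS = [
    ("zabbix monitor, JDBC client", Session("ORACLE", "ZABBIX", "JDBC Thin Client (ZABBIX)", 4)),
    ("zabbix monitor, lowercase name", Session("ORACLE", "ZABBIX", "zabbix_agentd", 4)),
    ("application user", Session("ORACLE", "appuser", "sqlplus@apphost", 4)),
    ("attrs unknown for 45 packets", Session("ORACLE", "appuser", "sqlplus@apphost", 45)),
]

if __name__ == "__main__":
    for label, sess in SAMPLE_SESSIONS:
        print(f"{label:32s} -> {evaluate(example3_rules(), sess)}")
    print("HANA statistics service       ->",
          evaluate(example1_rules(), Session("SAP HANA", "hdbadm", "statisticsService", 1)))
```

Two things the run makes visible that the bullet lists do not: the second sample session is also from Zabbix but is logged, because the match pattern `.*ZABBIX.*` is case-sensitive in this simulator and the transform never fires, so rule 3's exact comparison fails; and the fourth session never reaches rules 2 and 3 at all, because rule 1's packets limit has already dropped it. Before relying on a transform rule in production, confirm how your Guardium version treats case in match patterns and check the source program strings the product actually sends.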