This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Not just a number. Looking at HTTP Response codes

Anonymous
Not applicable
‎2016-06-07 09:23 AM

Sometimes, you just want the number.  The HTTP Response code number that is.

 

HTTP traffic represents one of the largest traffic types that our decoders see.  We parse quite a lot of traffic into meta and then indexed for future searching.  While we will parse certain error codes into the 'error' meta key, sometimes analysts just want the code number.  No text...no description.  Just the code number, like 200 or 404 or 302.

 

I wrote a quick Lua parser that does this and puts the data into 'result.code'.  The reason for using 'result.code' is that it is already used by log decoders and parsing of web proxy logs.  Having meta from both packets and logs in the same place seemed an ideal choice in this case.

 

pastedImage_0.png

 

A copy of the parser is attached.  It would only be deployed to packet decoders.  This functionality may be added to one of the existing parsers (http_lua most likely) in the future.

 

I hope you find this parser useful.  Happy hunting.

 

Chris

http_rcode.lua.zip
http_rcode.lua.zip
9 Comments
© 2022 RSA Security LLC or its affiliates. All rights reserved.