This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Top Level Domain (TLD) Lua Parser for Logs

EricPartington
Employee
Employee
‎2018-04-16 07:05 AM

The TLD parser has been updated to now deploy on Log Decoders.  

 

The parser looks for the following keys from log devices to parse out the same information as packets:

  • Alias.host
  • Host.src
  • Host.dst
  • Domain.dst
  • Domain.src
  • FQDN

 

Which writes out information into:

* alert.id - mapped to risk meta
* analysis.service - hostname characteristics
* cctld - (nonstandard) (optional) country-code top level domain, e.g., www.amazon.co.uk -> co.uk
* sld - (nonstandard) (optional) second level domain, e.g. www.amazon.co.uk -> amazon
* tld - top level domain, e.g. www.amazon.com -> com

 

When searching for Lua and Log in the RSA Live deployment screen you will see the following:

pastedImage_2.png

 

And linked dependancies:

pastedImage_3.png

 

So this is a really simple method of getting nwll.lua deployed to a log decoder if your custom parser requires that library (PaloAlto URL.raw parser for instance).

2 Comments
© 2022 RSA Security LLC or its affiliates. All rights reserved.