This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Who referred you? Getting more out of HTTP referer meta.

Anonymous
Not applicable
‎2016-06-07 08:47 AM

Last year, I was on an incident response engagement where we were investigating several drive-by attacks.  Packet decoders were deployed and picking up the sessions rather easily but we were trying to identify the path of redirection that the malware compromises were taking.  We had 'referer' meta but it was not indexed and would come in as a URL.  While valuable, it was not something we would query against. However, I could extract some key elements from that 'referer' meta and help tell the story.  And in case anyone is wondering why it's spelled 'referer' instead of 'referrer', please consult the Google.

 

The result was a Lua parser for extracting the PATH information from the referer meta. Essentially what it does is a meta-callback against the 'referer' meta key.  A meta callback is simply a lookup of meta already created in the session.  The parser then breaks out the key elements into individual meta keys.

pastedImage_4.png

 

Because I really only wanted the host that it came from, I created a custom key called 'referer.host' and indexed that.  You could remove the comments around the other elements such as directory, filename, extension, etc but I did not find a lot of value in using those in an investigation.

 

pastedImage_2.png

 

pastedImage_3.png

 

The result helped tell the story and looked a little like this:

 

pastedImage_1.png

 

As I stated above, this was done on a packet decoder.  However, you can run it on a log decoder too.  Several web proxies will log the referer information in the log which would get parsed into the referer meta key.  Since this parser is doing a meta callback, it can callback the meta from log sessions just as easily as it can from packets.  The only difference is that log decoders need the nwll.lua (Netwitness Lua Library) file.  By default, log decoders do not come with it.  You can download it as a package from Live and then deploy it to your log decoders.  The parser requires it for packet decoders too, but it is already there on a packet decoder.

 

Since this is going to use a custom meta key, you will want to add this to your index-concentrator-custom.xml on your concentrators.

<key description="Referer Host" level="IndexValues" name="referer.host" format="Text" valueMax="2500000" />

 

Edit that file and add the entry above.  Then, save it, and restart the concentrator service to start indexing the meta.

 

I hope you find this useful to your investigations.  Happy hunting.

 

Chris

lua_refererpath.lua.zip
lua_refererpath.lua.zip
© 2022 RSA Security LLC or its affiliates. All rights reserved.