2016-11-17 08:39 AM
I have an interesting use case that I need a solution for.
Use case: Need to identify if user credentials are contained in the URL string of a web request.
Log source: proxy logs
Requirements: I want to build an app rule to leverage for query/reporting/ESA rule usage that looks at, and identifies, whether the user requesting the web request (user.src) is contained within the URL string of the web request.
The problem is that I'm not sure if it's feasible within this product to do lookups of tags within another tag.
So essentially, I'd want to do an app rule that does this, but I'm not sure if it's possible. 'contains' only allows for string matches, right? Not tag values?
Is the user.src tag contained within the URL tag?
2017-01-17 12:16 PM
Thanks William. Is there a log version of this available?
I was playing around yesterday, attempting to build one, but ran into a snag...
Are we only able to make a callback to one tag through a function?
In all of the Lua parsers, I've only seen one tag make a callback. Is it possible to call back 2 or more tags in one function? So the below user.src could be user.src and device.type calling lua_userInURL.srcUserCheck.
2017-01-17 01:27 PM
It should work on a log decoder as-is. On a packet decoder it won't work, but only because neither user.src nor url are keys used by packets.
You can get callbacks for multiple keys. The parser I posted above gets callbacks for both user.src and url.
If you mean "can multiple callbacks call the same function", then yes:
someParser:setCallbacks({
    ["foo"]   = someParser.functionA,
    ["bar"]   = someParser.functionA,
    ["hello"] = someParser.functionB,
    ["world"] = someParser.functionB
})
Both "foo" and "bar" call functionA. Both "hello" and "world" call functionB.
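An added worked example of the original check as a log-decoder Lua parser, with two username keys routed to one callback in the way described above. This is not William's parser from the thread (which is not reproduced here) and not RSA's code. It assumes the NetWitness Lua parser API as publicly documented (nw.createParser, setKeys, setCallbacks, nwlanguagekey.create, nwtypes.Text, nwevents.OnSessionBegin/OnSessionEnd, nw.createMeta) and that meta callbacks are invoked as (index, value); the parser name, the alert text and the minimum username length are illustrative choices.

```lua
-- Added example; not from the thread. Assumes the documented NetWitness Lua
-- parser API and that meta callbacks receive (index, value). The parser name,
-- alert text and the 4-character minimum are illustrative choices.
local parserName = "user_in_url_example"
local userInUrl = nw.createParser(parserName,
    "Flags sessions whose URL contains one of the session's own usernames")

-- Meta this parser writes; "alert" is a standard NetWitness key.
userInUrl:setKeys({
    nwlanguagekey.create("alert", nwtypes.Text),
})

-- Percent-decode once so "j%40doe" and "j@doe" compare equal, lower-case both
-- sides, and use a plain find (4th argument true) so "." or "-" in a username
-- are matched literally rather than as Lua pattern characters.
local function contains(url, needle)
    local decoded = url:gsub("%%(%x%x)", function(hex)
        return string.char(tonumber(hex, 16))
    end)
    return string.find(string.lower(decoded), string.lower(needle), 1, true) ~= nil
end

function userInUrl:sessionBegin()
    -- Per-session state. Meta for one log can arrive in any order, so buffer
    -- everything and evaluate once at session end.
    self.users = {}
    self.urls  = {}
end

-- One function registered for several keys: anything username-like is a
-- candidate. Very short names are skipped because they match almost any URL.
function userInUrl:onUser(index, value)
    if value and #value >= 4 then
        self.users[#self.users + 1] = value
    end
end

function userInUrl:onUrl(index, value)
    if value then
        self.urls[#self.urls + 1] = value
    end
end

function userInUrl:sessionEnd()
    for _, url in ipairs(self.urls) do
        for _, user in ipairs(self.users) do
            if contains(url, user) then
                nw.createMeta(self.keys["alert"], "user credential in url")
                return  -- one alert per session is enough
            end
        end
    end
end

userInUrl:setCallbacks({
    [nwevents.OnSessionBegin] = userInUrl.sessionBegin,
    [nwevents.OnSessionEnd]   = userInUrl.sessionEnd,
    -- two keys, one function
    [nwlanguagekey.create("user.src", nwtypes.Text)] = userInUrl.onUser,
    [nwlanguagekey.create("user.dst", nwtypes.Text)] = userInUrl.onUser,
    [nwlanguagekey.create("url",      nwtypes.Text)] = userInUrl.onUrl,
})
```

Drop the file into the parsers directory of the log decoder, make sure Lua parsing is enabled, and reload parsers; an app rule or ESA rule can then key on alert = 'user credential in url'. Two caveats: this only proves the username is in the URL, not that a password is (the meta a proxy produces is what you get to search), and common or short usernames will still produce false positives, so tune the length threshold or add an allow-list of usernames to ignore for your environment.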
2017-01-18 02:15 PM
Thanks William. I just tried on our UAT decoder, and it doesn't work. I can send you a sample log if needed.
2017-01-18 02:32 PM
I wouldn't need the actual log message, just the meta produced from the log.
Also make sure /decoder/parsers/config lua.enabled = yes
2017-01-18 04:34 PM
Also make sure the 'nwll.lua' file is in the /etc/netwitness/ng/parsers directory.
It is not on a log decoder by default.
Chris
2017-01-18 05:26 PM
Actually, nwll isn't necessary for the parser posted above.
It isn't a general requirement for all lua parsers. Parsers that explicitly require it will have a line like:
local nwll = require('nwll')