2016-11-17 08:39 AM
I have an interesting use case that I need a solution for.
Use Case: Need to identify if user credentials are contained in the URL string of a web request.
Log source: proxy logs
Requirements: Want to build an app rule to leverage for query/reporting/ESA rule usage that looks at, and identifies if, the user requesting the web request (user.src) is contained within the URL string of the web request.
The problem is that I'm not sure if it's feasible within this product to do lookups of tags within another tag?
So essentially, I'd want to do an app rule that does this, but not sure if possible. The contains only allows for string matches, right? Not tag values?
user.src tag is contained within the URL tag?
2016-11-17 08:50 AM
Hi Joe, have you got a sample log with an anonymised username in it that you can post here? I think a Lua parser is the way to go here. Can you let me know what meta key you would like the "user.src contained in URL Tag" alert sent to?
Should be able to knock up something this afternoon!
2016-11-17 09:04 AM
Thanks David. Can we not just use a query syntax like
url contains user.src?
I hate to add more content in our infrastructure that we can't manage, "Lua parsers".
2016-11-17 09:07 AM
Unfortunately (and I'm ready to be corrected on this), I don't think you can use variables in App Rules, e.g. read the contents of one meta key and compare it to another.
2016-11-17 09:39 AM
Another method would be to use an ESA Rule. 10.6.2 allows you to match/join two events like ip.src and ip.dst.
You could then send the ESA Alert as syslog back into your logdecoder to generate an alert if you wished.
2016-11-17 09:41 AM
The only way to do so within the log decoder itself would be through the use of a Lua Parser.
You would need to pull in both the url meta and the user.src meta. Then, essentially store the user.src meta as a Lua variable and perform a string.find for that syntax within the variable holding the url meta.
2016-11-21 02:42 PM
I haven't had time to look at creating a parser for something like this, but a quick layout of what it might start to look like in a Lua interpreter is as follows:
Lua 5.2.3 Copyright (C) 1994-2013 Lua.org, PUC-Rio
> url = "http://www.someurl.com/login.php?uname=rsuave&browser=chrome&os=win7&platform=64bit"
> user_src = "rsuave"
> tagf,tagl = string.find(url, user_src, 1, true) -- Plain (non-pattern) find: returns the first and last position of user_src in url, in this case the 'r' and the 'e' in 'rsuave'. Plain mode keeps characters like '.' or '-' in a username from being read as Lua pattern magic.
> if tagf then
>> print("user_name_found_in_url")
>> else
>> print("nothing_to_see_here")
>> end
user_name_found_in_url
There would have to be some checks in the parser to look for BOTH the url and user.src meta. Given that these would be for logs on a log decoder, we could probably leverage SessionEnd and do the check for us as the session is about to exit the decoder.
2016-12-19 04:16 PM
Thanks Chris! Have you had a chance to look into this more/develop anything?
2016-12-20 08:32 AM
I have not.
2016-12-20 09:03 AM
Here's one way to go about it.
WARNING: UNTESTED. PROVIDED FOR DEMONSTRATION PURPOSES ONLY.
local userInUrl = nw.createParser("userInUrl", "User meta in url meta detection")

userInUrl:setKeys({
    nwlanguagekey.create("alert")
})

-- Reset per-session state so meta from one session never bleeds into the next.
function userInUrl:sessionBegin()
    self.users, self.urls, self.alerted = nil, nil, false
end

-- Compare every user.src value seen so far against every url value.
-- string.find runs in plain mode (4th argument true) so characters such as
-- '.' or '-' in a username are matched literally, not as Lua pattern magic.
function userInUrl:findUser()
    if self.alerted or not (self.users and self.urls) then
        return
    end
    for _, user in ipairs(self.users) do
        for _, url in ipairs(self.urls) do
            if string.find(url, user, 1, true) then
                nw.createMeta(self.keys.alert, "user.src found in url")
                self.alerted = true -- one alert per session is enough
                return
            end
        end
    end
end

-- Meta callbacks: collect lower-cased values and re-check on each new one.
function userInUrl:onUser(idx, vlu)
    self.users = self.users or {}
    table.insert(self.users, string.lower(vlu))
    self:findUser()
end

function userInUrl:onUrl(idx, vlu)
    self.urls = self.urls or {}
    table.insert(self.urls, string.lower(vlu))
    self:findUser()
end

userInUrl:setCallbacks({
    [nwevents.OnSessionBegin] = userInUrl.sessionBegin,
    [nwlanguagekey.create("user.src")] = userInUrl.onUser,
    [nwlanguagekey.create("url")] = userInUrl.onUrl
})
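The check the thread builds in Lua, worked through outside NetWitness as an added example (not from the thread or from RSA): it goes a step beyond plain substring matching by URL-decoding the request and comparing the username against whole path segments and query values, so a short username such as "al" does not fire on "login.php". The proxy log lines and their "timestamp user url" layout are constructed for the example.

```python
"""Credential-in-URL check over constructed proxy log lines (added example)."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in an assumed "ts user url" layout.
SAMPLE_LOGS = [
    "2016-11-17T08:39:00Z rsuave http://www.someurl.com/login.php?uname=rsuave&browser=chrome",
    "2016-11-17T08:40:00Z al http://example.com/login.php?x=1",           # substring only
    "2016-11-17T08:41:00Z j.doe http://example.com/auth?user=J%2EDoe",    # encoded + case
    "2016-11-17T08:42:00Z bob http://example.com/api/users/bob/profile",  # path segment
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<url>\S+)$")


def url_tokens(url):
    """Decoded path segments plus query values (parse_qsl already unquotes)."""
    parts = urlsplit(url)
    tokens = [unquote(seg) for seg in parts.path.split("/") if seg]
    tokens += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return tokens


def user_in_url(user, url):
    """True when user equals a whole decoded path segment or query value.
    A bare string.find would also flag 'al' inside 'login.php'."""
    u = user.lower()
    return any(tok.lower() == u for tok in url_tokens(url))


def scan(lines):
    """Return (user, url) pairs for log lines whose URL carries the user."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and user_in_url(m["user"], m["url"]):
            hits.append((m["user"], m["url"]))
    return hits


if __name__ == "__main__":
    for user, url in scan(SAMPLE_LOGS):
        print(f"alert: user.src {user!r} found in url {url}")
```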