2014-02-28 02:49 PM
I am pretty new to RSA (we have Security Analytics 10.3.1) and am just trying to understand what some of these things mean. Below are some of the application rules that we have that I'm trying to figure out:
attachment count 4-u (what does this mean??)
service != 443 && tcp.dstport = 443 && streams = 2 (what does the streams=2 mean??)
risk.info count 3-u (what does this mean??)
service = '80' && tcp.dstport = l-79,81-u && streams =2 (what does tcp.dstport=l-79,81-u mean??)
Also, there are a number of alert IDs that I'm seeing in Investigator that are not in the application rules. Where could these alert IDs be coming from? I'm just trying to understand what they mean and if I should be alerting on them. Thanks a bunch for any additional information!
2014-02-28 05:36 PM
The hyphen is a range operator, and "u" and "l" are the upper and lower bounds, respectively. A comma operates as a logical OR in an equivalence comparison, or a logical AND in a not-equals comparison. It's a bit confusing and I won't go into it all; for the purposes of starting out, a comma is an "OR".
So:
attachment count 4-u
means any session with 4 or more attachments.
tcp.dstport = l-79,81-u
means TCP destination ports 1 (the lower boundary for port numbers) through 79 OR 81 through 65535 (upper boundary). In other words, everything except port 80.
Streams
In NW/SA-speak a stream is a flow of traffic in one direction within a session. So src->dest is a stream ("request stream"), and dest->src is a stream ("response stream"). If the session only has one stream, you've only seen unidirectional traffic, perhaps half of the session. streams=2 is a means of saying "we've seen traffic in both directions for the session".
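To make the explanation above concrete, here is a small evaluator for the subset of rule syntax discussed in this thread (hyphen ranges with l/u bounds, comma lists, = and !=, count, and && conjunction), run over a few constructed session-meta records. This is an added example, not code from the original post and not the product's own rule engine: the rule names, the session records, the 0/large upper cap used for non-port keys, and the assumption that every meta key is a list of values are all assumptions made for illustration.

```python
import re
from typing import Dict, List, Tuple, Union

# A session's meta: every key is treated as multi-valued (assumption).
Meta = Dict[str, List[Union[int, str]]]
Spec = Union[Tuple[int, int], str]  # inclusive numeric range, or exact string

# Bounds used for the "l" and "u" markers. The thread gives 1 and 65535 for
# TCP ports; for counts and other numeric keys 0 and a large cap are assumed.
PORT_KEYS = {"tcp.dstport", "tcp.srcport", "udp.dstport", "udp.srcport"}


def bounds(key: str) -> Tuple[int, int]:
    return (1, 65535) if key in PORT_KEYS else (0, 2**31 - 1)


def parse_values(key: str, text: str) -> List[Spec]:
    """Turn the right-hand side of a comparison into a list of specs.

    'l-79,81-u' -> [(1, 79), (81, 65535)]  for a port key
    '443'       -> [(443, 443)]
    "'80'"      -> ['80']                    quoted literal, exact match
    """
    lo, hi = bounds(key)
    specs: List[Spec] = []
    for tok in text.split(","):
        tok = tok.strip()
        m = re.fullmatch(r"(l|\d+)-(u|\d+)", tok)
        if m:
            a = lo if m.group(1) == "l" else int(m.group(1))
            b = hi if m.group(2) == "u" else int(m.group(2))
            specs.append((a, b))
        elif tok.isdigit():
            specs.append((int(tok), int(tok)))
        else:
            specs.append(tok.strip("'\""))
    return specs


def matches(value: Union[int, str], spec: Spec) -> bool:
    if isinstance(spec, tuple):
        try:
            return spec[0] <= int(value) <= spec[1]
        except (TypeError, ValueError):
            return False
    return str(value) == spec


def eval_term(term: str, meta: Meta) -> bool:
    term = term.strip()
    # "<key> count <range>": how many values the session carries for <key>
    m = re.fullmatch(r"([\w.]+)\s+count\s+(\S+)", term)
    if m:
        key, rhs = m.groups()
        n = len(meta.get(key, []))
        return any(matches(n, s) for s in parse_values(key, rhs))
    m = re.fullmatch(r"([\w.]+)\s*(!=|=)\s*(.+)", term)
    if not m:
        raise ValueError(f"unsupported term: {term!r}")
    key, op, rhs = m.groups()
    specs = parse_values(key, rhs)
    values = meta.get(key, [])
    hit = any(matches(v, s) for v in values for s in specs)
    # "=": the comma list is an OR (any listed value may hit).
    # "!=": the list is an AND (none may hit), which is just the negation.
    return hit if op == "=" else not hit


def eval_rule(rule: str, meta: Meta) -> bool:
    """The rules in the thread only use '&&', so a rule is a conjunction."""
    return all(eval_term(t, meta) for t in rule.split("&&"))


# The four rules from the question, under assumed names.
RULES = {
    "http_nonstd_port": "service = '80' && tcp.dstport = l-79,81-u && streams = 2",
    "nonssl_on_443": "service != 443 && tcp.dstport = 443 && streams = 2",
    "many_attachments": "attachment count 4-u",
    "many_risk_info": "risk.info count 3-u",
}

# Constructed sample sessions (not real captures).
SESSIONS: Dict[str, Meta] = {
    "http_on_8080": {"service": [80], "tcp.dstport": [8080], "streams": [2]},
    "http_on_80": {"service": [80], "tcp.dstport": [80], "streams": [2]},
    "ssl_on_443": {"service": [443], "tcp.dstport": [443], "streams": [2]},
    "unknown_on_443": {"service": [0], "tcp.dstport": [443], "streams": [2]},
    "one_way_on_443": {"service": [0], "tcp.dstport": [443], "streams": [1]},
    "mail_with_attachments": {
        "service": [25], "tcp.dstport": [25], "streams": [2],
        "attachment": ["a.zip", "b.exe", "c.pdf", "d.doc", "e.js"],
        "risk.info": ["x", "y", "z"],
    },
}


def fired(meta: Meta) -> List[str]:
    return [name for name, rule in RULES.items() if eval_rule(rule, meta)]


if __name__ == "__main__":
    for name, meta in SESSIONS.items():
        print(f"{name:24s} -> {fired(meta)}")
```

Note the one_way_on_443 record: it has the right service and port for the "non-SSL on 443" rule but only one stream, so the rule stays quiet, which is exactly what the streams = 2 term is there for. The http_on_80 record shows the l-79,81-u range excluding port 80 and nothing else.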
2014-03-03 08:44 AM
I'm seeing a bunch of alerts that are not application rules. Any ideas where those could be coming from?
2014-03-03 05:26 PM
Those are likely from other parsers loaded onto the system.
2014-03-04 08:35 AM
Is there a way to find out where they are or look at them?
2014-03-04 12:48 PM
If we are strictly talking about meta in the ALERT key, then yes, you can likely see those parsers. On the decoder management interface look for FILES. If you have custom parsers loaded on there you should be able to read them in plain text format. What specific alerts are you curious about?
2014-03-04 01:28 PM
For example, in my Alert ID key I am seeing nw32765 and nw32750 show up, and I would like to know what those alerts are referring to so I can know whether or not I should be alerting on them. They are not in my application rules. It looks like I have a NwFlex.parser file, but I don't see any mention of those in there either.
2014-03-04 03:35 PM
Those sound like NetWitness rules that are supposed to be alerting under a readable name in risk.info, warning and suspicious. You might have installed some rules or parsers from live that required content dependencies.
2014-03-12 06:15 AM
You must have other parsers applied. Please search Live using the alert ID; you can find what you need there.
HTTP Header - RSA FlexParser
nw32535, nw32540, nw32545, nw32550, nw32555, nw32560, nw32565, nw32570, nw32575, nw32580, nw32585, nw32590, nw32595, nw32600, nw32605, nw32610, nw32615, nw32620, nw32625, nw32630, nw32635, nw32640, nw32645, nw32650, nw32655, nw32660, nw32665, nw32670, nw32675, nw32680, nw32685, nw32690, nw32695, nw32700, nw32705, nw32710, nw32715, nw32720, nw32725, nw32730, nw32735, nw32740, nw32745, nw32750, nw32755, nw32760, nw32765, nw32770, nw32775
Edited to remove the embedded URLs. -Fielder