2019-12-05 11:57 AM
We are seeing a lot of sessions come through with Brotli compression. Are there any thoughts about uncompressing this traffic so that the NetWitness parsers can leverage the uncompressed packet? Notice the "br" tag on the response.
GET /search?q=love+rosie&addon=opensearch HTTP/1.1
Host: www.xxxx.xxx
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: ECAS=1575476662016; ECFG=a=1:as=1:cs=0:dt=pc:f=i:fr=0:fs=0:l=en:lt=1575476661:mc=en-gb:nf=1:nt=0:t=86:tt=na:tu=auto:wu=auto:ma=1; ecosia_sp2id.3d5d=691ed3ee-9523-4745-9233-c08e477a4de3.1574854898.25.1575476666.1575471428.dc7a65a4-d3f4-4232-9417-4d692ae6c093
2019-12-06 12:06 PM
I will add it to Decoder's Use Case backlog. Thanks for bringing this up!
Scott
2022-09-04 06:45 PM
Hello pcalamar
I am adding a comment for closure on this request.
Support for Brotli Decompression was added to NetWitness from version 11.6 and above.
Reference: RSA announces the release of RSA NetWitness Platform 11.6 - https://community.netwitness.com/t5/netwitness-platform-product/rsa-announces-the-release-of-rsa-netwitness-platform-11-6/ta-p/606807