We are rolling out the new NwConsole fileHash feature across our packet sensors. For other scripts we used tlogin so we don't have to store a password in the script or config file. This does not seem to work for sdk commands.
My first try:
# NwConsole
RSA NetWitness NextGen Console 11.5.0.1
Copyright 2001-2020, RSA Security Inc. All Rights Reserved.
Type "help" for a list of commands or "man" for a list of manual pages.
> tlogin server=localhost port=56005 username=admin group=Administrators cert=/etc/pki/nw/node/node-cert.pem key=/etc/pki/nw/node/node-key.pem
Successfully logged in to localhost:56005 as session 40759260
[localhost:56005] /> sdk content session=now-u where="filename exists" maxDirSize=20mb fileHash=md5,sha1,sha256 linkMeta=sessionid,time,did,uuid deviceType=filehash logDecoder="10.1.2.3:514" session
Persist=/var/netwitness/NwConsole-filehash.persist render=111
Collection not open
Ok, so the sdk collection needs to be opened first. However:
[localhost:56005] /> sdk open
Usage: sdk open {RSA NetWitness NextGen URL}
RSA NetWitness NextGen URL is in the form nw://username:password@server:port
For SSL connections, use the protocol nws
"sdk open" seems to require a username/password. Let's try to use it with "cd /sdk":
[localhost:56005] /> cd /sdk
[localhost:56005] /sdk
[localhost:56005] /sdk> content session=now-u where="filename exists" maxDirSize=20mb fileHash=md5,sha1,sha256 linkMeta=sessionid,time,did,uuid deviceType=filehash logDecoder="10.1.2.3:514"
sessionPersist=/var/netwitness/NwConsole-filehash.persist render=111
Parameter session: Value 'now-u' is not a valid unsigned integer
When fixing that session error (by giving an integer) I get:
Unrecognized parameter 'render'. Did you mean 'renderType'?
Is there any way around this?
