2013-02-22 10:37 AM
I have been tasked with compiling feeds based on known bad hosts that we receive a list from. The list has 3 parts: IPs, FQDNs, hashes. I've been able to compile a feed for the IP information but I am unable to do the same for the hostnames. Nwconsole fails to compile the .feed file.
I've done some looking through the administrator documents relating to the feeds but can't seem to find if I am doing it wrong with the language, etc.
Thanks
Mark
2013-02-22 12:51 PM
A feed can fail to compile due to syntax or xml formatting errors.
Please take a look at Primus article a58924, "Manually Compiling and Deploying Custom Feeds" and Primus article a59743, "Creating and Deploying Custom Feeds Using Live Manager 2.x" for additional details.
If you can create a case through SCOL/Case Management we can take a quick look at the feed files and see if there are any obvious errors.
If the files aren't sensitive, consider posting there as others may be able to review as well.
Access SCOL at https://knowledge.rsasecurity.com or call 800.995.5095, Option 9.
2013-02-22 01:17 PM
OK, I think I have found the error: I didn't have anything for metacallback.
So can I assume that there is no way to search the incoming packet data for MD5 hashes?
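A minimal feed definition for the hostname part of the list, added here as an illustration (not a file from this thread or from RSA): it shows the MetaCallback element whose absence broke the compile in the post above, i.e. the declaration of which session meta key the feed's index column is matched against. Element and attribute names follow the NetWitness flat-file feed definition format as best I recall and are an assumption to check against the Primus articles cited earlier; badhosts.csv is a constructed sample with one `hostname,category` row per line.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added illustration, not a file from the thread. Element and attribute
     names are an assumption about the NetWitness feed definition format;
     verify against the Primus articles before compiling. -->
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
  <!-- badhosts.csv is a constructed sample: "hostname,category" per line,
       lines starting with # are comments -->
  <FlatFileFeed name="Known Bad Hosts" path="badhosts.csv" separator="," comment="#">

    <!-- The piece that was missing in the post above: the meta key the
         feed's index column is compared against. For hostnames that is
         alias.host; truncdomain="false" asks for an exact FQDN match
         rather than a match on the registered domain. -->
    <MetaCallback name="BadHost" valuetype="Text" apptype="0" truncdomain="false">
      <Meta name="alias.host"/>
    </MetaCallback>

    <!-- Meta key the feed writes into a session when a hostname matches -->
    <LanguageKeys>
      <LanguageKey name="threat.category" valuetype="Text"/>
    </LanguageKeys>

    <!-- Column 1 of the CSV is the lookup index (matched via BadHost above),
         column 2 becomes the threat.category value on the session -->
    <Fields>
      <Field index="1" type="index" key="BadHost"/>
      <Field index="2" type="value" key="threat.category"/>
    </Fields>
  </FlatFileFeed>
</FDF>
```

The IP portion of the same list needs a separate FlatFileFeed (or a separate MetaCallback) with valuetype IPv4 against ip.src/ip.dst, since a single index column is matched under one value type.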
2013-03-01 02:04 PM
If MD5 hashes are transmitted in the payload of a TCP packet, then sure. But that's not the way the protocol works. Some applications might communicate that way, for instance between sandboxes, and if it's a cleartext protocol that's being captured, a parser can be created to capture this meta.
But it is my experience that MD5 hashes on files is not a good way to hunt for malware.
What is your goal? To look for new malware?