NetWitness Community

sconz:  i would like to know more detail regarding your queries.. . for example,. what does the order parameter do ? 

Do you hae any other useful queries you utilize in day to day analytic work ? 

I have a similar technique i use to detect blackhole all tho its more generic,.   ;  client = java && filetype contains 'exe'

The order is just present if you export rules form a Decoder. If you were to export all your rules from a Decoder and then open them up in a text editor you'd see the "order" is the order in which the rules are processed.

I have a lot of queries and rules that I use, unfortunately most are written towards custom parsers that I've written as well. I'll dig through them and see if which ones will work with the default Live content.

Thank you for that clarification..  i look forwrd to checking out what you have regarding queries.

Do you know if anyone has created a parser to detect buffer overflows by checking for a large number of consecutive 0x40, 0x41's , 0x42's(ABC) in the payload ?

Hi..

I am a complete noob to netwitness.  we just got it online and i havent gone to their training yet. ive been reading the little material i have from them.

can you tell me where you enter the information you posted ?

name="vr possible drive by" rule="filetype = 'java jar','java class',pdf && filetype = 'windows executable'" order=34 alert=alert type=application

name="vr suspicious jar file" rule="filetype = 'java jar','java class' && extension = 'php'" order=35 alert=alert type=application

name="vr jvm exe download" rule="filetype = 'windows_executable','windows executable' && client contains 'java' && alias.host != 'sdlc-esd.sun.com'" order=13 alert=alert type=application

as well as this one:

client = java && filetype contains 'exe'

i see some places to enter filters and rules but am unsure at this point where i would enter those.

i know this post is old so i hope someone can answer it.

id also take another other good rules, filters, etc... that anyone might have.

thanks to everyone in advance.

You can toss them in Investigator under Edit -> rules -> app rules (then pick file import or network capture). And on a Decoder by clicking the network adapter icon, then clicking the Application Rules tab.

You can copy/paste the name into the "Rule Name" box, then the contents of rule=" " should be copy/pasted into the "Definition" box.

Uncheck "stop rule processing" and click the "Alert" box at the bottom. From there the alert= is what you want to select from the drop down menu (this is where the rule information (name) will be populated. For most of them I'd simply select "Alert"

i usually enter these type of queries int he custom drill down.

client = java && filetype contains 'exe'

I had the same thought as dniz0r.  I would put those queries into a custom drill in Investigator for a on-demand search or create an Alert in Informer so I get an email when something like that happens from a user.  I haven't used app/network rules extensively but will look into them as a resource.  I recently wrote a blog about detecting blacole/redkit HTTP and HTML metarefresh redirections to files like a pdf with javascript, jar or class file, windows exe, etc.  See my ECN profile for the website, if you want to check it out.

One thing I noticed is that in investigator to find .jar or .class files I use "filetype begins java_"  as opposed to "filetype = java jar" or "filetype = java class" as sconz mentioned. I don't doubt his searches are working so I'm curious if  there are subtle changes to meta like space vs. underscore between Netwitness versions or maybe that's an artifact of the rule export from the decoder?  If meta descriptions change that would be unfortunate as then we'd possibly have to rewrite rules, bookmarks, and alerts on version upgrades.

thanks everyone for the advice.

i will have to get some time to explore what everyone is advising.

with this just going live ive been swamped so hopefully i can get a chance to explore these options in the next day or so.

thanks again... any other advice is gladly welcome.