This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

HTTP_lua Parser: missing expected meta

DavidGassman2
Occasional Contributor
Occasional Contributor

‎2019-12-10 10:32 AM

Is anyone else having issues finding expected meta from the HTTP_lua parser?

 

Particularly I'm concerned that the latest version of the parser may not be parsing out these pieces of meta <below> but there may be others:

 

http post no get
http suspicious 4 headers
http suspicious no cookie

 

I have the latest HTTP_lua parser deployed from Live, dated 2019-11-11 7:09 PM

 

Example:

For 'http post no get' testing I used this query <below> to identify sessions that match the scenario:

 

service = 80 && action = 'post' && ~(action='get')

 

However, when I look through those returned sessions I do not see expected meta for analysis.service='http post no get'

 

Help?

 

Thanks in advance,

David

2 REPLIES 2

LeeKirkpatrick
Valued Contributor Valued Contributor
Valued Contributor

‎2019-12-10 10:40 AM

Hey David,

 

That metadata and others get populated by turning on a function in the HTTP_lua_options.lua file located on the Decoder (Admin --> Services --> Decoder --> View --> Config):

pastedImage_1.png

 

There is a function called advanced in this file which defaults to false, you will want to set it to true and reload the parsers;

pastedImage_2.png

 

I would also make sure you have not subscribed to this file from RSA Live as it will overwrite changes.

 

Cheers,

Lee

0 Likes

DavidGassman2
Occasional Contributor
Occasional Contributor
In response to LeeKirkpatrick

‎2019-12-10 10:44 AM

Thanks Lee -- very helpful! 

 

~David

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.