2014-03-27 12:48 PM
Seems I spend more time troubleshooting regexes instead of investigating events... for all the money spent on the tool, it's pretty primitive and time consuming to narrow the data down to what you want.
I figured simple things like ip.dst != 10.0.0.0/8 would simply work... or src.org != 'org name' would work...
How about a better regex guide... I really don't have the time to figure out what works and what doesn't...
Scott,
2014-04-10 03:14 PM
Thanks Scott!
My post was partly in response to the person who said that you never need to use regex, and partly my frustration in getting it to work. I found that I needed the parentheses when testing in several web-based regex testers, but I'll delete them from now on. Great catch to find the behavior by the fat client.
I'm a great fan of Python, so I'll def use the sample REST app in the future.
regards
2014-04-10 04:48 PM
Instead of using an app rule or custom drill to detect hex directories and filenames, try this as a parser:
    local hexPath = nw.createParser("Hex_Path", "hex character directory and filename detection")

    hexPath:setKeys({
        nwlanguagekey.create("risk.suspicious"),
    })

    -- Flag a directory value made up entirely of hex digits.
    -- "%X" matches any character that is NOT a hex digit, so a hit means "not hex".
    function hexPath:checkDir(idx, vlu)
        if vlu then
            -- an empty value contains no non-hex character either, so guard it explicitly
            if vlu == "" or string.find(vlu, "%X") then
                return
            end
            nw.createMeta(self.keys["risk.suspicious"], "hexadecimal directory name")
        end
    end

    -- Flag a filename whose stem (everything before the last dot) is all hex digits.
    function hexPath:checkFile(idx, vlu)
        if vlu then
            local dotPosition = string.find(vlu, "%.")   -- "%." is a literal dot
            if dotPosition then
                -- walk forward to the last dot so "a.b.exe" keeps "a.b" as its stem
                repeat
                    local loopControl = 0
                    local tmpPosition = string.find(vlu, "%.", dotPosition + 1)
                    if tmpPosition then
                        dotPosition = tmpPosition
                        loopControl = 1
                    end
                until loopControl == 0
                vlu = string.sub(vlu, 1, dotPosition - 1)
            end
            -- a filename such as ".htaccess" leaves an empty stem; do not flag it
            if vlu == "" or string.find(vlu, "%X") then
                return
            end
            nw.createMeta(self.keys["risk.suspicious"], "hexadecimal file name")
        end
    end

    hexPath:setCallbacks({
        [nwlanguagekey.create("directory")] = hexPath.checkDir,
        [nwlanguagekey.create("filename")] = hexPath.checkFile
    })
2014-04-10 04:57 PM
Irimi,
I've found a workaround for you. If you click the "Custom Drill" button on the toolbar, you can enter your query like this:
filename regex '([0-9a-zA-Z]{20,})'
And it will submit the query correctly without modifying the parens. I've also fixed Investigator 9.8 so that it will not modify the regex. Look for the fix in a future service pack.
Scott
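As an added example (not code from this thread or from NetWitness), the two heuristics discussed above, the parser's all-hex test on directory and filename stem and the Custom Drill's 20-plus alphanumeric regex, in Python so they can be compared on constructed request paths. It tests each directory component individually, which goes beyond the parser's whole-value check, and guards the empty-stem case.

```python
import re
from typing import List
from urllib.parse import urlsplit

# Same rule as the Lua parser: a name is "hex" when every character is a hex digit.
HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")
# Same rule as the Custom Drill query: 20 or more consecutive alphanumerics.
LONG_ALNUM = re.compile(r"[0-9a-zA-Z]{20,}")

# Constructed sample request paths; not taken from any real capture.
SAMPLE_PATHS = [
    "/a1b2c3d4/e5f6.exe",
    "/images/logo.png",
    "/wp-content/x9K2mQ7pL3vB8nT4zR6wY1c.php?id=5",
    "/.htaccess",
    "/deadbeef/",
]

def split_request(url: str):
    """Return (directory components, filename stem); the stem drops everything from the last dot."""
    path = urlsplit(url).path  # the query string is not part of directory/filename meta
    directory, _, filename = path.rpartition("/")
    components = [c for c in directory.split("/") if c]
    stem = filename.rsplit(".", 1)[0]
    return components, stem

def classify(url: str) -> List[str]:
    """Tags a path would receive under the two heuristics discussed in the thread."""
    tags = []
    components, stem = split_request(url)
    # The Lua parser tests the whole directory value; here each component is tested,
    # so "/deadbeef/" is caught even though the meta value carries slashes.
    if any(HEX_ONLY.match(c) for c in components):
        tags.append("hexadecimal directory name")
    # An empty stem (".htaccess") is never hex; the guard avoids a false positive.
    if stem and HEX_ONLY.match(stem):
        tags.append("hexadecimal file name")
    if LONG_ALNUM.search(stem):
        tags.append("long alphanumeric file name")
    return tags

def run(paths=SAMPLE_PATHS) -> dict:
    """Map each sample path to its tags; paths with no tags are left out."""
    return {p: classify(p) for p in paths if classify(p)}

if __name__ == "__main__":
    for path, tags in run().items():
        print(f"{path}: {', '.join(tags)}")
```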
2014-04-11 09:23 AM
What is the malware that you see that makes these get requests? Do you have a hash? I might have better rules for detecting this that I could share.