2014-02-25 01:34 PM
Can anyone help me with this rule? It is not working properly:
Select: ip.dst
Where: ip.src=10.10.10.10
Then:
lookup_and_add('ip.src','ip.dst',5);
lookup_and_add('size','ip.dst',5);
lookup_and_add('ip.dstport','ip.dst',5);
lookup_and_add('payload','ip.dst',5);
lookup_and_add('packets','ip.dst',5);
This just creates a list of ip.dst and does not take any action on the "lookup and add". Anyone know why this isn't working?
2014-02-27 11:37 AM
This is going to sound odd, but try:
ip.src='10.10.10.10'
Adding the two single quotes might make it work.
2014-02-27 01:37 PM
No dice, that did not change the results of the rule.
2014-02-27 05:59 PM
If you are specifying your ip.src in your where clause why are you adding it back in with a lookup and add? Just curious.
There is no such thing as ip.dstport. You might want tcp.dstport.
Payload and Packets are not indexed, so I don't think you will get those values back on the query.
2014-02-28 08:57 AM
When I do lookup_and_adds, I always change each line to point to the previous one:
#lookup_and_add('ip.src','ip.dst',5); < was probably causing all the issues, as it would return the same values if none of the lines below existed. >
lookup_and_add('size','ip.src',5);
lookup_and_add('ip.dstport','size',5);
lookup_and_add('payload','ip.dstport',5);
lookup_and_add('packets','payload',5);
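As an added example (not from the thread and not the product's own engine), here is a small Python model of the Select / lookup_and_add chain over constructed sessions. The semantics of lookup_and_add assumed here (for each result row, the top-N values of the new key among sessions that share that row's based-on value, inside the Where clause) are an assumption used only to show why pointing each line at the previous key changes the result, and why a key no session carries, such as ip.dstport, returns nothing.

```python
from collections import Counter

# Constructed sample sessions (assumed data, not real traffic).
SESSIONS = [
    {"ip.src": "10.10.10.10", "ip.dst": "192.0.2.5", "tcp.dstport": 443, "size": 1200},
    {"ip.src": "10.10.10.10", "ip.dst": "192.0.2.5", "tcp.dstport": 443, "size": 800},
    {"ip.src": "10.10.10.10", "ip.dst": "192.0.2.9", "tcp.dstport": 22, "size": 64},
    {"ip.src": "10.10.10.10", "ip.dst": "192.0.2.9", "tcp.dstport": 80, "size": 64},
    {"ip.src": "10.10.10.10", "ip.dst": "198.51.100.3", "tcp.dstport": 22, "size": 64},
    {"ip.src": "10.10.10.99", "ip.dst": "203.0.113.7", "tcp.dstport": 25, "size": 300},
]

def where(sessions, clause):
    """Apply the Where clause: keep sessions matching every key/value in clause."""
    return [s for s in sessions if all(s.get(k) == v for k, v in clause.items())]

def select(scope, key):
    """Select <key>: one row per distinct value of key, most frequent first."""
    return [{key: v} for v, _ in Counter(s[key] for s in scope).most_common()]

def lookup_and_add(rows, scope, new_key, based_on, limit):
    """Assumed model of lookup_and_add(new_key, based_on, limit): for each row,
    take the top `limit` values of new_key among sessions in scope that share the
    row's based_on value. A key no session carries yields no rows at all."""
    out = []
    for row in rows:
        pool = (s.get(new_key) for s in scope if s.get(based_on) == row[based_on])
        counts = Counter(v for v in pool if v is not None)
        out.extend({**row, new_key: v} for v, _ in counts.most_common(limit))
    return out

def run_rule(chain, sessions=SESSIONS):
    """Select ip.dst Where ip.src=10.10.10.10, then apply each (new_key, based_on)."""
    scope = where(sessions, {"ip.src": "10.10.10.10"})
    rows = select(scope, "ip.dst")
    for new_key, based_on in chain:
        rows = lookup_and_add(rows, scope, new_key, based_on, 5)
    return rows

# Every line based on ip.dst (the original post) versus each line based on the
# previous key (the last reply). Only tcp.dstport is used; ip.dstport does not exist.
FLAT = [("size", "ip.dst"), ("tcp.dstport", "ip.dst")]
CHAINED = [("size", "ip.dst"), ("tcp.dstport", "size")]

if __name__ == "__main__":
    for name, chain in (("flat", FLAT), ("chained", CHAINED)):
        print(name, len(run_rule(chain)), "rows")
    print("ip.dstport", run_rule([("ip.dstport", "ip.dst")]))  # -> []
```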