This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Looking for searching criteria on SA based on Filename

Go to solution
RSAAdmin
Beginner
Beginner

‎2014-05-22 03:50 AM

Dear Friends,

 

I want to search a infection based on file name and the filename information provided below

 

Find the below info which shows a successful exploit callback. I am not sure how to make search on SA with file name since the file name is alphanumeric and its gets change randomly. I believe there could be lots of infection with same pattern. We use only packet decoder so regex won't work.


Please note that i want search with only filename since the directory field is always empty.



 

orig_ip :  10.32.7.154

 

ip.addr :  10.32.7.154

 

action :  post

 

alias.ip :  188.165.235.115

 

directory :  /

 

filename :  6197C9EB5912A0CF20F5E130E79F0B14

 

content :  application/x-www-form-urlencoded

 

client :  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0

 

alias.ip :  188.165.235.115

 

alert.id :  nw32550

 

risk.info :  http direct to ip request

 

threat.category :  spectrum

 

threat.source :  netwitness

 

orig_ip :  10.32.7.154

 


Thank you,


Awaiting for valuable response.



0 Likes
13 REPLIES 13

Go to solution
Anonymous
Not applicable
In response to RSAAdmin

‎2014-06-05 04:28 AM

@Fielder

Hi I observed lot many communication with the client application contains "gecko/20100101".

Does it mean all the source machines are infected?

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-06-05 09:35 AM

If I were a betting man, I'd bet that those hosts are communicating via an illegitimate application.  "infected" is a strong word, but your hosts definitely require investigation.

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-06-08 03:24 PM

So what did your investigation(s) into that UA string find?

0 Likes

Go to solution
Anonymous
Not applicable
In response to RSAAdmin

‎2014-06-09 04:29 AM

On my client side getting a host access is big challenge. Requested for the same.

 

But on the wire I saw few requests to 205.196.120.6 (mediafire.com) and 91.198.174.208 (bits.wikimedia.org)

 

Almost same kind of request which urlquery says for  91.198.174.208

_urlquery.net - Free url scanner

 

I drilled for dynamic dns but there is not hits found.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.