NetWitness Community

run into a weird issue. after adding the parser and keys I am finding only "Email content, encoding and MessageID" are populating.

I removed a few parts of the parser that were either commented out, or potentially causing the pointer to missing the inital "MAIL FROM" but Im still baffled.

<parser name="advanced_email" desc="advanced_email">

    <declaration>

      <!--

****

META DECLARATIONS

****

-->

      <meta name="fromaddy" key="email.fromaddy" format="Text" />

      <meta name="toaddy" key="email.toaddy" format="Text" />

      <meta name="emailip" key="email.ip" format="Text" />

      <meta name="emaildomain" key="email.domain" format="Text" />

      <meta name="mailer" key="email.mailer" format="Text" />

      <meta name="content" key="email.content" format="Text" />

      <meta name="encoding" key="email.encoding" format="Text" />

      <meta name="messid" key="email.messageid" format="Text" />

<meta name="ioc" key="soc.ioc" format="Text" />

<meta name="misc" key="soc.misc" format="Text" />

      <!--

****

STRINGS

****

-->

      <string name="myString_Temp" />

      <string name="myString_Empty" scope="constant"/>

      <!--

****

NUMBERS

****

-->

      <number name="myNum_offset"/>

      <number name="myNum_offset2"/>

      <number name="myNum_offset3"/>

      <number name="myNum_FoundEHLO" scope="stream"/>

      <number name="myNum_FoundPopLogic" scope="stream"/>

      <number name="myNum_FoundLogin" scope="stream"/>

      <number name="myNum_TriggeredAlertAlready" scope="stream"/>

      <!--

****

TOKENS

****

-->

      <token name="myToken_EHLO" value="EHLO" options="linestart" />

      <token name="myToken_EHLO" value="HELO" options="linestart" />

      <token name="myToken_FROM" value="MAIL From: &#x3C;" options="linestart" />

      <token name="myToken_FROM" value="MAIL From:&#x3C;" options="linestart" />

<token name="myToken_FROM" value="&#x4D;&#x41;&#x49;&#x4C;&#x20;&#x46;&#x52;&#x4F;&#x4D;&#x3A;&#x3C" options="linestart"/>

<token name="myToken_FROM" value="&#x4D;&#x41;&#x49;&#x4C;&#x20;&#x46;&#x52;&#x4F;&#x4D;&#x3A;&#x20;&#x3C" options="linestart"/>

<token name="myToken_FROM" value="MAIL FROM:<" options="linestart"/>

<token name="myToken_FROM" value="MAIL FROM: <" options="linestart"/>

      <token name="myToken_TO" value="RCPT To: &#x3C;" options="linestart" />

      <token name="myToken_TO" value="RCPT To:&#x3C;" options="linestart" />

<token name="myToken_TO" value="MAIL TO: <" options="linestart"/>

<token name="myToken_TO" value="MAIL TO:<" options="linestart"/>

<token name="myToken_TO" value="&#x52;&#x43;&#x50;&#x54;&#x20;&#x54;&#x4F;&#x3A;&#x3C" options="linestart"/>

<token name="myToken_TO" value="&#x52;&#x43;&#x50;&#x54;&#x20;&#x54;&#x4F;&#x3A;&#x20;&#x3C" options="linestart"/>

      <token name="myToken_Mailer" value="X-mailer: " options="linestart" />

      <token name="myToken_Mailer" value="X-Mailer: " options="linestart" />

      <token name="myToken_Forefront" value="X-Forefront-Antispam-Report: CIP:" options="linestart" />

      <token name="myToken_MessageID" value="Message-ID:" options="linestart" />

      <token name="myToken_ContentType" value="Content-Type:" options="linestart" />

      <token name="myToken_Encoding" value="Content-Transfer-Encoding:" options="linestart" />

    </declaration>

    <!--

****

FILTER MATCH

****

-->

    <match name="myToken_EHLO">

      <assign name="myNum_FoundEHLO" value="1"/>

    </match>

    <!--

****

REMAINING MATCHES

****

-->

    <match name="myToken_FROM">

      <if name="myNum_FoundEHLO" notequal="1">

        <end/>

      </if>

      <find name="myNum_offset" value="&#x3E;" length="64">

        <read name="myString_Temp" length="$myNum_offset">

<if name="myString_Temp" notequal="$myString_Empty">

<register name="fromaddy" value="$myString_Temp" />

<assign name="myString_Temp" value="$myString_Empty"/>

</if>

        </read>

      </find>

    </match>

    <match name="myToken_TO">

      <if name="myNum_FoundEHLO" notequal="1">

        <end/>

      </if>

      <find name="myNum_offset" value="&#x3E;" length="64">

        <read name="myString_Temp" length="$myNum_offset">

<if name="myString_Temp" notequal="$myString_Empty">

<register name="toaddy" value="$myString_Temp" />

<assign name="myString_Temp" value="$myString_Empty"/>

</if>

        </read>

      </find>

    </match>

    <match name="myToken_Mailer">

      <if name="myNum_FoundEHLO" notequal="1">

        <end/>

      </if>

      <find name="myNum_offset" value="&#x0D;" length="64">

        <read name="myString_Temp" length="$myNum_offset">

<if name="myString_Temp" notequal="$myString_Empty">

<register name="mailer" value="$myString_Temp" />

<assign name="myString_Temp" value="$myString_Empty"/>

</if>

        </read>

      </find>

    </match>

    <match name="myToken_ContentType">

      <if name="myNum_FoundEHLO" notequal="1">

        <end/>

      </if>

      <find name="myNum_offset" value="&#x0D;" length="64">

        <read name="myString_Temp" length="$myNum_offset">

<if name="myString_Temp" notequal="$myString_Empty">

<register name="content" value="$myString_Temp" />

<assign name="myString_Temp" value="$myString_Empty"/>

</if>

        </read>

      </find>

    </match>

     <match name="myToken_Encoding">

      <if name="myNum_FoundEHLO" notequal="1">

        <end/>

      </if>

      <find name="myNum_offset" value="&#x0D;" length="64">

        <read name="myString_Temp" length="$myNum_offset">

<if name="myString_Temp" notequal="$myString_Empty">

<register name="encoding" value="$myString_Temp" />

<assign name="myString_Temp" value="$myString_Empty"/>

</if>

        </read>

      </find>

    </match>

    <match name="myToken_MessageID">

      <if name="myNum_FoundEHLO" notequal="1">

        <end/>

      </if>

      <find name="myNum_offset" value="&#x0D;" length="64">

        <read name="myString_Temp" length="$myNum_offset">

<if name="myString_Temp" notequal="$myString_Empty">

<register name="messid" value="$myString_Temp" />

<assign name="myString_Temp" value="$myString_Empty"/>

</if>

        </read>

      </find>

    </match>

  </parser>

No doubt my tampering broke it more, but the mail from and to where not populating in its native form as per what you posted Fielder.

I get the feeling Netwitness just don't want me to know who the email's are from

Regards

Dave

Make sure your pcaps have matching tokens being called in the parser.

I have deployed it on my decoder, and its seeing loads of email traffic, just for some reason its not pulling the email's out. I confirmed the packets have "MAIL FROM:<" in them, meaning this parser should be hitting the Match statement.

... Confused.

on a side note. I still have the Enhanced Mail parser deployed via live. is that likely to cause any conflicts?

Dave