2023-07-24 10:42 AM - edited 2023-07-24 10:59 AM
I noticed today that some of my emails have host information that is being parsed from the message body. I just want to know if this is a bug or a feature. For example, the sender includes alternate email addresses in their signature and because of the format I think it's being seen as a header item. I get meta for tld (com), sld (alternatedomain), domain (alternatedomain.com), and alias.host (networking.alternatedomain.com). This was a problem when the user mistyped their signature and included a domain that we had rules to alert on. I looked in the Mail_Lua.options and function parseReceived() is set to return true, which the comments say could be problematic. Are these the problems referred to? If so, what do I lose if I change it to false?
Example signature:
v/r
Bob
Alternate: bob@networking.alternatedomain.com<mailto:bob@networking.alternatedomain.com>
----
Edit:
As an additional note, I noticed that some messages have parsed information from the HTML portion of the message. The xmlns portion of the message parsed out schemas.microsoft.com as host information similar to the above.
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http://www.w3.org/TR/REC-html40">
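The effect described in the post above can be reproduced outside the product. This is an added example, not part of the original thread and not NetWitness or Mail_Lua code: it assumes a scanner that treats any "Name: value" line as a header and compares it with parsing that stops at the blank line ending the header block. The message is constructed and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message; only the signature lines come from the post.
RAW = (
    "From: Bob <bob@example.org>\r\n"
    "To: alice@example.net\r\n"
    "Subject: status\r\n"
    "\r\n"
    "See notes below.\r\n"
    "v/r\r\n"
    "Bob\r\n"
    "Alternate: bob@networking.alternatedomain.com"
    "<mailto:bob@networking.alternatedomain.com>\r\n"
)

# Assumed scanner behaviour: any "Name: ...@host" line is taken as a header.
HEADER_LIKE = re.compile(
    r"^[A-Za-z][A-Za-z0-9-]*:[^\r\n]*?@([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.M)

def naive_hosts(raw):
    """Hosts found by the line-based scan, which ignores the header/body split."""
    return sorted({h.lower() for h in HEADER_LIKE.findall(raw)})

def header_hosts(raw):
    """Hosts from real address headers only; parsing ends at the first blank line."""
    msg = message_from_string(raw)
    values = [v for name in ("From", "To", "Cc", "Reply-To")
              for v in msg.get_all(name, [])]
    return sorted({addr.rpartition("@")[2].lower()
                   for _, addr in getaddresses(values) if "@" in addr})

def body_only_hosts(raw):
    """Hosts the naive scan reports that no genuine header contains."""
    trusted = set(header_hosts(raw))
    return [h for h in naive_hosts(raw) if h not in trusted]

def host_meta(host):
    """Split a host into the meta keys named in the post (simple label split)."""
    labels = host.split(".")
    return {"tld": labels[-1], "sld": labels[-2],
            "domain": ".".join(labels[-2:]), "alias.host": host}

if __name__ == "__main__":
    for host in body_only_hosts(RAW):
        print(host_meta(host))
```

Hosts that appear only in the naive result are candidates for a lower-confidence tag or an exclusion in alerting rules, since they originate from body text rather than from message headers.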
2023-10-25 03:59 PM
Dion,
I don't know if you have gotten an answer to your issue yet or not. Unfortunately I don't have a direct answer for what will happen if you turn the option to false. However, I did want you to know that some strange behavior can occur if your decoder captures email bursts to and from your mail server. We have seen that most email servers bundle multiple emails together and send them at the same time. What tends to happen is that the decoder will detect these emails as a single session from the email server. This can cause what appears to be emails merged together, emails with very different email addresses associated with them, multiple attachments that do not seem appropriate, as well as max meta reached error messages on the decoder. This is why it is very important to know how your decoder is capturing these messages as they go by.
If you are still experiencing issues and would like more directed assistance, please feel free to open a NetWitness Support case and one of my people will be happy to assist with your questions.