2018-03-28 03:35 PM
I have a question from an internal customer:
"Would like to get RSA engaged and find out how to further tune false positives from the Spectrum/Malware Analysis appliance. For instance, if we saw a McAfee DAT file fire that was a false positive, we would like to tune this filename/hash/various other characteristics to prevent the tool from firing in the future. If we can get this to tune as requested, we would like to ingest syslog into the SIEM and look at potential alerts."
The customer already has RSA Security Analytics User Documentation. Is there any other resource he can access to help answer his questions?
2018-03-29 01:00 PM
I would take a look at these items to see where you have the opportunity to filter out files from the malware pipeline.
Most likely you will add an app rule to mark that file type/extension, or other combination, with a value of spectrum.filter in the content metakey to remove that flow from being sent to the MA appliance.
2018-03-29 01:26 PM
Thanks Eric. How do we tune this within the Spectrum appliance? We shouldn't have to go in and modify tags outside of the appliance just to tune this.
For instance, we want to tune out/in filenames/hashes/extensions from IOCs that fire here.
2018-03-29 01:38 PM
Several things to do to filter down the traffic to the Malware Appliance:
2018-03-29 01:41 PM
select * where content='spectrum.consume' || content='spectrum.consume11'
That is the filter command from Spectrum. You could try to adjust that, but it's not scalable to update that for specific filters.
Using a feed or app rule to filter in or out items from the MA pipeline is the best way to do it as far as I know.
In the MA > Config > Hash tab you can search for an MD5 in there and add it to trusted (edit the entry and save it). That way you can trust certain hashes that have come in already.
2018-03-29 02:57 PM
Actually, the Spectrum parser now only tags sessions with appropriate files as "spectrum.analysis"; then the Application Rule applies the filtering:
spectrum.consume content='spectrum.analysis' && content != 'spectrum.filter'
As I noted before, adding && direction='outbound' will drastically cut down on the number of sessions even sent to MA, cutting out lateral (internal-internal) and inbound (external-internal) sessions.
So to filter sessions PRIOR to MA even getting them, use either an app rule, feed, or custom parser to tag those sessions with 'spectrum.filter' in the "content" metakey.
This is far more effective than filtering them by hash in the appliance itself.
A long time ago, I helped create filtering for your deployment, Joe, if you are still at the same company. I cut it down from 60,000 sessions per hour to 600 sessions per hour being consumed, but I fear all that filtering was lost some time in the past.
John E. Snider | Senior Consultant, SME, Professional Services | GCIH, GCFA | RSA
m: +1 (281) 813-7147 | e: john.snider@rsa.com | www.rsa.com | Time Zone: America/Central Time (CST6DST)
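As an added illustration of the filtering described in the post above (example code written for this page, not NetWitness's rule engine or anything posted in the thread): a small Python model of the spectrum.consume rule, with and without the direction='outbound' clause, and of an app rule that tags sessions carrying a trusted filename with spectrum.filter before they reach MA. The session records and the '.dat' suffix used as the "trusted" pattern are constructed for the example.

```python
from dataclasses import dataclass, replace

# Constructed stand-in for NetWitness session meta; not real captured data.
@dataclass(frozen=True)
class Session:
    sid: int
    filename: str
    direction: str           # 'outbound', 'inbound' or 'lateral'
    content: frozenset       # multi-valued "content" metakey

def tag_trusted(s: Session, trusted_suffixes: set) -> Session:
    """Model of the app rule / feed step from the thread: if the carried file looks
    trusted (here: by suffix), write 'spectrum.filter' into content so MA never sees it.
    Suffix matching is an assumption for the example; a real rule could key on hash too."""
    if any(s.filename.lower().endswith(sfx) for sfx in trusted_suffixes):
        return replace(s, content=s.content | {'spectrum.filter'})
    return s

def spectrum_consume(s: Session, outbound_only: bool = False) -> bool:
    """Model of: content='spectrum.analysis' && content != 'spectrum.filter'
    [&& direction='outbound']. Any 'spectrum.filter' value opts the session out,
    even when 'spectrum.analysis' is also present (content is multi-valued)."""
    if 'spectrum.analysis' not in s.content:
        return False
    if 'spectrum.filter' in s.content:
        return False
    if outbound_only and s.direction != 'outbound':
        return False
    return True

def sessions_sent_to_ma(sessions, trusted_suffixes, outbound_only=False):
    """Return the ids of sessions that would still be handed to the MA appliance."""
    tagged = (tag_trusted(s, trusted_suffixes) for s in sessions)
    return [s.sid for s in tagged if spectrum_consume(s, outbound_only)]

# Constructed sample sessions covering each branch of the rule.
TRUSTED_SUFFIXES = {'.dat'}
SESSIONS = [
    Session(1, 'setup.exe',  'outbound', frozenset({'spectrum.analysis'})),
    Session(2, 'avvdat.dat', 'outbound', frozenset({'spectrum.analysis'})),   # trusted -> filtered
    Session(3, 'tool.exe',   'inbound',  frozenset({'spectrum.analysis'})),   # cut by outbound clause
    Session(4, 'notes.pdf',  'lateral',  frozenset()),                        # never tagged for analysis
    Session(5, 'agent.exe',  'outbound', frozenset({'spectrum.analysis', 'spectrum.filter'})),
]

if __name__ == '__main__':
    print(sessions_sent_to_ma(SESSIONS, TRUSTED_SUFFIXES))                      # [1, 3]
    print(sessions_sent_to_ma(SESSIONS, TRUSTED_SUFFIXES, outbound_only=True))  # [1]
```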