This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Odd response to investigator queries

MikeKupec
Beginner
Beginner

‎2016-09-06 11:28 AM

I have a question about how the query function in Investigator is supposed to work. 

If I do a query on a meta value like ip.src such as:   ip.src  =  128.177.108.37

The results will show just 128.177.108.37 in meta value Source IP Address (ip.src) along with everything associated with it within investigator. 

 

However, if I do the same kind of filter on a meta key like "filename" like so:  filename = 'index.php' 

I get that entry listed in the filename meta value plus lots of other file names. 

 

Shouldn't it filter out all the other filenames? Or is this SOP for the way Investigator queries work?

 

Currently running 10.6.1.0 BTW. 

0 Likes
2 REPLIES 2

DavidWaugh1
Employee
Employee

‎2016-09-06 01:22 PM

Hi this is working as expected.

Let me explain a bit further.

 

when you do filename = 'index.php' what you are asking is "return me all sessions where there is a filename containing index.php" In a session there can be more than one filename. For example in a web session then many different files may be contained.

 

This is why when you may see more than one filename in a session (and get other filenames returned)

 

A Session can only have one source IP and destination IP associated with it, and so this is why you only get one ip shown in these cases.

 

Hope that is clear.

 

In general a session is:

 

1) A single log line

2) Anything that happens between the TCP three way handshake and when the TCP Connection is terminated. 

3) A UDP Packet. 

MikeKupec
Beginner
Beginner
In response to DavidWaugh1

‎2016-09-06 02:28 PM

OK, that makes some sense. 

I was under the impression it was similar to a database query where I'm asking NW to give me anything that had a file with the filename "index.php". That was how I looked at what the Meta Key "filename" represented. 

 

Never really paid much attention to queries that delved into more that IP, Service Type, Source & Destination countries & Hostname Alias Records.  Been delving more into the latest Live feeds that just came out (like KeyBase KeyLogger) and in that feed part of the query has "filename = 'post.php'..."  We fortunately haven't had that kind of malware hit us, so I was testing it with other filenames like "index.php" and saw the odd result I was asking about. 

 

Thanks again for the response. 

© 2022 RSA Security LLC or its affiliates. All rights reserved.