This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Parsers

CristianoAlves
Beginner
Beginner

‎2019-03-18 02:10 PM

H, 

I need understand, if exist the possible for crerate a new field for this logs :

{"User":"00006063180","Password":"34831123"}

we need create a field (meta) with 

User: 

Password

Preview file
9 KB
0 Likes
19 REPLIES 19

DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2019-03-18 04:22 PM

Alves

 

You can create meta within the system.

 

Is this for logs or packets?

 

Thanks

 

Dave

0 Likes

CristianoAlves
Beginner
Beginner
In response to DaveGlover

‎2019-03-18 04:49 PM

Packet.

I did need konw, how create a field with regex.

Is possible ?

 

I don't know how create this field.

Preview file
11 KB
0 Likes

DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor
In response to CristianoAlves

‎2019-03-18 04:54 PM

Alves

 

This will have to be written in LUA for the packet parsing.

 

Does the value already parse? Do you want to do finer parsing than what is there?

 

Dave

0 Likes

CristianoAlves
Beginner
Beginner
In response to DaveGlover

‎2019-03-18 05:05 PM

I know nothing about LUA.
What i need do for beginning ?

 

Or can you help create this ?

0 Likes

WilliamMotley1
Frequent Contributor Frequent Contributor
Frequent Contributor
In response to CristianoAlves

‎2019-03-19 09:57 AM

This is untested but syntactically correct.  It should get you at least close.

 

local userpass = nw.createParser("userpass", "custom for Cristiano Alves")
userpass:setKeys({
  nwlanguagekey.create("user"),
  nwlanguagekey.create("password"),
})
function userpass:streamBegin()
  self.streamVars = {}
end
function userpass:onUser(token, first, last)
  self.streamVars.userBegin = last + 1
end
function userpass:onPassword(token, first, last)
  if self.streamVars.userBegin then
    local payload = nw.getPayload(self.streamVars.userBegin, last + 64)
    local userEnd = first - self.streamVars.userBegin
    local passwordBegin = last - self.streamVars.userBegin + 2
    self.streamVars.userBegin = nil
    if payload then
      local passwordEnd = payload:find('"}', passwordBegin, -1)
      if passwordEnd then
        local userString = payload:tostring(1, userEnd)
        local passwordString = payload:tostring(passwordBegin, passwordEnd - 1)
        if user and password then
          nw.createMeta(self.keys["user"], userString)
          nw.createMeta(self.keys["password"], passwordString)
        end
      end
    end
  end
end
userpass:setCallbacks({
  [nwevents.OnStreamBegin] = userpass.streamBegin,
  ['{"User":"'] = userpass.onUser,
  ['","Password":"'] = userpass.onPassword,
})
 

CristianoAlves
Beginner
Beginner
In response to WilliamMotley1

‎2019-03-19 10:15 AM

Tnks Motley.

Can i save with .lua ?

0 Likes

WilliamMotley1
Frequent Contributor Frequent Contributor
Frequent Contributor
In response to CristianoAlves

‎2019-03-19 10:26 AM

Yep.  Save it with a .lua extension, place it in /etc/netwitness/ng/parsers/ then reload parsers.

0 Likes

CristianoAlves
Beginner
Beginner
In response to WilliamMotley1

‎2019-03-19 03:00 PM

Hi, Motley.

We upload script.lua and reload parsers, but don't see events with parsers.

Exist one troubleshooting this ?

0 Likes

WilliamMotley1
Frequent Contributor Frequent Contributor
Frequent Contributor

‎2019-03-19 03:24 PM

Without a pcap to test against it's difficult to troubleshoot.  And since it would obviously contain sensitive information, I expect you'd be hesitant to share one.

 

Next best thing would be to add some lines to the parser that log what the parser is doing.  Caveat is that the log could easily be flooded depending on how many sessions the parser is seeing.

 

Load this, watch the log ('tail -f /var/log/messages | grep userpass'), and reload parsers.

 

local userpass = nw.createParser("userpass", "custom for Cristiano Alves")
nw.logInfo("userpass - parser loaded")
userpass:setKeys({
  nwlanguagekey.create("user"),
  nwlanguagekey.create("password"),
})
function userpass:streamBegin()
  self.streamVars = {}
end
function userpass:onUser(token, first, last)
  nw.logInfo("userpass - saw onUser")
  self.streamVars.userBegin = last + 1
end
function userpass:onPassword(token, first, last)
  nw.logInfo("userpass - saw onPassword")
  if self.streamVars.userBegin then
    nw.logInfo("userpass - have userBegin")
    local payload = nw.getPayload(self.streamVars.userBegin, last + 64)
    local userEnd = first - self.streamVars.userBegin
    local passwordBegin = last - self.streamVars.userBegin + 2
    self.streamVars.userBegin = nil
    if payload then
      nw.logInfo("userpass - have payload")
      local passwordEnd = payload:find('"}', passwordBegin, -1)
      if passwordEnd then
        nw.logInfo("userpass - found passwordEnd")
        local userString = payload:tostring(1, userEnd)
        local passwordString = payload:tostring(passwordBegin, passwordEnd - 1)
        if user and password then
          nw.logInfo("userpass - user '" .. user .. "', password '" .. password .. "'")
          nw.createMeta(self.keys["user"], userString)
          nw.createMeta(self.keys["password"], passwordString)
        end
      end
    end
  end
end
userpass:setCallbacks({
  [nwevents.OnStreamBegin] = userpass.streamBegin,
  ['{"User":"'] = userpass.onUser,
  ['","Password":"'] = userpass.onPassword,
})
0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.