This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Parsing the HTTP ACCEPT Codes

RSAAdmin
Beginner
Beginner

‎2012-10-01 01:47 PM

I had an unusual request for a use case by a customer last week.  They wanted to be able to identify when a webserver issued an "Accept: Accept: */*" in the request.  I've rarely bothered to look in that line of the HTML request until the customer pointed me to this article which shows how some malware evades detection, or can communicate via these ACCEPT requests-

 

http://blog.lastline.com/post/17789095174/real-world-signature-evasion-by-malware

 

In the blog, they mention the following specific thing to watch for:

POST /Count/Count.asp HTTP/1.1

Accept: Accept: */*

Content-Type: application/x-www-form-urlencoded

User-Agent: MyApp

Host: www.baidu.com

Content-Length: 85

Cache-Control: no-cache

Mac=12-34-56-78-90-12&Os=Windows+XP&Ver=20091107&Key=..

 

So I modified an old parser I had lying around to pull out everything after the "Accept: " line to populate a meta key.

 

I chose to use the meta key of result.code-  its a key that is intended for use with NWFL, but the customer isn't using that feature, and these keys can be used without special modification of the index. 

 

Here is the parser, and I called it "accept.parser"

 

<?xml version="1.0" encoding="utf-8"?>

<parsers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="parsers.xsd">

                <parser name="ACCEPT" desc="This extracts the ACCEPT code from the Accept http line">

                                <declaration>

                                                <token name="tAccept" value="Accept: " options="linestart" />

                                                <number name="vAcceptPosition" scope="stream" />

                                                <string name="vAccept" scope="stream" />

                                                <meta name="meta" key="result.code" format="Text" />

                                </declaration>

 

 

                                <match name="tAccept">

                                                <find name="vAcceptPosition" value="&#x0d;&#x0a;" length="512">

                                                                <read name="vAccept" length="$vAcceptPosition">

                                                                                <register name="meta" value="$vAccept" />

                                                                </read>

                                                </find>

                                </match>

                </parser>

</parsers>

 

The results in my test data set did show some unusual outliers for analysis-  a good way to capture the rarest nuggets from the results is to run an Informer report looking for the rarest 30 result.codes.

 

resultcodes.JPG

 

Feel free to deploy this and if you find anything really cool, be sure to share.

0 Likes
0 REPLIES 0
© 2022 RSA Security LLC or its affiliates. All rights reserved.