This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Questions on using Decoder parsers

Go to solution
Anonymous
Not applicable

‎2015-07-13 05:11 PM

I'm trying to solve two separate problems and running into brick walls with both.

 

Background:  Running NetWitness 9.8.5.20 - Decoders + Concentrators + Broker.

 

Problem #1:  I want to set an alert if a *packet* has a certain number of bytes in the data payload. 

I went down the road of thinking the snort engine could do this with the "dsize" directive, but it appears this isn't implemented

in the NW snort parser.  Note:  I'm looking for a specific *packet*, not the whole session/stream.

 

Problem #2: I want to see if an HTTP Cookie matches a PCRE and set an alert.   Similar issue-- thinking snort parser, but PCRE on snort parser only looks at URI. Should I try the Search engine for this (setting PATTERN to be "Cookie: <My PCRE>", or is there a better way?

 

Thanks for any insight-

 

--- Cris

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2015-07-16 05:37 PM

One way in lua would be:

 

string.find(someString, "%u%u%u?%u?%u?=%a+")

 

%u is any upper case character

%a is any character (case-insensitive)

 

I'll write up a quick lua parser proof of concept for you soon.

View solution in original post

0 Likes
3 REPLIES 3

Go to solution
RSAAdmin
Beginner
Beginner

‎2015-07-14 11:07 AM

(1) Correct, the snort implementation doesn't include dsize.  This could be accomplished in flex, but it would be very painful - possibly crippling the decoder.  You'd have to, starting at the beginning of each stream, loop (a) moving 1 byte, (b) getting a packetid, while (c) keeping a count of how many moves it takes for the packetid to increment.

 

However, lua on 10.x+ could do this easily - still a bit painful for the decoder, but not debilitating.  Unfortunately, lua on 9.8 doesn't have the necessary functionality.

 

(2) A flex parser can do this.  Match on "Cookie: ", use the <regex ... > function.  However, it would be much easier and more efficient in lua, and a 9.8 lua parser can do this.  Lua parsers aren't officially supported on 9.8, and don't have the full functionality of lua parsers on 10.x+, but it can be used.  Caveat is that lua itself doesn't have full regex - but lua's pattern matching and string manipulation can accomplish pretty much any logic that can be done in regex.

 

If you can give me an example of what you're looking for in a cookie, I'll post a POC lua parser for you when I have a chance.

Go to solution
Anonymous
Not applicable
In response to RSAAdmin

‎2015-07-15 09:36 AM

I don't know much about LUA, but I'd like to see how you'd handle this with a LUA parser.

 

For an example PCRE cookie search, something like:

 

[A-Z]{2,5}=[A-Za-z]+

 

(basically being able to specify character sets and min/max occurrences.)

 

Thanks!

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2015-07-16 05:37 PM

One way in lua would be:

 

string.find(someString, "%u%u%u?%u?%u?=%a+")

 

%u is any upper case character

%a is any character (case-insensitive)

 

I'll write up a quick lua parser proof of concept for you soon.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.