2016-03-29 10:46 AM
Running Investigator 9.8.5.19. Trying (unsuccessfully) to use a regex expression to look for specific HTTP Cookie patterns.
As a simple test, I've tried this custom drill (after narrowing results to HTTP and specific alerts):
req.uniq regex 'C5=;'
(Single quotes surrounding the expression, and literally looking for the 4-character string.) This runs successfully, but returns no results. If I look at the sessions, there clearly are sessions with this string in req.uniq.
What's magic about trying to get regex working? Will they work properly on a meta data item that may exist multiple times in session?
My end goal is a more complex regex, but if I can't get a simple match to work, more complicated certainly won't...
Thanks--
2016-04-07 10:03 AM
Well, it seems that req.uniq and res.uniq are from the IR pack and since they deal with widely varying data ARE NOT INDEXED. So, to answer my own question:
No, I CANNOT use regex with Investigator to find this pattern, but I CAN use regex in an App Rule to set meta, based on this pattern.
2016-04-13 06:44 AM
Hi Cris,
You are correct! I would advise however that you try to avoid "regex" in rules as much as possible as there is a considerable performance impact.
We recently completely rewrote the IR content pack to replace all regex rules with equivalent logic as much as possible.
For example, a two-character .exe rule would have been changed from
filename regex '.{1,2}\.exe'
to
filename length 5-6 && extension='exe'
So depending on your goal this may be a better option. Please feel free to send me a direct message if you want me to look at your specific case.
Thank you,
Rui
2016-04-13 10:30 AM
In my case, I was looking for a specific value (pattern) of a cookie (especially since none of the NW parsers currently break out individual cookies in web sessions, AFAIK). Similar comments for using the SNORT engine-- there are times when REGEX syntax or SNORT syntax would make searching much more simple. I wish they could be used with less risk of a performance penalty.
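The script below is an added example, written for this page; it is not code from the thread, from the NetWitness IR content pack, or from any NW parser. It checks Rui's regex-to-structured rewrite (filename regex '.{1,2}\.exe' versus filename length 5-6 && extension='exe') over a constructed list of filenames, and applies the same idea to Cris's cookie case by comparing the literal 'C5=;' search against a check on a split-out Cookie header. Two things are assumptions of this example rather than documented product behaviour: that the regex rule is evaluated against the whole value (anchored), and that "extension" means the text after the last dot. The Cookie header splitter is a minimal one written here, and all sample inputs are constructed.

```python
import re

# Regex form of the rule from the thread and its non-regex rewrite.
FILENAME_REGEX = re.compile(r'.{1,2}\.exe')


def regex_filename_rule(filename: str, anchored: bool = True) -> bool:
    """Evaluate filename regex '.{1,2}\\.exe'.

    anchored=True matches the whole value (assumption: this is how the
    rewrite below is meant to be read). anchored=False is a substring
    search, included to show where the two forms stop agreeing.
    """
    if anchored:
        return FILENAME_REGEX.fullmatch(filename) is not None
    return FILENAME_REGEX.search(filename) is not None


def structured_filename_rule(filename: str) -> bool:
    """Evaluate filename length 5-6 && extension='exe'.

    'extension' is taken as the text after the last dot (assumption).
    """
    if '.' not in filename:
        return False
    extension = filename.rsplit('.', 1)[1]
    return 5 <= len(filename) <= 6 and extension == 'exe'


# Constructed sample filenames covering the interesting edges.
SAMPLE_FILENAMES = [
    'a.exe', 'ab.exe', 'abc.exe', '.exe', 'ab.EXE',
    'ab.exe.txt', 'abcd', '1.exe', '..exe',
]


def compare_filename_rules(filenames, anchored: bool = True):
    """Return (filename, regex_result, structured_result) wherever the
    two forms disagree; an empty list means the rewrite is equivalent
    on this corpus."""
    out = []
    for f in filenames:
        r, s = regex_filename_rule(f, anchored), structured_filename_rule(f)
        if r != s:
            out.append((f, r, s))
    return out


# --- Cookie case: literal 'C5=;' versus a per-cookie check -------------

def parse_cookie_header(header: str) -> dict:
    """Minimal Cookie request-header splitter written for this example:
    split on ';', then on the first '='; a bare name gets value ''."""
    cookies = {}
    for part in header.split(';'):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition('=')
        cookies[name.strip()] = value.strip()
    return cookies


def regex_c5_empty(header: str) -> bool:
    """The literal substring the original post searched for."""
    return re.search(r'C5=;', header) is not None


def structured_c5_empty(header: str) -> bool:
    """Cookie named exactly C5 is present and has an empty value."""
    cookies = parse_cookie_header(header)
    return 'C5' in cookies and cookies['C5'] == ''


# Constructed sample Cookie headers.
SAMPLE_COOKIE_HEADERS = [
    'SID=abc123; C5=; lang=en',   # both forms match
    'SID=abc123; C5=',            # C5 empty but last, no trailing ';'
    'ABC5=; SID=1',               # substring 'C5=;' inside another name
    'C5=xyz; SID=1',              # C5 present, not empty
    'SID=1; C5=;',                # both forms match
]


def compare_cookie_rules(headers):
    """Headers on which the literal search and the per-cookie check differ."""
    return [h for h in headers if regex_c5_empty(h) != structured_c5_empty(h)]


if __name__ == '__main__':
    print('filename rule, anchored  :', compare_filename_rules(SAMPLE_FILENAMES))
    print('filename rule, unanchored:', compare_filename_rules(SAMPLE_FILENAMES, False))
    print('cookie rule disagreements:', compare_cookie_rules(SAMPLE_COOKIE_HEADERS))
```

With anchored matching the filename rewrite agrees with the regex on every sample, including '..exe' (the '.' in '.{1,2}' happily matches a dot, and so does the extension check). Treated as an unanchored search, the regex also fires on 'abc.exe' and 'ab.exe.txt', which the length check does not, so the rewrite is only a drop-in replacement if the product anchors its regex rules. The cookie comparison shows why the literal 'C5=;' was a shaky pattern even before the indexing question: it misses an empty C5 that is the last cookie in the header, and it fires on 'ABC5=;', so a per-cookie check is both more accurate and free of regex.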