2012-11-27 10:32 AM
All,
I am currently analyzing emails with NetWitness. One indicator I typically see used in spear phishing incidents is logging in from a different IP than the sending mail server. I am noticing this behavior mostly with Yahoo. Is there a way in NetWitness to create a search to pull up all network-related sessions of this kind? I am not seeing this as a searchable piece of metadata. I created a regex to try to search with, with no luck.
Thanks
2012-11-29 09:56 AM
It's difficult to qualify why your regex isn't working without seeing the session data and the regex, but in the end that's likely not the most efficient way to do it anyway. If you have a group of IPs that you've identified associated with this behavior, you could simply build a feed with those IPs, and then match on any login events from those IPs. Also, look at the possibility of other unique session elements that might be of use in detecting the activity that you're looking for in the sessions related to these campaigns.
These are fairly generic insights, so if there's any data that you could share we may be able to provide more specific answers.
//Ray
2012-11-30 08:37 AM
Ray, thanks for your response. I for sure will take your suggestions. Here is a little excerpt of the information I am looking for in the mail header. I am sure the IPs that I am looking for will change all the time. To start testing I took a session PCAP off production and loaded it on my local version of NW. I created a regex to look for the IP and came up with nothing. I can also create a feed for these IPs, but I need to find them first. Any other thoughts? Thanks for your help.
30nZFZRO7vlJ82UqBOlaWR4bZAymwNu9wCRBMRUDoI1BIYywRxb6glKQ4kFo
SzCYh5g02ac42uqO5V4jONSQTWl.MSfmdpTAS5x5gWRWWsIJFzSoyOyjqWfc
uwyV3NNZscF8sl2xc10L09c0Mp8yOZEW6q4Qd8WFzfVDJY7pjzaaZ3nlzKsP
jjce8MtZFEPuSVtUL3hKsQ3opz9QvrGV4VYLlhPPTuJg9vOZ6zdE1GSTlqWj
UX35Fq2zv6R1vie3X1YUl6iU89LnB_01kv0hRbF1w8wdbxJNeHCSKRBHX2.p
pV7DBj4dH_Px2TQ--
X-Yahoo-SMTP: us59L6iswBAy1xt88nITHIhR3mgr_tcLKA--
Received: from tcwa ([USER]@X.X.X.197 with login)
by smtp191.mail.sg3.yahoo.com with SMTP; 28 Nov 2012 17:31:19 -0800 PST
Message-ID: <DAE2C10057D7A3E7892E200FED62FEA3@tcwa>
2012-12-07 11:05 AM
br0g,
What you are looking to do is to create a parser to pull and create this meta for you. The original IP address is what you are trying to get, which will be a variable.
A parser to address this will match first on the "X-Yahoo-SMTP:" as a token to begin its work. Next it should look for the Received: at the beginning of a line and then capture the IP in question as the variable token you are looking for.
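The parser logic described in the reply above (token first, then the Received: line, then the IP as a variable) and Ray's suggestion of feeding the resulting IPs back as a match list, written out in plain Python as an added example. This is not a NetWitness parser and not code from anyone in the thread; the sample headers are constructed from the excerpt br0g posted, with RFC 5737 documentation addresses in place of the redacted login IP, and the meta key names (login.ip, yahoo.relay, login.ip.in.feed) are illustrative.

```python
import re
import ipaddress
from collections import Counter

# Constructed samples modeled on the header excerpt posted in this thread.
# The redacted login address is replaced with RFC 5737 documentation
# addresses and the X-YMail-OSG blob is omitted. CRLF line endings and the
# folded Received: header are kept, since that is what a raw session looks like.
YAHOO_MSG_1 = (
    "X-Yahoo-SMTP: us59L6iswBAy1xt88nITHIhR3mgr_tcLKA--\r\n"
    "Received: from tcwa (jdoe@203.0.113.197 with login)\r\n"
    "  by smtp191.mail.sg3.yahoo.com with SMTP; 28 Nov 2012 17:31:19 -0800 PST\r\n"
    "Message-ID: <DAE2C10057D7A3E7892E200FED62FEA3@tcwa>\r\n"
)
YAHOO_MSG_2 = (
    "X-Yahoo-SMTP: c0nstructedT0kenValue--\r\n"
    "Received: from laptop (asmith@198.51.100.23 with login)\r\n"
    "  by smtp105.mail.ne1.yahoo.com with SMTP; 29 Nov 2012 09:02:41 -0800 PST\r\n"
)
# Not a Yahoo submission: no X-Yahoo-SMTP token, so the parser must stay
# silent even though a Received: line carrying an address is present.
OTHER_MSG = (
    "Received: from mx.example.net (mx.example.net [192.0.2.7])\r\n"
    "  by mail.example.org with ESMTP; 28 Nov 2012 17:40:00 -0800\r\n"
)

TOKEN = "X-Yahoo-SMTP:"

# Received: anchored at the start of a line, then "(<user>@<ip> with login)",
# then the Yahoo relay in "by <host>". The IP is only syntactically matched
# here and validated afterwards with ipaddress, so IPv4 and IPv6 both work.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?P<user>[^@\s()]+)@(?P<ip>[0-9A-Fa-f.:]+)\s+with\s+login\)\s+"
    r"by\s+(?P<server>\S+)",
    re.MULTILINE,
)


def unfold(headers: str) -> str:
    """Join folded continuation lines (RFC 5322 2.2.3) so each header is one line."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)


def extract_yahoo_login(headers: str):
    """Fire only on the X-Yahoo-SMTP: token, then capture the login IP.

    Returns (login_ip, relay_host) for a Yahoo authenticated submission,
    or None when the token or a usable Received: line is absent.
    """
    if TOKEN not in headers:
        return None
    m = RECEIVED_RE.search(unfold(headers))
    if m is None:
        return None
    try:
        login_ip = str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        return None
    return login_ip, m.group("server")


def tally_login_ips(messages):
    """Count login IPs across a batch of captured messages.

    This is the "find them first" step: the addresses that stand out in the
    tally are the candidates for the feed.
    """
    counts = Counter()
    for headers in messages:
        found = extract_yahoo_login(headers)
        if found is not None:
            counts[found[0]] += 1
    return counts


def assess(headers: str, feed):
    """Return the meta a parser would register for one session, or None.

    The key names are illustrative (hypothetical), not NetWitness's own.
    """
    found = extract_yahoo_login(headers)
    if found is None:
        return None
    login_ip, relay = found
    return {
        "login.ip": login_ip,
        "yahoo.relay": relay,
        "login.ip.in.feed": login_ip in feed,
    }


if __name__ == "__main__":
    batch = [YAHOO_MSG_1, YAHOO_MSG_2, OTHER_MSG, YAHOO_MSG_1]
    print(tally_login_ips(batch))
    feed = {"203.0.113.197"}
    for msg in batch:
        print(assess(msg, feed))
```

The order of checks matters: the token is tested before any regex runs, which is what keeps the parser from firing on every Received: header in non-Yahoo traffic, and the Received: match is anchored at line start after unfolding so a folded "by" clause on the next physical line is still captured.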