This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Searching for a specific packet size

Go to solution
Anonymous
Not applicable

‎2014-02-05 12:59 PM

Is there a way to search for a specific packet size in Netwitness?

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2014-02-05 04:45 PM

Example Packet Decoder Application Rule

Rule Name ::  Low Packet Count

Rule Syntax :: packets count l-2

 

Note :: the above syntax is a lower case el "L" NOT number one.

 

I recommend viewing all the metadata created from a typical session you are targeting.  You may find you can leverage the following;

  • payload
  • streams
  • packets
  • lifetime
  • size

 

For Example ::

Rule Name :: EXE_Under_10K

Rule Syntax :: size = l-10000 && filetype = 'windows executable','x86 pe','x64 pe'

View solution in original post

0 Likes
7 REPLIES 7

Go to solution
Anonymous
Not applicable

‎2014-02-05 03:09 PM

NetWitness is session based not packet based.  You can create application rules based on session size or packet count but not packet size

0 Likes

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2014-02-05 04:09 PM


Thanks for the information.  Ok so what is the syntax for packet count is is just packet.count=... or is there some other syntax?

 

Phil

0 Likes

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2014-02-05 04:45 PM

Example Packet Decoder Application Rule

Rule Name ::  Low Packet Count

Rule Syntax :: packets count l-2

 

Note :: the above syntax is a lower case el "L" NOT number one.

 

I recommend viewing all the metadata created from a typical session you are targeting.  You may find you can leverage the following;

  • payload
  • streams
  • packets
  • lifetime
  • size

 

For Example ::

Rule Name :: EXE_Under_10K

Rule Syntax :: size = l-10000 && filetype = 'windows executable','x86 pe','x64 pe'

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-02-10 07:07 PM

With the latest versions of NetWitness, you can write a Lua parser that can scan the session's packets for a specific size, then create whatever meta you want.  Lua parsers have a great deal more capability than our now deprecated Flex parser system.  As a matter of fact, you can do some pretty sophisticated analysis with Lua parsers, including packet timing analysis.

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner

‎2014-02-11 04:09 PM

You can also search for payload size.  What threat are you interested in?  Might be more than one way to skin a cat.

0 Likes

Go to solution
Anonymous
Not applicable
In response to RSAAdmin

‎2014-02-20 02:10 PM

I am trying to find a session size of 666 bytes or a packet count of 9.  Any thoughts?

0 Likes

Go to solution
huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-04-07 04:57 AM

You can create a apple rule on decoder:

size=666 && packets=9 then alert on alert.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.