2021-06-21 09:19 AM
I'm fully expecting that I have made a super simple error here, but I'm not getting the results I expected when setting up SMTP/TLS decryption. We are running Netwitness 11.6. I uploaded the private keys for our mail servers and set the /decoders/parsers/config/parsers.options to include smtpsPorts, But I don't see the tls.premaster meta or any of the other meta that I expected. I'm not seeing any useful information on debugging my setup to determine what is going on. Can anyone provide some insight?
I set up everything according to the document https://community.rsa.com/t5/rsa-netwitness-platform-online/decrypt-incoming-packets/ta-p/592185.
My parsers.options for the decoder is set to:
Entropy="log2=true",HTTP="decompress=81",HTTP2="headers=true",HTTPS="smtpsPorts=25 cert.sha1=true cert.sha256=true ja3=true ja3s=true"
Any insight would be appreciated,
/Dion
2021-06-21 01:23 PM
My initial reaction is that your parsers.options syntax is not correct and that each argument needs to be space-delimited instead of comma-delimited:
Entropy="log2=true" HTTP="decompress=81" HTTP2="headers=true" HTTPS="smtpsPorts=25 cert.sha1=true cert.sha256=true ja3=true ja3s=true"
But if that's been working for you in the past, then some additional things to check...
Also - this article might be a bit easier/better to use as a guide. Its screenshots are not broken.
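As an added illustration (not code from either poster or from RSA), a small checker for the parsers.options line under the space-delimited grammar this reply describes; the grammar, the option names and the smtpsPorts check are assumptions drawn from the thread, not NetWitness's own validator:

```python
import re

# Assumed grammar (from the reply above, not NetWitness's own loader):
# whitespace-separated entries of the form Parser="opt=value opt=value ...".
TOKEN_RE = re.compile(r'\s+|([A-Za-z0-9_]+)="([^"]*)"|(.)')

def parse_parsers_options(line):
    """Return {parser: {option: value}}; raise ValueError on anything that is
    not a space-delimited Parser="..." entry (for example a stray comma)."""
    result = {}
    for m in TOKEN_RE.finditer(line):
        name, body, bad = m.groups()
        if bad is not None:
            raise ValueError(
                f"unexpected {bad!r} at offset {m.start()}: entries must be "
                "separated by spaces, not commas")
        if name is None:  # whitespace between entries
            continue
        opts = {}
        for kv in body.split():
            if "=" not in kv:
                raise ValueError(f"option {kv!r} in {name} is not key=value")
            key, value = kv.split("=", 1)
            opts[key] = value
        result[name] = opts
    return result

def lint_smtps_setup(line):
    """Return a list of problems for the SMTPS case in this thread:
    an empty list means the line parses and HTTPS carries smtpsPorts."""
    try:
        parsed = parse_parsers_options(line)
    except ValueError as exc:
        return [str(exc)]
    https = parsed.get("HTTPS")
    if https is None:
        return ["no HTTPS entry"]
    if "smtpsPorts" not in https:
        return ["HTTPS entry has no smtpsPorts option"]
    return []

# Constructed sample lines: the original poster's comma-delimited line and the
# space-delimited form suggested in the reply.
COMMA_LINE = ('Entropy="log2=true",HTTP="decompress=81",HTTP2="headers=true",'
              'HTTPS="smtpsPorts=25 cert.sha1=true cert.sha256=true ja3=true ja3s=true"')
SPACE_LINE = ('Entropy="log2=true" HTTP="decompress=81" HTTP2="headers=true" '
              'HTTPS="smtpsPorts=25 cert.sha1=true cert.sha256=true ja3=true ja3s=true"')

if __name__ == "__main__":
    for label, line in (("comma", COMMA_LINE), ("space", SPACE_LINE)):
        print(label, lint_smtps_setup(line) or "ok")
```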
2021-06-21 04:57 PM
Thanks for the reply. I don't doubt that the format of the command is wrong. I added the commas in the HTTPS section; sans any real examples to work from, I guessed. Unfortunately, with or without the commas, and even in a hybrid fashion with no commas in the HTTPS command but commas separating the other directives, I don't get any response other than ok. Loading the keys, I didn't get an error either.
I guess my frustration is how friendly Netwitness is at not yelling at me to tell me something isn't right. I'll keep digging.
/D