2018-08-05 11:20 AM
Hello Guys,
I have already deployed the Symantecav parser in my decoder, but the hash fields (SHA 256, SHA 1, MD5) are not yet parsed by the pre-defined parser.
In the Symantecav parser I could see that sha256, sha1 & MD5 are mapped as a dummy variable. May I know why the sha fields are mapped as a dummy variable?
If I have to write a parser mapping manually, will it affect the efficiency or the CPU utilization of the decoder?
Kindly help and suggest on the same.
Thanks & Regards,
Suresh K
2018-08-06 09:38 AM
Based on the sample logs I had, I can see that hash values are parsed into the "checksum" meta.
Can you share a sample log by exporting it from the GUI, so we can check this further?
Regards
Ankush
2018-08-06 11:16 AM
Hello Ankush,
Yes, you're right, the MD5 hash meta key alone is already parsed under checksum; what about the SHA 1 & SHA 256 hashes?
My question was: in the pre-defined Symantecav parser, why were the sha1, sha256 & MD5 hashes mapped under a dummy variable? Kindly explain this query.
I can't share the logs -> highly confidential.
Thanks,
Suresh K
2018-08-06 12:59 PM
The log sample I tested had a SHA-1 hash value, and I see that it is parsing correctly into the "checksum" meta, so you may want to check whether you are using the latest parser or not.
If you are using the latest parser and still have issues, then your logs might be in a different format from the one I am testing.
Since you are not able to share the logs here, I would suggest opening a case with support for a parser update, or using the Log Parser Tool to add support for the same.
LPT is an easy-to-use tool. Here are some video links to LPT which I have found useful:
Sadly I don't have any sample log with a SHA-256 hash to test; however, the most important thing to note at this point (and there are a few more about storage and indexing) is that:
Since a SHA-256 hash is 256 characters long and any single meta can only store a maximum of 255 characters, adding a SHA-256 hash into a single meta key (like checksum) will truncate it after 255 chars. And if your use case/rule/logic/alert is something like matching a SHA-256 hash against external threat intel, then without the last character it might not be very useful.
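As an added example (not code from this thread, from RSA, or from the Symantec parser), the routine below pulls hash values out of constructed Symantec-style log lines, sorts them into the meta key they belong in by hex digest length (32 for MD5, 40 for SHA-1, 64 for SHA-256), and flags any value that would be cut off by the 255-character meta limit discussed above. The field names and line layout in the sample are assumptions, not the real Symantec export format.

```python
import re

# Maximum characters a single meta value can hold (from the thread above).
META_MAX_LEN = 255

# Hex digest length -> meta key to store it in. Keys are hypothetical names
# chosen for this example; use whatever your parser/index actually defines.
DIGEST_META = {32: "checksum.md5", 40: "checksum.sha1", 64: "checksum.sha256"}

# Any run of 32+ hex characters bounded by non-word characters.
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32,}\b")

# Constructed sample lines (hypothetical field names, not a real Symantec export).
SAMPLE_LOGS = [
    "Risk found,Computer=HOST1,File=C:\\tmp\\a.exe,MD5=d41d8cd98f00b204e9800998ecf8427e",
    "Risk found,Computer=HOST2,File=C:\\tmp\\b.exe,SHA1=da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "Risk found,Computer=HOST3,File=C:\\tmp\\c.exe,"
    "SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]


def meta_key_for(value):
    """Return the meta key for a hex digest, or 'unknown' if the length matches no known algorithm."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        return "unknown"
    return DIGEST_META.get(len(value), "unknown")


def fits_in_meta(value, limit=META_MAX_LEN):
    """True if the value can be stored in one meta without truncation."""
    return len(value) <= limit


def extract_hashes(line):
    """Return (meta_key, normalized_value, fits) for every hash-looking token in a log line."""
    found = []
    for match in HASH_RE.finditer(line):
        value = match.group(0).lower()  # normalize case so lookups against intel lists match
        found.append((meta_key_for(value), value, fits_in_meta(value)))
    return found


def parse_logs(lines):
    """Flatten extraction results over many lines, in input order."""
    return [entry for line in lines for entry in extract_hashes(line)]
```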
2018-08-06 08:49 PM
You can customize your parser by modifying just the event that you need to change from the OOTB parser.
An example is here
Which event ID are these messages coming from, so we can take a look at the matching parser event on the RSA GitHub site and see where you think the dummy variable is coming into play?
2018-08-07 01:27 AM
Hello Ankush,
The checksum meta key is dedicatedly mapped to the "ir.md5" meta key, so how did you map both MD5 and SHA1 into the single meta key checksum?
Kindly help me on the same.
Thanks,
Suresh K