2014-09-19 10:28 AM
Are there any documents or information somewhere on the Threat Descriptions? The one in question is showing up as "94.75.193.48:6667". This is one that is generated by Security Analytics. I am not sure what I should be looking for. Any information would be greatly appreciated.
2014-09-22 02:38 PM
I asked our product manager, but he needed more info. Do you have a screen shot? That might help clarify what's going on.
2014-09-23 08:28 AM
Yeah, for threat.desc you are going to need to look at threat.category. I believe the one above is a shadowserver IP.
2014-09-23 10:43 AM
So here's a screen shot of what we are seeing. Let me know if you are looking for additional/different information. Is there any document that has the information about these threats that gives more detail as to what to look for?
2014-09-23 10:50 AM
The threat.source links to a live feed that has been deployed on your decoder or concentrator.
2014-09-23 11:35 AM
Deciphering the trigger for meta generated based off of repackaged community feeds is (IMO) one of the key headaches of working with NW/SA.
About the only useful hint I have found is that threat.src may contain an indicator of what the trigger was, based on the name of the threat.src meta value: if threat.src ends with -domain (as in your example), it was triggered off of a host or domain name; -file triggered on a file name; -ip triggered on an IP address. Unfortunately, this still doesn't tell you which value in a session, if there are multiples, was the actual trigger; it just gets you in the neighborhood.
Now as to why the threat.desc meta gives an IP and port when it actually triggered on a domain name ... that likely had some meaning to whoever put that entry in the feed at some time in the past, but that meaning is likely lost to the sands of time.
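The suffix heuristic from the post above, turned into a small triage helper. This is an added example, not code from the thread or from RSA: it assumes a session is a dict of meta keys to lists of values, that a feed ending in -domain matched against alias.host, -file against filename, and -ip against ip.src/ip.dst (those meta key names are standard NetWitness keys, but which keys a given feed actually indexes is feed-specific, so treat the mapping as an assumption to adjust). The feed name "shadowserver-domain" and the session values are constructed sample data; the threat.desc value is the one quoted in the thread. The second function checks whether an "ip:port" threat.desc even appears in the session, which is how you tell a feed label apart from the real trigger.

```python
"""Triage helper for feed-generated threat meta in NetWitness / Security Analytics.

Assumed data model: a session is a dict mapping meta keys to lists of values.
"""
import re

# Feed-name suffix -> meta keys the feed is assumed to have matched against.
# The suffix convention (-domain, -file, -ip) is the heuristic from the post;
# the key list per suffix is an assumption and should be tuned per feed.
TRIGGER_KEYS = {
    "-domain": ("alias.host",),
    "-file": ("filename",),
    "-ip": ("ip.src", "ip.dst"),
}

# Matches a threat.desc of the form "1.2.3.4:6667".
IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def trigger_type(threat_src):
    """Return 'domain', 'file', 'ip' from the feed-name suffix, or None if unknown."""
    for suffix in TRIGGER_KEYS:
        if threat_src.lower().endswith(suffix):
            return suffix.lstrip("-")
    return None


def candidate_triggers(session):
    """For each threat.src in the session, list the values that could have
    matched the feed, narrowed to the meta keys implied by the feed suffix.
    This only 'gets you in the neighborhood': several candidates may remain."""
    result = {}
    for src in session.get("threat.src", []):
        ttype = trigger_type(src)
        keys = TRIGGER_KEYS["-" + ttype] if ttype else ()
        values = [v for key in keys for v in session.get(key, [])]
        result[src] = {"type": ttype, "candidates": values}
    return result


def desc_in_session(session):
    """For each 'ip:port' threat.desc, report whether that endpoint is actually
    present in the session. False means the desc is just a feed label and not
    the value that triggered; None means the desc is not in ip:port form."""
    ips = set(session.get("ip.src", []) + session.get("ip.dst", []))
    ports = set(session.get("tcp.srcport", []) + session.get("tcp.dstport", []))
    out = {}
    for desc in session.get("threat.desc", []):
        m = IP_PORT.match(desc)
        if not m:
            out[desc] = None
            continue
        ip, port = m.group(1), int(m.group(2))
        out[desc] = ip in ips and port in ports
    return out


# Constructed sample session: an HTTP session hitting two hosts, one of which
# is assumed to be on a domain feed. The threat.desc is the value from the thread.
SAMPLE_SESSION = {
    "ip.src": ["10.1.2.3"],
    "ip.dst": ["203.0.113.5"],
    "tcp.dstport": [80],
    "alias.host": ["update.example.com", "irc.example.org"],
    "filename": ["setup.exe"],
    "threat.src": ["shadowserver-domain"],   # constructed feed name
    "threat.desc": ["94.75.193.48:6667"],
}

if __name__ == "__main__":
    for src, info in candidate_triggers(SAMPLE_SESSION).items():
        print(f"{src}: type={info['type']} candidates={info['candidates']}")
    for desc, present in desc_in_session(SAMPLE_SESSION).items():
        print(f"threat.desc {desc} present in session: {present}")
```

Run against the sample session, the helper narrows the trigger to the two alias.host values (not the filename or the IPs) and reports that 94.75.193.48:6667 is absent from the session, which is exactly the situation described above: the desc is a label carried by the feed entry, not the value that matched.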