This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Transitioning to Lua Parsers

Go to solution
Anonymous
Not applicable

‎2013-11-12 06:01 PM

Is there any matrix of the new lua parsers and the old parser(s) they replace?  Some of them are obvious, others less so.  Anybody have experience switching over?

0 Likes
20 REPLIES 20

Go to solution
RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2013-11-20 10:18 AM

Correct, if you have HTTP_lua enabled you shouldn't need NTLMSSP_lua as well.

 

- Bill

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner

‎2013-11-25 04:13 PM

Great information! Is there an easy way to remove the old flex parsers, or is it a manual/scripted process?

0 Likes

Go to solution
Anonymous
Not applicable

‎2013-12-09 02:09 PM

In regards to the packers lua parser, you indicate it replaces the existing packers parser.  Does this include all of the malware_packers_X parsers and javascript_packers?

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2013-12-10 10:05 AM

> Great information! Is there an easy way to remove the old flex parsers, or is

> it a manual/scripted process?

 

Its a manual process for now unfortunately.

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2013-12-10 10:11 AM

> In regards to the packers lua parser, you indicate it replaces the existing

> packers parser.  Does this include all of the malware_packers_X parsers

> and javascript_packers?

 

The 'packers' flex parser file actually contains all of the individual malware_packers_X  parsers.  The 'packers' lua parser replaces all of them.

 

The 'javascript' flex parser file contains 'javascript_suspicious', 'javascript_packers', and 'javascript_shellcode' parsers.  The 'fingerprint_javascript_lua' parser replaces all of them.

0 Likes

Go to solution
huanzhou1
Beginner
Beginner
In response to RSAAdmin

‎2013-12-19 08:56 AM

will it become a KB link?

0 Likes

Go to solution
Anonymous
Not applicable
In response to RSAAdmin

‎2014-01-16 06:08 PM

Any word on the availability of some of these parsers unencrypted, for demonstration purposes?  It would be useful for custom parser creation.

0 Likes

Go to solution
huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-05-22 12:41 AM

Is there any update to table? we're trying to apply the LUA parser but don't know which one to apply.

1. Can LUA parser and Flex parser be applied at same time?

2. Some Flex parsers don't have replacement LUA parser, like OS and browser parser, when will it be available?

Thank you.

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to huanzhou1

‎2014-07-22 05:57 PM

Sorry for the late reply.

 

1.  Yes, they can be enabled at the same time.  But if a flex and a lua parser that parses the same thing are both enabled, then the decoder will be doing more work and registering duplicate meta.

 

2.  Those two parsers really just tried to match bits of user-agent headers and make inferences based on that.  Instead HTTP_lua simply registers the entire user-agent header.

0 Likes

Go to solution
huanzhou1
Beginner
Beginner
In response to RSAAdmin

‎2014-07-23 11:14 AM

if like this, can the system auto detect if both flex and lua pasers enabled for the same thing, it will disable one of them?

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.