Does somebody have a solution for how I can transform data from the user.agent meta key (Log and Packet) into something like Device, OS, Application via a Feed or LUA parser? I found some FlexParsers in RSA Live, but they are not what I want. I found sites like Complete List of iOS User-Agent Strings | Enterprise iOS with a DB of iPhone/iPad/iPod, but the data is old and I can't create a suitable Feed.
This is not a duplicate of the DeviceDetector project's work. I copy-pasted from their format into the application rule format. I have now finished moving the OS rules (the oss.yml file from the project) to Application Rules and have attached the result of my work. I ran into a problem with version numbers and with not correctly detecting the Windows NT and GNU/Linux OS. I can't put the version number into the rule name for some rules. I also can't stop Windows NT from being filtered if the user agent string contains both Windows X and Windows NT values.
Maybe you could divide your work and go module by module? In the first stage move oss.yml to a LUA parser (convert or include), and then go on to browsers etc.? It would be very cool; you could make many very good LUA parsers suitable for any customer. At this time this content is not present in RSA Live.
I also need a LUA parser that can replace "+" with a space in the user.agent meta key so that user agent strings from MS IIS work correctly.
- I created a PHP page on a webserver based on the DeviceDetector project (install the DeviceDetector project on your own PHP-enabled webserver, then copy the file hello.php to the same directory where DeviceDetector.php resides).
- I created a shell script that sits on my PHP-enabled webserver, queries my broker for UserAgents on Service 80 and then creates a feed based on the values returned.
- Edit the line in UserAgentInfo.sh to replace the user 'admin:netwitness' and 'http://192.168.123.249:50103' with an account and broker that are able to get values. I used admin/netwitness because I was a bit lazy and because this is just a test system!
The script creates a file called /var/www/html/useragentfeed.csv that can then be read by Security Analytics as a feed. Note: in the feed definition file, make sure that the callback key you are using is case-insensitive. The attached DeviceDetector.xml file contains a feed definition example.
The solution could be tweaked for your own environment but as a proof of concept I'm happy with it 😃
Here is a demo of the hello.php webpage. It basically takes the user agent in the query and then outputs the findings.
The final output will be the Feed file which I have attached.
I added the following meta keys to my concentrators to use the feed:
Can I ask you about a LUA parser that will replace all "+" with " " (space) in the meta key? From MS IIS the user agent string comes like "Mozilla/5.0+(Windows+NT+6.2;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/47.0.2526.106+Safari/537.36". I need to transform it to "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36" for correct detection.
And a second question. I found an online YAML to CSV converter, YAML To CSV Converter. If you put the oss.yml file into this converter and convert it, you get a result like:
First field - regex, second field - OS name, third field - OS version
Can you wrap this array in a LUA parser and merge (optionally) the second and third fields? This parser would be very simple to maintain in future if you check the regex from the first field against the meta key and write the result (merged second and third fields) to another meta key(s), for example OS (version). What do you think about it? This structure could be reused for some other parsers.
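The two requests above (undo the IIS "+" encoding, then run an ordered regex/name/version table over the user agent and emit OS plus version) can be prototyped outside NetWitness before anyone writes the Lua glue. The following is an added example, not code from the thread or from the DeviceDetector project; it is in Python rather than Lua so that the matching logic can be tested on its own, and it deliberately leaves out the NetWitness parser API calls that a real Lua parser would use to read user.agent and create meta. The rule table is a small constructed stand-in in the same three-column layout the YAML-to-CSV conversion produces; the patterns are simplified and are not the project's real oss.yml rules.

```python
import csv
import io
import re
from typing import NamedTuple, Optional

# Constructed rule table in the (regex, name, version) layout the poster got
# from converting oss.yml to CSV. Patterns are simplified stand-ins written for
# this example, not DeviceDetector's real rules. Order matters: the specific
# "Windows NT x.y" rows come first and matching stops at the first hit, which
# is what prevents the generic Windows NT row (or the Linux row, for Android)
# from firing once a more specific row has already matched.
OS_RULES_CSV = """\
regex,name,version
Windows NT 10\\.0,Windows,10
Windows NT 6\\.3,Windows,8.1
Windows NT 6\\.2,Windows,8
Windows NT 6\\.1,Windows,7
Windows NT ([\\d.]+),Windows,$1
Windows Phone (?:OS )?([\\d.]+),Windows Phone,$1
(?:iPhone|iPad|iPod).*OS ([\\d_]+),iOS,$1
Android ([\\d.]+),Android,$1
Mac OS X ([\\d_]+),Mac,$1
Linux,GNU/Linux,
"""


class OsRule(NamedTuple):
    pattern: re.Pattern
    name: str
    version: str  # template; may reference capture groups


def load_rules(csv_text: str) -> list[OsRule]:
    """Parse the regex,name,version CSV into compiled rules, keeping file order."""
    rules = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # DeviceDetector writes back-references as $1; re.Match.expand() wants \1.
        version = re.sub(r"\$(\d+)", r"\\\1", row["version"])
        rules.append(OsRule(re.compile(row["regex"]), row["name"], version))
    return rules


def decode_iis_user_agent(ua: str) -> str:
    """Undo the space-to-'+' substitution IIS applies to cs(User-Agent).

    Only strings that look IIS-encoded (contain '+' and no spaces at all) are
    touched, so a user agent that already has spaces and legitimately contains
    a '+' (e.g. a crawler's "+http://..." contact URL) is left unchanged.
    """
    if "+" in ua and " " not in ua:
        return ua.replace("+", " ")
    return ua


def detect_os(ua: str, rules: list[OsRule]) -> Optional[tuple[str, str]]:
    """Return (os_name, os_version) from the first matching rule, or None."""
    ua = decode_iis_user_agent(ua)
    for rule in rules:
        m = rule.pattern.search(ua)
        if m:
            # Fill in $1-style groups; iOS/Mac versions use '_' separators.
            version = m.expand(rule.version).replace("_", ".")
            return rule.name, version
    return None


def feed_row(ua: str, rules: list[OsRule]) -> list[str]:
    """One line for a user.agent-keyed feed: raw value, OS name, OS version.

    The first column is the raw (still '+'-encoded) string, because the feed's
    callback key must equal the value actually stored in the user.agent meta.
    """
    os_name, version = detect_os(ua, rules) or ("Unknown", "")
    return [ua, os_name, version]


if __name__ == "__main__":
    rules = load_rules(OS_RULES_CSV)
    # Constructed sample user agents; the first is the IIS form quoted in the thread.
    samples = [
        "Mozilla/5.0+(Windows+NT+6.2;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)"
        "+Chrome/47.0.2526.106+Safari/537.36",
        "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46",
        "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36",
        "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36",
    ]
    writer = csv.writer(io.StringIO())
    for ua in samples:
        print(feed_row(ua, rules))
```

Two points worth keeping when this is turned into a Lua parser: the decode step should only run when the whole string has no spaces, otherwise a legitimate "+" is destroyed; and the rule list has to be evaluated top to bottom with an early return, since a set of independent application rules (one per row) is exactly what produces the double "Windows" match described earlier in the thread.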