User Agent to Device/OS/Application

AlexeyFedorov (Frequent Contributor)

2016-03-16 05:05 AM

Hello,

Does somebody have a solution for how I can transform data from the user.agent metakey (Log and Packet) into something like Device, OS, Application via a Feed or LUA Parser? I found some FlexParser in RSA Live, but it is not what I want. I found a site like Complete List of iOS User-Agent Strings | Enterprise iOS with a DB of iPhone/iPad/iPod, but the data is old and I can't create a suitable Feed.

I found an interesting project GitHub - piwik/device-detector: The Universal Device Detection library will parse any User Agent and detect the browser,… and its web version Device Detector Demo

It is what I want, but how can I transform it into a LUA Parser or Feed?

36 Replies

AlexeyFedorov (Frequent Contributor), in response to DavidWaugh1

2016-03-17 01:03 PM

The parser works great! Thank you so much!

I deleted the nw.logInfo strings... and changed envisionName="useragent" to envisionName="user_agent" in the new table-map-custom.xml string.


AlexeyFedorov (Frequent Contributor), in response to DavidWaugh1

2016-03-17 01:11 PM

Hello David,

Is PHP installed on RSA Security Analytics by default? Your solution is great, but if it needs an additional Virtual Machine or Physical Server with a PHP Web Server it can be a problem. For example, for me it is not applicable at this time. The solution should work on the current instance.


DavidWaugh1 (Employee), in response to AlexeyFedorov

2016-03-17 01:21 PM

Okay, I'll try and figure out how to run the PHP from the command line...


DavidWaugh1 (Employee)

2016-03-17 02:08 PM

Success - here is a version that does not need a Webserver but you do need a server with PHP on it. This would need to be different from a Security Analytics Server as none of them have PHP installed on them and it is not available within our repository.

There is the wrapper script (./UserAgentInfoScript.sh) and the php script (script.php) it calls.

To run it, just run ./UserAgentInfoScript.sh (after changing the line to point to your broker).

I've attached a sample feed too and an XML file to load the feed.

Attachments: DeviceDetector.xml.zip, script.php.zip, useragentfeed.csv.zip

AlexeyFedorov (Frequent Contributor), in response to DavidWaugh1

2016-03-18 03:48 AM

I will try to install PHP on the SA Server. I don't have any other VM for this.

How can I filter out some user agent strings from the sdk queue? For example I have many strings like:

*bajbaaaagwbaaaabaaqpty3q9x9agtjzrlamh1dpu2jq5hnaaawjaiaajaa=

I would like to filter out any user agent string if it does not begin with [A-Za-z] or [0-9].

Which time slot does your sdk queue receive unique user agent strings from? How often should I start this shell script via cron?


DavidWaugh1 (Employee), in response to AlexeyFedorov

2016-03-18 05:23 AM

Hello

The command

http://192.168.123.249:50103/sdk?msg=values&fieldName=client&size=20000

gets all the values that are in the current index slice, so how often you need to query depends on how often your slices roll over. Hourly should be more than enough.

I would check how the values of "bajbaaaagwbaaaabaaqpty3q9x9agtjzrlamh1dpu2jq5hnaaawjaiaajaa=" are getting into your user agent meta key, and then improve the parser to drop these. If you can't clean up the parser and they are valid then you could amend the LUA parser to not write them. These sorts of strings are a hazard to Security Analytics as you can quickly end up exhausting all the values available in the particular meta key that is being written to.

I need to make a few changes to my script. Currently I just delete the old feed and then reprocess all the user agent strings again. What I will do is keep adding to the feed if no strings are received.


AlexeyFedorov (Frequent Contributor)

2016-03-18 05:32 AM

Now I am facing an issue starting the PHP script.

I installed PHP 5.3.3 on the SA Server from the CentOS Base repo, but I can't run the script. I receive this error:

PHP Warning:  require_once(vendor/autoload.php): failed to open stream: No such file or directory in /opt/device-detector-master/script.php on line 2

PHP Fatal error:  require_once(): Failed opening required 'vendor/autoload.php' (include_path='.:/usr/share/pear:/usr/share/php') in /opt/device-detector-master/script.php on line 2


DavidWaugh1 (Employee), in response to AlexeyFedorov

2016-03-18 06:08 AM

I would make sure that you follow the steps for the install of devicedetector and just check you can get that running first. Note I can't really support putting PHP on an SA Appliance...


AlexeyFedorov (Frequent Contributor), in response to DavidWaugh1

2016-03-18 06:20 AM

Maybe we can use the Device Detector Demo as an external PHP server? I can't install PHP (DeviceDetector needs version >= 5.3.6) on the SA server. In the CentOS-Base repo there is only 5.3.3.


AlexeyFedorov (Frequent Contributor), in response to AlexeyFedorov

2016-03-18 07:23 AM

I found a solution for how to install and update PHP and DeviceDetector on the SA Server:

1. Install PHP on the SA Server (yum install php php-dom --enablerepo=base).
2. Install the EPEL repository configuration package (yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm)
3. Install the Remi repository configuration package (yum install http://rpms.remirepo.net/enterprise/remi-release-6.rpm)
4. Update PHP with the command "yum --enablerepo=remi update php-*"
5. Copy the device-detector-master folder to the /opt folder on the SA Server
6. Copy UserAgentInfoScript.sh to the /opt/device-detector-master folder
7. chmod +x UserAgentInfoScript.sh
8. Copy script.php to the /opt/device-detector-master folder
9. chmod +x script.php
10. Go to the /opt/device-detector-master folder on the SA Server and run "curl -sS https://getcomposer.org/installer | php"
11. Install Composer: "php composer.phar install".
12. Disable or remove the 3rd party repos from /etc/yum.repos.d.

How can I merge the OS name and OS version into one field? I did this:

$UsefulInfo = (is_array($clientInfo) and is_array($osInfo)) and
    (array_key_exists("name", $clientInfo) or
     array_key_exists("version", $clientInfo) or
     array_key_exists("name", $osInfo) or
     array_key_exists("version", $osInfo) or
     $brand or $model);

// $UsefulInfo is not checked before this block, so the echoes below run for
// every user agent string, whether or not $clientInfo / $osInfo are arrays.
{
  echo $argv[1];
  echo "^";
  // client name and version, separated by a space (the space is written even
  // when no version exists)
  if (array_key_exists("name", $clientInfo)) { echo $clientInfo["name"]; }
  echo " ";
  if (array_key_exists("version", $clientInfo)) { echo $clientInfo["version"]; }
  echo "^";
  // OS name and version, same layout
  if (array_key_exists("name", $osInfo)) { echo $osInfo["name"]; }
  echo " ";
  if (array_key_exists("version", $osInfo)) { echo $osInfo["version"]; }
  echo "^";
  echo $brand;
  echo "^";
  echo $model;
  echo "\r\n";
}

But if the version exists, all is ok; if the version doesn't exist, I have an extra space (not good). And I have warnings in the console (after modifying your script.php) like:

PHP Warning:  array_key_exists() expects parameter 2 to be array, null given in /opt/device-detector-master/script.php on line 49

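Added example (not the thread's script.php and not code from the device-detector project) covering the two questions raised in this thread: dropping user agent values that do not start with a letter or digit before they reach the feed, and writing client/OS name plus version into one field without the trailing space or the array_key_exists() warning that appears when the detector returns null instead of an array. The function names and the sample detection results are constructed for the example; the assumption (not verified against script.php) is that the arrays it works on come from DeviceDetector's getClient() and getOs() calls and that brand and model are plain strings.

```php
<?php
// Added example, not the thread's script.php: it keeps junk user agent values
// out of the feed and joins name + version without a stray space or a warning
// when the detector returned null instead of an array.

// Keep only user agent strings that start with an ASCII letter or digit.
function isPlausibleUserAgent($ua)
{
    return is_string($ua) && preg_match('/^[A-Za-z0-9]/', $ua) === 1;
}

// Null-safe lookup. A null result (not an array) is what triggers the
// array_key_exists() warning quoted in the thread.
function field($info, $key)
{
    if (!is_array($info) || !array_key_exists($key, $info)) {
        return '';
    }
    return trim((string) $info[$key]);
}

// "Mobile Safari 9.0", "curl" or "" - never "curl " with a trailing space.
function joinNameVersion($info)
{
    $parts = array_filter(array(field($info, 'name'), field($info, 'version')), 'strlen');
    return implode(' ', $parts);
}

// Build one caret-delimited feed line (the layout used in the thread), or null
// when there is nothing worth writing (junk UA, or no information at all).
function feedLine($ua, $clientInfo, $osInfo, $brand, $model)
{
    if (!isPlausibleUserAgent($ua)) {
        return null;
    }
    $client = joinNameVersion($clientInfo);
    $os     = joinNameVersion($osInfo);
    $brand  = trim((string) $brand);
    $model  = trim((string) $model);
    if ($client === '' && $os === '' && $brand === '' && $model === '') {
        return null;
    }
    // The caret is the field separator, so strip any caret inside a value.
    $fields = array($ua, $client, $os, $brand, $model);
    return implode('^', str_replace('^', '', $fields));
}

// Constructed sample detection results in the shape the script is assumed to
// get back from the library (getClient()/getOs() give an array or null; brand
// and model are strings). These are not real detector output.
$samples = array(
    array('Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1',
          array('name' => 'Mobile Safari', 'version' => '9.0'),
          array('name' => 'iOS', 'version' => '9.2'), 'Apple', 'iPhone'),
    array('curl/7.29.0',
          array('name' => 'curl', 'version' => ''),   // no version: no trailing space
          null, '', ''),                               // OS unknown: null, no warning
    array('*bajbaaaagwbaaaabaaqpty3q9x9agtjzrlamh1dpu2jq5hnaaawjaiaajaa=',
          null, null, '', ''),                         // junk value: skipped
);

foreach ($samples as $s) {
    $line = feedLine($s[0], $s[1], $s[2], $s[3], $s[4]);
    if ($line !== null) {
        echo $line, "\n";
    }
}
```

Run with `php example.php`: the first sample prints a full line ending in `^Mobile Safari 9.0^iOS 9.2^Apple^iPhone`, the second prints `curl/7.29.0^curl^^^` (no space after `curl`, no warning for the null OS), and the third is dropped by the leading-character check, which is the same filter the thread asked for on the sdk output and also keeps such values from filling the meta key's value index.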