NetWitness Community

AlexeyFedorov · ‎2016-03-16

Hello,

Somobody has solution how I can transformate data from user.agent metakey (Log and Packet) to some like Device, OS, Application via Feed or LUA Parser? I found some FlexParser in RSA Live, but it is not I want. I found some site like Complete List of iOS User-Agent Strings | Enterprise iOS with DB of iPhone/iPad/IPod, but data is old and I can't create suitable Feed.

I found interesting progect GitHub - piwik/device-detector: The Universal Device Detection library will parse any User Agent and detect the browser,… and his web version Device Detector Demo

It is what I want, but how transformate it in LUA Parser or Feed?

DavidWaugh1 · ‎2016-03-17

Okay I have a working solution.

- I created a PHP Page page on a Webserver based on the DeviceDetector project (Install the DeviceDetector project on your own PhP enabled webserver then use copy the file hello.php to the same directory where DeviceDetector.php resides)

- I created a shellscript that sits on my PhP Enabled webserver that queries my broker for UserAgents on Service 80 and then creates a feed based on the values returned.

-Edit the line in the UserAgentInfo.sh to replace user 'admin:netwitness' 'http://192.168.123.249:50103' with an account and broker that is able to get values. I used admin netwitness because I was a bit lazy and because this is just a test system!

The script creates a file called /var/www/html/useragentfeed.csv that can then be read by Security Analytics as a feed. Note in the feed definition file make sure that the callback key you are using is case-insensitive. The attached DeviceDetector.xml file contains a feed definition example.

The solution could be tweaked for your own environment but as a proof of concept I'm happy with it 😃

Here is a Demo of the hello.php webpage. It basically takes the useragent in the Query and then outputs the findings.

The final output will be the Feed file which I have attached.

I added the following meta keys to my concentrators to use the feed:

View solution in original post

DavidWaugh1 · ‎2016-03-16

Hi Alex, I'll take a look. First thoughts are a "Right Click Menu Item" to link to the site which would be quite simple.

Getting it as a feed looks to be more tricky as there is not just an file that you can download.

AlexeyFedorov · ‎2016-03-16

I agree with you, for investigation process is simple way, but many customers (top managers) want to have those data on reports and dashboards. From MS IIS user agent strings looks like Apple-iPad2C2/1304.15 or Microsoft+Office/15.0+(Windows+NT+6.1;+Microsoft+Outlook+15.0.4787;+Pro).

If Feed can be use to contains data it is will be simple...

DavidWaugh1 · ‎2016-03-16

Okay for a Right Click Menu Action. This will work on Client Meta Key.

Go to Administration ->System -> Context Menu Actions and Click on + to create a New Context Menu action with the following.

{

"displayName": "DeviceDetector",

"cssClasses": [

"client"

],

"description": "",

"type": "UAP.common.contextmenu.actions.URLContextAction",

"version": "1",

"modules": [

"investigation"

],

"local": "false",

"groupName": "externalLookupGroup",

"urlFormat": "http://devicedetector.net//index.php?ua={0}",

"disabled": "",

"id": "DeviceDetectorSearch",

"moduleClasses": [

"UAP.investigation.navigate.view.NavigationPanel",

"UAP.investigation.events.view.EventGrid"

],

"openInNewTab": "true",

"order": "21"

}

Now when you have a client that you wish to investigate - right click

DavidWaugh1 · ‎2016-03-16

For the feed I'll need to dig a bit deeper....

AlexeyFedorov · ‎2016-03-16

I made a little be changes (add user-agent metakey and remove extra "/" in url):

{

"displayName": "DeviceDetector",

"cssClasses": [

"client",

"user-agent"

],

"description": "",

"type": "UAP.common.contextmenu.actions.URLContextAction",

"version": "1",

"modules": [

"investigation"

],

"local": "false",

"groupName": "externalLookupGroup",

"urlFormat": "http://devicedetector.net/index.php?ua={0}",

"disabled": "",

"id": "DeviceDetectorSearch",

"moduleClasses": [

"UAP.investigation.navigate.view.NavigationPanel",

"UAP.investigation.events.view.EventGrid"

],

"openInNewTab": "true",

"order": "21"

}

AlexeyFedorov · ‎2016-03-16

I thinks it should be a parser. Look at How DeviceDetector works (About ). They use YML files with regex (GitHub). Maybe you can connect this to your LUA parser...

DavidWaugh1 · ‎2016-03-16

I'm afraid my knowledge of PHP is not that great.

AlexeyFedorov · ‎2016-03-16

Maybe you can try write you own parser who will parse string like (from metakey client and user.agent):

Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML,

like Gecko) Chrome/32.0.1700.99 Mobile Safari/537.36

And write Android 4.4.2 is metakey OS, Chrome/32.0.1700.99 in metakey browser and Nexux 5 in some else metakey?

But string can have different, for example:

Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36

Microsoft+Office/15.0+(Windows+NT+6.1;+Microsoft+Outlook+15.0.4787;+Pro)

Apple-iPad2C2/1304.15

DavidWaugh1 · ‎2016-03-16

Have been having a think about this. I think the best way to do this would be to

- Export All User Agents from Security Analytics

- Send each UserAgent to the devicedetector website

-Get the results back and put into a CSV file to use as a feed.

NetWitness Community

User Agent to Device/OS/Application