NetWitness Community

Thank you very much Mr. Partington!

Does this make sense?

My understanding is that the payload one will show me a single DNS packet that has larger than 75 bytes. And the first should look at any sessions that are over 100kb and match DNS service type.

The bytes.ratio recommendation above shows the syntax which is very helpful, but I'm a little confused where these meta keys come from:

size

payload

bytes.ratio

Is this created via Lua parsers? Which one? Custom?

I bet I need to get at a low-level and create my own Lua parsers at some point but would rather NOT do that yet. Looking for quick wins with this product for content output for my IR team.

bytes.ratio is a custom meta key from an internal content back (used that as an example of the upper and lower bounds syntax) which is filled by a custom parser.

You might also want to use this apprule as well to catch tcp 53 and large session (in case something is using that port but is not actually dns traffic)

name=large_session_dns_port rule="tcp.dstport = 53 && size=100000-u

If you haven't already set directionality application rules I would investigate that as well so you can add direction to these alerts ( dns_large session and outbound traffic direction).

Yep I do have custom directional rules in place.

Thanks for the tip for tcp.dstport, I also have another app rule in place for service = '53' && tcp.dstport != '53'

Thanks again Eric for all your help!

If you take a look at the details for the dns_verbose_lua parse in RSA Live there are other details that might be useful to you and your IR team.  These were recently added to most but not all parsers.

risk.warning

* anomalous or non-dns session on dns port