This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Platform Product Advisories
Read and subscribe to the latest announcements and advisories relating to the NetWitness Platform.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Threat Detection Content Update - October 2017

Summary:

Several changes have been made to the Threat Detection Content in Live. For Added detection you need to add/subscribe to the content via Live, for retired content you'll need to manually remove those, and for additional changes no action is required if you are subscribed to content.
  

Additions

Detection
  • Optionsbleed Detection - This functionality was added to HTTP_lua. You'll see 'http invalid allow methods' in the Service Analysis (analysis.service) meta-key. The meta value appears when the 'Allow' and 'Access-Control-Allow-Methods' headers contain characters other than letters, commas, asterisks, and spaces. 
Hunting
  • Data Exfiltration - Two different App Rules were added to live that can help show suspicious outbound connections based on size. One rule will flag sessions that are between 500MB and 1GB, and the other will flag sessions that are greater than 1GB. They work by leveraging the 'session.split' and direction meta to find sessions with a large amount of outbound transferred data.mike1.PNG
  • JSON RPC (Stratum) protocol - A new protocol (service) was added in addition to how that service is used for cryptomining. The protocol will show up as service '49152', and the mining notification will appear in 'Indicators of Compromise' (ioc). Investigation_with_service.png
  • HTTP Decompression - For customers on 11.0+ HTTP_lua has an update that allows you to specific what kinds of HTTP payloads to decompress. By decompressing the payload (request/response) it makes the data available to other parsers on the system. For mRore information on how to leverage this feature please see our documentation on Link.
  

Changes

Detection
  • Rig Exploit Kit ESA Rule - Updated to include 'HTML hidden elements' meta in the 'Enablers of Compromise' (eoc) meta key.
Hunting
  • XOR parser - It now registers 'filetype' directly in addition to 'alert.id'. This shouldn't have any impact on any other content in the NetWitness Suite.
 

Retired

We strive to provide timely and accurate detection of threats as well as traits that can help analysts hunt through network and log data. Occasionally this means retiring content that provides little-to-no value.
  • DNS lookups from the same source ESA Rule - This rule is being retired in favor of other research that is being conducted, as well as it being prone to being noisy. Stay tuned for some enhanced DNS Tunneling content.

 

Other bug fixes and changes

  • SSL Blacklist feed - Now available in the following bundles in Live: Start Pack Packets, Known Threats, and Hunting Pack.
  • Traffic flow - Meta is now registered for IP addresses in the 'alias.ip', and 'orig_ip' meta keys.
  • LDAP parser - Bug fixed around uninitialized global variables.
  • NFS parser - Bug fixed around uninitialized global variables.
  • nwll.lua - Various bug fixes

 

For additional documentation, downloads, and more, visit the RSA NetWitness Suite page on RSA Link.

 

EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.

0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2017-11-01 02:59 PM
Updated by:
Employee

Related Content

© 2022 RSA Security LLC or its affiliates. All rights reserved.