Packet Parsers
This topic discusses and describes the packet (Lua) parsers available in RSA NetWitness Platform. If you need a parser that does not already exist, you can Request a Parser.
Note: More information on each of these parsers is available in Live. Navigate to Live search, and select RSA Lua Parser in the Resource Types field. From the results, select any parser and click to display all the information for the parser.
Context
Packet parsers identify the application layer protocol of sessions seen by the Decoder, and extract meta data from the packet payloads of the session.
Every packet parser is able to extract meta from every session. For example, a webmail session is parsed both by an HTTP parser, which identifies the session as HTTP and extracts meta from the HTTP headers, and by a MAIL parser, which extracts email-related meta from the message headers. Further, if the session contains an executable file, its presence is detected by a Windows executable parser.
Packet parsers in RSA NetWitness may be broadly classified as:
- System or Native parsers: These are compiled into the Decoder base code. Updates are delivered along with updates to RSA NetWitness. Many system parsers have Lua equivalents. In these cases, generally, the native parser may perform faster, while the Lua parser may extract more meta.
- Lua parsers: these are written in the Lua programming language, and delivered via Live. Customers can write their own custom Lua parsers.
- Flex parsers: these were written in a proprietary scripting language, Flex, and delivered via Live. They are now discontinued and no longer delivered in Live. Every existing Flex parser has a better Lua equivalent, and customers using NetWitness should no longer use Flex parsers.
Note: Meta key names can be up to 16 characters long, and can contain only letters or the '.' (period) character. Keys specified that do not meet these requirements may be modified in order to conform.
Transaction Handling
Beginning with 11.0, administrators can configure a Decoder to subdivide incoming sessions into smaller transaction sessions when using Lua parsers designed to create transactions. The feature allows analysts to perform analytics on the split sessions in downstream services such as Investigate.
The following screen (from ADMIN > Services > Decoder > View > Config) shows two instances of the transaction parameter (trans).
Packet Parsers in NetWitness
The following table describes the Lua parsers delivered with RSA NetWitness Platform.
Display Name | File Name | Description | Medium | Tags |
---|---|---|---|---|
apt_artifacts | apt_artifacts | Detects possible APT WMI and Windows registry manipulation. DEPENDENCIES: parsers FeedParser; feeds investigation. CONFLICTS: parsers IR_2_aptArtifacts. KEYS: ioc - indicators of compromise. HUNTING VALUES: ioc: apt possible invokemimikatz, apt possible prefetch deletion, apt possible registry deletion, apt possible wmic cleareventlog. | packet | |
Avamar | avamar | Identifies Avamar Backup and Recovery, TCP port 28001. Performs identification only; no meta is extracted or registered. Only Avamar sessions using port 28001 are supported. DEPENDENCIES: parsers NETWORK. CONFLICTS: none. KEYS: service - '28001'. HUNTING VALUES: none. | packet | |
BGP_lua | bgp | Identifies the BGP routing protocol. Performs identification only; no meta is extracted. DEPENDENCIES: parsers NETWORK. CONFLICTS: parsers bgp. KEYS: service - '179'. HUNTING VALUES: none. | packet | |
bittorrent_lua | bittorrent | Identifies the BitTorrent protocol and registers the name of the file being downloaded. DEPENDENCIES: parsers NETWORK. CONFLICTS: parsers BITTORRENT, bittorrent, bittorrent-id, fingerprint_bittorrent. KEYS: filename - name of file transferred; service - '6881'. HUNTING VALUES: none. | packet | |
Canon_BJNP | canon_bjnp | Identifies the Canon printer discovery protocol BJNP. Performs identification only; no meta is extracted or registered. DEPENDENCIES: parsers NETWORK. CONFLICTS: none. KEYS: service - '8162'. HUNTING VALUES: none. | packet | |
cerber | cerber | Detects potential Cerber ransomware beaconing. DEPENDENCIES: parsers FeedParser, NETWORK; feeds investigation. CONFLICTS: none. KEYS: ioc - indicators of compromise; query - cerber campaign id. HUNTING VALUES: ioc: cerber beacon. | packet | |
china_chopper | china_chopper | Detects cleartext China Chopper sessions. DEPENDENCIES: parsers FeedParser, nwll; feeds investigation. CONFLICTS: parsers IR_2_China_Chopper. KEYS: ioc - indicators of compromise. HUNTING VALUES: ioc: china chopper. | packet | |
creditcard_detection_lua | creditcard_detection | Attempts to detect possible credit card numbers and validates them with the Luhn algorithm. Intended as a replacement for the credit card detection in search.ini. IMPORTANT: If performance degradation occurs, disable this parser and use the entry in search.ini instead. Do not enable if Decoder performance is a concern. This parser replaces the credit card entry in search.ini; if this parser is enabled, the entry in search.ini should be disabled. This parser is more accurate than search.ini, at the cost of decreased performance. There *will* be false positives, possibly many of them: many numbers have the correct number of digits and will even pass a Luhn check (any given random number has a 10% chance of passing), and trying to account for every possibility of what isn't expected around a card number risks being too rigid and missing things that *are* card numbers. As a compromise to increase performance, detected numbers must be contiguous; in other words, delimiters are not supported. For example, "123456789" will be detected, but "123 456 789" or "123-456-789" will not. Only ASCII/UTF-8 encoded numeric characters are supported (e.g., 0x30 = "0", 0x31 = "1", 0x32 = "2", ...); other encodings, such as other Unicode character sets, may not be detected. DEPENDENCIES: parsers FeedParser; feeds investigation. CONFLICTS: parsers creditcard_detection. KEYS: alert.id - mapped to risk meta; cc.number - (nonstandard) possible credit card number. RISK VALUES: info: possible american express credit card, possible diners club or carte blanche credit card, possible discover credit card, possible jcb credit card, possible maestro credit card, possible mastercard credit card, possible visa credit card. HUNTING VALUES: none. | packet | |
CustomTCP | CustomTCP | Detects CustomTCP beaconing activity. Registers the C2 domain and victim hostname as alias.host meta. DEPENDENCIES: parsers FeedParser, NETWORK; feeds investigation. CONFLICTS: none. KEYS: alias.host - c2 domain, victim hostname; ioc - indicators of compromise. HUNTING VALUES: ioc: CustomTCP shell. | packet | |
db2_lua | db2 | Extracts queries from DB2 database protocol sessions. Extracts the query only; instances etc. are not extracted. Not all DB2 sessions may be identified. DEPENDENCIES: parsers NETWORK. CONFLICTS: parsers db2. KEYS: query - db2 database query; service - '3700'. HUNTING VALUES: none. | packet | |
DCERPC | dcerpc | Extracts action and authentication from Microsoft's DCERPC protocol. DEPENDENCIES: parsers FeedParser, NETWORK, nwll; feeds investigation. CONFLICTS: parsers dce-rpc. KEYS: action - dcerpc message type, operation, wmi command; ad.computer.dst - authentication hostname; ad.computer.src - authenticated hostname; ad.domain.dst - authentication domain; ad.domain.src - authenticated domain; ad.username.dst - authentication username; ad.username.src - authenticated username; alert.id - mapped to risk meta; boc - behaviors of compromise; crypto - kerberos crypto type; error - dcerpc error messages; filename - endpoint UUID name; ioc - indicators of compromise; query - wmi parameters; service - '135'. RISK VALUES: info: wmi command, wmi remote query. HUNTING VALUES: ioc: remote scheduled task, remote service control, wmi command, wmi level 1 login, wmi remote query; boc: add user to domain group, change remote service config, clear remote event log, create remote registry key, create remote service, create remote task, enumerate domain group, enumerate domain users, enumerate remote resources, enumerate remote sessions, get remote time, remote wmi activity, set remote registry key, shut down remote system, start remote service. | packet | {"ioc":"remote scheduled task", "execution":"scheduled task", "persistence":"scheduled task", "privilege escalation":"scheduled task", "lateral movement":"component object model and distributed com"}, {"ioc":"remote service control", "lateral movement":"component object model and distributed com"}, {"ioc":"wmi command", "execution":"windows management instrumentation"}, {"ioc":"wmi level 1 login", "execution":"windows management instrumentation"}, {"ioc":"wmi remote query", "execution":"windows management instrumentation"}, {"boc":"add user to domain group", "persistence":"create account"}, {"boc":"change remote service config", "execution":"service execution"}, {"boc":"clear remote event log", "execution":"service execution"}, {"boc":"create remote registry key", "defense evasion":"modify registry"}, {"boc":"create remote service", "persistence":"new service"}, {"boc":"create remote task", "execution":"scheduled task"}, {"boc":"enumerate domain group", "discovery":"account discovery"}, {"boc":"enumerate domain users", "discovery":"account discovery"}, {"boc":"enumerate remote resources", "discovery":"network share discovery"}, {"boc":"enumerate remote sessions", "discovery":"account discovery"}, {"boc":"get remote time", "discovery":"system time discovery"}, {"boc":"remote wmi activity", "execution":"windows management instrumentation"}, {"boc":"set remote registry key", "defense evasion":"modify registry"}, {"boc":"shut down remote system", "defense evasion":"indicator removal on host"}, {"boc":"start remote service", "execution":"service execution"} |
Derusbi_Server_Handshake | derusbi_server | Detects the Derusbi server handshake. DEPENDENCIES: parsers FeedParser; feeds investigation. CONFLICTS: parsers Derusbi_Variant_Beacon. KEYS: alert.id - mapped to risk meta. RISK VALUES: warning: derusbi server handshake. HUNTING VALUES: ioc: derusbi server handshake. | packet | |
DHCP_lua | dhcp | Identifies DHCP (BOOTP) and DHCPv6 and extracts hosts and addresses. DEPENDENCIES: parsers NETWORK. CONFLICTS: parsers DHCP. KEYS: alert.id - mapped to risk meta; alias.host - client hostname, client fqdn; alias.ip - client ipv4, server ipv4; alias.ipv6 - client ipv6, server ipv6; alias.mac - client identifier, client hardware; extension - filename extension of bootfile; filename - bootfile; service - '67'. HUNTING VALUES: none. | packet | |
DNP3_lua | dnp3 | Identifies DNP3, the Distributed Network Protocol (SCADA). Only DNP3 sessions on port 20000 are parsed. DEPENDENCIES: parsers NETWORK. CONFLICTS: parsers dnp3. KEYS: action - dnp3 function; device.host - client identifier, server identifier; error - dnp3 errors; service - '20000'. HUNTING VALUES: none. | packet | |
DNS_verbose_lua | dns_verbose | Identifies DNS sessions. Registers query and response records, including record type. Registers protocol error messages. Alerts on DNS anomalies. DNS sessions on ports other than 53 are not parsed. Sessions other than DNS on port 53 result in an alert being registered for the session. DEPENDENCIES: parsers FeedParser, NETWORK, nwll; feeds investigation. CONFLICTS: parsers DNS, dns_verbose. KEYS: alias.host - hostnames of requests / answers; alias.ip - ipv4 addresses of requests / answers; alias.ipv6 - ipv6 addresses of requests / answers; analysis.service - dns characteristics of interest; dns.querytype - type of record in the dns query; dns.responsetype - type of record in the dns response; dns.resptext - contents of dns txt records; email - soa name; error - dns errors; ioc - indicators of compromise; service - '53'. HUNTING VALUES: analysis.service: anomalous dns message, anomalous or non-dns session on dns port, dns base36 txt record, dns base64 txt record, dns experimental record type, dns extremely large number of answers, dns extremely low auth ttl, dns extremely low ttl, dns invalid a record, dns invalid aaaa record, dns invalid edns version, dns invalid error code, dns invalid option code, dns invalid query type, dns large answer, dns large number of additional records, dns large number of answers, dns large number of authority records, dns large number of queries, dns long query, dns low ttl, dns obscure record type, dns obsolete record type, dns query contains answer records, dns query contains authority records, dns query for uncommon record class, dns reserved record type, dns single request response, dns unnasigned record type, dns unsolicited response records, dns z reserved present, hostname looks like ip address, large session dns port, large session dns service, loopback resolution of non-local name, outbound dns, suspicious traffic port 53; ioc: dns with executable, dns with file. | packet | |
DNS_verbose_lua Options | DNS_verbose_lua_options | Optional parameters to alter the behavior of the DNS_verbose_lua parser. | packet | event analysis, operations, protocol analysis |
dr_watson_lua | basic_dr_watson | Detects Dr. Watson crash reports and registers the name of the crashed process. DEPENDENCIES: parsers FeedParser; feeds investigation. CONFLICTS: parsers dr_watson. KEYS: alert.id - mapped to risk meta; filename - name of crashed process. RISK VALUES: info: dr watson crash report. HUNTING VALUES: ioc: dr watson crash report. | packet | |
duqu_lua | duqu | Detects binaries that may be related to the Duqu threat. This parser indicates that a file exhibits some characteristics in common with Duqu-related binaries and thus may warrant further analysis. It does not claim that any file so indicated is, as a matter of fact, related to Duqu. DEPENDENCIES: parsers FeedParser; feeds investigation. CONFLICTS: parsers duqu. KEYS: alert.id - mapped to risk meta. RISK VALUES: suspicious: potential binary from duqu group. HUNTING VALUES: ioc: potential binary from duqu group. | packet | |
DynDNS | dyndns | Detects dynamic DNS hosts and servers. DEPENDENCIES: parsers FeedParser, NETWORK; feeds investigation. CONFLICTS: parsers IR_DynDNS, IR_dyndns-http. KEYS: alert.id - mapped to risk meta; analysis.service - 'dynamic dns http', 'dynamic dns query', 'dynamic dns server', 'dynamic dns host', 'tunnel service'; ioc - indicators of compromise. RISK VALUES: info: dynamic dns host, dynamic dns server. HUNTING VALUES: analysis.service: dynamic dns host, dynamic dns http, dynamic dns query, dynamic dns server, tunnel service; ioc: dns exfiltration site, possible successful burpsuite scan. | packet | |
eicar | eicar | Detects the EICAR test string. DEPENDENCIES: feeds investigation. CONFLICTS: none. KEYS: analysis.session - session characteristics of interest. HUNTING VALUES: analysis.session: eicar test string. | packet | |
ein_detection_lua | ein | Attempts to detect Employer Identification Numbers. Intended as a replacement for the EIN detection in search.ini. This parser uses many short tokens; do not enable it if Decoder performance is a concern. To avoid redundancy, the EIN search in search.ini should be disabled if this parser is used. EIN numbers are expected to be formatted as a 2-digit prefix, followed by a hyphen, followed by 7 digits, e.g., 12-3456789. EIN numbers not in this format will not be detected. DEPENDENCIES: parsers FeedParser; feeds investigation. CONFLICTS: parsers ein_detection. KEYS: alert.id - mapped to risk meta; ein.number - (nonstandard) detected ein numbers. RISK VALUES: info: employer identification number. HUNTING VALUES: eoc: employer identification number. | packet | {"eoc":"employer identification number", "collection":""} |
electricfish | electricfish | Identifies possible Electricfish tunneling sessions. DEPENDENCIES: feeds investigation. CONFLICTS: none. KEYS: ioc - indicators of compromise. HUNTING VALUES: ioc: electricfish authentication. | packet | |
ethernet_oui | ethernet_oui | Determines the manufacturer of eth.src, eth.dst, and alias.mac addresses. Reserved OUIs, such as those used for broadcast or multicast, do not result in vendor meta. If the Decoder is placed between layer 3 gateways (i.e., routers), the meta for source and destination MAC will be the same for every session; in such cases, this parser should not be used. DEPENDENCIES: parsers NETWORK. CONFLICTS: parsers MAC_Vendor. KEYS: eth.dst.vendor - (nonstandard) manufacturer of destination ethernet controller; eth.src.vendor - (nonstandard) manufacturer of source ethernet controller. HUNTING VALUES: none. | packet, log | |
Evilgrab | evilgrab | Detects possible Evilgrab APT malware activity. DEPENDENCIES: parsers FeedParser; feeds investigation. CONFLICTS: none. KEYS: alert.id - mapped to risk meta. RISK VALUES: suspicious: possible evilgrab traffic. HUNTING VALUES: ioc: possible evilgrab traffic. | packet | |
exif | exif | Extracts longitude and latitude coordinates from EXIF data embedded in JPEG files. DEPENDENCIES: none. CONFLICTS: none. KEYS: latdec.src - latitudinal coordinate from exif data; longdec.src - longitudinal coordinate from exif data. HUNTING VALUES: none. | packet | |
file_category | file_category | Classifies file types into the categories Reconnaissance Tool, Windows Process, Scripting Engine, or Office Application for NetWitness Endpoint. DEPENDENCIES: none. CONFLICTS: none. KEYS: file.cat - category of file; file.cat.dst - category of destination file; file.cat.src - category of source file. HUNTING VALUES: none. | endpoint | |
fingerprint_7zip | fingerprint_7zip | Detects 7zip archive files. The filename is extracted only if all of the following are true: a) there is a single file in the archive; b) there is no directory structure; c) the filename field is not encrypted in the archive headers; d) the archive file is not encrypted or otherwise encoded (e.g., base64). DEPENDENCIES: none. CONFLICTS: none. KEYS: filename - filename within archive; filetype - '7zip'. HUNTING VALUES: none. | packet | |
fingerprint_access_db_lua | fingerprint_access_db | Identifies Microsoft Access database files. DEPENDENCIES: none. CONFLICTS: parsers fingerprint_access_db. KEYS: filetype - 'access db'. HUNTING VALUES: none. | packet | |
fingerprint_apple_dmg_lua | fingerprint_apple_dmg | Detects Mac OS X Disk Copy disk image files. DEPENDENCIES: none. CONFLICTS: parsers fingerprint_apple_dmg. KEYS: filetype - 'apple dmg'. HUNTING VALUES: none. | packet | |
fingerprint_apple_ios_lua | fingerprint_apple_ios_app | Detects Apple iOS app files. DEPENDENCIES: parsers nwll. CONFLICTS: parsers fingerprint_apple_ios. KEYS: extension - filename extension (if applicable); filename - filename of ios app; filetype - 'apple ios app'. HUNTING VALUES: none. | packet | |
fingerprint_apple_iwork_lua | fingerprint_apple_iwork | Detects Apple iWork files (Pages, Numbers, and Keynote). DEPENDENCIES: parsers fingerprint_zip. CONFLICTS: none. KEYS: filetype - 'apple iwork keynote', 'apple iwork numbers', 'apple iwork pages'. HUNTING VALUES: none. | packet | |
fingerprint_appleExec_lua | fingerprint_apple_exec | Detects Mac OS X executable binary files. DEPENDENCIES: none. CONFLICTS: parsers fingerprint_apple_exec. KEYS: filetype - 'apple executable (pef)', 'apple executable (mach-o)'. HUNTING VALUES: none. | packet | |
fingerprint_bmp | fingerprint_bmp | Detects BMP format image files. Will not detect base64-encoded BMP files, such as MIME attachments. DEPENDENCIES: parsers FeedParser; feeds investigation. CONFLICTS: none. KEYS: alert.id - mapped to risk meta; filetype - 'bmp'. RISK VALUES: info: uncommon bmp format. HUNTING VALUES: analysis.file: uncommon bmp format. | packet | |
fingerprint_cab | fingerprint_cab | Identifies cabinet (cab) files. DEPENDENCIES: none. CONFLICTS: parsers fingerprint_cab_files. KEYS: filetype - 'cab'. HUNTING VALUES: none. | packet | |
fingerprint_cad_lua | fingerprint_cad | Detects Autodesk AutoCAD DWG, DXF, and DWF files. Supports detection of base64-encoded files (e.g., email attachments). Meta for "filetype" is registered only once per session, irrespective of whether further CAD files are present in the session. Supports the following DWG and DXF file format versions: AC1024 (AutoCAD 2010/2011/2012), AC1021 (AutoCAD 2007/2008/2009), AC1018 (AutoCAD 2004/2005/2006), AC1015 (AutoCAD 2000/2000i/2002), AC1014 (Release 14), AC1012 (Release 13), AC1009 (Release 11/12), AC1006 (Release 10), AC1004 (Release 9), AC1003 (Version 2.60), AC1002 (Version 2.50), AC1001 (Version 2.22), AC2.22 (Version 2.22), AC2.21 (Version 2.21), AC2.10 (Version 2.10), AC1.50 (Version 2.05), AC1.40 (Version 1.40), AC1.2 (Version 1.2), MC0.0 (Version 1.0). CAD files created by non-Autodesk software may not be detected. CAD files converted into non-CAD formats (PDF, JPG, PNG, etc.) will not be detected as CAD files. DEPENDENCIES: none. CONFLICTS: parsers fingerprint_cad. KEYS: filetype - 'autocad'. HUNTING VALUES: none. | packet | |
fingerprint_certificate | fingerprint_certificate | Detects files containing X.509 certificates (typically .crt) and extracts the serial number, certificate authority, and subject. For the first certificate in a chain, or the only certificate: the ON (Organizational Name) from the Issuer section is registered as ssl.ca; if the ON is missing, the CN (Common Name) is used for ssl.ca instead. The ON from the Subject section is registered as ssl.subject; if the ON is missing, the CN is used for ssl.subject instead. The CN from the Subject section is registered as alias.host, alias.ip, or alias.ipv6 as appropriate, even if it was also registered as ssl.subject. For the remaining certificates in a chain: the ON from the Issuer section, or the CN if the ON is missing, is registered as ssl.ca. If the option Register All Common is enabled, the CN from both the Issuer and Subject sections is registered as ssl.common, even if this duplicates any of the above. DEPENDENCIES: parsers nwll; feeds investigation. CONFLICTS: none. KEYS: alert.id - mapped to risk meta; alias.host - common name from subject section of the first certificate in a chain, or subject alternate name, if host; alias.ip - common name from subject section of the first certificate in a chain, or subject alternate name, if IPv4; alias.ipv6 - common name from subject section of the first certificate in a chain, or subject alternate name, if IPv6; analysis.file - file characteristics of interest; analysis.service - protocol characteristics of interest; email - subject alternate name if email address; filetype - x509 certificate; ioc - indicators of compromise; ssl.ca - organizational name from issuer section of certificate; ssl.common - (optional) (nonstandard) common name from certificate; ssl.serial - serial number of certificate; ssl.subject - organizational name from subject section of certificate. RISK VALUES: suspicious: SSL certificate chain incomplete, SSL certificate missing Issuer Organizational Name, SSL certificate missing Subject Organizational Name, SSL certificate self-signed. HUNTING VALUES: analysis.service: SSL certificate chain incomplete, SSL certificate missing Issuer Organizational Name, SSL certificate missing Subject Organizational Name, SSL certificate no issuer, SSL certificate no subject, SSL certificate self-signed, certificate anomalous expiration date, certificate anomalous issued date, certificate domain validation, certificate expired, certificate expired within last week, certificate extended validation, certificate individual validation, certificate issued within last day, certificate issued within last month, certificate issued within last week, certificate long expiration, certificate organization validation; analysis.file: certificate file invalid; ioc: possible CVE-2020-0601 curveball attempt. | packet | {"ioc":"possible CVE-2020-0601 curveball attempt", "defense evasion":"code signing"} |
fingerprint_certificate Options | fingerprint_certificate_options | Optional parameters to alter the behavior of the fingerprint_certificate parser. | packet | event analysis, operations, protocol analysis |
fingerprint_chm_lua | fingerprint_chm | Identifies Microsoft Compiled Help files and detects potentially suspicious elements within them. DEPENDENCIES: parsers FeedParser; feeds investigation. CONFLICTS: parsers fingerprint_chm, malware_chm. KEYS: alert.id - mapped to risk meta; filetype - 'chm'. RISK VALUES: suspicious: suspicious chm; warning: chm contains exe. HUNTING VALUES: analysis.file: suspicious chm; ioc: chm contains exe. | packet | |
fingerprint_deb | fingerprint_deb | Detects Debian package files. DEPENDENCIES: none. CONFLICTS: none. KEYS: filetype - 'deb'. HUNTING VALUES: none. | packet | |
fingerprint_elf | fingerprint_elf | Detects ELF executable files. DEPENDENCIES: none. CONFLICTS: none. KEYS: filetype - 'elf executable'. HUNTING VALUES: none. | packet | |
fingerprint_flash | fingerprint_flash | Detects Adobe Flash (swf) files, including Flash embedded within a PDF. DEPENDENCIES: parsers FeedParser; feeds investigation. CONFLICTS: parsers Fingerprint Encrypted SWF, base64_swf, fingerprint_swf. KEYS: alert.id - mapped to risk meta; filetype - 'swf'. RISK VALUES: suspicious: potential embedded swf in pdf. HUNTING VALUES: analysis.file: potential embedded swf in pdf. | packet | |
fingerprint_font | fingerprint_font | Identifies font files: Embedded OpenType (eot), Web Open Font Format (woff), OpenType (otf), and TrueType (ttf). OTF with TTF outlines may be identified as TTF. DEPENDENCIES: none. CONFLICTS: none. KEYS: filetype - 'eot font', 'otf font', 'svg font', 'ttf font', 'woff font'. HUNTING VALUES: none. | packet | |
fingerprint_gif_lua | fingerprint_gif | Identifies GIF files and detects malformed GIF elements. DEPENDENCIES: parsers FeedParser; feeds investigation. CONFLICTS: parsers fingerprint_gif. KEYS: alert.id - mapped to risk meta; filetype - 'gif'. RISK VALUES: info: malformed gif header. HUNTING VALUES: analysis.file: malformed gif header. | packet | |
fingerprint_gzip | fingerprint_gzip | Detects files compressed with the gzip family of compression programs (gzip, bzip, etc.). Will not detect a gzip file in an HTTP stream that uses gzip content-encoding. DEPENDENCIES: none. CONFLICTS: none. KEYS: filetype - 'gzip compressed'. HUNTING VALUES: none. | packet | |
fingerprint_java | fingerprint_java | Detects Java JAR and CLASS files. DEPENDENCIES: feeds investigation. CONFLICTS: parsers fingerprint_jar, fingerprint_java_class. KEYS: analysis.file - file characteristics; filetype - 'java class', 'java jar'. HUNTING VALUES: analysis.file: one two filename java class, small java class, small java jar. | packet | |
fingerprint_javascript_lua | fingerprint_javascript | Detects JavaScript, and suspicious JavaScript actions and anomalies. DEPENDENCIES: parsers FeedParser; feeds investigation. CONFLICTS: parsers fingerprint_javascript, javascript_packers, javascript_shellcode, javascript_suspicious. KEYS: alert.id - mapped to risk meta; filetype - 'javascript'. RISK VALUES: info: js arguments callee, js browser probe, js eval, js eval escape, js eval no docwrite, js os browser detection, js string fromcharcode; suspicious: javascript doc, javascript edwards packer, javascript nerot packer, javascript obfuscation, js extrememly long charcode decode, js inside textarea, js shellcode evasion, js sprayheap, js var replace chars, js var suspicious name; warning: js noop shellcode. HUNTING VALUES: none. | packet | |
fingerprint_job | fingerprint_job | Identifies Windows job task scheduling files. Note that the "action", "directory", and "username" meta relate to the job itself, not to the transport of the job file; e.g., username is the account under which the job will run, not the user submitting the job file. DEPENDENCIES: none. CONFLICTS: none. KEYS: action - command, parameters, and trigger of job; directory - working directory for job; filetype - 'windows job file'; username - account with which the job is to be run. HUNTING VALUES: none. | packet | |
fingerprint_jpg_lua | fingerprint_jpg | Detects JPEG image files. DEPENDENCIES: none. CONFLICTS: parsers fingerprint_jpg. KEYS: filetype - 'jpg'. HUNTING VALUES: none. | packet | |
fingerprint_lnk_lua | fingerprint_lnk | Identifies lnk files and detects possible exploit characteristics, such as an icon resource that points to a DLL. Note that there are other possible methods of exploiting a .lnk file. DEPENDENCIES: parsers FeedParser; feeds investigation. CONFLICTS: parsers exploit_lnk_file, fingerprint_lnk. KEYS: alert.id - mapped to risk meta; filetype - 'lnk'. RISK VALUES: suspicious: exploit lnk file. HUNTING VALUES: ioc: exploit lnk file. | packet | |
fingerprint_minidump | fingerprint_minidump | Detects Windows minidump files. DEPENDENCIES: feeds investigation. CONFLICTS: none. KEYS: filetype - 'minidump'; ioc - indicators of compromise. HUNTING VALUES: ioc: lsass minidump. | packet | {"ioc":"lsass minidump", "lateral movement":"credential dumping"} |
fingerprint_msi_lua | fingerprint_msi | Identifies Microsoft OLE / Compound Document Format Windows Installer files. DEPENDENCIES: none. CONFLICTS: parsers fingerprint_msi. KEYS: filetype - 'windows installer msi'. HUNTING VALUES: none. | packet | |
fingerprint_mssql_lua | fingerprint_mssql | Detects Microsoft SQL Server database files. DEPENDENCIES: none. CONFLICTS: parsers fingerprint_mssql. KEYS: filetype - 'mssql'. HUNTING VALUES: none. | packet | |
fingerprint_nanozip | fingerprint_nanozip | Detects nanozip archive files. Only the first filename within the archive may be extracted. DEPENDENCIES: none. CONFLICTS: none. KEYS: directory - path of file within the archive; filename - name of file within the archive; filetype - 'nanozip'. HUNTING VALUES: none. | packet | |
fingerprint_ntds_dit | fingerprint_ntds_dit | Detects Active Directory database ntds.dit files. DEPENDENCIES: none. CONFLICTS: none. KEYS: filetype - 'ntds_dit'. HUNTING VALUES: none. | packet | |
fingerprint_office_lua | fingerprint_office | Identifies Microsoft Office 95-2007 Word, Excel, and PowerPoint documents. A file saved from Office 2007+ in 95-2003 format may register both filetype meta values. If the fingerprint_zip parser is also enabled, an Office 2007+ file will also be detected as a zip file, because an Office 2007+ file is in reality zipped XML. A base64-encoded Microsoft Installer file (.msi) may be detected as a base64-encoded Office 2003 file. DEPENDENCIES: none. CONFLICTS: parsers encoded_file_fingerprinting, fingerprint_office95-2003, fingerprint_office_2007. KEYS: filetype - 'office 95-2003 word document', 'office 95-2003 excel document', 'office 95-2003 powerpoint document', 'office 95-2003 document', 'office 2007 document'. HUNTING VALUES: none. | packet | |
fingerprint_pdf_lua | fingerprint_pdf | Identifies PDF files and detects risky characteristics. DEPENDENCIES: parsers FeedParser; feeds investigation. CONFLICTS: parsers encoded_file_fingerprinting, fingerprint_pdf, malware_pdf. KEYS: alert.id - mapped to risk meta; alias.host - host portion of urls found in pdf (if name); alias.ip - host portion of urls found in pdf (if IPv4); alias.ipv6 - host portion of urls found in pdf (if IPv6); analysis.file - file characteristics; directory - directory portion of urls found in pdf; extension - extension portion of filename of urls found in pdf; filename - filename portion of urls found in pdf; filetype - 'pdf'; query - querystring portion of urls found in pdf; version - pdf format version. RISK VALUES: info: pdf deflating embedded file, pdf single page, pdf stream ascii85 encoded, pdf stream ccittfax encoded, pdf stream crypt encoded, pdf stream hex encoded, pdf stream lwz encoded, pdf stream runlength encoded, pdf with additional actions, pdf with launch action, pdf with names, pdf with open action, pdf with xfa; suspicious: pdf with javascript; warning: pdf creates and launches vbs, pdf inconsistent xref size, pdf launches exe, pdf with javascript hidden in xfa, pdf with nested filters, pdf with obfuscated objects. HUNTING VALUES: analysis.file: pdf deflating embedded file, pdf inconsistent xref size, pdf single page, pdf stream ascii85 encoded, pdf stream ccittfax encoded, pdf stream crypt encoded, pdf stream hex encoded, pdf stream lwz encoded, pdf stream runlength encoded, pdf with additional actions, pdf with launch action, pdf with names, pdf with nested filters, pdf with obfuscated objects, pdf with open action, pdf with url, pdf with xfa; ioc: pdf creates and launches vbs, pdf launches exe, pdf with javascript, pdf with javascript hidden in xfa. | packet | {"ioc":"pdf creates and launches vbs", "initial access":"spearphishing attachment", "execution":"user execution", "defense evasion":"scripting", "execution":"scripting"}, {"ioc":"pdf launches exe", "initial access":"spearphishing attachment", "execution":"user execution", "defense evasion":"scripting", "execution":"scripting"}, {"ioc":"pdf with javascript", "initial access":"spearphishing attachment", "execution":"user execution", "defense evasion":"scripting", "execution":"scripting"}, {"ioc":"pdf with javascript hidden in xfa", "initial access":"spearphishing attachment", "execution":"user execution", "defense evasion":"scripting", "execution":"scripting"} |
fingerprint_pff | fingerprint_pff | Detects Microsoft Outlook Personal File Folder objects such as pab, pst, and ost. Does not differentiate between types of pff files. DEPENDENCIES None CONFLICTS None KEYS * filetype - 'pff' HUNTING VALUES None |
packet | |
fingerprint_pkcs12_lua | fingerprint_pkcs12 | Detects PKCS #12 format private key files. Performs detection only. No meta is extracted from the contents of the pkcs12 file. DEPENDENCIES None CONFLICTS Parsers * fingerprint_pkcs12 KEYS * filetype - 'private encryption key pkcs12' HUNTING VALUES None |
packet | |
fingerprint_png_lua | fingerprint_png | Detects PNG image files. DEPENDENCIES None CONFLICTS Parsers * fingerprint_png KEYS * filetype - 'png' HUNTING VALUES None |
packet | |
Fingerprint_Private_Key | fingerprint_key | Detects SSH and PGP private key files. DEPENDENCIES None CONFLICTS Parsers * fingerprint_private_encryption_keys KEYS * filetype - 'private encryption key', 'private pgp encryption key', 'putty public private key pair' HUNTING VALUES None |
packet | |
fingerprint_rar_lua | fingerprint_rar | Detects RAR archive files. Registers names of files within archive files if available. A rar may be password protected or encrypted. An encrypted rar is always password protected - in which case, only the "encrypted" alert is registered. Filenames extracted are names of the files within the archive, not the name of the archive itself. Filenames can be extracted from a password protected rar, but not an encrypted rar. For a base64-encoded rar, only "encrypted" is detected, not "password protected". No filenames are extracted. DEPENDENCIES Parsers * FeedParser * nwll Feeds * investigation CONFLICTS Parsers * encoded_file_fingerprinting * fingerprint_rar KEYS * alert.id - mapped to risk meta * directory - directory of file within archive * extension - extension of file within archive * filename - name of file within archive * filetype - 'rar' RISK VALUES suspicious * rar file encrypted * rar file password protected HUNTING VALUES analysis.file * rar file encrypted * rar file password protected |
packet | |
fingerprint_rtf_lua | fingerprint_rtf | Detects RTF files. DEPENDENCIES Feeds * investigation CONFLICTS Parsers * encoded_file_fingerprinting * fingerprint_rtf KEYS * analysis.file - 'suspicious rtf' * filetype - 'rtf' HUNTING VALUES analysis.file * rtf invalid magic number * suspicious rtf |
packet | |
fingerprint_unix_script_lua | fingerprint_unix_script | Identifies shell, perl, ruby, and python scripts. DEPENDENCIES None CONFLICTS Parsers * fingerprint_unix_script KEYS * filetype - 'unix shell script', 'perl script', 'python script', 'ruby script' HUNTING VALUES None |
packet | |
fingerprint_vmdk | fingerprint_vmdk | Detects VMWare VMDK files. DEPENDENCIES None CONFLICTS None KEYS * filetype - 'vmdk' HUNTING VALUES None |
packet | |
fingerprint_webm | fingerprint_webm | Detects webm and matroska video files. DEPENDENCIES None CONFLICTS None KEYS * filetype - 'webm', 'matroska' HUNTING VALUES None |
packet | |
fingerprint_windows_registry | fingerprint_windows_registry | Detects Windows Registry Hive files. DEPENDENCIES None CONFLICTS None KEYS * filetype - 'windows registry' HUNTING VALUES None |
packet | |
fingerprint_zip | fingerprint_zip | Detects PK format zip files, and extracts the names of files contained in the archive. Parses PK-format zip archive files only. PK format is used by WinZip and Windows XP+. Other formats such as gzip and 7zip are parsed by other parsers. Filenames are the names of the files contained within the zip file, not the name of the zip file itself (the name of the zip file itself is not in the zip file). DEPENDENCIES Parsers * FeedParser * nwll Feeds * investigation CONFLICTS Parsers * encoded_file_fingerprinting * pkware KEYS * alert.id - mapped to risk meta * analysis.file - file characteristics * directory - directory of file within archive * extension - extension of file within archive * filename - name of file within archive * filetype - 'zip' * ioc - indicators of compromise RISK VALUES info * zip file language encoded suspicious * zip file encrypted * zip file obfuscated HUNTING VALUES analysis.file * zip file encrypted * zip file language encoded * zip file obfuscated * zipped chm * zipped hta * zipped wsf ioc * spora ransomware |
packet | {"ioc":"spora ransomware", "defense evasion":"process injection", "discovery":"system network configuration discovery", "exfiltration":"data compressed", "impact":"data encrypted for impact"} |
FIX_lua | fix | Identifies the Financial Information Exchange Protocol. DEPENDENCIES Parsers * NETWORK CONFLICTS Parsers * FIX KEYS * service - '8082' HUNTING VALUES None |
packet | |
Form_Data_lua | formdata | Extracts submitted values from HTTP POST actions. Supports: - application/x-www-form-urlencoded - application/json - multipart/form-data For urlencoded and json, each chunk of name:value pairs is registered as a single "query" meta. Values are not de-urlencoded - this makes "eyeballing" them more difficult, but makes writing app rules and feeds easier and more accurate. For multipart/form-data, only the name is registered, since the value usually consists of chunks of binary data such as images, files, etc. Only application/x-www-form-urlencoded will be examined for possible base64 values, since multipart/form-data is routinely encoded with base64. DEPENDENCIES Parsers * FeedParser Feeds * investigation CONFLICTS Parsers * Form_Data_Elements KEYS * analysis.service - service characteristics * password - password credentials in urlencoded formdata * query - HTTP POST form data * username - username credentials in urlencoded formdata HUNTING VALUES analysis.service * http post missing content-length * http post missing content-type * possible base64 http form data |
packet | |
FTP_lua | ftp | File Transfer Protocol (FTP) RFC 959. Parses only FTP command sessions. FTP data sessions are not identified or parsed. Registers the actual FTP command, e.g. "STOR" (unlike the native parser "FTP" which registers action meta "put" for uploads). Filename is prepended to link meta for active transfers but not passive. DEPENDENCIES Parsers * NETWORK * nwll CONFLICTS Parsers * FTP KEYS * action - FTP command * directory - target directory of FTP command * extension - extension of filename * filename - target filename of FTP command * link - query parameters for identification of corresponding data session * password - password credential provided to server * service - '21' * username - user credential provided to server HUNTING VALUES None |
packet | |
GeoIP2 Database Files | geoip2_database_files | MaxMind's GeoIP product lets you discover information about a specific IP address such as domain, organization, country, city, ISP, and latitude and longitude. RSA NetWitness Platform 11.2 and higher has a system parser called GeoIP2 that uses the MaxMind databases, and it is enabled by default. Updates to these databases are published on RSA Live weekly, and it is recommended that you subscribe to these database files in order to deploy timely updates. The meta keys for country, domain, and organization are enabled by default. See the CONFIGURATION section to enable or disable the meta output by the parser. REFERENCES See MaxMind's description of the databases here: https://dev.maxmind.com/geoip/geoip2/downloadable/ VERSIONS SUPPORTED RSA NetWitness Platform 11.2+ CONFIGURATION To enable or disable meta keys generated by the GeoIP2 system parser, go to the UI > Admin > Services > Decoder (or Log Decoder) > Parsers Configuration > GeoIP2 GENERATED METADATA city.dst city.src country.dst country.src domain.dst domain.src isp latdec.dst latdec.src longdec.dst longdec.src org.dst org.src DEPENDENCIES GeoIP2 System Parser |
log, packet | event analysis, flow analysis, operations |
ghost | ghost | Detects likely Ghost Rat and Zegost beacon sessions. DEPENDENCIES Parsers * FeedParser Feeds * investigation CONFLICTS Parsers * ghost_protocol KEYS * alert.id - mapped to risk meta * ioc - indicators of compromise RISK VALUES suspicious * ghost-protocol-variant warning * ghost-protocol-00000 * ghost-protocol-00000000 * ghost-protocol-7hero * ghost-protocol-ABCDE * ghost-protocol-Adobe * ghost-protocol-Assas * ghost-protocol-B1X6Z * ghost-protocol-BEiLa * ghost-protocol-BeiJi * ghost-protocol-Black * ghost-protocol-Blues * ghost-protocol-ByShe * ghost-protocol-CCTV0 * ghost-protocol-CHINA * ghost-protocol-ChEnA * ghost-protocol-DNSYU * ghost-protocol-DrAgOn * ghost-protocol-EXXMM * ghost-protocol-Eyes1 * ghost-protocol-Eyes2 * ghost-protocol-FKJP3 * ghost-protocol-FLYNN * ghost-protocol-FWAPR * ghost-protocol-FWKJG * ghost-protocol-GM110 * ghost-protocol-GOLDt * ghost-protocol-GWRAT * ghost-protocol-Gh0st * ghost-protocol-Gi0st * ghost-protocol-HEART * ghost-protocol-HTTP/ * ghost-protocol-HTTPS * ghost-protocol-HXWAN * ghost-protocol-Heart * ghost-protocol-Hello * ghost-protocol-Hyxhj * ghost-protocol-IM007 * ghost-protocol-ITore * ghost-protocol-KOBBX * ghost-protocol-KrisR * ghost-protocol-LUCKK * ghost-protocol-LURK0 * ghost-protocol-LYRAT * ghost-protocol-Level * ghost-protocol-LkxCq * ghost-protocol-Lover * ghost-protocol-Lyyyy * ghost-protocol-MYFYB * ghost-protocol-MoZhe * ghost-protocol-MyRat * ghost-protocol-NIGHT * ghost-protocol-Naver * ghost-protocol-NoNul * ghost-protocol-OXXMM * ghost-protocol-Origi * ghost-protocol-PCRat * ghost-protocol-QQ_124971919 * ghost-protocol-QWPOT * ghost-protocol-Shado * ghost-protocol-Snown * ghost-protocol-SocKt * ghost-protocol-Spidern * ghost-protocol-Super * ghost-protocol-Sw@rd * ghost-protocol-Tyjhu * ghost-protocol-URATU * ghost-protocol-VGTLS * ghost-protocol-W0LFKO * ghost-protocol-Wangz * ghost-protocol-Wh0vt * ghost-protocol-Winds * ghost-protocol-World * ghost-protocol-X6M9K * ghost-protocol-X6RAT * ghost-protocol-XDAPR * ghost-protocol-Xiaoq * ghost-protocol-Xjjhj * ghost-protocol-YANGZ * ghost-protocol-YinLe * ghost-protocol-ag0ft * ghost-protocol-apach * ghost-protocol-attac * ghost-protocol-cb1st * ghost-protocol-chevr * ghost-protocol-cyl22 * ghost-protocol-https * ghost-protocol-httpx * ghost-protocol-kaGni * ghost-protocol-light * ghost-protocol-lvxYT * ghost-protocol-v2010 * ghost-protocol-wcker * ghost-protocol-whmhl * ghost-protocol-wings * ghost-protocol-xhjyk * ghost-protocol-xqwf7 HUNTING VALUES ioc * ghost protocol * zegost |
packet | {"ioc":"zegost", "command and control":"standard cryptographic protocol", "command and control":"commonly used port", "collection":"input capture", "collection":"screen capture", "execution":"command-line interface", "defense evasion":"dll side-loading"} |
glass_rat | glass_rat | Detects the network communication used by the GlassRAT Trojan identified by RSA Research. Additional details can be found here: https://blogs.rsa.com/peering-into-glassrat/ DEPENDENCIES Parsers * FeedParser Feeds * investigation CONFLICTS None KEYS * alert.id - mapped to risk meta RISK VALUES suspicious * glass rat c2 handshake beacon * glass rat c2 handshake connection HUNTING VALUES None |
packet | |
gnutella_lua | gnutella | Identifies the Gnutella file sharing protocol. DEPENDENCIES Parsers * NETWORK CONFLICTS Parsers * GNUTELLA KEYS * action - gnutella command: 'connect', 'get' * service - '6346' HUNTING VALUES None |
packet | |
hl7 | hl7 | Identifies HL7 traffic. Performs identification only. No meta is extracted. DEPENDENCIES Parsers * NETWORK CONFLICTS None KEYS * service - '6046' HUNTING VALUES None |
packet | |
HTML_threat | HTML_threat | Detects common HTML threat techniques such as hidden frames and embedded objects. DEPENDENCIES Parsers * FeedParser * HTTP_lua * NETWORK * nwll Feeds * investigation CONFLICTS Parsers * HTML_Threat_Analysis * exploit_web_pages KEYS * alert.id - mapped to risk meta * alias.host - host from external or hidden iframe reference if hostname * alias.ip - host from external or hidden iframe reference if IPv4 * alias.ipv6 - host from external or hidden iframe reference if IPv6 * directory - directory from external or hidden iframe reference * eoc - service analysis * extension - extension from external or hidden iframe reference * filename - filename from external or hidden iframe reference RISK VALUES info * embedded html applet * embedded html applet with params * embedded html codebase * embedded html object * iframe src cgi * iframe src htm * iframe src html suspicious * iframe embedded js * iframe hidden values * iframe inside hidden div * iframe src php * pdf inside hidden div warning * iframe src pdf HUNTING VALUES eoc * html form external submission * html hidden div * html hidden post * html hidden span * html iframe external reference |
packet | {"eoc":"html form external submission", "initial access":"drive-by compromise"}, {"eoc":"html hidden div", "initial access":"drive-by compromise"}, {"eoc":"html hidden post", "initial access":"drive-by compromise"}, {"eoc":"html hidden span", "initial access":"drive-by compromise"}, {"eoc":"html iframe external reference", "initial access":"drive-by compromise"} |
htran_lua | htran | Identifies the error message generated by the htran redirection tool. DEPENDENCIES Parsers * FeedParser Feeds * investigation CONFLICTS Parsers * htran KEYS * alert.id - mapped to risk meta RISK VALUES suspicious * htran redirector HUNTING VALUES None |
packet | |
HTTP_lua | http | Extracts values from HTTP protocol request and response headers. Parses ICAP (HTTP) requests. If the parser detects that it is seeing an ICAP session, then only the ICAP's request stream is parsed, which represents the original HTTP request or response prior to any modification that may be performed by the ICAP server. Performs HTTP header anomaly detection. Does not attempt to detect risky HTML elements such as hidden iframes (that functionality is performed by the parser 'HTML_threat'). DEPENDENCIES Parsers * FeedParser * NETWORK * nwll Feeds * investigation CONFLICTS Parsers * Browser-Detect * HTTP * ICAP_HTTP * NTLMSSP * NTLMSSP_lua * OS-Detect * crafted_http_header * http-flex * http_connect * http_error_codes * http_header * querystring-elements * servers * user-agent * xfwdfor KEYS * action - request method ('get', 'post', et al) * ad.computer.src - host credential from 'NTLMSSP' authorization * ad.domain.src - domain credential from 'NTLMSSP' authorization * ad.username.src - user credential from 'NTLMSSP' authorization * alert.id - HTTP header anomalies * alias.host - request 'HOST:' header * alias.ip - request 'HOST:' header if IPv4 * alias.ipv6 - request 'HOST:' header if IPv6 * analysis.service - (optional) advanced http analysis characteristics * attachment - filename submitted in a POST request * client - request 'USER-AGENT:' header * content - 'CONTENT-TYPE' header * directory - request directory * email - proxy client if email address * error - response status code if not '2xx' * extension - request filename extension * filename - request filename * http.request - (nonstandard) (optional) request header type * http.response - (nonstandard) (optional) response header type * ioc - (optional) indicators of compromise from advanced analysis * language - languages from language headers * orig_ip - IP address of proxy client * password - password credential from 'Basic' authorization * query - request querystring * referer - request 'REFERER:' header * req.uniq - (nonstandard) (optional) request header value * resp.uniq - (nonstandard) (optional) response header value * result - (optional) HTTP response status message * result.code - (optional) HTTP response status code * server - response 'SERVER:' header * service - '80' * url - (nonstandard) (optional) full request URL * username - user credential from 'Basic' authorization RISK VALUES info * http content-md5 overflow * http contentdisposition with filename * http direct to ip request * http1.0 high header count * http1.0 low header count * http1.0 server location redirect * http1.0 ssdp * http1.0 uncommon keepalive header * http1.0 unsupported cache header * http1.0 unsupported connection header * http1.0 unsupported cookie header * http1.0 unsupported etag header * http1.0 unsupported host header * http1.0 unsupported max-forwards header * http1.0 unsupported md5 header * http1.0 unsupported options method * http1.0 unsupported proxyauth header * http1.0 unsupported proxyauthenticate header * http1.0 unsupported range header * http1.0 unsupported server reply * http1.0 unsupported te header * http1.0 unsupported transferencoding header * http1.0 unsupported upgrade header * http1.0 unsupported vary header * http1.0 unsupported warning header * http1.0 webdav * http1.0 without referer header * http1.0 without server header * http1.0 without user-agent * http1.1 high header count * http1.1 low header count * http1.1 server location redirect * http1.1 ssdp * http1.1 uncommon te header * http1.1 uncommon upgrade header * http1.1 webdav * http1.1 without accept header * http1.1 without connection header * http1.1 without host header * http1.1 without referer header * http1.1 without server header * http1.1 without user-agent header suspicious * http invalid transfer encoding warning * http large byte range HUNTING VALUES analysis.service * Microsoft BITS * Microsoft RPC over HTTP * Microsoft SCCM * Qualys Scan * chunked encoding with content length * content-disposition filename contains null character * direct to ip one char php * host header contains port * http 1.0 unsupported cache header * http 1.0 unsupported cookie header * http 1.0 unsupported etag header * http 1.0 unsupported host header * http 1.0 unsupported max-forwards header * http 1.0 unsupported md5 header * http 1.0 unsupported options method * http 1.0 unsupported proxyauth header * http 1.0 unsupported proxyauthenticate header * http 1.0 unsupported range header * http 1.0 unsupported te header * http 1.0 unsupported transferencoding header * http 1.0 unsupported upgrade header * http 1.0 unsupported vary header * http 1.0 unsupported warning header * http 200 response no data * http connect * http content header string concatenation * http content-md5 overflow * http contentdisposition with filename * http direct to ip request * http explicit proxy request * http four headers * http four or less headers * http get no post * http get no post with content-length * http high header count * http host header is an integer * http invalid allow methods * http invalid cookie * http invalid transfer encoding * http java * http large byte range * http long query * http long user-agent * http max length user-agent * http mid length user-agent * http misspelled cookie * http misspelled referer * http misspelled user-agent * http netbox server * http no accept header * http no connection header * http no host header * http no referer * http no server header * http no user-agent * http nonstandard mozilla * http not good mozilla * http possible exploitkit * http post and get * http post no get * http post no get low header count not flash * http post no get missing content-length * http post no get no referer * http post no get no referer directtoip * http post no get short filename suspicious extension * http post no get short user-agent * http query with base64 * http request path host header mismatch * http request querystring contains ip address * http response filename * http response filename attachment * http response filename bin * http response filename exe * http response filename inline * http response status ends with space * http server location redirect * http short user-agent * http short user-agent ie * http single request * http single response * http six or less headers * http ssdp * http suspicious 4 headers * http suspicious 6 headers * http suspicious connect * http suspicious no cookie * http suspicious user-agent * http three headers * http two headers * http uncommon origin schema * http webdav * http webshell * http webshell error * http webshell no error * http wget direct to ip * http with base64 * http with binary * watchlist file extension * watchlist file fingerprint * websocket ioc * Crimeware Black Hole Exploit Kit * Crimeware Zeus * Crimeware Zeus Knownbad * Known Bad File Name * Known Bad UA CertUtil * Known Bad UA CredentialLeak * Known Bad UA IE6Beta * Known Bad UA UPSPhishing * Trojan/Napolor * Xtreme RAT * apache struts CVE-2017-12611 attempt * apache struts exploit attempt * apt ActiveMonk UA * apt Deep Panda C2 * apt Foxy RAT * apt Lurid RAT * apt MiniASP * apt NFlog Rat * apt NetTraveler RAT * apt PNG Rat * apt PhotoASP RAT * apt Sykipot Rat * apt WebC2 CS * apt ZipToken UA Post * emissary malware * http tunnel rat * java exe * java pdf * malware sinkhole * possible malware user-agent * possible redkit |
packet | {"ioc":"possible malware user-agent", "command and control":"standard application layer protocol", "exfiltration":"exfiltration over command and control channel", "initial access":""} |
HTTP_lua Options | HTTP_lua_options | Optional parameters to alter the behavior of the HTTP_lua parser. | packet | event analysis, operations, protocol analysis |
HTTP_SQL_Injection | http_sql_injection | Detects possible injection of SQL commands in HTTP requests. The goal of this parser is to indicate the possibility that an HTTP request contains SQL statements. It is not the goal of this parser to make a definitive determination that any specific HTTP request does in fact contain SQL statements. Nor does it extrapolate the functionality of any such SQL statements, nor make any claims as to their purpose (legitimate or nefarious). Thus, the parser simply indicates that further analysis may be warranted. DEPENDENCIES Parsers * FeedParser * Form_Data_lua * HTTP_lua Feeds * investigation CONFLICTS Parsers * http_sql_injection KEYS * alert.id - mapped to risk meta * ioc - indicators of compromise RISK VALUES suspicious * possible sql injection HUNTING VALUES ioc * possible sql injection |
packet | {"ioc":"possible sql injection", "initial access":"exploit public-facing application"} |
ICMP | icmp | Provides types and codes from ICMP packets. DEPENDENCIES Parsers * NETWORK Feeds * investigation CONFLICTS Parsers * IR_1_ICMP KEYS * action - icmp type meaning * analysis.session - other icmp characteristics * error - icmp code meaning * icmp.code - raw icmp code * icmp.type - raw icmp type HUNTING VALUES analysis.session * large icmp request frame * large icmp response frame * reserved icmp type |
packet | |
IDN_homograph | idn_homograph | Detects punycode-encoded internationalized domain names which use non-Latin Unicode code points whose glyphs resemble those of Latin Unicode code points. Registers the decoded homograph as analysis.service meta. DEPENDENCIES Parsers * FeedParser Feeds * investigation CONFLICTS None KEYS * analysis.service - host as which the homograph is masquerading * ioc - indicators of compromise HUNTING VALUES ioc * homograph detected |
packet | |
IMAP_lua | imap | Identifies IMAP, registers commands, errors, usernames, and passwords. DEPENDENCIES Parsers * NETWORK CONFLICTS Parsers * IMAP * IMAP-flex KEYS * action - IMAP command issued * error - IMAP error * password - password credential provided to server * service - '143' * username - user credential provided to server HUNTING VALUES None |
packet | |
IRC_verbose_lua | irc_verbose | Expanded IRC parsing. DEPENDENCIES Parsers * NETWORK * nwll CONFLICTS Parsers * IRC * irc-expanded KEYS * action - IRC command * alias.host - target host of IRC command, if name * alias.ip - target host of IRC command, if IPv4 * alias.ipv6 - target host of IRC command, if IPv6 * group - target channel of IRC command * message - message sent or received * password - password credential provided to server * service - '6667' * subject - text of topic command * username - username credential provided to server HUNTING VALUES None |
packet | |
ISAKMP | isakmp | Identifies ISAKMP. For IKE type 132 (fragment) payloads, an alert is registered if the length field is less than 8, which indicates an attempt to exploit Cisco ASA Buffer Overflow CVE-2016-1287. ISAKMP sessions on ports other than UDP 500 or 4500 will not be parsed. DEPENDENCIES Parsers * FeedParser * NETWORK Feeds * investigation CONFLICTS None KEYS * alert.id - mapped to risk meta * service - '500' RISK VALUES warning * isakmp buffer overflow HUNTING VALUES None |
packet | |
iSCSI | iscsi | Identifies SCSI-over-IP. Performs identification only. No meta is extracted. DEPENDENCIES Parsers * NETWORK CONFLICTS Parsers * iscsi KEYS * service - '3260' HUNTING VALUES None |
packet | |
JSON-RPC | JSON-RPC | Identifies JSON-RPC 2.0 streams. Will not identify JSON-RPC 1.0 streams. May not identify JSON-RPC over transports such as HTTP. DEPENDENCIES Parsers * NETWORK Feeds * investigation CONFLICTS None KEYS * client - user agent * ioc - indicators of compromise * service - 49152 HUNTING VALUES ioc * monero mining |
packet | |
kakaotalk | kakaotalk | Identifies KakaoTalk mobile application traffic. DEPENDENCIES Parsers * NETWORK CONFLICTS None KEYS * client - 'KakaoTalk Mobile App' * service - '12214' HUNTING VALUES None |
packet | |
Kerberos | kerberos | Extracts meta from the Kerberos network protocol. Does not parse Kerberos authentication as utilized by other protocols. DEPENDENCIES Parsers * NETWORK * nwll CONFLICTS None KEYS * action - Kerberos commands * ad.computer.dst - host to which user is attempting authentication * ad.computer.src - client source host * ad.domain.dst - domain to which user is attempting authentication * ad.domain.src - client source domain * ad.username.dst - user as which actions are performed * ad.username.src - client user * crypto - Kerberos cryptography suite used for session * error - Kerberos errors * service - '88' HUNTING VALUES None |
packet | |
LDAP | ldap | Lightweight Directory Access Protocol, and extensions. Only LDAP sessions on port 389 or port 686 will be parsed by default. The list of ports for which to parse LDAP sessions may be modified with the "LDAP Ports" option. Only LDAP requests are parsed by default. Some vendor-specific LDAP extensions such as Active Directory are not parsed. However, values from unparsed operations will be registered if the option "Register All Values" is enabled. Note that enabling this option is not advised. DEPENDENCIES Parsers * NETWORK * nwll CONFLICTS None KEYS * action - LDAP protocol operation * error - LDAP error response messages sent by a server to a client * ldap - (optional) (nonstandard) uninterpreted LDAP values * ldap.query - (nonstandard) search criteria from an LDAP search * ldap.response - (nonstandard) results from an LDAP search * password - if simple authentication, password used to authenticate to the LDAP server * service - '389' * username - name used to authenticate to the LDAP server HUNTING VALUES None |
packet | |
LDAP Options | LDAP_options | Optional parameters to alter the behavior of the LDAP parser. | packet | operations, event analysis, protocol analysis, identity, authentication |
Lync | lync | Identifies Microsoft Lync (formerly Microsoft Office Communicator, Windows Messenger). Performs identification only. No meta is extracted or registered. Only encrypted / TLS Lync sessions on port 5061 are supported. DEPENDENCIES Parsers * NETWORK CONFLICTS None KEYS * service - '5061' HUNTING VALUES None |
packet | |
MAIL_lua | Extracts values from email messages such as email addresses, subject, and client. Parsing of an Internet Message Format message (RFC 5322) is independent of the transport of the message (SMTP, POP, IMAP, LMTP, etc.). Think of the relationship as that between HTML and HTTP - this parses the equivalent of HTML, not HTTP. Meta "content" of an attachment is the literal value of the Content-Type: header, which is easily forged. Do not consider content meta as any more authoritative than you would a filename extension. DEPENDENCIES Parsers * FeedParser * nwll Feeds * investigation CONFLICTS Parsers * MAIL-flex * email-ip KEYS * action - mail action performed: 'sendfrom', 'sendto', 'attach' * alias.host - hostname values from x-originating-ip headers, received headers, and (optional) email addresses * alias.ip - ipv4 values from x-originating-ip headers, received headers, and (optional) email addresses * alias.ipv6 - ipv6 values from x-originating-ip headers, received headers, and (optional) email addresses * analysis.service - characteristics of email messages * attachment - filenames of email attachments * client - values from x-mailer: headers * content - 'mail', value of Content-Type headers within messages * email - email address found within messages * email.dst - (optional) message recipients * email.src - (optional) message originators * extension - extension from filenames of email attachments * fullname - comment portion of addresses, typically a name * fullname.dst - (optional) comment portion of recipient addresses * fullname.src - (optional) comment portion of sender addresses * ioc - indicators of compromise * subject - values from subject: headers HUNTING VALUES analysis.service * base64 email attachment * email address domain is an IP * email missing recipients * email recipients cc/bcc only * express x-mailer * inbound email * received header IP mismatch * received header hostname mismatch * smtp forged sender * subject phish * uncommon mail source ioc * Elderwood XMailer Artifact |
packet | |
MAIL_lua Options | MAIL_lua_options | Optional parameters to alter the behavior of the MAIL_lua parser. | packet | event analysis, operations, protocol analysis |
Mitozhan | mitozhan | Detects Mitozhan malware command and control. See the RSA paper "Terracotta VPN". DEPENDENCIES Parsers * FeedParser Feeds * investigation CONFLICTS None KEYS * alert.id - mapped to risk meta RISK VALUES warning * mitozhan connection string HUNTING VALUES None |
packet | |
modbus | modbus | Identifies MODBUS TCP/IP, extracts commands, errors, and device identifications. DEPENDENCIES Parsers * NETWORK CONFLICTS Parsers * modbus-w_port KEYS * action - MODBUS protocol function * device.type - device identification * error - MODBUS error responses * service - '502' HUNTING VALUES None |
packet | |
MSU_rat | MSU_rat | Detects MSU RAT activity. Detects direct-to-IP version. Does not detect HTTP version. DEPENDENCIES Parsers * FeedParser Feeds * investigation CONFLICTS None KEYS * alert.id - mapped to risk meta * crypto - XOR key * ioc - ir alerts RISK VALUES warning * MSU RAT activity HUNTING VALUES ioc * apt MSU RAT |
packet | |
NetBIOS_lua | NetBIOS | NetBIOS over TCP/IP: NBNS, NBDS, NBSS. DEPENDENCIES Parsers * NETWORK CONFLICTS Parsers * NETBIOS KEYS * action - opcode value from NBNS * alias.host - server host if name * alias.ip - server host if IPv4 * alias.ipv6 - server host if IPv6 * service - '137' (NBNS), '138' (NBDS), '139' (NBSS) HUNTING VALUES None |
packet | |
NFS_lua | nfs | Identifies and parses RPC-related protocols NFS, MOUNT, and PORTMAP. It is critical to the proper parsing of NFS that both sides of the session be seen by the decoder. Although PORTMAP and MOUNT occur in a session other than the NFS request/response session, they will also be identified as NFS. Values for "action" and "error" directly reflect the name of the procedure, operation, or error from the relevant RFC. No attempt at interpretation has been made. Support for NFSv4 is limited. It will be identified, and most actions and error codes should be extracted. DEPENDENCIES Parsers * NETWORK * nwll CONFLICTS Parsers * NFS * nfs-flex * sunrpc KEYS * action - NFS command * alias.host - target host of NFS command if name * alias.ip - target host of NFS command if IPv4 * alias.ipv6 - target host of NFS command if IPv6 * directory - target directory of NFS command * error - NFS errors * extension - filename extension * filename - target file of NFS command * service - '2049' HUNTING VALUES None |
packet | |
NTLMSSP_lua | ntlmssp | Extracts Active Directory user information from NTLM HTTP headers from proxy authorization. This parser is not needed if using HTTP_lua. Enabling this parser in addition to HTTP_lua will result in duplicate meta. DEPENDENCIES None CONFLICTS Parsers * HTTP_lua * NTLMSSP KEYS * ad.computer.src - host credential provided to server * ad.domain.src - domain credential provided to server * ad.username.src - user credential provided to server HUNTING VALUES None |
packet | |
ntp_lua | ntp | Identifies Network Time Protocol. Performs identification only. No meta is extracted. DEPENDENCIES Parsers * NETWORK CONFLICTS Parsers * NTP KEYS * service - '123' HUNTING VALUES None |
packet | |
nwll | nwll | Commonly used parser functions in lua. This file itself is not a parser. DEPENDENCIES None CONFLICTS None KEYS None |
packet | |
OCSP_lua | ocsp | Extracts certificate information and status from OCSP messages. In case of a revoked status, risk.suspicious "revoked certificate" will be registered. Registers the serial number from OCSP request and response messages. DEPENDENCIES Parsers * FeedParser Feeds * investigation CONFLICTS Parsers * OCSP KEYS * alert.id - mapped to risk meta * ssl.serial - (nonstandard) serial number of the target certificate RISK VALUES suspicious * revoked certificate HUNTING VALUES None |
packet | |
Oracle_T3 | oracle_t3 | Identifies the Oracle T3 protocol. Performs identification only; no meta is extracted. DEPENDENCIES Parsers * NETWORK CONFLICTS None KEYS * service - '7001' (Oracle_T3) HUNTING VALUES None |
packet | |
Packers | packers | Detects specific packer used to pack executables. By itself the use of any particular packer is not necessarily suspicious. These alerts are most useful when used in conjunction with other alerts and information. DEPENDENCIES Parsers * FeedParser Feeds * investigation CONFLICTS Parsers * malware_packers_anskyapolybox1 * malware_packers_anskyapolybox3 * malware_packers_antireverse * malware_packers_armadillo1 * malware_packers_armadillo2 * malware_packers_armadillo3 * malware_packers_armadillo4 * malware_packers_aspack1 * malware_packers_aspack2 * malware_packers_aspack3 * malware_packers_aspack4 * malware_packers_aspack5 * malware_packers_asprotect * malware_packers_cryptx1 * malware_packers_cryptx2 * malware_packers_cryptx3 * malware_packers_dotfx * malware_packers_enigma1 * malware_packers_enigma2 * malware_packers_enigma3 * malware_packers_exestealth * malware_packers_expressor * malware_packers_fsg * malware_packers_hmimys * malware_packers_hying * malware_packers_lamecryp * malware_packers_mew * malware_packers_morphine * malware_packers_morphine2 * malware_packers_morphna1 * malware_packers_morphna2 * malware_packers_mpack * malware_packers_mzcrypt * malware_packers_nspack * malware_packers_nspack2 * malware_packers_packman * malware_packers_pearmor * malware_packers_pecompact * malware_packers_pecompact2 * malware_packers_pelock * malware_packers_poherna1 * malware_packers_poherna3 * malware_packers_poherna4 * malware_packers_upack * malware_packers_upx * malware_packers_windir KEYS * alert.id - mapped to risk meta RISK VALUES info * packer upx suspicious * packer anskyapolybox * packer antireverse * packer armadillo * packer aspack * packer asprotect * packer cryptx * packer dotfx * packer enigma * packer exestealth * packer expressor * packer fsg * packer hmimys * packer hying * packer lamecryp * packer mew * packer morphine * packer morphna * packer mpack * packer mzcrypt * packer nspack * packer packman * packer pearmor * packer pecompact * packer pelock * packer poherna * packer upack * packer windir HUNTING VALUES None |
packet | |
phishing_lua | phishing | Extracts the host from each URL within an email. Extracts the host from a URN only if it is the target of an href. Alerts if the displayed text of an href is a URL in which the domain doesn't match the href target domain (optional, enabled by default). For example, an alert will be registered for either of: <a href="http://www.badguys.com">http://www.goodguys.com</a> <a href="http://www.badguys.com"> <img src="http://www.goodguys.com"/> </a> While an alert will not be registered for: <a href="http://foo.example.com">http://bar.example.com</a> Registers the entire URL / URN (optional, disabled by default). Only messages which contain an href are examined. By default only the first 16KB of each message is examined. The depth may optionally be increased (or decreased) at the risk of decreased performance. The hosts from URLs/URNs found within an email will be registered as appropriate (alias.host, alias.ip, or alias.ipv6) so that they may be matched against feeds. Optionally they may instead be registered to a specified key. Proofpoint URL Defense: Values are extracted from the encoded URL. For example, urldefense.proofpoint.com/v2/url?u=3Dhttp-3A__example.com_ will result in meta alias.host: example.com The proofpoint host itself is whitelisted from consistency checks, but the host from the encoded url is still used for consistency checking. DEPENDENCIES Parsers * FeedParser * MAIL_lua * nwll Feeds * investigation CONFLICTS Parsers * email_url_host * phishing KEYS * alert.id - mapped to risk meta * alias.host - hostnames from urls found within email messages * alias.ip - ipv4 addresses from urls found within email messages * alias.ipv6 - ipv6 addresses from urls found within email messages * analysis.service - service characteristics * directory - (optional) directories from urls found within email messages * extension - (optional) extensions from urls found within email messages * filename - (optional) filenames from urls found within email messages * query - (optional) querystrings from urls found within email messages * url - (optional) urls found within email messages RISK VALUES warning * href host doesn't match displayed host HUNTING VALUES analysis.service * href host doesn't match displayed host |
packet | |
phishing_lua Options | phishing_lua_options | Optional parameters to alter the behavior of the phishing_lua parser. | packet | threat, attack phase, action on objectives |
plugx | plugx | Detect PlugX malware. DEPENDENCIES Parsers * FeedParser Feeds * investigation CONFLICTS Parsers * IR_2_APT_PlugX KEYS * ioc - indicators of compromise HUNTING VALUES ioc * apt PlugX * apt PlugX possible |
packet | |
Poison_Ivy | poison_ivy | Detects Poison Ivy RAT activity. DEPENDENCIES Parsers * FeedParser Feeds * investigation CONFLICTS None KEYS * alert.id - mapped to risk meta * ioc - indicators of compromise * password - detected Poison Ivy password RISK VALUES warning * poison ivy rat activity HUNTING VALUES ioc * possible poison ivy beacon * possible poison ivy handshake |
packet | |
POP3_lua | pop | Post Office Protocol version 3. DEPENDENCIES Parsers * NETWORK CONFLICTS Parsers * POP3 KEYS * action - POP command * ad.computer.src - host credential if NTLMSSP * ad.domain.src - domain credential if NTLMSSP * ad.username.src - user credential if NTLMSSP * error - POP error * password - password credential provided to server * service - '110' * username - username credential provided to server HUNTING VALUES None |
packet | |
Proxy_Block_Page | proxy_block | Parses proxy denied exception pages. Registers the url that was requested and the reason for denial. Blue Coat and Palo Alto are currently supported. Extraction of 'username' is supported for Palo Alto only, not Blue Coat. Customized exception pages may not be detected and parsed. DEPENDENCIES Parsers * FeedParser Feeds * investigation CONFLICTS None KEYS * alert.id - mapped to risk meta * alias.host - target host of page request if name * alias.ip - target host of page request if IPv4 * alias.ipv6 - target host of page request if IPv6 * directory - target directory of page request * extension - filename extension of page request * filename - target file of page request * query - querystring parameters of page request * site.cat - categorization of site as reported by proxy * url - (optional) (nonstandard) full url of page request * username - user credential provided to proxy RISK VALUES info * proxy denied HUNTING VALUES None |
packet | |
pvid | pvid | Detect PGV_PVID malware activity. DEPENDENCIES Parsers * FeedParser * HTTP_lua Feeds * investigation CONFLICTS None KEYS * ioc - indicators of compromise HUNTING VALUES ioc * potential PGV_PVID malware activity |
packet | |
pwdump | pwdump | Detects output from Windows password dumping tools such as pwdump. DEPENDENCIES Parsers * FeedParser Feeds * investigation CONFLICTS Parsers * encoded_hash KEYS * alert.id - mapped to risk meta * crypto - xor key used to encode file RISK VALUES warning * base64 encoded pwdump output * plaintext pwdump output * xor encoded pwdump output HUNTING VALUES None |
packet | |
QQ_lua | | Identifies QQ (OICQ protocol) sessions. Extracts the QQ user id (a number) and login/logout events. Individual QQ messages are encrypted; message content is not available. DEPENDENCIES Parsers * NETWORK CONFLICTS Parsers KEYS * action - QQ command * service - '8000' * username - user credential provided to server HUNTING VALUES None |
packet | |
QUIC | QUIC | Identifies QUIC sessions. DEPENDENCIES Parsers * NETWORK * nwll Feeds * investigation CONFLICTS None KEYS * alias.host - sni from hello if hostname * alias.ip - sni from hello if IPv4 * alias.ipv6 - sni from hello if IPv6 * analysis.service - 'quic' * client - client string from hello * service - '443' HUNTING VALUES analysis.service * quic |
packet | |
radius | radius | Remote Authentication Dial In User Service. RADIUS sessions utilizing TCP or UDP ports 1645, 1646, 1812, or 1813 will be identified. RADIUS sessions utilizing other ports will not. Meta will be registered for attribute types 1, 2, 8, and 31. Attribute type 31 ("Calling Station ID") was historically intended to be a phone number. In modern practice it is rarely a phone number, more often being a MAC address or some other identifier. It is nonetheless registered as index key "phone". Vendor-specific attributes (sub values of attribute type 26) are not extracted nor registered. DEPENDENCIES Parsers * NETWORK CONFLICTS None KEYS * action - packet type for requests and non-rejection responses * alias.ip - attribute type 8, 'Framed IP Address' * error - packet type for rejection responses * password - attribute type 2, 'Password' * phone - attribute type 31, 'Calling Station ID' * service - '1812' for RADIUS, '1813' for RADIUS-ACCOUNTING * username - attribute type 1, 'User Name' HUNTING VALUES None |
packet | |
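As an added illustration of the radius row (example code written for this page, not the Lua parser), the following Python walks a RADIUS datagram, maps the packet code to "action" or "error", and registers attribute types 1, 2, 8 and 31 under the keys listed above while skipping type 26 as the parser does. It also shows why a captured type 2 attribute matters: the User-Password is only XOR-masked with MD5(secret + authenticator) per RFC 2865, so anyone holding the shared secret and the packet recovers the cleartext. The shared secret, packets and Request Authenticator are constructed here; whether the parser itself decodes the password is not stated on the page, so the `secret` argument is an addition.

```python
import hashlib
import ipaddress
import struct

RADIUS_PORTS = {1645, 1646, 1812, 1813}   # the only ports the parser identifies
ACCOUNTING_PORTS = {1646, 1813}
CODES = {1: "access request", 2: "access accept", 3: "access reject",
         4: "accounting request", 5: "accounting response", 11: "access challenge"}
REJECT_CODES = {3}


def _password_blocks(secret: bytes, authenticator: bytes, data: bytes, encrypt: bool) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, mask))
        out += xored
        prev = xored if encrypt else block       # chain on the ciphertext in both directions
    return out


def encode_user_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    return _password_blocks(secret, authenticator, padded, encrypt=True)


def decode_user_password(secret: bytes, authenticator: bytes, hidden: bytes) -> str:
    clear = _password_blocks(secret, authenticator, hidden, encrypt=False)
    return clear.rstrip(b"\x00").decode("utf-8", "replace")


def parse_radius(datagram: bytes, dst_port: int, secret: bytes = b"") -> dict:
    """Return meta as the row above describes. With `secret` supplied the User-Password
    is decoded; without it the hidden bytes are registered as hex."""
    if dst_port not in RADIUS_PORTS or len(datagram) < 20:
        return {}                                 # other ports are not identified
    code, _ident, length = struct.unpack(">BBH", datagram[:4])
    if length != len(datagram):
        raise ValueError("RADIUS length field does not match datagram")
    authenticator = datagram[4:20]
    meta = {"service": "1813" if dst_port in ACCOUNTING_PORTS else "1812"}
    meta["error" if code in REJECT_CODES else "action"] = CODES.get(code, f"code {code}")
    pos = 20
    while pos + 2 <= length:                      # attributes: type, length (incl. header), value
        atype, alen = datagram[pos], datagram[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = datagram[pos + 2:pos + alen]
        if atype == 1:                            # User-Name
            meta["username"] = value.decode("utf-8", "replace")
        elif atype == 2:                          # User-Password (masked, see above)
            meta["password"] = decode_user_password(secret, authenticator, value) if secret else value.hex()
        elif atype == 8 and len(value) == 4:      # Framed-IP-Address
            meta["alias.ip"] = str(ipaddress.IPv4Address(value))
        elif atype == 31:                         # Calling-Station-Id, usually a MAC these days
            meta["phone"] = value.decode("utf-8", "replace")
        # type 26 (Vendor-Specific) is deliberately skipped, as the parser does
        pos += alen
    return meta


def _avp(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


# Constructed sample packets. A real client uses a random Request Authenticator.
SECRET = b"testing123"
AUTH = bytes(range(16))
_AVPS = (_avp(1, b"alice")
         + _avp(2, encode_user_password(SECRET, AUTH, b"s3cret!"))
         + _avp(8, bytes([10, 0, 0, 5]))
         + _avp(31, b"00-11-22-33-44-55"))
SAMPLE_ACCESS_REQUEST = struct.pack(">BBH", 1, 7, 20 + len(_AVPS)) + AUTH + _AVPS
SAMPLE_ACCESS_REJECT = struct.pack(">BBH", 3, 7, 20) + AUTH

if __name__ == "__main__":
    print(parse_radius(SAMPLE_ACCESS_REQUEST, 1812, secret=SECRET))
    print(parse_radius(SAMPLE_ACCESS_REJECT, 1812))
```

Note that the request and its reject share the identifier (7) and authenticator, which is how an analyst pairs "action: access request" with a later "error: access reject" for the same username when both are seen.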
RDP_lua | rdp | Identifies the Microsoft Remote Desktop Protocol. RDP is encrypted by default - in which case identification only is performed and no other meta is extracted. If not encrypted characteristics such as hostname, username, keyboard type and layout, speed, and screen resolution will be extracted if available. DEPENDENCIES Parsers * NETWORK Feeds * investigation CONFLICTS Parsers * RDP KEYS * alias.host - client name * analysis.service - RDP characteristics of interest * ioc - indicators of compromise * language - keyboard type and layout * service - '3389' * username - username HUNTING VALUES analysis.service * RDP connection speed * screen resolution ioc * possible CVE-2019-0708 exploit attempt |
packet | {"ioc":"possible CVE-2019-0708 exploit attempt", "lateral movement":"exploitation of remote services"} |
rekaf | rekaf | Detects a variant of rekaf and derives the xor key (crypto) and name of infected host. DEPENDENCIES Parsers * FeedParser Feeds * investigation CONFLICTS None KEYS * alias.host - name of infected host * crypto - xor key * ioc - indicators of compromise HUNTING VALUES ioc * rekaf beacon |
packet | {"ioc":"rekaf beacon", "command and control":"standard application layer protocol", "collection":"data from local system", "exfiltration":"exfiltration over command and control channel"} |
ripng_lua | ripng | Identifies the RIP routing protocol. RIPv1, RIPv2, and RIPng are supported. Performs identification only - no meta is registered. DEPENDENCIES Parsers * NETWORK CONFLICTS Parsers * RIP * ripng KEYS * service - '520' HUNTING VALUES None |
packet | |
rlogin | rlogin | Identifies Remote Login protocol. Performs identification only, no other meta is registered. DEPENDENCIES Parsers * NETWORK CONFLICTS None KEYS * service - '513' HUNTING VALUES None |
packet | |
rsync | rsync | Identifies the RSYNC network protocol. Performs identification only. No meta is extracted. DEPENDENCIES Parsers * NETWORK CONFLICTS None KEYS * service - '873' HUNTING VALUES None |
packet | |
rtmp_lua | rtmp | Real Time Messaging Protocol. Identifies RTMP (port 1935) and RTMPT (RTMP over HTTP). For RTMPT, if the session has been identified as HTTP then content meta "RTMPT" is registered, but service "80" is unmodified. If the session has not been identified as HTTP then service "1935" will be set for the session. Will not identify RTMPS or RTMPE. DEPENDENCIES Parsers * NETWORK * nwll CONFLICTS Parsers * RTMP KEYS * alias.host - target host of RTMP url if name * alias.ip - target host of RTMP url if IPv4 * alias.ipv6 - target host of RTMP url if IPv6 * content - 'RTMPT' for RTMPT over HTTP * directory - target directory of RTMP url * extension - filename extension of RTMP url * filename - target file of RTMP url * query - querystring parameters of RTMP url * service - '1935' HUNTING VALUES None |
packet | |
RTSP | rtsp | Identifies Real Time Streaming Protocol. Extracts RTSP request method and host, path and file from request URI. DEPENDENCIES Parsers * NETWORK * nwll CONFLICTS None KEYS * action - RTSP request method * alias.host - uri host, if hostname * alias.ip - uri host, if IPv4 * alias.ipv6 - uri host, if IPv6 * directory - uri path * extension - uri filename extension * filename - uri filename * query - uri querystring * service - '554' HUNTING VALUES None |
packet | |
SCCP_lua | sccp | Cisco Skinny Client Control Protocol. Only Skinny sessions utilizing tcp port 2000 will be identified and parsed. DEPENDENCIES Parsers * NETWORK CONFLICTS Parsers * SCCP KEYS * fullname - calling and called party names * phone - calling and called party numbers * service - '2000' HUNTING VALUES None |
packet | |
screenconnect | screenconnect | Identifies screenconnect network traffic. DEPENDENCIES Parsers * NETWORK * nwll CONFLICTS None KEYS * alias.host - connection destination host if hostname * alias.ip - connection destination host if IPv4 * alias.ipv6 - connection destination host if IPv6 * service - '7310' HUNTING VALUES None |
packet | |
Search_Engines | search_engines | Extracts search terms from search engine queries. Search terms cannot be extracted from SSL encrypted search engine queries without some method of SSL decryption. Supports Bing and Google. DEPENDENCIES Parsers * HTTP_lua * nwll CONFLICTS Parsers * SearchEngines * search_query KEYS * search.text - (nonstandard) search terms HUNTING VALUES None |
packet | |
sekur | sekur | Sekur binary protocol handshake. DEPENDENCIES Parsers * NETWORK CONFLICTS None KEYS * ioc - indicators of compromise HUNTING VALUES ioc * sekur handshake |
packet | {"ioc":"sekur handshake", "command and control":""} |
session_analysis | session_analysis | Analyzes session characteristics such as bytes transmitted vs bytes received, TCP flags seen, etc. DEPENDENCIES Parsers * FeedParser * NETWORK * traffic_flow Feeds * investigation CONFLICTS Parsers * tcp-flags Feeds * TCP Flags Seen KEYS * analysis.session - session characteristics * boc - behavior of compromise * ioc - indicator of compromise * payload.req - number of payload bytes in the request stream * payload.res - number of payload bytes in the response stream * tcp.flags.desc - (optional) tcp flags seen anywhere in the session * tcpflags - (optional) tcp flags seen anywhere in the session HUNTING VALUES analysis.session * binary handshake * binary indicator * data push * first carve * first carve not dns * first carve not top 20 dst * high transmitted outbound * host no response * host not listening * icmp large session * icmp tunnel * inbound traffic * long connection * medium transmitted outbound * outbound syslog * potential beacon * ratio high transmitted * ratio low transmitted * ratio medium transmitted * request no payload * response no payload * session size 0-5k * session size 10-50k * session size 100-250k * session size 5-10k * session size 50-100k * single sided tcp * single sided udp * suspicious other * suspicious other bad org * tcp flags all * tcp flags null * watchlist port * zero payload ioc * Possible Poison Ivy * possible zeroaccess p2p botnet boc * suspicious tcp beaconing |
packet | {"boc":"suspicious tcp beaconing", "command and control":"standard non-application layer protocol", "exfiltration":""} |
shadyrat_lua | shadyrat | Identifies potential artifacts related to shadyrat command and control traffic. DEPENDENCIES Parsers * FeedParser Feeds * investigation CONFLICTS Parsers * shadyrat KEYS * alert.id - mapped to risk meta RISK VALUES suspicious * shadyrat encoded command HUNTING VALUES None |
packet | |
Signed_Executable | sigexe | Identifies signed executables, and examines the certificate chain. DEPENDENCIES Parsers * fingerprint_certificate * nwll CONFLICTS None KEYS * filetype - 'signed executable' HUNTING VALUES None |
packet | |
SIP_lua | sip | Session Initiation Protocol (SIP). DEPENDENCIES Parsers * NETWORK * nwll CONFLICTS Parsers * SIP KEYS * alias.host - target host if name * alias.ip - target host if IPv4 * alias.ipv6 - target host if IPv6 * content - value of Content-Type header * email - sender and recipient addresses * email.dst - (optional) (nonstandard) recipient address * email.src - (optional) (nonstandard) sender address * error - value SIP error response * fullname - sender and recipient names * service - '5060' * username - address from SIP request HUNTING VALUES None |
packet | |
SMB_lua | smb | Parses the Microsoft SMB/CIFS protocol. It is absolutely vital to proper parsing of SMB that both sides of the conversation be seen. If the response stream is not seen then filenames and commands will still be registered, but no relationship between them can be inferred. If the request stream is not seen then commands and errors will be registered, but no filenames (filenames generally appear only in the request stream). Action meta is generally the SMB command issued by the client - not an interpreted "meaning" of the command. For example, "create" is used to open a file even if the file already exists. Thus action meta "create" is registered rather than "open" - the existential status of the file is not in the session, so no inference can be made. As another example, "Tree Connect" is used to map/mount a network drive - action meta "tree connect" is registered rather than "mount". Likewise, error meta is the direct value of the status code from the CIFS documentation, rather than an interpretation of what the error might mean. For example, status code 0x0000010C will register error meta "notify enum dir". If there are network anomalies such as retransmissions and dropped packets, then the accuracy of the order in which meta is registered can't be guaranteed. All available actions, filenames, errors, etc. will always be registered nonetheless, but not necessarily in the proper order. There will be redundant meta - probably lots of it. This is so that the relationship between actions and files can easily be seen. For example: action "create", file "hello.txt"; action "read", file "hello.txt"; action "create", file "world.txt"; action "read", file "world.txt". In the above example, action meta "create" is registered twice, as is action meta "read". File meta "hello.txt" is registered twice, as is file meta "world.txt". However, it is easy to see that "hello.txt" was opened and read, then "world.txt" was opened and read. The exception is UserID, which will only be registered if it changes in the session. If the UID of a request is the same as the UID of the previous request, it will not be registered. Optionally, if registering redundant meta is problematic (such as many sessions reaching Max Meta) the option "Register Redundant Meta" may be disabled - in which case meta that has been registered once in a session will not be registered again (see OPTIONS). DEPENDENCIES Parsers * FeedParser * NETWORK * nwll Feeds * investigation CONFLICTS Parsers * SMB * smb-flex * smb-id KEYS * action - SMB or DCERPC operation * ad.computer.dst - target host of authentication * ad.computer.src - source host of authenticated user * ad.domain.dst - target domain of authentication * ad.domain.src - source domain of authenticated user * ad.username.dst - authenticated as user * ad.username.src - authenticated user * alias.host - target host of operation if hostname * alias.ip - target host of operation if IPv4 * alias.ipv6 - target host of operation if IPv6 * analysis.service - SMB characteristics of interest * boc - behaviors of compromise * crypto - Kerberos crypto type used for authentication * directory - path directory * eoc - enablers of compromise * error - error response from server * extension - filename extension * filename - target of file operation * ioc - indicators of compromise * password - password from Tree Connect operation * service - '139' HUNTING VALUES analysis.service * Invalid SMB command * SMB session on non-SMB port * named pipe * smb at command ioc * SMBGhost exploit attempt * psexec remote execution boc * add user to domain group * change remote service config * clear remote event log * create remote registry key * create remote service * create remote task * enumerate domain group * enumerate domain users * enumerate remote resources * enumerate remote sessions * get remote time * remote scheduled task * remote service control * remote wmi activity * set remote registry key * shut down remote system * start remote service * wmi level 1 login eoc * SMB v1 Request * SMB v1 Response |
packet | {"ioc":"SMBGhost exploit attempt", "initial access":"exploit public-facing application"}, {"ioc":"psexec remote execution", "execution":"service execution", "lateral movement":"windows admin shares", "privilege escalation":""}, {"boc":"add user to domain group", "persistence":"create account"}, {"boc":"change remote service config", "execution":"service execution"}, {"boc":"clear remote event log", "execution":"service execution"}, {"boc":"create remote registry key", "defense evasion":"modify registry"}, {"boc":"create remote service", "persistence":"new service"}, {"boc":"create remote task", "execution":"scheduled task"}, {"boc":"enumerate domain group", "discovery":"account discovery"}, {"boc":"enumerate domain users", "discovery":"account discovery"}, {"boc":"enumerate remote resources", "discovery":"network share discovery"}, {"boc":"enumerate remote sessions", "discovery":"account discovery"}, {"boc":"get remote time", "discovery":"system time discovery"}, {"boc":"remote scheduled task", "execution":"scheduled task", "persistence":"scheduled task", "privilege escalation":"scheduled task", "lateral movement":"component object model and distributed com"}, {"boc":"remote service control", "lateral movement":"component object model and distributed com"}, {"boc":"remote wmi activity", "execution":"windows management instrumentation"}, {"boc":"set remote registry key", "defense evasion":"modify registry"}, {"boc":"shut down remote system", "defense evasion":"indicator removal on host"}, {"boc":"start remote service", "execution":"service execution"}, {"boc":"wmi level 1 login", "execution":"windows management instrumentation"}, {"eoc":"SMB v1 Request", "lateral movement":"exploitation of remote services"}, {"eoc":"SMB v1 Response", "lateral movement":"exploitation of remote services"} |
SMTP_lua | smtp | Parses the SMTP protocol (RFC 5321). Does not parse the contents of email messages themselves. Email messages are parsed by any of MAIL, MAIL_lua, or MAIL-flex. Many MTAs put all sorts of badly formatted strings in greeting banners. This will most likely manifest as alias.host meta that isn't a hostname. DEPENDENCIES Parsers * FeedParser * NETWORK * nwll Feeds * investigation CONFLICTS Parsers * SMTP KEYS * action - SMTP command * alert.id - mapped to risk meta * alias.host - host from client or server greeting banner (if hostname) * alias.ip - host from client or server greeting banner (if IPv4 address) * alias.ipv6 - host from client or server greeting banner (if IPv6 address) * email - address from MAIL FROM and RCPT TO request * email.dst - address from RCPT TO, VRFY, and EXPN requests (optional) * email.src - address from MAIL FROM request (optional) * error - error code from SMTP responses * service - '25' RISK VALUES suspicious * smtp reverse path is null HUNTING VALUES None |
packet | |
SMTP_lua Options | SMTP_lua_options | Optional parameters to alter the behavior of the SMTP_lua parser. | packet | operations, event analysis, protocol analysis |
SNMP_lua | snmp | Parses SNMP versions 1, 2c, 2p, 2u, and 3. However, SNMP versions 2p and 2u will not generate meta beyond identification. SNMP v3 if encrypted will be identified but may not generate further meta. For "get" requests, OID is registered. For "set" requests, OID and value are registered. For SNMP responses and traps, neither OID nor value are registered in order to avoid the registration of overwhelming amounts of meta. If both options to register OIDs are disabled, then error meta will also not be registered. DEPENDENCIES Parsers * NETWORK * nwll CONFLICTS None KEYS * action - SNMP PDU Operation type * error - PDU error status if non-zero * password - SNMP community string * service - '161' * snmp.oid - (nonstandard) SNMP Object Identifier * snmp.value - (nonstandard) value from SNMP set requests HUNTING VALUES None |
packet | |
socks_lua | socks | Identifies Socks protocol version 4 and 5. Service Type will be the tunnelled session, not SOCKS. Only if there is no identifiable tunnelled service type will Service Type be SOCKS. Meta for ip.dst is the Socks server, not the tunnelled destination. Tunnelled destination is registered as alias.host, alias.ip, or alias.ipv6 as appropriate. For example, if a client is using a socks5 server at 1.2.3.4 to reach an HTTP server at www.example.com: ip.dst: 1.2.3.4 service: HTTP alias.host: www.example.com DEPENDENCIES Parsers * NETWORK CONFLICTS Parsers * socks KEYS * action - SOCKS request: 'connect', 'bind', 'udp associate' * alias.host - target host of SOCKS request, if name * alias.ip - target host of SOCKS request, if IPv4 * alias.ipv6 - target host of SOCKS request, if IPv6 * password - password credential provided to SOCKS server * service - '1080' * username - user credential provided to SOCKS server HUNTING VALUES None |
packet | |
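The socks_lua row makes a point that trips up analysts: ip.dst is the proxy, the real destination is in alias.*, and the service is whatever protocol is tunnelled. The following added example (Python written for this page, not the Lua parser's code) parses the client side of SOCKS4, SOCKS4a and SOCKS5 streams, including the RFC 1929 username/password sub-negotiation, and registers the command, credentials and tunnelled destination under the keys the row lists. The client streams are constructed, not captured; the only assumption beyond the RFCs is that the stream holds the greeting, optional credentials and request back to back, which is how they appear in a capture of the request direction.

```python
import ipaddress
import struct

SOCKS_COMMANDS = {1: "connect", 2: "bind", 3: "udp associate"}


def _register_target(meta: dict, host: str) -> None:
    """Register the tunnelled destination under alias.host / alias.ip / alias.ipv6."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        meta["alias.host"] = host
        return
    meta["alias.ip" if ip.version == 4 else "alias.ipv6"] = str(ip)


def parse_socks_client_stream(data: bytes) -> dict:
    """Parse the client side of a SOCKS4/4a/5 session up to and including the proxied
    request. ip.dst (not modelled here) remains the SOCKS server; the real destination
    lands in alias.*; 'service' would later be overridden by the parser that identifies
    the tunnelled protocol (HTTP, TLS, ...)."""
    if not data:
        raise ValueError("empty stream")
    meta = {"service": "1080"}
    if data[0] == 4:
        return _parse_socks4(data, meta)
    if data[0] == 5:
        return _parse_socks5(data, meta)
    raise ValueError("not a SOCKS4/5 client stream")


def _parse_socks4(data: bytes, meta: dict) -> dict:
    cmd, _port, ip = struct.unpack(">BH4s", data[1:8])     # VN CD DSTPORT DSTIP
    meta["action"] = SOCKS_COMMANDS.get(cmd, f"command {cmd}")
    end = data.index(b"\x00", 8)                           # USERID is NUL terminated
    if end > 8:
        meta["username"] = data[8:end].decode("ascii", "replace")
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:           # SOCKS4a: 0.0.0.x, hostname follows
        end2 = data.index(b"\x00", end + 1)
        _register_target(meta, data[end + 1:end2].decode("ascii", "replace"))
    else:
        _register_target(meta, str(ipaddress.IPv4Address(ip)))
    return meta


def _parse_socks5(data: bytes, meta: dict) -> dict:
    pos = 2 + data[1]                                      # skip VER, NMETHODS, METHODS
    if pos < len(data) and data[pos] == 1:                 # RFC 1929 sub-negotiation (VER=1)
        ulen = data[pos + 1]
        meta["username"] = data[pos + 2:pos + 2 + ulen].decode("utf-8", "replace")
        pos += 2 + ulen
        plen = data[pos]
        meta["password"] = data[pos + 1:pos + 1 + plen].decode("utf-8", "replace")
        pos += 1 + plen
    if pos + 4 > len(data) or data[pos] != 5:
        return meta                                        # request not (yet) in this stream
    cmd, atyp = data[pos + 1], data[pos + 3]               # VER CMD RSV ATYP
    meta["action"] = SOCKS_COMMANDS.get(cmd, f"command {cmd}")
    pos += 4
    if atyp == 1:
        host, pos = str(ipaddress.IPv4Address(data[pos:pos + 4])), pos + 4
    elif atyp == 3:
        n = data[pos]
        host, pos = data[pos + 1:pos + 1 + n].decode("ascii", "replace"), pos + 1 + n
    elif atyp == 4:
        host, pos = str(ipaddress.IPv6Address(data[pos:pos + 16])), pos + 16
    else:
        raise ValueError(f"unknown address type {atyp}")
    _register_target(meta, host)                           # DST.PORT follows; not a listed key
    return meta


# Constructed client streams (not captured traffic).
SOCKS5_AUTH_CONNECT = (b"\x05\x02\x00\x02"                         # offer no-auth or user/pass
                       + b"\x01\x05alice\x06secret"                 # RFC 1929 credentials
                       + b"\x05\x01\x00\x03" + bytes([15]) + b"www.example.com" + b"\x00\x50")
SOCKS5_UDP_IPV6 = b"\x05\x01\x00" + b"\x05\x03\x00\x04" + b"\x00" * 15 + b"\x01" + b"\x00\x00"
SOCKS4A_CONNECT = b"\x04\x01\x00\x50\x00\x00\x00\x01" + b"bob\x00" + b"www.example.com\x00"
SOCKS4_BIND = b"\x04\x02\x1f\x90" + bytes([10, 1, 2, 3]) + b"\x00"

if __name__ == "__main__":
    for stream in (SOCKS5_AUTH_CONNECT, SOCKS5_UDP_IPV6, SOCKS4A_CONNECT, SOCKS4_BIND):
        print(parse_socks_client_stream(stream))
```

The credentials in the SOCKS5 sub-negotiation travel in the clear, which is why the row can list password as a key; a query pivoting on service = 1080 alone would miss these sessions whenever the tunnelled protocol is recognised, so hunt on alias.host or the credential keys instead.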
SoulSeek_lua | soulseek | Identifies the SoulSeek file sharing protocol. Performs identification only, no meta is extracted. DEPENDENCIES Parsers * NETWORK CONFLICTS Parsers * SoulSeek KEYS * service - '2240' HUNTING VALUES None |
packet | |
spectrum_lua | spectrum | Determines which sessions are sent to Malware Analysis, based upon file types seen in the session, and total session size. DEPENDENCIES Parsers * fingerprint_office_lua * fingerprint_pdf_lua * fingerprint_rar_lua * fingerprint_rtf_lua * fingerprint_zip * windows_executable CONFLICTS Parsers * spectrum * spectrum11 KEYS * content - 'spectrum.analyze' HUNTING VALUES None |
packet | |
SSH_lua | ssh | Identifies SSH protocol. Registers client and server, and crypto used. This parser does NOT perform any decryption of SSH sessions, nor does it register any meta from within the encrypted portion of SSH sessions. For protocol version 1 crypto meta is not registered. DEPENDENCIES Parsers * FeedParser * NETWORK Feeds * investigation CONFLICTS Parsers * SSH KEYS * alert.id - mapped to risk meta * analysis.service - service characteristics * client - SSH client software name * crypto - cryptography suite used for encryption of the session * server - SSH server software name * service - '22' * version - client and server protocol version RISK VALUES info * ssh protocol version 1 HUNTING VALUES analysis.service * ssh protocol version 1 |
packet | |
struts_exploit | struts_exploit | Detects attempts to exploit Apache Struts vulnerabilities. DEPENDENCIES Feeds None CONFLICTS None KEYS * action - injected command * ioc - indicators of compromise HUNTING VALUES ioc * apache struts CVE-2017-9805 attempt |
packet | |
supercmd | supercmd | Detects SuperCMD Trojan beaconing. DEPENDENCIES Parsers * FeedParser Feeds * investigation CONFLICTS None KEYS * alias.host - hostname of compromised host * alias.ip - address of compromised host * alias.mac - MAC address of compromised host * ioc - indicators of compromise HUNTING VALUES ioc * supercmd trojan beacon |
packet | {"ioc":"supercmd trojan beacon", "command and control":"data obfuscation", "exfiltration":"exfiltration over command and control channel", "execution":""} |
TDS_lua | tds | Identifies Microsoft SQL Server 'Tabular Data Stream' protocol. Registers client actions and sql queries. Only TDS sessions on port 1433 will be identified and parsed. Only SQL queries and actions are registered - results are not. No values are extracted from encrypted (SSL) messages. DEPENDENCIES Parsers * NETWORK CONFLICTS Parsers * TDS KEYS * action - SQL command: 'bulk write', 'login', 'rpc request', or batch command performed * service - '1433' * sql - SQL query performed HUNTING VALUES None |
packet | |
teamviewer | teamviewer | Identifies teamviewer sessions. Performs identification only. No meta is extracted. DEPENDENCIES Parsers * NETWORK CONFLICTS None KEYS * service - '5938' HUNTING VALUES None |
packet | |
teredo | teredo | Identifies teredo tunneled sessions. Performs identification only. No meta is extracted. DEPENDENCIES Parsers * NETWORK Feeds * investigation CONFLICTS None KEYS * analysis.session - teredo tunnel HUNTING VALUES analysis.session * teredo tunnel |
packet | |
TFTP_lua | tftp | Identifies Trivial File Transfer Protocol, extracts names of files transferred. Identifies TFTP command sessions. Does not identify data sessions. Only command sessions utilizing UDP destination port 69 will be parsed. DEPENDENCIES Parsers * NETWORK * nwll CONFLICTS Parsers * TFTP KEYS * action - 'read', 'write' * directory - target directory of TFTP command * extension - filename extension of target filename * filename - target filename of TFTP command * service - '69' HUNTING VALUES None |
packet | |
TLD_lua | tld | Extracts the top level domain and second level domain portions from hostnames. This parser operates on meta alias.host as registered by other parsers, as well as (optionally) domain.src and domain.dst as registered by GeoIP. If an alias.host value is an IP address, a risk.informational alert is registered, and the value registered with the appropriate key (e.g., "1.2.3.4" -> alias.ip). If a hostname is invalid, an alert is registered. Hostnames which begin with "*." are not considered invalid, since these are often used as "common name" for SSL certificates. Specifically, meta for "tld" will be the last tag (portion from the last "." to the end). Meta for "sld" will be the 2nd-to-last tag (portion between the next-to-last "." and the last "."). EXCEPTION: If the last tag is a ccTLD (e.g., "uk"), then: If the FQDN consists of at least 4 tags, such as "www.amazon.co.uk": meta for "cctld" will be the last tag; meta for "tld" will be the combined 2nd-to-last and last tag; meta for "sld" will be the 3rd-to-last tag. Otherwise ("www.amazon.de"): meta for "cctld" will be the last tag; meta for "tld" will also be the last tag; meta for "sld" will be the 2nd-to-last tag. Examples: www.amazon.com sld: amazon tld: com www.amazon.co.uk sld: amazon tld: co.uk cctld: uk www.amazon.de sld: amazon tld: de cctld: de In each case, meta for sld is "amazon". NOTE: Policy differences among registries regarding third level domains are not taken into account - the only record of which is the "Public Suffix List". Incorporating the Public Suffix List would require the analyst to be familiar with all individual registry policies, whereas the rules above are consistent and easily applied to queries. DEPENDENCIES Parsers * FeedParser Feeds * investigation CONFLICTS Parsers * TLD KEYS * analysis.service - hostname characteristics * cctld - country-code top level domain, e.g., www.amazon.co.uk -> co.uk * sld - second level domain, e.g. www.amazon.co.uk -> amazon * tld - top level domain, e.g. www.amazon.com -> com HUNTING VALUES analysis.service * hostname consecutive consonants * hostname invalid * suspiciously named domain * tld not com net org |
packet, log | |
TLD_lua Parser Options | TLD_lua_options | Options file for the TLD_lua parser. | packet, log | operations, event analysis, protocol analysis |
TLS_lua | tls | Identifies SSL 2.0 and 3.0, and TLS 1.0, 1.1, 1.2, and 1.3. The version is extracted from both the client hello and the server hello, which may yield differing version meta for the same session. SSL 2.0 is detected from the server handshake; if the response stream of an SSL 2.0 session is not seen, or the server does not offer a certificate, the session will not be identified. If the server responds with SSL 3.0 or TLS, the session is identified as SSL and no SSL 2.0 alert is registered. DEPENDENCIES: Parsers: FeedParser, NETWORK, fingerprint_certificate, nwll. Feeds: investigation. CONFLICTS: Parsers: TLS-flex, TLS_id, TLSv1. KEYS: alias.host (service name indicator, if hostname); alias.ip (service name indicator, if IPv4); alias.ipv6 (service name indicator, if IPv6); analysis.service (TLS/SSL characteristics of interest); boc (behaviors of compromise); eoc (enablers of compromise); error (alert message description); ioc (indicators of compromise); service ('443'); version ('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'). HUNTING VALUES: analysis.service: SSL 2.0, SSL 3.0, sni localhost, ssl sni doesn't match http host. ioc: heartbleed data leak. boc: SSL client suspicious ciphersuites. eoc: SSL server suspicious ciphersuite, openssl vulnerable to heartbleed. | packet | {"eoc":"openssl vulnerable to heartbleed", "defense evasion":"", "exfiltration":""} |
TLS_lua Options | TLS_lua_options | Optional parameters to alter the behavior of the TLS_lua parser. | packet | event analysis, operations, protocol analysis |
TN3270E_lua | tn3270e | Identifies IBM TN3270E sessions. Performs identification only; no other meta is extracted. DEPENDENCIES: Parsers: NETWORK. CONFLICTS: Parsers: tn3270e. KEYS: service ('3270'). HUNTING VALUES: None. | packet | |
Traffic Flow Options | traffic_flow_options | Optionally download this file along with the traffic_flow Lua parser. Configure internal subnets as described in the full product documentation for that parser. | log, packet | event analysis, operations, protocol analysis |
traffic_flow | traffic_flow | Provides subnet names for internal networks and the directionality of the session (inbound, outbound, lateral). Addresses are matched against the defined list of subnets; an address not matched by any defined subnet is named "other". Meta for netname is the name of the subnet followed by one of: "src" (ip.src, ipv6.src); "dst" (ip.dst, ipv6.dst); "misc" (alias.ip, alias.ipv6, ip.orig, ipv6.orig, and the legacy keys orig_ip, ip.addr, ipv6.addr). Direction is determined from the subnet names for src and dst: outbound (initiated by a matched host to an unmatched host); inbound (initiated by an unmatched host to a matched host); lateral (initiated by a matched host to a matched host). Additional netname meta is registered for IPv4 broadcast addresses. DEPENDENCIES: Parsers: GeoIP2, NETWORK. Feeds: investigation. CONFLICTS: None. KEYS: analysis.session (session characteristics); direction ('inbound', 'outbound', or 'lateral'); netname (name of source and destination subnet). HUNTING VALUES: analysis.session: not top 20 dst, watchlist dst. | packet, log | |
udm_transition | udm_transition | For Decoder version 11.4+ only. Copies values from legacy keys into UDM keys; see "Key Usage" for specifics. The value in the legacy key remains (it is not removed or replaced); the same value is registered into the UDM key as new meta. This enables a seamless transition of downstream content (feeds, apprules, reports, ESA) by rewriting it to target UDM keys. This is not intended as a general-purpose "meta copy" mechanism. DEPENDENCIES: Parsers: nwll. CONFLICTS: None. KEYS: alias.ip (values from ip.addr); alias.ipv6 (values from ipv6.addr); alias.mac (values from eth.host); category (values from site.cat); cert.ca (values from ssl.ca); cert.checksum (values from ssl.checksum); cert.common (values from ssl.common); cert.subject (values from ssl.subject); domain.dst (values from ddomain and ad.domain.dst); domain.src (values from sdomain and ad.domain.src); duration.time (values from process.time); host.dst (values from ad.computer.dst); host.orig (values from orig_ip if hostname); host.src (values from ad.computer.src); ip.orig (values from orig_ip if IPv4); ip.proto (values from ipv6.proto); ip.trans.dst (values from dtransaddr); ip.trans.src (values from stransaddr); ipv6.orig (values from orig_ip if IPv6); permissions (values from privilege); port.dst (values from ip.dstport, tcp.dstport, and udp.dstport); port.src (values from ip.srcport, tcp.srcport, and udp.srcport); port.trans.dst (values from dtransport); port.trans.src (values from stransport); process.id (values from child.pid); process.id.src (values from parent.id); user (values from username); user.dst (values from ad.username.dst); user.src (values from ad.username.src); version (values from ssl.ver.src and ssl.ver.dst). HUNTING VALUES: None. | packet, log | |
vCard_lua | vcard_lua | Extracts fullname and email values from the vCard, xCard, jCard, and hCard formats. Supported versions: vCard 2.1, 3.0, and 4.0; xCard 1.0; jCard 4.0; hCard 1.0. DEPENDENCIES: None. CONFLICTS: Parsers: VCARD. KEYS: email (value from the 'email' field); fullname (value from the 'fn' field). HUNTING VALUES: None. | packet | |
VNC | vnc | Identifies the Remote Framebuffer protocol used by VNC and its derivatives. DEPENDENCIES: Parsers: NETWORK. Feeds: investigation. CONFLICTS: Parsers: vnc-rfb. KEYS: action ('login'); error ('login failure'); service ('5900'). RISK VALUES: info: no authentication required. HUNTING VALUES: None. | packet | |
windows_command_shell_lua | windows_command_shell | Identifies Microsoft Windows command shell sessions. Identifies command shell sessions only; no meta (such as commands executed) is registered. DEPENDENCIES: Parsers: FeedParser. Feeds: investigation. CONFLICTS: Parsers: SHELL, windows_command_shells. KEYS: alert.id (mapped to risk meta); analysis.service (service characteristics); client ('MS Command Shell'); ioc (indicators of compromise). RISK VALUES: suspicious: windows cli admin commands. warning: windows command shell. HUNTING VALUES: analysis.service: windows cli admin commands, windows command shell, windows powershell. ioc: possible base64 windows shell. | packet | {"ioc":"possible base64 windows shell", "execution":"command-line interface", "command and control":"data encoding", "defense evasion":"obfuscated files or information"} |
windows_executable | windows_executable | Identifies Windows executables and analyzes them for anomalies and other suspicious characteristics. There may be non-nefarious reasons for many of these alerts; an alert indicates that the executable in question may warrant further scrutiny and should not be interpreted as a definitive determination that the executable is malicious. DEPENDENCIES: Parsers: FeedParser. Feeds: investigation. CONFLICTS: Parsers: CMS_windows_executable, advanced_windows_executable, encoded_file_fingerprinting. KEYS: alert.id (mapped to risk meta); analysis.file (characteristics of the executable); filetype ('windows executable', 'x86 pe', 'windows dll', 'x64pe'). RISK VALUES: info: exe abnormal e_cblp, exe abnormal e_cp, exe abnormal e_cparhdr, exe abnormal e_crlc, exe abnormal e_cs, exe abnormal e_csum, exe abnormal e_ip, exe abnormal e_maxalloc, exe abnormal e_minalloc, exe abnormal e_oemid, exe abnormal e_oeminfo, exe abnormal e_ovno, exe abnormal e_res1_1, exe abnormal e_res1_2, exe abnormal e_res1_3, exe abnormal e_res1_4, exe abnormal e_res2_1, exe abnormal e_res2_2, exe abnormal e_res2_3, exe abnormal e_res2_4, exe abnormal e_sp, exe abnormal e_ss, exe abnormal number of symbols, exe dos loader missing, exe one dos header anomaly, exe timestamp zero, exe two dos header anomalies, exe two sections suspicious, exe abnormal file alignment, exe abnormal loader flags, exe abnormal major os ver, exe abnormal minor os ver, exe abnormal rva sizes, exe abnormal section alignment, exe abnormal size of section headers, exe abnormal subsystem ver, exe four dos header anomalies, exe pe offset extremely high, exe three dos header anomalies, exe timestamp before 1999, exe timestamp close to zero, exe timestamp in the future. warning: exe linker both version zero, exe linker major ver too high, exe linker minor ver too high, exe linker version zero, exe many dos header anomalies, exe missing magic number, exe nt header inside dosheader. HUNTING VALUES: analysis.file: exe extension but not exe filetype, exe filetype, exe recently compiled, exe under 10k, exe under 5k, exe under 75k. | packet | |
WireGuard | wireguard | Identifies WireGuard VPN sessions. Performs identification only; no meta is extracted. DEPENDENCIES: Parsers: NETWORK. CONFLICTS: None. KEYS: service ('51820' (WireGuard)). HUNTING VALUES: None. | packet | |
X11_lua | x11 | Identifies the X11 protocol (RFC 1013). Performs identification only; no meta is extracted. DEPENDENCIES: Parsers: NETWORK. CONFLICTS: Parsers: x11_flex. KEYS: service ('6000'). HUNTING VALUES: None. | packet | |
xor_executable_lua | xor_executable | Detects executables that have been XOR- or hex-encoded. Registers an ioc if an XOR- or hex-encoded executable is detected; for XOR-encoded executables, also registers the XOR value used for the encoding. Only 1-byte XOR keys are supported; multi-byte or rotating XOR keys are not detected. DEPENDENCIES: Parsers: FeedParser. Feeds: investigation. CONFLICTS: Parsers: xor_executable. KEYS: alert.id (mapped to risk meta); crypto (XOR key used for encoding); filetype ('windows executable'); ioc (indicators of compromise). RISK VALUES: warning: hex encoded executable, xor encoded executable. HUNTING VALUES: ioc: hex encoded executable, xor encoded executable. | packet | {"ioc":"xor encoded executable", "defense evasion":"obfuscated files or information", "execution":""} |
zabbix | zabbix | Identifies Zabbix sessions. Performs identification only; no meta is extracted. DEPENDENCIES: Parsers: NETWORK. CONFLICTS: None. KEYS: service ('10051'). HUNTING VALUES: None. | packet | |
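The tld / sld / cctld rules in the TLD_lua row above, restated as a stand-alone function. This is an added example written for this page, not the parser's Lua source; the ccTLD set is a small constructed subset (the parser's own list is not on the page), and the alert text for the IP-address case and the per-label validity rule are assumptions.

```python
"""Added example: the tld/sld/cctld split described for TLD_lua (not the parser's code)."""
import ipaddress

# Assumption: an illustrative subset of country-code TLDs, not the parser's list.
CCTLDS = {"uk", "de", "jp", "au", "br"}


def split_hostname(host):
    """Return the meta TLD_lua would register for one alias.host value."""
    meta = {}
    # An IP address is not a hostname: alert and re-register under alias.ip / alias.ipv6.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        meta["risk.informational"] = "hostname is an ip address"  # assumption: alert text
        meta["alias.ip" if ip.version == 4 else "alias.ipv6"] = host
        return meta
    # "*.example.com" is a legitimate certificate common name, not an invalid host.
    name = host[2:] if host.startswith("*.") else host
    tags = name.lower().split(".")
    # Assumption: a label is valid when non-empty and made of letters, digits or '-'.
    if any(not t or not all(c.isalnum() or c == "-" for c in t) for t in tags):
        meta["analysis.service"] = "hostname invalid"
        return meta
    last = tags[-1]
    if last in CCTLDS and len(tags) >= 4:        # www.amazon.co.uk
        meta["cctld"] = last
        meta["tld"] = tags[-2] + "." + last      # combined 2nd-to-last and last tag
        meta["sld"] = tags[-3]                   # 3rd-to-last tag
    else:                                        # www.amazon.com, www.amazon.de
        if last in CCTLDS:
            meta["cctld"] = last
        meta["tld"] = last
        if len(tags) > 1:                        # assumption: single-label hosts get no sld
            meta["sld"] = tags[-2]
    return meta


if __name__ == "__main__":
    for h in ("www.amazon.com", "www.amazon.co.uk", "www.amazon.de", "*.amazon.com", "1.2.3.4"):
        print(h, split_hostname(h))
```

As the NOTE in the row says, this follows the page's fixed rule rather than the Public Suffix List, so a 3-tag name under a ccTLD ("amazon.co.uk") falls into the "otherwise" branch and gets sld "co"; that is the documented trade-off, not a bug in the restatement.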
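The netname and direction logic described in the traffic_flow row above, as an added example (not the parser's Lua source). The subnet names and ranges are constructed for the example; in the product they come from the traffic_flow_options file. The netname text for broadcast addresses and the handling of an unmatched-to-unmatched session are assumptions, since the row does not specify them.

```python
"""Added example: subnet naming and direction as described for traffic_flow (not the parser's code)."""
import ipaddress

# Constructed internal subnet definitions for the example (real ones come from traffic_flow_options).
SUBNETS = {
    "corp-lan": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
    "corp-v6": ipaddress.ip_network("2001:db8::/32"),
}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def subnet_name(addr):
    """Name of the first subnet containing addr, or "other" when none matches."""
    ip = ipaddress.ip_address(addr)
    for name, net in SUBNETS.items():
        if ip.version == net.version and ip in net:
            return name
    return "other"


def is_ipv4_broadcast(addr):
    """True for the limited broadcast address or a defined subnet's directed broadcast."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return False
    return ip == LIMITED_BROADCAST or any(
        ip == net.broadcast_address for net in SUBNETS.values() if net.version == 4
    )


def traffic_flow(ip_src, ip_dst, misc=()):
    """Return the netname and direction meta for one session.

    misc carries the other address keys the row lists (alias.ip, ip.orig, ...),
    each of which gets a "<subnet> misc" netname.
    """
    src_name, dst_name = subnet_name(ip_src), subnet_name(ip_dst)
    netname = [src_name + " src", dst_name + " dst"]
    netname += [subnet_name(a) + " misc" for a in misc]
    if is_ipv4_broadcast(ip_dst):
        netname.append("broadcast dst")      # assumption: the row does not give the exact text
    matched_src, matched_dst = src_name != "other", dst_name != "other"
    if matched_src and matched_dst:
        direction = "lateral"
    elif matched_src:
        direction = "outbound"
    elif matched_dst:
        direction = "inbound"
    else:
        direction = None                     # assumption: unmatched to unmatched gets no direction
    return {"netname": netname, "direction": direction}


if __name__ == "__main__":
    print(traffic_flow("10.1.2.3", "8.8.8.8"))
    print(traffic_flow("203.0.113.9", "192.168.100.5"))
    print(traffic_flow("10.1.2.3", "10.255.255.255"))
```

The "other" name is what makes the direction rule work: an address that matches no configured subnet still produces a netname, so a query such as `netname = 'other dst' && direction = 'outbound'` is well defined even before any subnet is configured.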
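One added example serves both the windows_executable and xor_executable_lua rows above: a sketch of the DOS/NT header checks behind alerts such as "exe nt header inside dosheader", "exe pe offset extremely high" and "exe timestamp in the future", followed by recovery of a 1-byte XOR key and detection of hex encoding. This is example code written for this page, not either parser's Lua source; the thresholds marked "assumption" and the mapping of each check to an alert name are the example's own interpretation, and the PE image it analyzes is constructed inline.

```python
"""Added example: PE header anomaly checks and 1-byte XOR / hex detection (not the parsers' code)."""
import struct
import time

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
DOS_HEADER_LEN = 0x40         # sizeof(IMAGE_DOS_HEADER)
E_LFANEW_OFF = 0x3C           # offset of e_lfanew within the DOS header
DOS_STUB = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21This program cannot be run in DOS mode.\r\n$"
PE_OFFSET_LIMIT = 0x1000      # assumption: a larger e_lfanew counts as "extremely high"
TS_1999 = 915148800           # 1999-01-01T00:00:00Z
TS_CLOSE_TO_ZERO = 86400      # assumption: within a day of the epoch is "close to zero"


def build_pe(e_lfanew=0x80, timestamp=1_600_000_000, dos_stub=True):
    """Construct a minimal, non-runnable PE image for exercising the checks."""
    size = max(e_lfanew + 24, DOS_HEADER_LEN + len(DOS_STUB))
    img = bytearray(size)
    img[0:2] = MZ
    struct.pack_into("<I", img, E_LFANEW_OFF, e_lfanew)
    if dos_stub:
        img[DOS_HEADER_LEN:DOS_HEADER_LEN + len(DOS_STUB)] = DOS_STUB
    img[e_lfanew:e_lfanew + 4] = PE_SIG
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x8664, 3, timestamp, 0, 0, 0xF0, 0x22)
    return bytes(img)


def dos_header_alerts(data, now=None):
    """Return the analysis.file-style alerts this sketch raises for one PE image."""
    now = time.time() if now is None else now
    alerts = []
    if len(data) < DOS_HEADER_LEN or data[:2] != MZ:
        return ["not a windows executable"]
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFF)[0]
    if e_lfanew < DOS_HEADER_LEN:
        alerts.append("exe nt header inside dosheader")
    if e_lfanew > PE_OFFSET_LIMIT:
        alerts.append("exe pe offset extremely high")
    # Interpretation: the DOS stub sits between the DOS header and the NT header;
    # no room, or only zero bytes there, means the DOS loader stub is missing.
    if e_lfanew <= DOS_HEADER_LEN or not data[DOS_HEADER_LEN:e_lfanew].strip(b"\x00"):
        alerts.append("exe dos loader missing")
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != PE_SIG:
        alerts.append("exe missing magic number")   # interpretation: no PE\0\0 at e_lfanew
        return alerts
    _, _, ts, _, nsyms, _, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if ts == 0:
        alerts.append("exe timestamp zero")
    elif ts < TS_CLOSE_TO_ZERO:
        alerts.append("exe timestamp close to zero")
    elif ts < TS_1999:
        alerts.append("exe timestamp before 1999")
    elif ts > now:
        alerts.append("exe timestamp in the future")
    if nsyms:
        alerts.append("exe abnormal number of symbols")  # assumption: PE images carry no COFF symbols
    return alerts


def detect_encoded_executable(blob):
    """Return ('xor', key), ('hex', None) or None for a byte blob.

    A 1-byte XOR key is fixed by the requirement that the first byte decode to 'M';
    it is confirmed by 'Z' and by the PE signature at the decoded e_lfanew. Key 0
    means the blob is a plain executable, which is not reported as encoded.
    """
    key = blob[0] ^ MZ[0] if blob else 0
    if key and len(blob) > DOS_HEADER_LEN and blob[1] ^ key == MZ[1]:
        dec = bytes(b ^ key for b in blob)
        e_lfanew = struct.unpack_from("<I", dec, E_LFANEW_OFF)[0]
        if dec[e_lfanew:e_lfanew + 4] == PE_SIG:
            return ("xor", key)
    # Hex encoding: the whole blob is the ASCII hex text of an MZ/PE image.
    try:
        dec = bytes.fromhex(blob.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None
    if dec[:2] == MZ and len(dec) > DOS_HEADER_LEN:
        e_lfanew = struct.unpack_from("<I", dec, E_LFANEW_OFF)[0]
        if dec[e_lfanew:e_lfanew + 4] == PE_SIG:
            return ("hex", None)
    return None


if __name__ == "__main__":
    pe = build_pe()
    print(dos_header_alerts(build_pe(e_lfanew=0x20)))
    print(detect_encoded_executable(bytes(b ^ 0x5A for b in pe)))
```

Checking the PE signature after decoding is what keeps the XOR check from firing on any two bytes that happen to decode to "MZ"; it is also why, as the row states, a rotating or multi-byte key is not recovered by this approach, since a single key no longer decodes both the header start and the NT header consistently.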
Discontinued Packet Parsers
The following table lists the Lua parsers that have been removed from the system.
Name | Description | Notes |
---|---|---|
AIM_lua | OSCAR protocol used by AIM (AOL Instant Messenger), ICQ, and the AIM Express web client. | As of December 15, 2017, AOL Instant Messenger products and services have been shut down and no longer work. |
BITS | Identifies the Microsoft BITS protocol. | BITS was added to HTTP_lua, making the standalone BITS parser redundant. BITS parsing in HTTP_lua is also much more complete than it was in the standalone parser. |