With the recent news about ScreenConnect used in data breaches, I had
the opportunity to examine some of the network traffic. This was traffic
that was originally in OTHER, but as you know, that just means it's an
opportunity to learn about some new ...
I've come across ICMP tunneling only a handful of times, but this was
the first time I had seen it used as part of a VPN client. The VPN
client was SoftEther VPN and, in addition to SSL VPN, it can also
perform ICMP and DNS tunneling. During a recent...
There are many reasons I enjoy working with the RSA Netwitness Platform,
but it's when our customers turn their attention to threat hunting that
things really get exciting. In one case, there was a need where they
could take new threat intelligence...
Oftentimes, RSA NetWitness Packet decoders are configured to monitor
not only ingress and egress traffic but also internal LAN
traffic. On a recent engagement, we identified a significant
amount of traffic going to TCP port 9997. It...
I was recently working with Eric Partington, who asked if we could get
the Autonomous System Numbers from a recent update to GEOIP. I believe
at one point this was a feed, but it had been deprecated. After a little
bit of research, I learned that an upda...
Is this a new or recently rebuilt/refreshed packet decoder? I saw
something similar recently where some stats were not displayed
initially, as there was only one nwpdb file. Since there was only one
file, there was nothing else to compare against. No...
Just to be clear, it is possible to use Lua in this instance, however,
it would be best to use the options referenced above. If we were just to
operate on meta, then we could certainly do meta callbacks and perform
the operations we need (typically s...
I think you just need to change some of the variable names in your
function. Furthermore, I don't think you need the tokens or functions
for sessionBegin or sessionEnd. The one that we really need is
copymeta.myMeta. The function variables then just ...