These scripts are used to allow the analysts to add and remove metadata
keys with threat information that require additional monitoring. The 3
examples are for IP addresses, hostname and domain name (Wildcard). The
scripts are configured with the fol...
Rui Ataide posted a useful Python script to query a Broker or
Concentrator metadata from the command line (nwsdk_csv.py latest version
2016). In order to make it easier to use this Python script, I wrote a
shell script to use as a simple interface th...
I needed to know how far back I can search my packets, logs and metadata
and I created a shell script (netwitness_stats.sh) that runs on the SA
Broker every 30 minutes that provides meta and packets statistics for a
Concentrator, Decoder and LogDecod...
RSA used to provide a feed for Autonomous System Number (ASN) which is
no longer available for download. I created a Perl script that converts
the Maxmind CSV file into something usable by a decoder. The Perl script
creates the ASN CSV file needed to ...
When a parser is updated (3 this week - DNS, HTTP and Mail), could
support publish/blog what was changed/updated in the parser to help us
understand what kind of impact (i.e. new meta) or improvement (i.e.
better memory management) it will have on ...
If you want to use the ASN other than Maxmind, I have updated the Perl
script and XML to use a different list site for my ASN list:
# Download IPv4 file from: https://iptoasn.com
# wget https://iptoasn.com/data/ip2asn-v4.tsv.gz
# gunzip ip2asn-v4.tsv.gz...
Renato, I do a similar daily report but for the select I used did for
Decoder. The report will display the amount of data based on what it has
(bytes, MB, GB...). I'm not sure it is possible to display a report
without the meta type.
We had such an issue in the past and how we ran our test was to send a
ping regularly (once per minute) to one of our IPs that would be seen by
the tap and then checked NW to see how many packets we got over an hour
(expect to see 60 pings). The other...
Brian, if you get a "blank page" when accessing CMS, you will need to
add "download" in the URL after resources to be able to download the