I am trying to user curl to pull data from our concentrator. it doesn't
seem to want to work with curl. I am also not sure if i have the proper
syntax. It works fine by manually going to the site at
http://x.x.x.x:50105/sdk/packets the query i am try...
Nothing quite fits parsing out the sha2 value in our malware alert we
receive. I see ioc is a meta value but it looks like its based on ip's
and domains from a list.
I downloaded the logs from RSA netwitness, used esi tool to attempt to
create parsers for the logs, then uploaded them following the proper
directions. They refuse to get parsed properly. The security
intelligence logs and the amp alert/ retrospectiv...
this works but it ignores what I am looking for as far as the event
desc. It only concentrates on the time structure and gives me all logs
between that time frame.
The only message i added a tag for is security intelligence. This one
required multiple headers in order to grab them all. So basically as it
send the syslog message to NW it adds the word SecurityIntelligence so I
know what to look for. Snort sigs w...
A quick tip for creating these. Make sure your user profile is setup to
export the log files as logs and not CSV. This will help when it comes
to creating the parsers with ESI. Also if you are sending syslog
messages for security intelligence events ...
