Eric Partington

NetWitness 11.0 - HTTP_lua options

Blog Post created by Eric Partington Employee on Jan 8, 2018

Highlighting some of the new features available in NW11 (NetWitness 11.0).

HTTP Lua Parser Options 

 

Http_lua options file was introduced a while ago to provide a means to customize some of the lua parser functions using an options file to set the required status.  This functionality has been used to enable some advanced features on the http_lua parser in NW11.0+

 

Some of the new features to be aware of:

  • registerURL
  • splitQuery
  • useOrigIP
  • refererPath
  • userAgent
  • respReason
  • decompress
  • advanced

The most interesting are the decompress and refererPath options.  Some are set on/true by default, others are not. 

 

Notes:

You should not subscribe to the Options files as updates from RSA will wipe out your changes in that file.

You should deploy only from RSA Live (not subscribe and deploy)

 

Check periodically for new updates to the Options Files and deploy new ones when ready and have reviewed any changes

NW11 > Configure > RSA Live > Search for options files > Click Description > Download > Open *.zip > review content

Outcomes