Eric Partington

Top Level Domain (TLD) Lua Parser for Logs

Blog post created by Eric Partington on Apr 16, 2018

The TLD parser has been updated and can now be deployed on Log Decoders.

On a Log Decoder the parser reads the following meta keys from log devices and extracts the same information from them that it already extracts from packets:

* Alias.host
* Host.src
* Host.dst
* Domain.dst
* Domain.src
* FQDN

It writes the extracted information into these meta keys:

* alert.id - mapped to risk meta
* analysis.service - hostname characteristics
* cctld - (nonstandard) (optional) country-code top level domain, e.g., www.amazon.co.uk -> co.uk
* sld - (nonstandard) (optional) second level domain, e.g., www.amazon.co.uk -> amazon
* tld - top level domain, e.g., www.amazon.com -> com
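To make the mapping above concrete, here is an added Python example (not the RSA parser's Lua code, and not using nwll.lua) that reproduces the hostname split for the listed source keys. It assumes, since the post does not say, that the tld written for www.amazon.co.uk is "uk", and its country-code suffix list is a small constructed stand-in for the parser's real list.

```python
from typing import Dict, List, Optional

# Constructed sample of country-code second-level suffixes (the parser's
# "cctld" meta). The real parser carries a much larger list; this is a stand-in.
CCTLD_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "com.br"}

# The meta keys the log parser reads, as listed in the post.
SOURCE_KEYS = ("alias.host", "host.src", "host.dst", "domain.dst", "domain.src", "fqdn")


def split_hostname(hostname: str) -> Dict[str, Optional[str]]:
    """Return tld / sld / cctld for one hostname value.
    www.amazon.co.uk -> tld "uk", sld "amazon", cctld "co.uk"
    www.amazon.com   -> tld "com", sld "amazon", no cctld
    """
    empty = {"tld": None, "sld": None, "cctld": None}
    labels = hostname.strip().lower().rstrip(".").split(".")
    # IP addresses, single-label names and malformed values get no meta.
    if len(labels) < 2 or not all(labels) or labels[-1].isdigit():
        return empty
    tld, sld, cctld = labels[-1], labels[-2], None
    last_two = ".".join(labels[-2:])
    if last_two in CCTLD_SUFFIXES:
        # Country-code second level (co.uk): the registrable label sits one
        # position further left, if there is one.
        cctld = last_two
        sld = labels[-3] if len(labels) >= 3 else None
    return {"tld": tld, "sld": sld, "cctld": cctld}


def enrich_log_meta(meta: Dict[str, str]) -> Dict[str, List[str]]:
    """Run split_hostname over every source key present on one log event and
    collect the resulting tld / sld / cctld values (a key may hold several)."""
    out: Dict[str, set] = {}
    for key in SOURCE_KEYS:
        value = meta.get(key)
        if not value:
            continue
        for name, val in split_hostname(value).items():
            if val:
                out.setdefault(name, set()).add(val)
    return {name: sorted(vals) for name, vals in out.items()}


if __name__ == "__main__":
    # Constructed meta from a single log event, not a real capture.
    event = {"alias.host": "www.amazon.co.uk", "fqdn": "mail.example.com",
             "host.src": "laptop-12", "host.dst": "10.0.0.5"}
    print(enrich_log_meta(event))
    # {'tld': ['com', 'uk'], 'sld': ['amazon', 'example'], 'cctld': ['co.uk']}
```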


When you search for "Lua" and "Log" in the RSA Live deployment screen, the parser appears in the results:

[screenshot: RSA Live deployment search results]

And its linked dependencies:

[screenshot: linked dependencies]

This is also a really simple way of getting nwll.lua deployed to a Log Decoder if a custom parser of yours requires that library (the Palo Alto URL.raw parser, for instance).