With all the recent blogs from Christopher Ahearn about creating custom lua parsers, some folks who try their hand at it may find themselves wondering how to easily and efficiently deploy their new, custom parsers across their RSA NetWitness environment.
Manually browsing to each Decoder's Config/Parsers tab to upload there will quickly become frustrating in larger or distributed environments with more than one Decoder.
Manually uploading to a single Decoder and then using the Config/Files tab's Push option would help eliminate the need to upload to every single Decoder, but you would still need to reload each Decoder's parsers. While this could, of course, be scripted, I believe there is a simpler, easier, and more efficient option available.
Not coincidentally, that option is the title of this blog. We can leverage the Live module within the NetWitness UI to deploy custom parsers across entire environments and automatically reload each Decoder's parsers in the process. To do this, we will need to create a custom resource bundle that mimics an OOTB Live resource.
First, let's take a look at one of the newer lua parsers from Live to see how it's being packaged. We'll select one parser and then choose Package --> Create to generate a resource bundle.
In this ZIP's top-level directory, we see a LUAPARSER folder and a resourceBundleInfo.xml file.
Navigating down through the LUAPARSER folder, we eventually come to another ZIP file:
This teamviewer.zip contains an encrypted lua parser and a token to allow NetWitness Decoders to decrypt it (FYI - you do not need to encrypt your custom lua parsers).
The main takeaway from this is that when we create our custom resource bundle, we now know to create a directory structure like in the above screenshot, and that our custom lua parser will need to be packaged into a ZIP file at the bottom of this directory tree.
Next, let's take a look at the resourceBundleInfo.xml file in the top-level directory of the resource bundle. This XML is the key to getting Live to properly identify and deploy our custom lua parser.
Everything that we really need to know about this XML is in the <resourceInfo> section.
A common or friendly name for our parser:
The name of the ZIP file at the bottom of the directory tree:
The full path of this ZIP file:
The version number (which can really be anything you want, as long as it's reflected accurately in the filePath):
The resourceType line is the name of the top-level folder in the resource bundle (you shouldn't need to change this):
The typeTitle (which you also shouldn't change):
And lastly the uuid, which is how Live and the NetWitness platform identify Live resources:
Modifying everything in this file should be pretty straightforward - you'll simply want to modify each line to reflect your parser's information. And for the uuid, we can simply create our own - but don't worry, it doesn't need to be anywhere near as long or complex as a Live resource uuid.
Now that we know what the structure of the resource bundle should look like, and what information the XML needs to contain, we can go ahead and create our own custom resource bundle.
Here's what a completed custom resource bundle looks like, using one of Chris Ahearn's parsers as an example: What's on your wire: Detect Linux ELF files:
With the custom bundle packaged and ready to go, we can go into Live, select Package --> Deploy, browse to our bundle, and simply step through the process, deploying to as many or as few of our Decoders as we want:
For confirmation, we can browse to any of our Decoders at Admin --> Services and see our custom parser deployed and enabled in the Config/General tab:
Lastly, for those who might have multiple custom resources they want to deploy at once in a single resource bundle, it's just a matter of adjusting the resourceBundleInfo.xml file to reflect each resource's name, version and path, and making sure each uuid is unique within the resource bundle, e.g.: uuid1, uuid2, uuid3, etc:
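As an added example (not from this post or from RSA), here is a Python pre-deployment check for the bundle layout and resourceInfo fields described above, including the unique-uuid rule for multi-resource bundles. The post only names filePath, resourceType, typeTitle and uuid, so the element names displayName, fileName and version are assumptions; compare them against an OOTB bundle you exported via Package --> Create and rename as needed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# ASSUMED element names (not named in the post): displayName, fileName, version.
def field(res, tag):
    return (res.findtext(tag) or "").strip()

def check_bundle(bundle_bytes):
    """Return a list of problems found in a resource bundle ZIP (empty list = OK)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        names = set(zf.namelist())
        if "resourceBundleInfo.xml" not in names:
            return ["resourceBundleInfo.xml is missing from the top-level directory"]
        root = ET.fromstring(zf.read("resourceBundleInfo.xml"))
        seen = set()
        for res in root.iter("resourceInfo"):
            uuid, path, version = field(res, "uuid"), field(res, "filePath"), field(res, "version")
            label = path or field(res, "displayName") or "?"
            if not uuid:
                problems.append(f"{label}: uuid is empty")
            elif uuid in seen:  # two resources with one uuid collide in Live
                problems.append(f"{label}: duplicate uuid {uuid}")
            seen.add(uuid)
            if path not in names:
                problems.append(f"{label}: filePath does not exist inside the bundle")
            elif not path.lower().endswith(".zip"):
                problems.append(f"{label}: parser must be packaged as a ZIP")
            if version and version not in path:
                problems.append(f"{label}: version {version} is not reflected in filePath")
            if field(res, "resourceType") and path.split("/")[0] != field(res, "resourceType"):
                problems.append(f"{label}: top-level folder does not match resourceType")
            if field(res, "fileName") and path.split("/")[-1] != field(res, "fileName"):
                problems.append(f"{label}: fileName does not match the end of filePath")
    return problems

def make_sample_bundle(uuids=("1", "2"), version="1.0"):
    """Constructed two-parser bundle for exercising check_bundle; not a real export."""
    xml, buf = "<resourceBundleInfo>", io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, uuid in enumerate(uuids, 1):
            path = f"LUAPARSER/custom_{n}/1.0/custom_{n}.zip"
            zf.writestr(path, b"PK")  # stand-in for the inner ZIP holding the .lua file
            xml += (f"<resourceInfo><displayName>Custom {n}</displayName>"
                    f"<fileName>custom_{n}.zip</fileName><filePath>{path}</filePath>"
                    f"<version>{version}</version><resourceType>LUAPARSER</resourceType>"
                    f"<typeTitle>COPY_FROM_OOTB_BUNDLE</typeTitle><uuid>{uuid}</uuid>"
                    "</resourceInfo>")
        zf.writestr("resourceBundleInfo.xml", xml + "</resourceBundleInfo>")
    return buf.getvalue()
```

Run check_bundle on the bytes of your own ZIP before Package --> Deploy; an empty list means the layout and XML agree with each other.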
You can find a resource bundle template attached to this blog.
Happy customizing, everybody!