RSA NetWitness Platform

4 Posts authored by: mike.daly

This document provides information and guidance for those occasions when an organization's policy dictates the addition or modification of software on a NetWitness Appliance.

Investigator comes with a little-known built-in feature called Custom Actions that allows an analyst to query their favorite third-party website and check for malicious content or potentially harmful malware. The attached document is a step-by-step example of how to quickly enable this functionality and contains many real-world examples on the last few pages.

Recovering a file that was sent via FTP differs from recovering a file sent over other ports or protocols (e.g. SMTP/25, SSH/22, HTTP/80), because FTP sends the file over higher ports that create a new and unique Session ID.

Port 21/tcp FTP Command Session

Port 20/tcp FTP Data Session

In the attached document, we follow a session between two hosts that use multiple ports and session IDs to recover the PDF document that was transmitted.

Creating Feeds

Posted by mike.daly Sep 11, 2012

Suppose you want to create an alert that shows all traffic from or to any external IP address as well as any communication attempts with an external IP. The attached document shows how easily this can be configured.
