Packet Parsers

Document created by RSA Information Design and Development on May 25, 2016. Last modified by RSA Information Design and Development on Aug 16, 2018.

This topic discusses and describes the packet (Lua) parsers available in RSA NetWitness Platform. If you need a parser that does not already exist, you can Request a Parser.

Note: More information on each of these parsers is available in Live. Navigate to Live search, and select RSA Lua Parser in the Resource Types field. From the results, select any parser and click to display all the information for the parser.

Context

Packet parsers identify the application layer protocol of sessions seen by the Decoder, and extract meta data from the packet payloads of the session.

Every packet parser is able to extract meta from every session. For example, a webmail session will be parsed by both an HTTP parser which identifies the session as HTTP and extracts meta from HTTP headers, and by a MAIL parser which extracts email-related meta from message headers. Further, if the session were to contain an executable file, its presence would be detected by a windows executable parser.

Packet parsers in RSA Security Analytics may be broadly classified as:

  • System or Native parsers: These are compiled into the Decoder base code. Updates are delivered along with updates to Security Analytics. Many system parsers have lua equivalents. In these cases, generally, the native parser may perform faster, while the lua parser may extract more meta.
  • Lua parsers: these are written in the lua programming language, and delivered via Live. Customers can write their own custom lua parsers.
  • Flex parsers: these were written in a proprietary scripting language, Flex, and delivered via Live. These are now considered Legacy content: every existing Flex parser has a better lua equivalent, and all customers using Security Analytics version 10.2 or later should not be using Flex parsers.

Packet Parsers in NetWitness

The following entries describe the Lua parsers delivered with RSA NetWitness Platform. Each entry gives the parser's Display Name, File Name, Description, Medium, and Tags.

Display Name: apt_artifacts
File Name: apt_artifacts
Description: Detects possible apt WMI and windows registry manipulation.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* IR_2_aptArtifacts

KEYS
* ioc - indicators of compromise

RISK VALUES
None

HUNTING VALUES

ioc
* apt possible invokemimikatz
* apt possible prefetch deletion
* apt possible registry deletion
* apt possible wmic cleareventlog
Medium: packet
Tags: threat, attack phase, command and control, malware, remote access trojans
Display Name: Avamar
File Name: avamar
Description: Identifies Avamar Backup and Recovery, TCP port 28001.

Performs identification only. No meta is extracted or registered.

Only Avamar sessions utilizing port 28001 are supported.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
None

KEYS
* service - '28001'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis
Display Name: BGP_lua
File Name: bgp
Description: Identifies BGP Routing Protocol. Performs identification only; no meta is extracted.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* bgp

KEYS
* service - '179'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, protocol analysis
Display Name: bittorrent_lua
File Name: bittorrent
Description: Identifies the bittorrent protocol and registers the name of the file being downloaded.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* BITTORRENT
* bittorrent
* bittorrent-id
* fingerprint_bittorrent

KEYS
* filename - name of file transferred
* service - '6881'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis
Display Name: Canon_BJNP
File Name: canon_bjnp
Description: Identifies the Canon printer discovery protocol BJNP.

Performs identification only. No meta is extracted or registered.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
None

KEYS
* service - '8162'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis
Display Name: cerber
File Name: cerber
Description: Detects potential Cerber ransomware beaconing.


DEPENDENCIES
Parsers
* FeedParser
* NETWORK
Feeds
* investigation

CONFLICTS
None

KEYS
* ioc - indicators of compromise
* query - cerber campaign id

RISK VALUES
None

HUNTING VALUES

ioc
* cerber beacon
Medium: packet
Tags: threat, attack phase, command and control, malware
Display Name: china_chopper
File Name: china_chopper
Description: Detects cleartext China Chopper sessions.


DEPENDENCIES
Parsers
* FeedParser
* nwll
Feeds
* investigation

CONFLICTS
Parsers
* IR_2_China_Chopper

KEYS
* ioc - indicators of compromise

HUNTING VALUES

ioc
* china chopper
Medium: packet
Tags: threat, attack phase, command and control, malware, remote access trojans
Display Name: creditcard_detection_lua
File Name: creditcard_detection
Description: Attempts to detect possible credit card numbers and validate them with Luhn's Algorithm. Intended as a replacement for the credit card detection in search.ini.

IMPORTANT:

If performance degradation occurs, disable this parser and use
the entry in search.ini instead.

Do not enable if decoder performance is a concern.

This parser replaces the credit card entry in search.ini - if this
parser is enabled then the entry in search.ini should be disabled.

This parser will be more accurate than search.ini, at a cost of
decreased performance.

There *will* be false positives - possibly many of them. There are a
lot of numbers out there that have the correct number of digits and
will even pass Luhn's Algorithm - there is a 10% chance of any given
random number passing a luhn's check, and trying to account for every
possibility of what isn't expected around a card number risks being
too rigid and not finding things that *are* card numbers.

As a compromise to increase performance, detected numbers must be contiguous digits. In other words, delimiters are not supported. For example "123456789" will be detected, but "123 456 789" or "123-456-789" will not.

Only ASCII/UTF-8 encoded numeric characters are supported (e.g., 0x30 = "0", 0x31 = "1", 0x32 = "2", ...). Numbers in other encodings, such as other unicode character sets, may not be detected.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* creditcard_detection

KEYS
* alert.id - mapped to risk meta
* cc.number - (nonstandard) possible credit card number

RISK VALUES

info
* possible american express credit card
* possible diners club or carte blanche credit card
* possible discover credit card
* possible jcb credit card
* possible maestro credit card
* possible mastercard credit card
* possible visa credit card

HUNTING VALUES
None
Medium: packet
Tags: assurance, compliance, audit
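To make the caveats in the entry above concrete, here is an added example (not the parser's own Lua source) that models its documented behaviour: only contiguous ASCII digit runs are candidates, each is checked with the Luhn algorithm, and the rate at which random digit strings pass Luhn is measured to show why false positives are expected. The plausible length range is an assumption for illustration.

```python
"""Model of contiguous-digit credit card detection with Luhn validation.

Added example, not the creditcard_detection parser's Lua source. Mirrors
the documented constraints: only ASCII digits 0x30-0x39 count, a run ends
at any other byte (so "123 456 789" is never one candidate), candidates
are validated with Luhn, and the ~10% random pass rate is measured.
"""
import random
import re

# Assumption for illustration: candidate runs of 13 to 19 digits.
MIN_LEN, MAX_LEN = 13, 19

# Runs of ASCII digits only. Spaces, hyphens and non-ASCII digit code
# points all terminate a run, matching the documented limitation.
_DIGIT_RUN = re.compile(rb"[0-9]+")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 0x30
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def find_candidates(payload: bytes) -> list[str]:
    """Scan a session payload for contiguous digit runs that pass Luhn."""
    hits = []
    for m in _DIGIT_RUN.finditer(payload):
        run = m.group().decode("ascii")
        if MIN_LEN <= len(run) <= MAX_LEN and luhn_valid(run):
            hits.append(run)
    return hits


def luhn_pass_rate(samples: int, length: int = 16, seed: int = 1) -> float:
    """Fraction of random digit strings that pass Luhn (expected about 0.10)."""
    rng = random.Random(seed)
    passed = sum(
        luhn_valid("".join(rng.choice("0123456789") for _ in range(length)))
        for _ in range(samples)
    )
    return passed / samples


# Constructed sample payload: a contiguous test number, the same number in
# delimited form (not detected), and a 16-digit run that fails Luhn.
SAMPLE_PAYLOAD = (
    b"card=4111111111111111&exp=1229\r\n"
    b"note: also seen as 4111 1111 1111 1111 on the form\r\n"
    b"order=4111111111111112\r\n"
)

if __name__ == "__main__":
    print(find_candidates(SAMPLE_PAYLOAD))   # ['4111111111111111']
    print(round(luhn_pass_rate(20000), 2))   # about 0.1
```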
Display Name: CustomTCP
File Name: CustomTCP
Description: Detects CustomTCP beaconing activity.

Registers C2 domain and victim hostname as alias.host meta.


DEPENDENCIES
Parsers
* FeedParser
* NETWORK
Feeds
* investigation

CONFLICTS
None

KEYS
* alias.host - c2 domain, victim hostname
* ioc - indicators of compromise

RISK VALUES
None

HUNTING VALUES

ioc
* CustomTCP shell
Medium: packet
Tags: threat, attack phase, command and control, malware, remote access trojans
Display Name: db2_lua
File Name: db2
Description: Extracts queries from DB2 database protocol sessions.

Extracts query only. Instances etc are not extracted.

Not all DB2 sessions may be identified.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* db2

KEYS
* query - db2 database query
* service - '3700'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis
Display Name: DCERPC
File Name: dcerpc
Description: Extracts action and Kerberos authentication from Microsoft's DCERPC protocol.


DEPENDENCIES
Parsers
* FeedParser
* NETWORK
* nwll
Feeds
* investigation

CONFLICTS
Parsers
* dce-rpc

KEYS
* action - dcerpc message type, operation, wmi command
* ad.computer.dst - target hostname
* ad.computer.src - kerberos hostname
* ad.domain.dst - target domain
* ad.domain.src - kerberos domain
* ad.username.dst - target username
* ad.username.src - kerberos username
* alert.id - mapped to risk meta
* crypto - kerberos crypto type
* error - kerberos error
* query - wmi parameters
* service - '135'

RISK VALUES

info
* remote scheduled task
* remote service control
* wmi command
* wmi level 1 login
* wmi remote query

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, protocol analysis
Display Name: Derusbi_Server_Handshake
File Name: derusbi_server
Description: Detects Derusbi server handshake.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* Derusbi_Variant_Beacon

KEYS
* alert.id - mapped to risk meta

RISK VALUES

warning
* derusbi server handshake

HUNTING VALUES
None
Medium: packet
Tags: threat, attack phase, command and control, malware, remote access trojans
Display Name: DHCP_lua
File Name: dhcp
Description: Identifies DHCP (BOOTP) and DHCPv6, extracts hosts and addresses.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* DHCP

KEYS
* alert.id - mapped to risk meta
* alias.host - client hostname, client fqdn
* alias.ip - client ipv4, server ipv4
* alias.ipv6 - client ipv6, server ipv6
* alias.mac - client identifier, client hardware
* extension - filename extension of bootfile
* filename - bootfile
* service - '67'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis
Display Name: DNP3_lua
File Name: dnp3
Description: DNP3 Distributed Network Protocol (SCADA).

Only DNP3 sessions on port 20000 will be parsed.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* dnp3

KEYS
* action - dnp3 function
* device.host - client identifier, server identifier
* error - dnp3 errors
* service - '20000'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis
Display Name: DNS_verbose_lua
File Name: dns_verbose
Description: Identifies DNS sessions. Registers query and response records including record type. Registers protocol error messages. Alerts for DNS anomalies.

DNS sessions on ports other than 53 will not be parsed. Sessions
other than DNS on port 53 will result in an alert being registered for
the session.


DEPENDENCIES
Parsers
* FeedParser
* NETWORK
* nwll
Feeds
* investigation

CONFLICTS
Parsers
* DNS
* dns_verbose

KEYS
* alert.id - mapped to risk meta
* alias.host - hostnames of requests / answers
* alias.ip - ipv4 addresses of requests / answers
* alias.ipv6 - ipv6 addresses of requests / answers
* analysis.service - dns characteristics of interest
* dns.querytype - (nonstandard) type of record in the dns query
* dns.responsetype - (nonstandard) type of record dns response
* dns.resptext - (nonstandard) contents of dns txt records
* error - dns errors
* ioc - indicators of compromise
* service - '53'

RISK VALUES

info
* dns large answer
* dns long query
* dns low ttl
* dns query for uncommon record type
* dns response with uncommon record type

suspicious
* anomalous dns message
* dns extremely large number of answers
* dns extremely low auth ttl
* dns extremely low ttl
* dns invalid query type
* dns large number of additional records
* dns large number of answers
* dns large number of authority records
* dns large number of queries
* dns query contains answer records
* dns query contains authority records
* dns query for uncommon record class
* dns reserved value present
* dns unsolicited response records
* dns z reserved present
* hostname looks like ip address
* ip-like hostname resolves to different ip

warning
* anomalous or non-dns session on dns port

HUNTING VALUES

analysis.service
* dns base36 txt record
* dns base64 txt record
* dns single request response
* large session dns port
* large session dns service
* loopback resolution of non-local name
* outbound dns
* suspicious traffic port 53

ioc
* dns with executable
* dns with file
Medium: packet
Tags: operations, event analysis, protocol analysis
Display Name: dr_watson_lua
File Name: basic_dr_watson
Description: Detects Dr Watson crash report and registers name of crashed process.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* dr_watson

KEYS
* alert.id - mapped to risk meta
* filename - name of crashed process

RISK VALUES

info
* dr watson crash report

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, application analysis
Display Name: duqu_lua
File Name: duqu
Description: Detects binaries that may be related to the duqu threat.

This parser indicates that a file exhibits some characteristics in
common with Duqu-related binaries and thus may warrant further
analysis. It does not claim that any file so indicated is, as a
matter of fact, related to Duqu.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* duqu

KEYS
* alert.id - mapped to risk meta

RISK VALUES

suspicious
* potential binary from duqu group

HUNTING VALUES
None
Medium: packet
Tags: threat, attack phase, command and control, malware, remote access trojans
Display Name: DynDNS
File Name: dyndns
Description: Detects dynamic DNS hosts and servers.


DEPENDENCIES
Parsers
* FeedParser
* NETWORK
Feeds
* investigation

CONFLICTS
Parsers
* IR_DynDNS
* IR_dyndns-http

KEYS
* alert.id - mapped to risk meta
* analysis.service - 'dynamic dns http', 'dynamic dns query', 'dynamic dns server', 'dynamic dns host'

RISK VALUES

info
* dynamic dns host
* dynamic dns server

HUNTING VALUES

analysis.service
* dynamic dns http
* dynamic dns query
Medium: packet
Tags: operations, event analysis, protocol analysis
Display Name: ein_detection_lua
File Name: ein
Description: Attempts to detect Employer Identification Numbers. Intended as a replacement for the EIN detection in search.ini.

This parser utilizes many short tokens. Do not enable if decoder
performance is a concern.

In order to avoid redundancy, the EIN search in search.ini should be
disabled if this parser is to be used.

EIN numbers are expected to be formatted as:

2-digit prefix, followed by a hyphen, followed by 7 digits

e.g., 12-3456789

EIN numbers not in this format will not be detected.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* ein_detection

KEYS
* alert.id - mapped to risk meta
* ein.number - (nonstandard) detected ein numbers

RISK VALUES

info
* employer identification number

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, application analysis, identity, accounting
Display Name: ethernet_oui
File Name: ethernet_oui
Description: Determines the manufacturer of eth.src, eth.dst, and alias.mac addresses.

Reserved OUI's such as those used for broadcast or multicast will not
result in vendor meta.

If the decoder is placed between layer 3 gateways (i.e., routers), the
meta for source and destination MAC will be the same for every
session. In such cases, this parser should not be used.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* MAC_Vendor

KEYS
* eth.dst.vendor - (nonstandard) manufacturer of destination ethernet controller
* eth.src.vendor - (nonstandard) manufacturer of source ethernet controller

RISK VALUES
None

HUNTING VALUES
None
Medium: log, packet
Tags: event analysis, featured, operations, protocol analysis
Display Name: Evilgrab
File Name: evilgrab
Description: Detects possible Evilgrab APT malware activity.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
None

KEYS
* alert.id - mapped to risk meta

RISK VALUES

suspicious
* possible evilgrab traffic

HUNTING VALUES
None
Medium: packet
Tags: threat, attack phase, command and control, malware, remote access trojans
Display Name: exif
File Name: exif
Description: Extracts longitude and latitude coordinates from exif data embedded in JPEG files.


DEPENDENCIES
None

CONFLICTS
None

KEYS
* latdec.src - latitudinal coordinate from exif data
* longdec.src - longitudinal coordinate from exif data

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, file analysis
Display Name: fingerprint_7zip
File Name: fingerprint_7zip
Description: Detects 7zip archive files.

Filename is extracted only if all of the following are true:
a) there is a single file in the archive
b) there is no directory structure
c) filename field is not encrypted in the archive headers
d) archive file is not encrypted or otherwise encoded (eg, base64)


DEPENDENCIES
None

CONFLICTS
None

KEYS
* filename - filename within archive
* filetype - '7zip'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, file analysis
Display Name: fingerprint_access_db_lua
File Name: fingerprint_access_db
Description: Identifies Microsoft Access database files.


DEPENDENCIES
None

CONFLICTS
Parsers
* fingerprint_access_db

KEYS
* filetype - 'access db'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, file analysis
Display Name: fingerprint_apple_dmg_lua
File Name: fingerprint_apple_dmg
Description: Detects Mac OS X Disk Copy Disk Image files.


DEPENDENCIES
None

CONFLICTS
Parsers
* fingerprint_apple_dmg

KEYS
* filetype - 'apple dmg'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, file analysis
Display Name: fingerprint_apple_ios_lua
File Name: fingerprint_apple_ios_app
Description: Detects Apple IOS App files.


DEPENDENCIES
Parsers
* nwll

CONFLICTS
Parsers
* fingerprint_apple_ios

KEYS
* extension - filename extension (if applicable)
* filename - filename of ios app
* filetype - 'apple ios app'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, file analysis
Display Name: fingerprint_apple_iwork_lua
File Name: fingerprint_apple_iwork
Description: Detects Apple iWork files (Pages, Numbers and Keynote).


DEPENDENCIES
None

CONFLICTS
Parsers
* fingerprint_apple_iwork

KEYS
* filetype - 'apple iwork'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, file analysis
Display Name: fingerprint_appleExec_lua
File Name: fingerprint_apple_exec
Description: Detects MAC OSX executable binary files.


DEPENDENCIES
None

CONFLICTS
Parsers
* fingerprint_apple_exec

KEYS
* filetype - 'apple executable (pef)', 'apple executable (mach-o)'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, file analysis
Display Name: fingerprint_bmp
File Name: fingerprint_bmp
Description: Detects BMP format image files.

Will not detect base64 encoded BMP files, such as MIME attachments.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
None

KEYS
* alert.id - mapped to risk meta
* filetype - 'bmp'

RISK VALUES

info
* uncommon bmp format

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, file analysis
Display Name: fingerprint_cab
File Name: fingerprint_cab
Description: Identifies cabinet files (cab).


DEPENDENCIES
None

CONFLICTS
Parsers
* fingerprint_cab_files

KEYS
* filetype - 'cab'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, file analysis
Display Name: fingerprint_cad_lua
File Name: fingerprint_cad
Description: Detects Autodesk Autocad DWG, DXF, and DWF files.

Supports detection of base64-encoded files (e.g. email attachment).

Meta for "filetype" will only be registered once per session,
irrespective of whether further CAD files are present in the session.

Supports the following DWG and DXF file format versions:
AC1024 AutoCAD 2010/2011/2012
AC1021 AutoCAD 2007/2008/2009
AC1018 AutoCAD 2004/2005/2006
AC1015 AutoCAD 2000/2000i/2002
AC1014 Release 14
AC1012 Release 13
AC1009 Release 11/12
AC1006 Release 10
AC1004 Release 9
AC1003 Version 2.60
AC1002 Version 2.50
AC1001 Version 2.22
AC2.22 Version 2.22
AC2.21 Version 2.21
AC2.10 Version 2.10
AC1.50 Version 2.05
AC1.40 Version 1.40
AC1.2 Version 1.2
MC0.0 Version 1.0

CAD files created by non-Autodesk software may not be detected.

CAD files converted into non-CAD formats (PDF, JPG, PNG, etc) will not
be detected as CAD files.


DEPENDENCIES
None

CONFLICTS
Parsers
* fingerprint_cad

KEYS
* filetype - 'autocad'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, file analysis
Display Name: fingerprint_chm_lua
File Name: fingerprint_chm
Description: Identifies Microsoft Compiled Help files, and detects potentially suspicious elements within.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* fingerprint_chm
* malware_chm

KEYS
* alert.id - mapped to risk meta
* filetype - 'chm'

RISK VALUES

suspicious
* suspicious chm

warning
* chm contains exe

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, file analysis
Display Name: fingerprint_flash
File Name: fingerprint_flash
Description: Detects Adobe Flash (swf) files. Detects Flash embedded within a pdf.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* Fingerprint Encrypted SWF
* base64_swf
* fingerprint_swf

KEYS
* alert.id - mapped to risk meta
* filetype - 'swf'

RISK VALUES

suspicious
* potential embedded swf in pdf

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, file analysis
Display Name: fingerprint_font
File Name: fingerprint_font
Description: Identifies font files: embedded opentype (eot), web open format (woff), opentype (otf), and truetype (ttf).

OTF with TTF outlines may be identified as TTF.


DEPENDENCIES
None

CONFLICTS
None

KEYS
* filetype - 'eot font', 'otf font', 'svg font', 'ttf font', 'woff font'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, file analysis
Display Name: fingerprint_gif_lua
File Name: fingerprint_gif
Description: Identifies GIF files. Detects malformed GIF elements.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* fingerprint_gif

KEYS
* alert.id - mapped to risk meta
* filetype - 'gif'

RISK VALUES

info
* malformed gif header

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, file analysis
Display Name: fingerprint_gzip
File Name: fingerprint_gzip
Description: Detects files which have been compressed using the gzip family of compression programs (gzip, bzip, etc).

Will not detect a gzip file in an HTTP stream which utilizes
gzip content-encoding.


DEPENDENCIES
None

CONFLICTS
None

KEYS
* filetype - 'gzip compressed'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, file analysis
Display Name: fingerprint_java
File Name: fingerprint_java
Description: Detects Java JAR and CLASS files.


DEPENDENCIES
None

CONFLICTS
Parsers
* fingerprint_jar
* fingerprint_java_class

KEYS
* analysis.file - file characteristics
* filetype - 'java class', 'java jar'

RISK VALUES
None

HUNTING VALUES

analysis.file
* one two filename java class
* small java class
* small java jar
Medium: packet
Tags: operations, event analysis, file analysis
Display Name: fingerprint_javascript_lua
File Name: fingerprint_javascript
Description: Detects javascript, and suspicious javascript actions and anomalies.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* fingerprint_javascript
* javascript_packers
* javascript_shellcode
* javascript_suspicious

KEYS
* alert.id - mapped to risk meta
* filetype - 'javascript'

RISK VALUES

info
* js arguments callee
* js browser probe
* js eval
* js eval escape
* js eval no docwrite
* js os browser detection
* js string fromcharcode

suspicious
* javascript doc
* javascript edwards packer
* javascript nerot packer
* javascript obfuscation
* js extrememly long charcode decode
* js inside textarea
* js shellcode evasion
* js sprayheap
* js var replace chars
* js var suspicious name

warning
* js noop shellcode

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, file analysis
Display Name: fingerprint_job
File Name: fingerprint_job
Description: Identifies windows job task scheduling files.

Note that "action", "directory", and "username" meta are relevant to
the job, not the transport of the job file. E.g., username is the
account with which the job will be run - it is not the user submitting
the job file.


DEPENDENCIES
None

CONFLICTS
None

KEYS
* action - command, parameters, and trigger of job
* directory - working directory for job
* filetype - 'windows job file'
* username - account with which the job is to be run

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, file analysis
Display Name: fingerprint_jpg_lua
File Name: fingerprint_jpg
Description: Detects JPEG image files.


DEPENDENCIES
None

CONFLICTS
Parsers
* fingerprint_jpg

KEYS
* filetype - 'jpg'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, file analysis
Display Name: fingerprint_lnk_lua
File Name: fingerprint_lnk
Description: Identifies lnk files and detects possible exploit characteristics.

Detects if an icon resource points to a DLL. Note that there are other
possible methods to exploit a .lnk file.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* exploit_lnk_file
* fingerprint_lnk

KEYS
* alert.id - mapped to risk meta
* filetype - 'lnk'

RISK VALUES

suspicious
* exploit lnk file

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, file analysis
Display Name: fingerprint_msi_lua
File Name: fingerprint_msi
Description: Identifies Microsoft OLE / Compound Document Format Windows Installer files.


DEPENDENCIES
None

CONFLICTS
Parsers
* fingerprint_msi

KEYS
* filetype - 'windows installer msi'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, file analysis
Display Name: fingerprint_mssql_lua
File Name: fingerprint_mssql
Description: Detects Microsoft SQL Server database files.


DEPENDENCIES
None

CONFLICTS
Parsers
* fingerprint_mssql

KEYS
* filetype - 'mssql'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, file analysis
Display Name: fingerprint_office_lua
File Name: fingerprint_office
Description: Identifies Microsoft Office 95-2007 Word, Excel, and Powerpoint documents.

A file saved from Office 2007+ but in 95-2003 format may register both
filetype meta.

If the fingerprint_zip parser is also enabled, an Office 2007+ file
will also be detected as being a zip file. This is because an Office
2007+ file is in reality zipped XML.

A base64 encoded Microsoft Installer file (.msi) may be detected as a
base64 encoded Office 2003 file.


DEPENDENCIES
None

CONFLICTS
Parsers
* encoded_file_fingerprinting
* fingerprint_office95-2003
* fingerprint_office_2007

KEYS
* filetype - 'office 95-2003 word document', 'office 95-2003 excel document', 'office 95-2003 powerpoint document', 'office 95-2003 document', 'office 2007 document'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, file analysis
Display Name: fingerprint_pdf_lua
File Name: fingerprint_pdf
Description: Identifies PDF files and detects risky characteristics.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* encoded_file_fingerprinting
* fingerprint_pdf
* malware_pdf

KEYS
* alert.id - mapped to risk meta
* alias.host - host portion of urls found in pdf (if name)
* alias.ip - host portion of urls found in pdf (if IPv4)
* alias.ipv6 - host portion of urls found in pdf (if IPv6)
* analysis.file - file characteristics
* directory - directory portion of urls found in pdf
* extension - extension portion of filename of urls found in pdf
* filename - filename portion of urls found in pdf
* filetype - 'pdf'
* query - querystring portion of urls found in pdf
* version - pdf format version

RISK VALUES

info
* pdf deflating embedded file
* pdf single page
* pdf stream ascii85 encoded
* pdf stream ccittfax encoded
* pdf stream crypt encoded
* pdf stream hex encoded
* pdf stream lwz encoded
* pdf stream runlength encoded
* pdf with additional actions
* pdf with launch action
* pdf with names
* pdf with open action
* pdf with xfa

suspicious
* pdf with javascript

warning
* pdf creates and launches vbs
* pdf inconsistent xref size
* pdf launches exe
* pdf with javascript hidden in xfa
* pdf with nested filters
* pdf with obfuscated objects

HUNTING VALUES

analysis.file
* pdf with url
Medium: packet
Tags: malware analysis, spectrum, operations, event analysis, file analysis
Display Name: fingerprint_pff
File Name: fingerprint_pff
Description: Detects Microsoft Outlook Personal File Folder objects such as pab, pst, and ost.

Does not differentiate between types of pff files.


DEPENDENCIES
None

CONFLICTS
None

KEYS
* filetype - 'pff'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, file analysis
Display Name: fingerprint_pkcs12_lua
File Name: fingerprint_pkcs12
Description: Detects PKCS #12 format private key files.

Performs detection only. No meta is extracted from the contents of the
pkcs12 file.


DEPENDENCIES
None

CONFLICTS
Parsers
* fingerprint_pkcs12

KEYS
* filetype - 'private encryption key pkcs12'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, file analysis
Display Name: fingerprint_png_lua
File Name: fingerprint_png
Description: Detects PNG image files.


DEPENDENCIES
None

CONFLICTS
Parsers
* fingerprint_png

KEYS
* filetype - 'png'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, file analysis
Display Name: Fingerprint_Private_Key
File Name: fingerprint_key
Description: Detects SSH and PGP private key files.


DEPENDENCIES
None

CONFLICTS
Parsers
* fingerprint_private_encryption_keys

KEYS
* filetype - 'private encryption key', 'private pgp encryption key', 'putty public private key pair'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, file analysis
Display Name: fingerprint_rar_lua
File Name: fingerprint_rar
Description: Detects RAR archive files. Registers names of files within archive files if available.

A rar may be password protected or encrypted. An encrypted rar is
always password protected - in which case, only the "encrypted" alert
is registered.

Filenames extracted are names of the files within the archive, not the
name of the archive itself.

Filenames can be extracted from a password protected rar, but not an
encrypted rar.

For a base64-encoded rar, only "encrypted" is detected, not "password
protected". No filenames are extracted.


DEPENDENCIES
Parsers
* FeedParser
* nwll
Feeds
* investigation

CONFLICTS
Parsers
* encoded_file_fingerprinting
* fingerprint_rar

KEYS
* alert.id - mapped to risk meta
* directory - directory of file within archive
* extension - extension of file within archive
* filename - name of file within archive
* filetype - 'rar'

RISK VALUES

suspicious
* rar file encrypted
* rar file password protected

HUNTING VALUES
None
Medium: packet
Tags: featured, malware analysis, spectrum, operations, event analysis, file analysis
Display Name: fingerprint_rtf_lua
File Name: fingerprint_rtf
Description: Detects RTF files.


DEPENDENCIES
Feeds
* investigation

CONFLICTS
Parsers
* encoded_file_fingerprinting
* fingerprint_rtf

KEYS
* analysis.file - 'suspicious rtf'
* filetype - 'rtf'

RISK VALUES
None

HUNTING VALUES

analysis.file
* rtf invalid magic number
* suspicious rtf
Medium: packet
Tags: featured, malware analysis, spectrum, operations, event analysis, file analysis
Display Name: fingerprint_unix_script_lua
File Name: fingerprint_unix_script
Description: Identifies shell, perl, ruby, and python scripts.


DEPENDENCIES
None

CONFLICTS
Parsers
* fingerprint_unix_script

KEYS
* filetype - 'unix shell script', 'perl script', 'python script', 'ruby script'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, file analysis
Display Name: fingerprint_webm
File Name: fingerprint_webm
Description: Detects webm and matroska video files.


DEPENDENCIES
None

CONFLICTS
None

KEYS
* filetype - 'webm', 'matroska'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, file analysis
Display Name: fingerprint_zip
File Name: fingerprint_zip
Description: Detects PK format zip files, and extracts the names of files contained in the archive.

Parses PK-format zip archive files only. PK format is used by WinZip
and Windows XP+. Other formats such as gzip and 7zip are parsed by
other parsers.

Filenames are the names of the files contained within the zip file,
not the name of the zip file itself (the name of the zip file itself
is not in the zip file).


DEPENDENCIES
Parsers
* FeedParser
* nwll
Feeds
* investigation

CONFLICTS
Parsers
* encoded_file_fingerprinting
* pkware

KEYS
* alert.id - mapped to risk meta
* analysis.file - file characteristics
* directory - directory of file within archive
* extension - extension of file within archive
* filename - name of file within archive
* filetype - 'zip'
* ioc - indicators of compromise

RISK VALUES

info
* zip file language encoded

suspicious
* zip file encrypted
* zip file obfuscated

HUNTING VALUES

analysis.file
* zipped chm
* zipped hta
* zipped wsf

ioc
* spora ransomware
Medium: packet
Tags: operations, event analysis, file analysis
Display Name: FIX_lua
File Name: fix
Description: Identifies the Financial Information Exchange Protocol.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* FIX

KEYS
* service - '8082'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, protocol analysis
Display Name: Form_Data_lua
File Name: formdata
Description: Extracts submitted values from HTTP POST actions.

Supports:
- application/x-www-form-urlencoded
- application/json
- multipart/form-data

For urlencoded and json, each chunk of name:value pairs is registered
as a single "query" meta.

Values are not de-urlencoded - this makes "eyeballing" them more
difficult, but makes writing app rules and feeds easier and more
accurate.

For multipart/form-data, only name is registered since the value
usually consists of chunks of binary data such as images, files,
etc.

Only application/x-www-form-urlencoded bodies will be examined for
possible base64 values, since multipart/form-data is routinely encoded
with base64.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* Form_Data_Elements

KEYS
* alert.id - mapped to risk meta
* query - HTTP POST form data

RISK VALUES

info
* http post missing content-length
* http post missing content-type

suspicious
* possible base64 http form data

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, protocol analysis

FTP_lua (parser: ftp)
File Transfer Protocol (FTP) RFC 959.

Parses only FTP command sessions. FTP data sessions are not
identified or parsed.

Registers the actual FTP command, e.g. "STOR" (unlike the
native parser "FTP" which registers action meta "put" for
uploads).

Filename is prepended to link meta for active transfers but
not passive.


DEPENDENCIES
Parsers
* NETWORK
* nwll

CONFLICTS
Parsers
* FTP

KEYS
* action - FTP command
* directory - target directory of FTP command
* extension - extension of filename
* filename - target filename of FTP command
* link - query parameters for identification of corresponding data session
* password - password credential provided to server
* service - '21'
* username - user credential provided to server

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

GeoIP2 Database Files (parser: geoip2_database_files)
MaxMind's GeoIP product lets you discover information about a specific IP address such as domain, organization, country, city, ISP and latitude and longitude. RSA NetWitness Platform 11.2 and higher has a system parser called GeoIP2 that uses the MaxMind databases and it is enabled by default. Updates to these databases are published on RSA Live weekly and it's recommended you subscribe to these database files in order to deploy timely updates. The meta keys for country, domain and organization are enabled by default. See the CONFIGURATION section to enable or disable the meta output by the parser.

REFERENCES
See MaxMind's description of the databases here: https://dev.maxmind.com/geoip/geoip2/downloadable/

VERSIONS SUPPORTED
RSA NetWitness Platform 11.2+

CONFIGURATION
To enable or disable meta keys generated by the GeoIP2 system parser, go to the UI > Admin > Services > Decoder (or Log Decoder) > Parsers Configuration > GeoIP2

GENERATED METADATA
city.dst
city.src
country.dst
country.src
domain.dst
domain.src
isp
latdec.dst
latdec.src
longdec.dst
longdec.src
org.dst
org.src

DEPENDENCIES
GeoIP2 System Parser
Medium: log, packet
Tags: event analysis, flow analysis, operations

ghost (parser: ghost)
Detects likely Ghost Rat beacon sessions.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* ghost_protocol

KEYS
* alert.id - mapped to risk meta

RISK VALUES

suspicious
* ghost-protocol-variant

warning
* ghost-protocol-00000
* ghost-protocol-00000000
* ghost-protocol-7hero
* ghost-protocol-ABCDE
* ghost-protocol-Adobe
* ghost-protocol-Assas
* ghost-protocol-B1X6Z
* ghost-protocol-BEiLa
* ghost-protocol-BeiJi
* ghost-protocol-Black
* ghost-protocol-Blues
* ghost-protocol-ByShe
* ghost-protocol-CCTV0
* ghost-protocol-CHINA
* ghost-protocol-ChEnA
* ghost-protocol-DNSYU
* ghost-protocol-DrAgOn
* ghost-protocol-EXXMM
* ghost-protocol-Eyes1
* ghost-protocol-Eyes2
* ghost-protocol-FKJP3
* ghost-protocol-FLYNN
* ghost-protocol-FWAPR
* ghost-protocol-FWKJG
* ghost-protocol-GM110
* ghost-protocol-GOLDt
* ghost-protocol-GWRAT
* ghost-protocol-Gh0st
* ghost-protocol-Gi0st
* ghost-protocol-HEART
* ghost-protocol-HTTP/
* ghost-protocol-HTTPS
* ghost-protocol-HXWAN
* ghost-protocol-Heart
* ghost-protocol-Hello
* ghost-protocol-Hyxhj
* ghost-protocol-IM007
* ghost-protocol-ITore
* ghost-protocol-KOBBX
* ghost-protocol-KrisR
* ghost-protocol-LUCKK
* ghost-protocol-LURK0
* ghost-protocol-LYRAT
* ghost-protocol-Level
* ghost-protocol-LkxCq
* ghost-protocol-Lover
* ghost-protocol-Lyyyy
* ghost-protocol-MYFYB
* ghost-protocol-MoZhe
* ghost-protocol-MyRat
* ghost-protocol-NIGHT
* ghost-protocol-Naver
* ghost-protocol-NoNul
* ghost-protocol-OXXMM
* ghost-protocol-Origi
* ghost-protocol-PCRat
* ghost-protocol-QQ_124971919
* ghost-protocol-QWPOT
* ghost-protocol-Shado
* ghost-protocol-Snown
* ghost-protocol-SocKt
* ghost-protocol-Spidern
* ghost-protocol-Super
* ghost-protocol-Sw@rd
* ghost-protocol-Tyjhu
* ghost-protocol-URATU
* ghost-protocol-VGTLS
* ghost-protocol-W0LFKO
* ghost-protocol-Wangz
* ghost-protocol-Wh0vt
* ghost-protocol-Winds
* ghost-protocol-World
* ghost-protocol-X6M9K
* ghost-protocol-X6RAT
* ghost-protocol-XDAPR
* ghost-protocol-Xiaoq
* ghost-protocol-Xjjhj
* ghost-protocol-YANGZ
* ghost-protocol-YinLe
* ghost-protocol-ag0ft
* ghost-protocol-apach
* ghost-protocol-attac
* ghost-protocol-cb1st
* ghost-protocol-chevr
* ghost-protocol-cyl22
* ghost-protocol-https
* ghost-protocol-httpx
* ghost-protocol-kaGni
* ghost-protocol-light
* ghost-protocol-lvxYT
* ghost-protocol-v2010
* ghost-protocol-wcker
* ghost-protocol-whmhl
* ghost-protocol-wings
* ghost-protocol-xhjyk
* ghost-protocol-xqwf7

HUNTING VALUES
None
Medium: packet
Tags: featured, threat, attack phase, command and control, malware, remote access trojans

glass_rat (parser: glass_rat)
Detects the network communication used by the GlassRAT Trojan
identified by RSA Research.

Additional details can be found here:

https://blogs.rsa.com/peering-into-glassrat/


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
None

KEYS
* alert.id - mapped to risk meta

RISK VALUES

suspicious
* glass rat c2 handshake beacon
* glass rat c2 handshake connection

HUNTING VALUES
None
Medium: packet
Tags: featured, threat, attack phase, command and control, malware, remote access trojans

gnutella_lua (parser: gnutella)
Identifies the Gnutella file sharing protocol.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* GNUTELLA

KEYS
* action - gnutella command: 'connect', 'get'
* service - '6346'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, protocol analysis

HTML_threat (parser: HTML_threat)
Detects common HTML threat techniques such as hidden frames
and embedded objects.


DEPENDENCIES
Parsers
* FeedParser
* HTTP_lua
* NETWORK
* nwll
Feeds
* investigation

CONFLICTS
Parsers
* HTML_Threat_Analysis
* exploit_web_pages

KEYS
* alert.id - mapped to risk meta
* alias.host - host from external or hidden iframe reference if hostname
* alias.ip - host from external or hidden iframe reference if IPv4
* alias.ipv6 - host from external or hidden iframe reference if IPv6
* directory - directory from external or hidden iframe reference
* eoc - service analysis
* extension - extension from external or hidden iframe reference
* filename - filename from external or hidden iframe reference

RISK VALUES

info
* embedded html applet
* embedded html applet with params
* embedded html codebase
* embedded html object
* iframe src cgi
* iframe src htm
* iframe src html

suspicious
* iframe embedded js
* iframe hidden values
* iframe inside hidden div
* iframe src php
* pdf inside hidden div

warning
* iframe src pdf

HUNTING VALUES

eoc
* html form external submission
* html hidden div
* html hidden post
* html hidden span
* html iframe external reference
Medium: packet
Tags: malware analysis, operations, event analysis, file analysis

htran_lua (parser: htran)
Identifies the error message generated by the htran redirection tool.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* htran

KEYS
* alert.id - mapped to risk meta

RISK VALUES

suspicious
* htran redirector

HUNTING VALUES
None
Medium: packet
Tags: threat, attack phase, action on objectives, malware

HTTP_lua (parser: http)
Extracts values from HTTP protocol request and response
headers.

Parses ICAP (HTTP) requests. If the parser detects that it is
seeing an ICAP session, then only the ICAP request stream is
parsed, which represents the original HTTP request or response
prior to any modification that may be performed by the ICAP server.

Performs HTTP header anomaly detection. Does not attempt to
detect risky HTML elements such as hidden iframes (that
functionality is performed by the parser 'HTML_threat').


DEPENDENCIES
Parsers
* FeedParser
* NETWORK
* nwll
Feeds
* investigation

CONFLICTS
Parsers
* Browser-Detect
* HTTP
* ICAP_HTTP
* NTLMSSP
* NTLMSSP_lua
* OS-Detect
* crafted_http_header
* http-flex
* http_connect
* http_error_codes
* http_header
* querystring-elements
* servers
* user-agent
* xfwdfor

KEYS
* action - request method ('get', 'post', et al)
* ad.computer.src - host credential from 'NTLMSSP' authorization
* ad.domain.src - domain credential from 'NTLMSSP' authorization
* ad.username.src - user credential from 'NTLMSSP' authorization
* alert.id - HTTP header anomalies
* alias.host - request 'HOST:' header
* alias.ip - request 'HOST:' header if IPv4
* alias.ipv6 - request 'HOST:' header if IPv6
* analysis.service - (optional) advanced http analysis characteristics
* attachment - filename submitted in a POST request
* client - request 'USER-AGENT:' header
* content - 'CONTENT-TYPE' header
* directory - request directory
* email - proxy client if email address
* error - response status code if not '2xx'
* extension - request filename extension
* filename - request filename
* http.request - (nonstandard) (optional) request header type
* http.response - (nonstandard) (optional) response header type
* ioc - (optional) indicators of compromise from advanced analysis
* language - languages from language headers
* orig_ip - IP address of proxy client
* password - password credential from 'Basic' authorization
* query - request querystring
* referer - request 'REFERER:' header
* req.uniq - (nonstandard) (optional) request header value
* resp.uniq - (nonstandard) (optional) response header value
* server - response 'SERVER:' header
* service - '80'
* url - (nonstandard) (optional) full request URL
* username - user credential from 'Basic' authorization

RISK VALUES

info
* http content-md5 overflow
* http contentdisposition with filename
* http direct to ip request
* http1.0 high header count
* http1.0 low header count
* http1.0 server location redirect
* http1.0 ssdp
* http1.0 uncommon keepalive header
* http1.0 unsupported cache header
* http1.0 unsupported connection header
* http1.0 unsupported cookie header
* http1.0 unsupported etag header
* http1.0 unsupported host header
* http1.0 unsupported max-forwards header
* http1.0 unsupported md5 header
* http1.0 unsupported options method
* http1.0 unsupported proxyauth header
* http1.0 unsupported proxyauthenticate header
* http1.0 unsupported range header
* http1.0 unsupported server reply
* http1.0 unsupported te header
* http1.0 unsupported transferencoding header
* http1.0 unsupported upgrade header
* http1.0 unsupported vary header
* http1.0 unsupported warning header
* http1.0 webdav
* http1.0 without referer header
* http1.0 without server header
* http1.0 without user-agent
* http1.1 high header count
* http1.1 low header count
* http1.1 server location redirect
* http1.1 ssdp
* http1.1 uncommon te header
* http1.1 uncommon upgrade header
* http1.1 webdav
* http1.1 without accept header
* http1.1 without connection header
* http1.1 without host header
* http1.1 without referer header
* http1.1 without server header
* http1.1 without user-agent header

suspicious
* http invalid transfer encoding

warning
* http large byte range

HUNTING VALUES

analysis.service
* Microsoft BITS
* Microsoft RPC over HTTP
* Microsoft SCCM
* Qualys Scan
* content-disposition filename contains null character
* direct to ip one char php
* host header contains port
* http connect
* http content header string concatenation
* http direct to ip request
* http explicit proxy request
* http four headers
* http four or less headers
* http get no post
* http get no post with content-length
* http host header is an integer
* http invalid allow methods
* http java 1.3
* http java 1.4
* http java 1.5
* http java 1.6
* http java 1.7
* http java 1.8
* http long query
* http long user-agent
* http max length user-agent
* http mid length user-agent
* http misspelled referer
* http misspelled user-agent
* http netbox server
* http no referer
* http no user-agent
* http nonstandard mozilla
* http not good mozilla
* http possible exploitkit
* http post and get
* http post no get
* http post no get low header count not flash
* http post no get missing content-length
* http post no get no referer
* http post no get no referer directtoip
* http post no get short filename suspicious extension
* http post no get short user-agent
* http query with base64
* http request path host header mismatch
* http response filename
* http response filename attachment
* http response filename bin
* http response filename exe
* http response filename inline
* http short user-agent
* http short user-agent ie
* http single request
* http single response
* http six or less headers
* http suspicious 4 headers
* http suspicious 6 headers
* http suspicious connect
* http suspicious no cookie
* http suspicious user-agent
* http three headers
* http two headers
* http uncommon origin schema
* http webshell
* http webshell error
* http webshell no error
* http wget direct to ip
* http with base64
* http with binary
* watchlist file extension
* watchlist file fingerprint
* websocket

ioc
* Crimeware Black Hole Exploit Kit
* Crimeware Zeus
* Crimeware Zeus Knownbad
* Known Bad File Name
* Known Bad UA CredentialLeak
* Known Bad UA IE6Beta
* Known Bad UA UPSPhishing
* Trojan/Napolor
* Xtreme RAT
* apache struts CVE-2017-12611 attempt
* apache struts exploit attempt
* apt ActiveMonk UA
* apt Deep Panda C2
* apt Foxy RAT
* apt Lurid RAT
* apt MiniASP
* apt NFlog Rat
* apt NetTraveler RAT
* apt PNG Rat
* apt PhotoASP RAT
* apt Sykipot Rat
* apt WebC2 CS
* apt ZipToken UA Post
* emissary malware
* http tunnel rat
* java exe
* java pdf
* malware sinkhole
* possible malware user-agent
* possible redkit
Medium: packet
Tags: featured, operations, event analysis, protocol analysis

HTTP_lua Options (parser: HTTP_lua_options)
Optional parameters to alter the behavior of the HTTP_lua parser.
Medium: packet
Tags: event analysis, operations, protocol analysis

HTTP_SQL_Injection (parser: http_sql_injection)
Detect possible injection of SQL commands in HTTP requests.

The goal of this parser is to indicate the possibility that an HTTP
request contains SQL statements.

It is not the goal of this parser to make a definitive determination
that any specific HTTP request does as a matter of fact contain SQL
statements. Nor does it extrapolate the functionality of any such SQL
statements, nor make any claims as to their purpose (legitimate or
nefarious). Thus, the parser simply indicates that further analysis
may be warranted.


DEPENDENCIES
Parsers
* FeedParser
* Form_Data_lua
* HTTP_lua
Feeds
* investigation

CONFLICTS
Parsers
* http_sql_injection

KEYS
* alert.id - mapped to risk meta

RISK VALUES

suspicious
* possible sql injection

HUNTING VALUES
None
Medium: packet
Tags: threat, attack phase, action on objectives

ICMP (parser: icmp)
Provides types and codes from ICMP packets.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* IR_1_ICMP

KEYS
* action - icmp type
* analysis.session - other icmp characteristics
* error - icmp code

RISK VALUES
None

HUNTING VALUES

analysis.session
* large icmp request frame
* large icmp response frame
* reserved icmp type
Medium: packet
Tags: protocol analysis, operations, event analysis

IDN_homograph (parser: idn_homograph)
Detects punycode-encoded internationalized domain names which
use non-Latin Unicode code points whose glyphs resemble those
of Latin Unicode code points.

Registers the decoded homograph as analysis.service meta.
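The detection the two paragraphs above describe, as an added Python example that is not the parser's Lua source: each xn-- label is punycode-decoded, and if every non-ASCII code point in it is a known look-alike of a Latin letter, the label is folded back to the ASCII host it imitates and registered as analysis.service alongside the ioc value. The confusables table here is a small illustrative subset chosen for the example, not the table the parser ships with.

```python
"""Detect a punycode homograph the way IDN_homograph describes: decode each
xn-- label, and if every non-ASCII code point is a known look-alike of a Latin
letter, fold the label back to the ASCII host it imitates. Added example; the
confusables table is an illustrative subset, not the parser's table."""

# Illustrative subset of Unicode confusables: Cyrillic and Greek glyphs that
# render like Latin letters (the real parser's table is larger).
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w", "\u04cf": "l",
    "\u03bf": "o", "\u03bd": "v",
}

NOT_HOMOGRAPH = {"homograph": False, "masquerades_as": None}


def analyze_host(host: str) -> dict:
    """Return whether `host` is a homograph and, if so, the ASCII host it masquerades as."""
    labels, saw_confusable = [], False
    for label in host.lower().split("."):
        if not label.startswith("xn--"):
            labels.append(label)            # plain ASCII label, nothing to decode
            continue
        try:
            uni = label[4:].encode("ascii").decode("punycode")
        except ValueError:                  # UnicodeError is a ValueError: not valid punycode
            return dict(NOT_HOMOGRAPH)
        for ch in uni:
            if ord(ch) > 0x7F and ch not in CONFUSABLE_TO_LATIN:
                return dict(NOT_HOMOGRAPH)  # genuinely non-Latin label (e.g. a Cyrillic word)
        saw_confusable |= any(ord(ch) > 0x7F for ch in uni)
        labels.append("".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in uni))
    if not saw_confusable:
        return dict(NOT_HOMOGRAPH)
    return {"homograph": True, "masquerades_as": ".".join(labels)}


def idn_meta(host: str) -> dict:
    """Meta the parser would register for one host; empty when nothing fires."""
    result = analyze_host(host)
    if not result["homograph"]:
        return {}
    return {"ioc": ["homograph detected"], "analysis.service": [result["masquerades_as"]]}
```

The "genuinely non-Latin" early return is what keeps a real Cyrillic or Greek domain from being flagged: only a label whose every non-ASCII character has a Latin twin is treated as masquerading. A label that mixes scripts without any confusable (for example an accented Latin name) is likewise left alone.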


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
None

KEYS
* analysis.service - host as which the homograph is masquerading
* ioc - indicators of compromise

RISK VALUES
None

HUNTING VALUES

ioc
* homograph detected
Medium: packet
Tags: featured, operations, event analysis, protocol analysis

IMAP_lua (parser: imap)
Identifies IMAP, registers commands, errors, usernames, and passwords.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* IMAP
* IMAP-flex

KEYS
* action - IMAP command issued
* error - IMAP error
* password - password credential provided to server
* service - '143'
* username - user credential provided to server

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

IRC_verbose_lua (parser: irc_verbose)
Expanded IRC parsing.


DEPENDENCIES
Parsers
* NETWORK
* nwll

CONFLICTS
Parsers
* IRC
* irc-expanded

KEYS
* action - IRC command
* alias.host - target host of IRC command, if name
* alias.ip - target host of IRC command, if IPv4
* alias.ipv6 - target host of IRC command, if IPv6
* group - target channel of IRC command
* message - message sent or received
* password - password credential provided to server
* service - '6667'
* subject - text of topic command
* username - username credential provided to server

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

ISAKMP (parser: isakmp)
Identifies ISAKMP.

For IKE type 132 (fragment) payloads, an alert is registered
if the length field is less than 8, which indicates an attempt
to exploit Cisco ASA Buffer Overflow CVE-2016-1287.

ISAKMP sessions on ports other than UDP 500 or 4500 will not
be parsed.
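The two conditions above (UDP 500/4500 only, and a type 132 fragment payload whose length field is below 8) as an added Python detector over constructed datagrams. This is not the parser's Lua source and contains no exploit; it walks the ISAKMP payload chain and emits the risk.warning value listed below when the length check fails. The NAT-T handling assumes the RFC 3948 four-byte non-ESP marker on port 4500.

```python
"""Walk the ISAKMP payload chain of one datagram and fire the check the isakmp
parser describes for CVE-2016-1287: an IKE fragment payload (type 132) whose
length field is below 8. Added example with constructed datagrams; this is a
detector only, not the parser's Lua source and not an exploit."""
import struct

ISAKMP_HEADER_LEN = 28      # SPIs (8+8), next payload, version, exchange, flags, msg id (4), length (4)
GENERIC_HDR_LEN = 4         # next payload (1), reserved (1), payload length (2)
PAYLOAD_FRAGMENT = 132      # Cisco IKE fragmentation payload type
ISAKMP_PORTS = {500, 4500}
MIN_FRAGMENT_LEN = 8        # a declared length below this is the alert condition


def isakmp_alerts(udp_payload: bytes, dst_port: int) -> list:
    """Return the risk meta for one datagram; [] if the parser would stay silent."""
    if dst_port not in ISAKMP_PORTS:
        return []                           # parser ignores other ports
    if dst_port == 4500:
        # NAT-T (RFC 3948): IKE packets carry a 4-byte zero "non-ESP marker" first
        if udp_payload[:4] != b"\x00\x00\x00\x00":
            return []                       # UDP-encapsulated ESP, not IKE
        udp_payload = udp_payload[4:]
    if len(udp_payload) < ISAKMP_HEADER_LEN:
        return []
    next_payload = udp_payload[16]
    pos = ISAKMP_HEADER_LEN
    alerts = []
    while next_payload != 0 and pos + GENERIC_HDR_LEN <= len(udp_payload):
        ptype = next_payload
        next_payload, _reserved, plen = struct.unpack_from(">BBH", udp_payload, pos)
        if ptype == PAYLOAD_FRAGMENT and plen < MIN_FRAGMENT_LEN:
            alerts.append("isakmp buffer overflow")     # risk.warning value from the page
            break
        if plen < GENERIC_HDR_LEN:
            break                                       # malformed chain; stop rather than loop
        pos += plen
    return alerts


def build_isakmp(payloads) -> bytes:
    """Constructed IKEv1 datagram: fixed header followed by (type, declared length, body) payloads."""
    types = [t for t, _, _ in payloads] + [0]   # 0 = no next payload
    body = b"".join(struct.pack(">BBH", types[i + 1], 0, plen) + pbody
                    for i, (_, plen, pbody) in enumerate(payloads))
    header = struct.pack(">8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, types[0],
                         0x10, 2, 0, 0, ISAKMP_HEADER_LEN + len(body))
    return header + body


# Constructed samples: a well-formed fragment (id 1, number 1, 4 data bytes) and a truncated one.
GOOD_FRAGMENT = build_isakmp([(PAYLOAD_FRAGMENT, 12, b"\x00\x01\x01\x00ABCD")])
BAD_FRAGMENT = build_isakmp([(PAYLOAD_FRAGMENT, 4, b"")])
```

The walk trusts the declared payload lengths only far enough to move to the next payload; a length below the generic header size ends the walk instead of advancing by zero, which is the kind of guard a parser needs before it dereferences anything based on an attacker-controlled length field.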


DEPENDENCIES
Parsers
* FeedParser
* NETWORK
Feeds
* investigation

CONFLICTS
None

KEYS
* alert.id - mapped to risk meta
* service - '500'

RISK VALUES

warning
* isakmp buffer overflow

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

iSCSI (parser: iscsi)
Identifies SCSI-over-IP.

Performs identification only. No meta is extracted.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* iscsi

KEYS
* service - '3260'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

JSON-RPC (parser: JSON-RPC)
Identifies JSON-RPC 2.0 streams.

Will not identify JSON-RPC 1.0 streams. May not identify JSON-RPC over transports such as HTTP.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
None

KEYS
* ioc - indicators of compromise
* service - '49152'

RISK VALUES
None

HUNTING VALUES

ioc
* monero mining
Medium: packet
Tags: operations, event analysis, protocol analysis, threat, attack phase

Kerberos (parser: kerberos)
Extracts meta from the Kerberos network protocol.

Does not parse Kerberos authentication as utilized by other protocols.


DEPENDENCIES
Parsers
* NETWORK
* nwll

CONFLICTS
None

KEYS
* action - Kerberos commands
* ad.computer.dst - host to which user is attempting authentication
* ad.computer.src - client source host
* ad.domain.dst - domain to which user is attempting authentication
* ad.domain.src - client source domain
* ad.username.dst - user as which actions are performed
* ad.username.src - client user
* crypto - Kerberos cryptography suite used for session
* error - Kerberos errors
* service - '88'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis, identity, authentication

LDAP (parser: ldap)
Lightweight Directory Access Protocol, and extensions.

Only LDAP sessions on port 389 or port 636 will be parsed by default.
The list of ports for which to parse LDAP sessions may be modified
with the "LDAP Ports" option.

Only LDAP requests are parsed by default.

Some vendor-specific LDAP extensions such as Active Directory are not
parsed. However, values from unparsed operations will be registered
if the option "Register All Values" is enabled. Note that enabling
this option is not advised.


DEPENDENCIES
Parsers
* NETWORK
* nwll

CONFLICTS
None

KEYS
* action - LDAP protocol operation
* error - LDAP error response messages sent by a server to a client
* ldap - (optional) (nonstandard) uninterpreted LDAP values
* ldap.query - (nonstandard) search criteria from an LDAP search
* ldap.response - (nonstandard) results from an LDAP search
* password - if simple authentication, password used to authenticate to the LDAP server
* service - '389'
* username - name used to authenticate to the LDAP server

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis, identity, authentication

LDAP Options (parser: LDAP_options)
Optional parameters to alter the behavior of the LDAP parser.
Medium: packet
Tags: operations, event analysis, protocol analysis, identity, authentication

Lync (parser: lync)
Identifies Microsoft Lync (formerly Microsoft Office Communicator,
Windows Messenger).

Performs identification only. No meta is extracted or registered.

Only encrypted / TLS Lync sessions on port 5061 are supported.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
None

KEYS
* service - '5061'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, application analysis

MAIL_lua (parser: mail)
Extracts values from email messages such as email addresses,
subject, and client.

Parsing of an Internet Message Format message (RFC 5322) is
independent of the transport of the message (SMTP, POP, IMAP,
LMTP, etc.). Think of the relationship as that between HTML
and HTTP - this parses the equivalent of HTML, not HTTP.

Meta "content" of an attachment is the literal value of the
Content-Type: header, which is easily forged. Do not consider
content meta as any more authoritative than you would a filename
extension.


DEPENDENCIES
Parsers
* FeedParser
* nwll
Feeds
* investigation

CONFLICTS
Parsers
* MAIL
* MAIL-flex
* email-ip

KEYS
* action - mail action performed: 'sendfrom', 'sendto', 'attach'
* alert.id - mapped to risk meta
* alias.host - hostname values from x-originating-ip headers, received headers, and (optional) email addresses
* alias.ip - ipv4 values from x-originating-ip headers, received headers, and (optional) email addresses
* alias.ipv6 - ipv6 values from x-originating-ip headers, received headers, and (optional) email addresses
* analysis.service - characteristics of email messages
* attachment - filenames of email attachments
* client - values from x-mailer: headers
* content - 'mail', value of Content-Type headers within messages
* email - email address found within messages
* email.dst - (optional) message recipients
* email.src - (optional) message originators
* extension - extension from filenames of email attachments
* fullname - comment portion of addresses, typically a name
* ioc - indicators of compromise
* subject - values from subject: headers

RISK VALUES

info
* email missing recipients
* email recipients cc/bcc only

suspicious
* email address domain is an IP
* received header IP mismatch
* received header hostname mismatch

HUNTING VALUES

analysis.service
* base64 email attachment
* express x-mailer
* inbound email
* interesting email
* subject phish
* uncommon mail source

ioc
* Elderwood XMailer Artifact
Medium: packet
Tags: featured, operations, event analysis, application analysis

MAIL_lua Options (parser: MAIL_lua_options)
Optional parameters to alter the behavior of the MAIL_lua parser.
Medium: packet
Tags: event analysis, operations, protocol analysis

Mitozhan (parser: mitozhan)
Detects Mitozhan malware command and control.

See the RSA FirstWatch paper "Terracotta VPN"


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
None

KEYS
* alert.id - mapped to risk meta

RISK VALUES

warning
* mitozhan connection string

HUNTING VALUES
None
Medium: packet
Tags: threat, attack phase, command and control, malware, remote access trojans

modbus (parser: modbus)
Identifies MODBUS TCP/IP, extracts commands, errors, and device
identifications.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* modbus-w_port

KEYS
* action - MODBUS protocol function
* device.type - device identification
* error - MODBUS error responses
* service - '502'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

MSU_rat (parser: MSU_rat)
Detects MSU RAT activity.

Detects direct-to-IP version. Does not detect HTTP version.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
None

KEYS
* alert.id - mapped to risk meta
* crypto - XOR key
* ioc - ir alerts

RISK VALUES

warning
* MSU RAT activity

HUNTING VALUES

ioc
* apt MSU RAT
Medium: packet
Tags: threat, attack phase, command and control, malware, remote access trojans

NetBIOS_lua (parser: NetBIOS)
NetBIOS over TCP/IP: NBNS, NBDS, NBSS.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* NETBIOS

KEYS
* action - opcode value from NBNS
* alias.host - server host if name
* alias.ip - server host if IPv4
* alias.ipv6 - server host if IPv6
* service - '137' (NBNS), '138' (NBDS), '139' (NBSS)

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis, identity, authentication

NFS_lua (parser: nfs)
Identifies and parses RPC-related protocols NFS, MOUNT, and PORTMAP.

It is critical to the proper parsing of NFS that both sides of the
session be seen by the decoder.

Although PORTMAP and MOUNT occur in a session other than the NFS
request/response session, they will also be identified as NFS.

Values for "action" and "error" directly reflect the name of the
procedure, operation, or error from the relevant RFC. No attempt at
interpretation has been made.

Support for NFSv4 is limited. It will be identified, and most actions
and error codes should be extracted.


DEPENDENCIES
Parsers
* NETWORK
* nwll

CONFLICTS
Parsers
* NFS
* nfs-flex
* sunrpc

KEYS
* action - NFS command
* alias.host - target host of NFS command if name
* alias.ip - target host of NFS command if IPv4
* alias.ipv6 - target host of NFS command if IPv6
* directory - target directory of NFS command
* error - NFS errors
* extension - filename extension
* filename - target file of NFS command
* service - '2049'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

NTLMSSP_lua (parser: ntlmssp)
Extracts Active Directory user information from NTLM HTTP headers from
proxy authorization.

This parser is not needed if using HTTP_lua. Enabling this parser in
addition to HTTP_lua will result in duplicate meta.


DEPENDENCIES
None

CONFLICTS
Parsers
* HTTP_lua
* NTLMSSP

KEYS
* ad.computer.src - host credential provided to server
* ad.domain.src - domain credential provided to server
* ad.username.src - user credential provided to server

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis, identity, authentication

ntp_lua (parser: ntp)
Identifies Network Time Protocol.

Performs identification only. No meta is extracted.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* NTP

KEYS
* service - '123'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

nwll (parser: nwll)
Commonly used parser functions in lua.

This file itself is not a parser.


DEPENDENCIES
None

CONFLICTS
None

KEYS
None
Medium: packet

OCSP_lua (parser: ocsp)
Extracts certificate information and status from OCSP messages. In
case of a revoked status, risk.suspicious "revoked certificate" will
be registered.

Registers the serial number from OCSP request and response messages.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* OCSP

KEYS
* alert.id - mapped to risk meta
* ssl.serial - (nonstandard) serial number of the target certificate

RISK VALUES

suspicious
* revoked certificate

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, protocol analysis

Packers (parser: packers)
Detects specific packer used to pack executables.

By itself the use of any particular packer is not necessarily
suspicious. These alerts are most useful when used in conjunction
with other alerts and information.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* malware_packers_anskyapolybox1
* malware_packers_anskyapolybox3
* malware_packers_antireverse
* malware_packers_armadillo1
* malware_packers_armadillo2
* malware_packers_armadillo3
* malware_packers_armadillo4
* malware_packers_aspack1
* malware_packers_aspack2
* malware_packers_aspack3
* malware_packers_aspack4
* malware_packers_aspack5
* malware_packers_asprotect
* malware_packers_cryptx1
* malware_packers_cryptx2
* malware_packers_cryptx3
* malware_packers_dotfx
* malware_packers_enigma1
* malware_packers_enigma2
* malware_packers_enigma3
* malware_packers_exestealth
* malware_packers_expressor
* malware_packers_fsg
* malware_packers_hmimys
* malware_packers_hying
* malware_packers_lamecryp
* malware_packers_mew
* malware_packers_morphine
* malware_packers_morphine2
* malware_packers_morphna1
* malware_packers_morphna2
* malware_packers_mpack
* malware_packers_mzcrypt
* malware_packers_nspack
* malware_packers_nspack2
* malware_packers_packman
* malware_packers_pearmor
* malware_packers_pecompact
* malware_packers_pecompact2
* malware_packers_pelock
* malware_packers_poherna1
* malware_packers_poherna3
* malware_packers_poherna4
* malware_packers_upack
* malware_packers_upx
* malware_packers_windir

KEYS
* alert.id - mapped to risk meta

RISK VALUES

info
* packer upx

suspicious
* packer anskyapolybox
* packer antireverse
* packer armadillo
* packer aspack
* packer asprotect
* packer cryptx
* packer dotfx
* packer enigma
* packer exestealth
* packer expressor
* packer fsg
* packer hmimys
* packer hying
* packer lamecryp
* packer mew
* packer morphine
* packer morphna
* packer mpack
* packer mzcrypt
* packer nspack
* packer packman
* packer pearmor
* packer pecompact
* packer pelock
* packer poherna
* packer upack
* packer windir

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, file analysis, threat, malware

phishing_lua (parser: phishing)
Registers the host portion from each URL found within an email.

Optionally alerts if there is an inconsistency of URLs found within an
HREF.

Optionally registers the entire URL.

This parser does not identify email sessions. It relies on other
parsers having previously identified sessions containing email.

The host portion from each URL found within an email will be
registered as appropriate (alias.host, alias.ip, or alias.ipv6) so
that it can be matched against feeds.

Optionally, the domain portions from all URLs found within an HREF
will be compared for consistency. For example:

<a href="http://www.badguys.com">http://www.goodguys.com</a>

<a href="http://www.badguys.com">
<img src="http://www.goodguys.com"/>
</a>

Proofpoint URL Defense:

Values are extracted from the encoded url. E.g.,

urldefense.proofpoint.com/v2/url?u=3Dhttp-3A__example.com_

will result in meta alias.host: example.com

The proofpoint host itself is whitelisted from consistency checks,
but the host from the encoded url is still used for consistency
checking.
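The host registration, the HREF consistency check and the Proofpoint URL Defense unwrapping described above, as an added Python example over a constructed quoted-printable HTML part. This is not the parser's Lua source: it compares whole hostnames rather than the "domain portion" the parser uses, and the v2 unwrapping follows the publicly documented scheme (underscore for slash, hyphen for percent, then URL-unquote). The sample message, including the badguys/goodguys anchor and the urldefense link from the text above, is constructed for the example.

```python
"""Register the hosts from URLs inside an email body and run the href
consistency check that phishing_lua describes, including unwrapping
Proofpoint URL Defense v2 links. Added example over a constructed message;
not the parser's Lua source, and the matching is simplified to whole hosts."""
import html
import ipaddress
import quopri
import re
from urllib.parse import parse_qs, unquote, urlsplit

ANCHOR_RE = re.compile(r'<a\s[^>]*?href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)
PROOFPOINT_HOST = "urldefense.proofpoint.com"


def decode_proofpoint_v2(url: str) -> str:
    """Unwrap urldefense.proofpoint.com/v2/url?u=<encoded>; other URLs pass through.
    v2 encoding replaces '/' with '_' and '%' with '-', so reverse that and unquote."""
    parts = urlsplit(url)
    if parts.hostname != PROOFPOINT_HOST:
        return url
    encoded = parse_qs(parts.query).get("u", [""])[0]
    if not encoded:
        return url
    return unquote(encoded.translate(str.maketrans("-_", "%/")))


def host_of(url: str):
    """Hostname of a URL after any URL Defense unwrapping (None if unparseable)."""
    host = urlsplit(decode_proofpoint_v2(url)).hostname
    return host.lower() if host else None


def alias_key(host: str) -> str:
    """Pick alias.host / alias.ip / alias.ipv6 the way the parser registers hosts."""
    try:
        return "alias.ipv6" if ipaddress.ip_address(host).version == 6 else "alias.ip"
    except ValueError:
        return "alias.host"


def phishing_meta(qp_html_body: str) -> dict:
    """Meta for one quoted-printable HTML mail part: alias.* hosts and the mismatch alert."""
    meta = {"alias.host": set(), "alias.ip": set(), "alias.ipv6": set(), "risk.warning": set()}
    text = html.unescape(quopri.decodestring(qp_html_body.encode()).decode("utf-8", "replace"))
    for url in URL_RE.findall(text):
        host = host_of(url)
        if host:
            meta[alias_key(host)].add(host)
    for href, inner in ANCHOR_RE.findall(text):
        target = host_of(href)
        shown = {host_of(u) for u in URL_RE.findall(inner)} - {None}
        # the proofpoint host itself is never compared; the host it wraps is
        if target and any(s != target for s in shown):
            meta["risk.warning"].add("href host doesn't match displayed host")
    return meta


# Constructed sample HTML part, quoted-printable as it appears on the wire
# (the '=3D' is the QP encoding of '=', as in the urldefense example above).
SAMPLE_BODY = (
    "<p>Your mailbox is almost full.</p>\n"
    '<a href=3D"http://www.badguys.com/login">http://www.goodguys.com</a>\n'
    '<a href=3D"https://urldefense.proofpoint.com/v2/url?u=3Dhttp-3A__example.com_">\n'
    '<img src=3D"http://example.com/logo.png"/></a>\n'
    '<a href=3D"http://203.0.113.5/x.php">Click here</a>\n'
)

if __name__ == "__main__":
    print(phishing_meta(SAMPLE_BODY))
```

Two points the constructed message exercises: the urldefense host never reaches alias.host because the wrapped host is registered in its place, and an anchor whose visible text carries no URL ("Click here") produces no mismatch alert, since there is no displayed host to compare against.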


DEPENDENCIES
Parsers
* FeedParser
* MAIL_lua
* nwll
Feeds
* investigation

CONFLICTS
Parsers
* email_url_host
* phishing

KEYS
* alert.id - mapped to risk meta
* alias.host - hostnames from urls found within email messages
* alias.ip - ipv4 addresses from urls found within email messages
* alias.ipv6 - ipv6 addresses from urls found within email messages
* directory - (optional) directories from urls found within email messages
* extension - (optional) extensions from urls found within email messages
* filename - (optional) filenames from urls found within email messages
* query - (optional) querystrings from urls found within email messages
* url - (nonstandard) (optional) urls found within email messages

RISK VALUES

warning
* href host doesn't match displayed host

HUNTING VALUES
None
Medium: packet
Tags: featured, threat, attack phase, action on objectives

plugx (parser: plugx)
Detect PlugX malware.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* IR_2_APT_PlugX

KEYS
* ioc - indicators of compromise

RISK VALUES
None

HUNTING VALUES

ioc
* apt PlugX
* apt PlugX possible
Medium: packet
Tags: threat, attack phase, command and control, malware, remote access trojans

Poison_Ivy (parser: poison_ivy)
Detects Poison Ivy RAT activity.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
None

KEYS
* alert.id - mapped to risk meta
* ioc - indicators of compromise
* password - detected Poison Ivy password

RISK VALUES

warning
* poison ivy rat activity

HUNTING VALUES

ioc
* possible poison ivy beacon
* possible poison ivy handshake
Medium: packet
Tags: threat, attack phase, command and control, malware, remote access trojans

Parser: POP3_lua (pop)
Post Office Protocol version 3.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* POP3

KEYS
* action - POP command
* ad.computer.src - host credential if NTLMSSP
* ad.domain.src - domain credential if NTLMSSP
* ad.username.src - user credential if NTLMSSP
* error - POP error
* password - password credential provided to server
* service - '110'
* username - username credential provided to server

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

Parser: Proxy_Block_Page (proxy_block)
Parses proxy denied exception pages. Registers the url that was
requested and the reason for denial.

Blue Coat and Palo Alto are currently supported.

Extraction of 'username' is supported for Palo Alto only,
not Blue Coat.

Customized exception pages may not be detected and parsed.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
None

KEYS
* alert.id - mapped to risk meta
* alias.host - target host of page request if name
* alias.ip - target host of page request if IPv4
* alias.ipv6 - target host of page request if IPv6
* directory - target directory of page request
* extension - filename extension of page request
* filename - target file of page request
* query - querystring parameters of page request
* site.cat - categorization of site as reported by proxy
* url - (optional) (nonstandard) full url of page request
* username - user credential provided to proxy

RISK VALUES

info
* proxy denied

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis, assurance, compliance, corporate

Parser: pvid (pvid)
Detect PGV_PVID malware activity.


DEPENDENCIES
Parsers
* FeedParser
* HTTP_lua
Feeds
* investigation

CONFLICTS
None

KEYS
* ioc - indicators of compromise

RISK VALUES
None

HUNTING VALUES

ioc
* potential PGV_PVID malware activity
Medium: packet
Tags: threat, attack phase, command and control, malware, remote access trojans

Parser: pwdump (pwdump)
Detects output from Windows password dumping tools such as pwdump.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* encoded_hash

KEYS
* alert.id - mapped to risk meta
* crypto - xor key used to encode file

RISK VALUES

warning
* base64 encoded pwdump output
* plaintext pwdump output
* xor encoded pwdump output

HUNTING VALUES
None
Medium: packet
Tags: threat, attack phase, action on objectives

Parser: QQ_lua (qq)
Identifies QQ (OICQ protocol) sessions. Extracts the numeric QQ user id,
and login/logout events.

Individual QQ messages are encrypted; message content is not available.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* qq

KEYS
* action - QQ command
* service - '8000'
* username - user credential provided to server

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis, identity, authentication

Parser: radius (radius)
Remote Authentication Dial In User Service.

RADIUS sessions utilizing TCP or UDP ports 1645, 1646, 1812, or 1813
will be identified. RADIUS sessions utilizing other ports will not.

Meta will be registered for attribute types 1, 2, 8, and 31.

Attribute type 31 ("Calling Station ID") was historically a phone
number. In modern practice it is rarely one; it is more often a MAC
address or some other identifier. It is nonetheless registered under
the index key "phone".

Vendor-specific attributes (sub values of attribute type 26) are not
extracted nor registered.
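The attribute extraction described above, as an added example written for this page rather than taken from the parser: it walks the type/length/value attributes of a RADIUS packet and registers only types 1, 2, 8 and 31 under the keys listed below, skipping Vendor-Specific (26) and everything else. The page lists attribute type 2 as the password key; on the wire that attribute is not plaintext (RFC 2865 hides it with an MD5 keystream derived from the shared secret and the Request Authenticator), so the example goes beyond the page by also showing the reversal when the secret is known. The shared secret, authenticator and packet contents are constructed values.

```python
import hashlib
import ipaddress
import struct

CODES = {1: "access-request", 2: "access-accept", 3: "access-reject",
         4: "accounting-request", 5: "accounting-response", 11: "access-challenge"}
SECRET = b"testing123"       # shared secret, an assumed value for this example
AUTH = bytes(range(16))      # fixed Request Authenticator so the sample packet is reproducible


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\0" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; needs the shared secret and the request's Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0").decode("utf-8", "replace")


def build_packet(code, ident, authenticator, attrs):
    """Serialize a RADIUS packet: code, id, length, 16-byte authenticator, then type/len/value AVPs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def sample_access_request():
    """Constructed Access-Request carrying attribute types 1, 2, 8 and 31 plus an ignored VSA."""
    vsa = struct.pack("!I", 9) + b"\x01\x07hello"      # type 26: Vendor-Specific, not registered
    return build_packet(1, 7, AUTH, [
        (1, b"alice"),
        (2, hide_password("s3cr3t!", SECRET, AUTH)),
        (8, ipaddress.IPv4Address("10.1.2.3").packed),
        (31, b"00-11-22-33-44-55"),
        (26, vsa),
    ])


def parse_packet(data, secret=None):
    """Return the meta the page describes for one RADIUS packet (action/error, service,
    username, password, alias.ip, phone). Without the secret, password is the hidden bytes in hex."""
    code, _ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length")
    authenticator = data[4:20]
    meta = {"service": "1813" if code in (4, 5) else "1812"}
    meta["error" if code == 3 else "action"] = CODES.get(code, "code %d" % code)
    pos = 20
    while pos + 2 <= length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + alen]
        pos += alen
        if atype == 1:
            meta["username"] = value.decode("utf-8", "replace")
        elif atype == 2:
            meta["password"] = reveal_password(value, secret, authenticator) if secret else value.hex()
        elif atype == 8 and len(value) == 4:
            meta["alias.ip"] = str(ipaddress.IPv4Address(value))
        elif atype == 31:
            meta["phone"] = value.decode("utf-8", "replace")
        # type 26 (vendor-specific) and all other types are skipped, as the page states
    return meta
```

Without the secret the "password" value a Decoder registers is the hidden form, which is still worth retaining: replaying it against a known or guessed secret recovers the cleartext, which is exactly why RADIUS over an untrusted network segment is a problem.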


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
None

KEYS
* action - packet type for requests and non-rejection responses
* alias.ip - attribute type 8, 'Framed IP Address'
* error - packet type for rejection responses
* password - attribute type 2, 'Password'
* phone - attribute type 31, 'Calling Station ID'
* service - '1812' for RADIUS, '1813' for RADIUS-ACCOUNTING
* username - attribute type 1, 'User Name'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis, identity, authentication

Parser: RDP_lua (rdp)
Identifies the Microsoft Remote Desktop Protocol.

Identification plus the few values listed under KEYS (client name,
keyboard type and layout, and connection-type characteristics from the
connection setup). RDP is encrypted by default, so no other meta is
extracted.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* RDP

KEYS
* alias.host - client name
* analysis.service - RDP characteristics of interest
* language - keyboard type and layout
* service - '3389'

RISK VALUES
None

HUNTING VALUES

analysis.service
* AUTODETECT
* High-Speed Broadband
* LAN
* Low-Speed Broadband
* Modem
* Satellite
* WAN
Medium: packet
Tags: featured, operations, event analysis, protocol analysis

Parser: rekaf (rekaf)
Detects a variant of rekaf and derives the xor key (crypto) and name
of infected host.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
None

KEYS
* alias.host - name of infected host
* crypto - xor key
* ioc - indicators of compromise

RISK VALUES
None

HUNTING VALUES

ioc
* rekaf beacon
Medium: packet
Tags: threat, attack phase, command and control, malware

Parser: ripng_lua (ripng)
Identifies the RIP routing protocol.

RIPv1, RIPv2, and RIPng are supported.

Performs identification only - no meta other than service is registered.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* RIP
* ripng

KEYS
* service - '520'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, protocol analysis

Parser: rlogin (rlogin)
Identifies Remote Login protocol. Performs identification only,
no other meta is registered.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
None

KEYS
* service - '513'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

Parser: rsync (rsync)
Identifies the RSYNC network protocol.

Performs identification only. No meta is extracted.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
None

KEYS
* service - '873'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

Parser: rtmp_lua (rtmp)
Real Time Messaging Protocol.

Identifies RTMP (port 1935) and RTMPT (RTMP over HTTP).

For RTMPT, if the session has been identified as HTTP then content
meta "RTMPT" is registered, but service "80" is unmodified. If the
session has not been identified as HTTP then service "1935" will be
set for the session.

Will not identify RTMPS or RTMPE.


DEPENDENCIES
Parsers
* NETWORK
* nwll

CONFLICTS
Parsers
* RTMP

KEYS
* alias.host - target host of RTMP url if name
* alias.ip - target host of RTMP url if IPv4
* alias.ipv6 - target host of RTMP url if IPv6
* content - 'RTMPT' for RTMPT over HTTP
* directory - target directory of RTMP url
* extension - filename extension of RTMP url
* filename - target file of RTMP url
* query - querystring parameters of RTMP url
* service - '1935'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

Parser: RTSP (rtsp)
Identifies Real Time Streaming Protocol. Extracts RTSP request
method and host, path and file from request URI.


DEPENDENCIES
Parsers
* NETWORK
* nwll

CONFLICTS
None

KEYS
* action - RTSP request method
* alias.host - uri host, if hostname
* alias.ip - uri host, if IPv4
* alias.ipv6 - uri host, if IPv6
* directory - uri path
* extension - uri filename extension
* filename - uri filename
* query - uri querystring
* service - '554'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

Parser: SCCP_lua (sccp)
Cisco Skinny Client Control Protocol.

Only Skinny sessions utilizing tcp port 2000 will be identified
and parsed.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* SCCP

KEYS
* fullname - calling and called party names
* phone - calling and called party numbers
* service - '2000'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

Parser: Search_Engines (search_engines)
Extracts search terms from search engine queries.

Search terms cannot be extracted from SSL encrypted search engine
queries without some method of SSL decryption.

Supports Bing and Google.


DEPENDENCIES
Parsers
* HTTP_lua
* nwll

CONFLICTS
Parsers
* SearchEngines
* search_query

KEYS
* search.text - (nonstandard) search terms

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, application analysis

Parser: sekur (sekur)
Sekur binary protocol handshake.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
None

KEYS
* ioc - indicators of compromise

RISK VALUES
None

HUNTING VALUES

ioc
* sekur handshake
Medium: packet
Tags: threat, attack phase, command and control, malware, remote access trojans

Parser: session_analysis (session_analysis)
Analyzes session characteristics such as bytes transmitted vs bytes received, TCP flags seen, etc.


DEPENDENCIES
Parsers
* FeedParser
* NETWORK
* traffic_flow
Feeds
* investigation

CONFLICTS
Parsers
* tcp-flags
Feeds
* TCP Flags Seen

KEYS
* analysis.session - session characteristics
* boc - behavior of compromise
* ioc - indicator of compromise
* requestpayload - number of payload bytes in the request stream
* responsepayload - number of payload bytes in the response stream
* tcpflags - (optional) tcp flags seen anywhere in the session

RISK VALUES
None

HUNTING VALUES

analysis.session
* first carve
* first carve not dns
* first carve not top 20 dst
* high transmitted outbound
* icmp large session
* icmp tunnel
* inbound traffic
* long connection
* medium transmitted outbound
* outbound syslog
* potential beacon
* ratio high transmitted
* ratio low transmitted
* ratio medium transmitted
* response no payload
* session size 0-5k
* session size 10-50k
* session size 100-250k
* session size 5-10k
* session size 50-100k
* single sided tcp
* single sided udp
* suspicious other
* suspicious other bad org
* watchlist port
* zero payload

ioc
* Possible Poison Ivy
* binary handshake
* binary indicator
* possible zeroaccess p2p botnet

boc
* suspicious tcp beaconing
Medium: packet
Tags: operations, event analysis, protocol analysis

Parser: shadyrat_lua (shadyrat)
Identifies potential artifacts related to shadyrat command and
control traffic.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* shadyrat

KEYS
* alert.id - mapped to risk meta

RISK VALUES

suspicious
* shadyrat encoded command

HUNTING VALUES
None
Medium: packet
Tags: threat, attack phase, command and control, malware, remote access trojans

Parser: Signed_Executable (sigexe)
Extracts the Certificate Authority, Subject, and Serial Number from
the first x509v3 certificate in the certificate chain of a signed
executable.


DEPENDENCIES
Parsers
* FeedParser
* nwll
Feeds
* investigation

CONFLICTS
None

KEYS
* alert.id - mapped to risk meta
* filetype - 'signed executable'
* ssl.ca - certificate authority which signed the certificate
* ssl.serial - (nonstandard) certificate serial number
* ssl.subject - organization for whom the certificate was signed

RISK VALUES

suspicious
* SSL certificate missing Issuer Organizational Name
* SSL certificate missing Subject Organizational Name
* SSL certificate self-signed

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, file analysis

Parser: SIP_lua (sip)
Session Initiation Protocol (SIP).


DEPENDENCIES
Parsers
* NETWORK
* nwll

CONFLICTS
Parsers
* SIP

KEYS
* alias.host - target host if name
* alias.ip - target host if IPv4
* alias.ipv6 - target host if IPv6
* content - value of Content-Type header
* email - sender and recipient addresses
* email.dst - (optional) (nonstandard) recipient address
* email.src - (optional) (nonstandard) sender address
* error - SIP error response
* fullname - sender and recipient names
* service - '5060'
* username - address from SIP request

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

Parser: SMB_lua (smb)
Parses the Microsoft SMB/CIFS protocol, versions 1 and 2.

Version 1 of SMB/CIFS was used from Windows for Workgroups 3.11 through
Windows XP, and from Windows NT through Server 2003.

Version 2 of SMB/CIFS is used in Windows Vista, 7, and Server 2008.

Version 3 of SMB/CIFS is used in Windows 8 and Server 2012 and later.
This parser does not parse version 3.

It is absolutely vital to proper parsing of SMB that both sides of the
conversation be seen. If the response stream is not seen then
filenames and commands will still be registered, but no relationship
between them can be inferred. If the request stream is not seen then
commands and errors will be registered, but no filenames (filenames
generally appear only in the request stream).

Action meta is generally the SMB command issued by the client - not an
interpreted "meaning" of the command. For example, "create" is used
to open a file even if the file already exists. Thus action meta
"create" is registered rather than "open" - the existential status of
the file is not in the session, so no inference can be made. As
another example, "Tree Connect" is used to map/mount a network drive -
action meta "tree connect" is registered rather than "mount".

Likewise, error meta is the direct value of the status code from the
CIFS documentation, rather than an interpretation of what the error
might mean. For example, status code 0x0000010C will register error
meta "notify enum dir".

If there are network anomalies such as retransmissions and dropped
packets, then the accuracy of the order in which meta is registered
can't be guaranteed. All available actions, filenames, errors, etc.
will always be registered nonetheless, but not necessarily in the
proper order.

There will be redundant meta - probably lots of it. This is so that
the relationship between actions and files can easily be seen. For
example:

action: create
file: hello.txt
action: read
file: hello.txt
action: create
file: world.txt
action: read
file: world.txt

In the above example - action meta "create" is registered twice, as is
action meta "read". File meta "hello.txt" is registered twice, as is
file meta "world.txt". However, it is easy to see that "hello.txt"
was opened and read, then "world.txt" was opened and read.

The exception is UserID, which will only be registered if it changes
in the session. If the UID of a request is the same as the UID of the
previous request, it will not be registered.

Optionally, if registering redundant meta is problematic (such as many
sessions reaching Max Meta) the option "Register Redundant Meta" may
be disabled, in which case meta that has been registered once in a
session will not be registered again (see OPTIONS).


DEPENDENCIES
Parsers
* FeedParser
* NETWORK
* nwll
Feeds
* investigation

CONFLICTS
Parsers
* SMB
* smb-flex
* smb-id

KEYS
* action - SMB or DCERPC operation
* ad.computer.dst - target host of authentication
* ad.computer.src - source host of authenticated user
* ad.domain.dst - target domain of authentication
* ad.domain.src - source domain of authenticated user
* ad.username.dst - authenticated as user
* ad.username.src - authenticated user
* alert.id - mapped to risk meta
* alias.host - target host of operation if hostname
* alias.ip - target host of operation if IPv4
* alias.ipv6 - target host of operation if IPv6
* analysis.service - SMB characteristics of interest
* crypto - Kerberos crypto type used for authentication
* directory - path directory
* eoc - enablers of compromise
* error - error response from server
* extension - filename extension
* filename - target of file operation
* ioc - indicators of compromise
* password - password from Tree Connect operation
* service - '139'

RISK VALUES

info
* at service
* remote scheduled task
* remote service control

suspicious
* Invalid SMB command
* SMB session on non-SMB port

HUNTING VALUES

analysis.service
* named pipe
* smb at command

ioc
* psexec remote execution

eoc
* SMB v1 Request
* SMB v1 Response
Medium: packet
Tags: operations, event analysis, protocol analysis

Parser: SMTP_lua (smtp)
Parses the SMTP protocol (RFC 5321).

Does not parse the contents of email messages themselves. Email
messages are parsed by any of MAIL, MAIL_lua, or MAIL-flex.

Many MTAs put all sorts of badly formatted strings in greeting
banners. This will most likely manifest as alias.host meta that isn't
a hostname.


DEPENDENCIES
Parsers
* FeedParser
* NETWORK
* nwll
Feeds
* investigation

CONFLICTS
Parsers
* SMTP

KEYS
* action - SMTP command
* alert.id - mapped to risk meta
* alias.host - host from client or server greeting banner (if hostname)
* alias.ip - host from client or server greeting banner (if IPv4 address)
* alias.ipv6 - host from client or server greeting banner (if IPv6 address)
* email - address from MAIL FROM and RCPT TO request
* email.dst - address from RCPT TO, VRFY, and EXPN requests (optional)
* email.src - address from MAIL FROM request (optional)
* error - error code from SMTP responses
* service - '25'

RISK VALUES

suspicious
* smtp reverse path is null

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

Parser: SMTP_lua Options (SMTP_lua_options)
Optional parameters to alter the behavior of the SMTP_lua parser.
Medium: packet
Tags: operations, event analysis, protocol analysis

Parser: SNMP_lua (snmp)
Parses SNMP versions 1, 2c, 2p, 2u, and 3. However, SNMP versions
2p and 2u will not generate meta beyond identification.

SNMP v3 if encrypted will be identified but may not generate further
meta.

For "get" requests, OID is registered. For "set" requests, OID and
value are registered.

For SNMP responses and traps, neither OID nor value are registered in
order to avoid the registration of overwhelming amounts of meta.

If both options to register OIDs are disabled, then error meta will
also not be registered.


DEPENDENCIES
Parsers
* NETWORK
* nwll

CONFLICTS
None

KEYS
* action - SNMP PDU Operation type
* error - PDU error status if non-zero
* password - SNMP community string
* service - '161'
* snmp.oid - (nonstandard) SNMP Object Identifier
* snmp.value - (nonstandard) value from SNMP set requests

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

Parser: socks_lua (socks)
Identifies Socks protocol versions 4 and 5.

Service Type will be the tunnelled session, not SOCKS. Only if there
is no identifiable tunnelled service type will Service Type be SOCKS.

Meta for ip.dst is the Socks server, not the tunnelled destination.

Tunnelled destination is registered as alias.host, alias.ip, or
alias.ipv6 as appropriate.

For example, if a client is using a socks5 server at 1.2.3.4 to reach
an HTTP server at www.example.com:

ip.dst: 1.2.3.4
service: HTTP
alias.host: www.example.com
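The client side of the SOCKS5 exchange that produces the meta described above, as an added example that is not the parser's own code: it walks the greeting, an optional RFC 1929 username/password subnegotiation, and the request, and registers the tunnelled destination under alias.host, alias.ip or alias.ipv6 by address type. ip.dst (the SOCKS server) is not in the byte stream and so is not shown. The three sample client streams are constructed, and the key "tunnelled.port" is made up for the example. Because only the client stream is parsed, the presence of a version-1 subnegotiation message is taken to mean the server selected that method.

```python
import ipaddress
import struct

COMMANDS = {1: "connect", 2: "bind", 3: "udp associate"}

# Constructed client streams (greeting [+ auth] + request), no server bytes included.
SAMPLE_AUTH_CONNECT = (b"\x05\x02\x00\x02"                      # greeting: offers no-auth and user/pass
                       + b"\x01\x05alice\x06secret"             # RFC 1929: ver 1, "alice" / "secret"
                       + b"\x05\x01\x00\x03\x0fwww.example.com\x00\x50")   # CONNECT www.example.com:80
SAMPLE_NOAUTH_IPV4 = (b"\x05\x01\x00"                           # greeting: no-auth only
                      + b"\x05\x01\x00\x01\x0a\x00\x00\x05\x1f\x90")       # CONNECT 10.0.0.5:8080
SAMPLE_UDP_IPV6 = (b"\x05\x01\x00"
                   + b"\x05\x03\x00\x04" + ipaddress.IPv6Address("2001:db8::1").packed
                   + b"\x00\x35")                                # UDP ASSOCIATE [2001:db8::1]:53


def parse_socks5_client_stream(data):
    """Return action, username/password (if negotiated), service and the tunnelled
    destination keyed the way the page describes (alias.host / alias.ip / alias.ipv6)."""
    if len(data) < 3 or data[0] != 5:
        raise ValueError("not a SOCKS5 client greeting")
    meta = {"service": "1080"}
    nmethods = data[1]
    methods = data[2:2 + nmethods]
    pos = 2 + nmethods
    # Method 2 offered and the next message is version 1: username/password subnegotiation.
    if 2 in methods and pos < len(data) and data[pos] == 1:
        ulen = data[pos + 1]
        meta["username"] = data[pos + 2:pos + 2 + ulen].decode("utf-8", "replace")
        pos += 2 + ulen
        plen = data[pos]
        meta["password"] = data[pos + 1:pos + 1 + plen].decode("utf-8", "replace")
        pos += 1 + plen
    if len(data) < pos + 4:
        raise ValueError("truncated SOCKS5 request")
    ver, cmd, _reserved, atyp = data[pos:pos + 4]
    pos += 4
    if ver != 5:
        raise ValueError("expected SOCKS5 request")
    meta["action"] = COMMANDS.get(cmd, "unknown(%d)" % cmd)
    if atyp == 1:                                    # IPv4
        meta["alias.ip"] = str(ipaddress.IPv4Address(data[pos:pos + 4]))
        pos += 4
    elif atyp == 3:                                  # domain name, length-prefixed
        n = data[pos]
        meta["alias.host"] = data[pos + 1:pos + 1 + n].decode("ascii", "replace").lower()
        pos += 1 + n
    elif atyp == 4:                                  # IPv6
        meta["alias.ipv6"] = str(ipaddress.IPv6Address(data[pos:pos + 16]))
        pos += 16
    else:
        raise ValueError("unknown address type %d" % atyp)
    meta["tunnelled.port"] = struct.unpack("!H", data[pos:pos + 2])[0]   # key invented for the example
    return meta
```

Note that a SOCKS5 proxy that accepts username/password authentication sends those credentials in the clear, which is why the parser can register them as password and username meta.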


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* socks

KEYS
* action - SOCKS request: 'connect', 'bind', 'udp associate'
* alias.host - target host of SOCKS request, if name
* alias.ip - target host of SOCKS request, if IPv4
* alias.ipv6 - target host of SOCKS request, if IPv6
* password - password credential provided to SOCKS server
* service - '1080'
* username - user credential provided to SOCKS server

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

Parser: SoulSeek_lua (soulseek)
Identifies the SoulSeek file sharing protocol.

Performs identification only, no meta is extracted.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* SoulSeek

KEYS
* service - '2240'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, protocol analysis

Parser: spectrum_lua (spectrum)
Determines which sessions are sent to Malware Analysis, based upon
file types seen in the session, and total session size.


DEPENDENCIES
Parsers
* fingerprint_office_lua
* fingerprint_pdf_lua
* fingerprint_rar_lua
* fingerprint_rtf_lua
* fingerprint_zip
* windows_executable

CONFLICTS
Parsers
* spectrum
* spectrum11

KEYS
* content - 'spectrum.analyze'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: malware analysis, spectrum

Parser: SSH_lua (ssh)
Identifies SSH protocol. Registers client and server, and crypto used.

This parser does NOT perform any decryption of SSH sessions, nor does
it register any meta from within the encrypted portion of SSH sessions.

For protocol version 1 crypto meta is not registered.


DEPENDENCIES
Parsers
* FeedParser
* NETWORK
Feeds
* investigation

CONFLICTS
Parsers
* SSH

KEYS
* alert.id - mapped to risk meta
* client - SSH client software name
* crypto - cryptography suite used for encryption of the session
* server - SSH server software name
* service - '22'

RISK VALUES

info
* ssh protocol version 1

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

Parser: struts_exploit (struts_exploit)
Detects attempts to exploit Apache Struts vulnerabilities.


DEPENDENCIES
Feeds
None

CONFLICTS
None

KEYS
* action - injected command
* ioc - indicators of compromise

RISK VALUES
None

HUNTING VALUES

ioc
* apache struts CVE-2017-9805 attempt
Medium: packet
Tags: action on objectives, attack phase, threat

Parser: supercmd (supercmd)
Detects SuperCMD Trojan beaconing.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
None

KEYS
* alias.host - hostname of compromised host
* alias.ip - address of compromised host
* alias.mac - MAC address of compromised host
* ioc - indicators of compromise

RISK VALUES
None

HUNTING VALUES

ioc
* supercmd trojan beacon
Medium: packet
Tags: threat, attack phase, command and control, malware

Parser: TDS_lua (tds)
Identifies Microsoft SQL Server 'Tabular Data Stream' protocol.
Registers client actions and sql queries.

Only TDS sessions on port 1433 will be identified and parsed.

Only SQL queries and actions are registered - results are not.

No values are extracted from encrypted (SSL) messages.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* TDS

KEYS
* action - SQL command: 'bulk write', 'login', 'rpc request', or batch command performed
* service - '1433'
* sql - SQL query performed

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, protocol analysis

Parser: teredo (teredo)
Identifies teredo tunneled sessions. Performs identification only.
No meta is extracted.


DEPENDENCIES
Parsers
* NETWORK
Feeds
* investigation

CONFLICTS
None

KEYS
* analysis.session - teredo tunnel

HUNTING VALUES

analysis.session
* teredo tunnel
Medium: packet
Tags: operations, protocol analysis

Parser: TFTP_lua (tftp)
Identifies Trivial File Transfer Protocol, extracts names of files
transferred.

Identifies TFTP command sessions. Does not identify data sessions.

Only command sessions utilizing UDP destination port 69 will be
parsed (TFTP runs over UDP; the data transfer continues on ephemeral
ports and is not identified).


DEPENDENCIES
Parsers
* NETWORK
* nwll

CONFLICTS
Parsers
* TFTP

KEYS
* action - 'read', 'write'
* directory - target directory of TFTP command
* extension - filename extension of target filename
* filename - target filename of TFTP command
* service - '69'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

Parser: TLD_lua (tld)
Extracts the top level domain and second level domain portions from
hostnames.

This parser operates on meta alias.host as registered by other
parsers, as well as (optionally) domain.src and domain.dst as
registered by GeoIP.

If an alias.host value is an IP address, a risk.informational alert
is registered, and the value registered with the appropriate key
(e.g., "1.2.3.4" -> alias.ip).

If a hostname is invalid, an alert is registered. Hostnames which
begin with "*." are not considered invalid, since these are often
used as "common name" for SSL certificates.

Specifically,

Meta for "tld" will be the last tag (portion from the last
"." to the end).

Meta for "sld" will be the 2nd-to-last tag (portion between
the next-to-last "." to the last ".")

EXCEPTION: If the last tag is a ccTLD (e.g., "uk"), then:

If the FQDN consists of at least 4 tags, such as
"www.amazon.co.uk":

meta for "cctld" will be the last tag

meta for "tld" will be the combined 2nd-to-last and
last tag

meta for "sld" will be the 3rd-to-last tag

Otherwise ("www.amazon.de"):

meta for "cctld" will be the last tag

meta for "tld" will also be the last tag

meta for "sld" will be the 2nd-to-last tag

Examples:

www.amazon.com
sld: amazon
tld: com

www.amazon.co.uk
sld: amazon
tld: co.uk
cctld: uk

www.amazon.de
sld: amazon
tld: de
cctld: de

In each case, meta for sld is "amazon".

NOTE: Policy differences among registries regarding third level
domains are not taken into account; the only record of these is the
"Public Suffix List". Incorporating the Public Suffix List would
require the analyst to be familiar with every individual registry's
policy, whereas the rules above are consistent and easily applied to
queries.
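The tld/sld/cctld rules spelled out above, implemented as an added example (not the parser's own code) so that the edge cases can be checked directly: an IP address handed in as alias.host is re-registered under alias.ip or alias.ipv6 with an informational alert, an invalid hostname gets the "hostname invalid" value, a leading "*." is tolerated, and a three-tag name under a ccTLD such as amazon.co.uk comes out with sld "co", which is exactly the Public Suffix List limitation the NOTE concedes. The ccTLD set is an illustrative subset and the alert text for the IP case is assumed.

```python
import ipaddress
import re

# Illustrative subset of two-letter country-code TLDs; the real parser carries a full list
# (assumption for the example).
CCTLDS = {"uk", "de", "fr", "jp", "au", "cn", "br", "ru", "ca", "us"}
# One DNS label: 1-63 characters of letters, digits and hyphens, not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def split_hostname(host):
    """Return the meta the TLD rules on the page would register for one alias.host value."""
    host = host.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        pass
    else:   # an IP registered as a hostname: re-register under the right key and alert
        key = "alias.ipv6" if ip.version == 6 else "alias.ip"
        return {key: str(ip), "risk.informational": "ip address as hostname"}   # alert text assumed
    labels = host.split(".")
    to_check = labels[1:] if labels[0] == "*" else labels   # wildcard certificate CNs are allowed
    if len(labels) < 2 or not to_check or not all(LABEL_RE.match(l) for l in to_check):
        return {"risk.suspicious": "hostname invalid", "analysis.service": "hostname invalid"}
    meta = {}
    if labels[-1] in CCTLDS:
        meta["cctld"] = labels[-1]
        if len(labels) >= 4:              # www.amazon.co.uk -> tld co.uk, sld amazon
            meta["tld"] = ".".join(labels[-2:])
            meta["sld"] = labels[-3]
        else:                             # www.amazon.de -> tld de, sld amazon
            meta["tld"] = labels[-1]
            meta["sld"] = labels[-2]
    else:                                 # www.amazon.com -> tld com, sld amazon
        meta["tld"] = labels[-1]
        meta["sld"] = labels[-2]
    return meta
```

The four-tag rule is what makes the output predictable for queries (sld = 'amazon' for all three hosts on the page) but it also means bbc.co.uk and amazon.co.uk both register sld "co", so sld alone is not a safe pivot for short ccTLD names.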


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* TLD

KEYS
* alert.id - mapped to risk meta
* analysis.service - hostname characteristics
* cctld - (nonstandard) (optional) country-code top level domain, e.g., www.amazon.co.uk -> uk
* sld - (nonstandard) (optional) second level domain, e.g. www.amazon.co.uk -> amazon
* tld - top level domain, e.g. www.amazon.com -> com

RISK VALUES

suspicious
* hostname consecutive consonants
* hostname invalid

HUNTING VALUES

analysis.service
* hostname consecutive consonants
* hostname invalid
* suspiciously named domain
* tld not com net org
Medium: packet, log
Tags: featured, operations, event analysis, protocol analysis

Parser: TLD_lua Parser Options (TLD_lua_options)
Options file for the TLD_lua parser.
Medium: log, packet
Tags: event analysis, operations, protocol analysis

Parser: TLS_lua (tls)
Identifies SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.

Extracts the Certificate Authority, Subject, and Serial Number from
x509v3 certificates in SSL 3, TLS 1.0, TLS 1.1 and TLS 1.2 sessions.

Only the first certificate in a chain will generate ssl.subject and
alias.host (or alias.ip[v6]), since that is the certificate most
relevant to the host presenting the certificate.

Optionally, all certificates in a chain will generate ssl.serial
and/or ssl.ca. Otherwise, only the first certificate in a chain
will generate ssl.serial and/or ssl.ca.

The Organizational Name from the Issuer section is the Certificate
Authority, and is registered as meta "ssl.ca".

If the Issuer section is missing an Organizational Name, then the
Common Name from the Issuer section is registered as meta "ssl.ca"
and an alert is registered.

The Organization Name from the Subject section is registered as meta
"ssl.subject".

If the Subject section is missing an Organizational Name, then the
Common Name from the Subject section is registered as meta
"ssl.subject" and an alert is registered.

The Common Name from the Subject section is registered as meta
"alias.host", "alias.ip", or "alias.ipv6" as appropriate.

If there is only one certificate in a chain, then:

A) If ssl.ca and ssl.subject are the same, an alert is
registered for a self-signed certificate.

B) If ssl.ca and ssl.subject are NOT the same, an alert is
registered for an incomplete certificate chain.

SSL 3.0 is detected from either the record layer or server hello
version. This may result in an SSL 3.0 alert even if TLS is
subsequently used for the session.

SSL 2.0 is detected from the server handshake. If the response
stream of an SSL 2.0 session is not seen or the server does not
offer a certificate, then the session will not be identified as
SSL 2.0. If the server responds with SSL 3.0 or TLS, the session
will be identified as SSL, and an alert for SSL 2.0 will not be
registered (an alert for SSL 3.0 will still be registered as
appropriate).


DEPENDENCIES
Parsers
* FeedParser
* NETWORK
* nwll
Feeds
* investigation

CONFLICTS
Parsers
* HTTPS
* TLS-flex
* TLS_id
* TLSv1

KEYS
* alert.id - mapped to risk meta
* alias.host - common name from the subject section of a certificate, if hostname
* alias.ip - common name from the subject section of a certificate, if ipv4
* alias.ipv6 - common name from the subject section of a certificate, if ipv6
* analysis.service - TLS/SSL characteristics of interest
* crypto - ssl/tls version for the session, cipher suite used for encryption
* ioc - indicators of compromise
* service - '443'
* ssl.ca - organizational name (if present, otherwise common name) from the issuer section of a certificate
* ssl.common - (nonstandard) (optional) Issuer and Subject Common Names
* ssl.serial - (nonstandard) Certificate serial number
* ssl.subject - organizational name (if present, otherwise common name) from the subject section of a certificate

RISK VALUES

info
* openssl vulnerable to heartbleed

suspicious
* SSL certificate chain incomplete
* SSL certificate missing Issuer Organizational Name
* SSL certificate missing Subject Organizational Name
* SSL certificate self-signed
* ssl 2.0
* ssl 3.0

warning
* heartbleed data leak

HUNTING VALUES

analysis.service
* bad ssl

ioc
* Known Bad Self Signed Cert MyCompanyLtd
Medium: packet
Tags: operations, event analysis, protocol analysis

Parser: TN3270E_lua (tn3270e)
Identifies IBM TN3270E sessions.

Performs identification only. No other meta is extracted.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* tn3270e

KEYS
* service - '3270'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

Parser: Traffic Flow Options (traffic_flow_options)
Optionally download this parser with the traffic_flow LUA parser. Configure internal subnets as described within the full product documentation for this parser.
Medium: log, packet
Tags: event analysis, operations, protocol analysis

Parser: traffic_flow (traffic_flow)
Provides subnet names for internal networks, and directionality of
the session (inbound, outbound, lateral).

Addresses will be matched against the defined list of subnets. An
address not matched by any defined subnet will be named "other".

Meta for netname will be the name of the subnet followed by one of:

"src" - ip.src, ipv6.src
"dst" - ip.dst, ipv6.dst
"misc" - alias.ip, alias.ipv6, ip.orig, ipv6.orig
(legacy) orig_ip, ip.addr, ipv6.addr

Direction is determined from the subnet names for src and dst:

outbound - initiated by a matched host to an unmatched host
inbound - initiated by an unmatched host to a matched host
lateral - initiated by a matched host to a matched host

Additional netname meta will be registered for IPv4 broadcast
addresses.
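The netname and direction logic described above, as an added example written for this page (not the traffic_flow parser's code): addresses are matched against an operator-defined subnet list, unmatched ones become "other", netname values carry the src/dst/misc suffix, direction follows from the src and dst names, and an IPv4 broadcast destination gets an extra netname value. The subnet names and CIDRs are assumed configuration and the "broadcast dst" label is an assumption; a session whose endpoints are both "other" is given no direction because the page defines none.

```python
import ipaddress

# Internal subnets as an operator would define them in the traffic_flow options (assumed values).
SUBNETS = [("corp lan", "10.0.0.0/8"), ("dmz", "192.168.100.0/24"), ("corp v6", "2001:db8:1::/48")]
NETWORKS = [(name, ipaddress.ip_network(cidr)) for name, cidr in SUBNETS]
MISC_KEYS = ("alias.ip", "alias.ipv6", "ip.orig", "ipv6.orig")


def netname_for(addr):
    """Name of the first defined subnet containing addr, or 'other'."""
    ip = ipaddress.ip_address(addr)
    for name, net in NETWORKS:      # ip_network's __contains__ is False across IP versions
        if ip in net:
            return name
    return "other"


def is_ipv4_broadcast(addr):
    """Limited broadcast, or the directed broadcast of any defined IPv4 subnet."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return False
    if ip == ipaddress.IPv4Address("255.255.255.255"):
        return True
    return any(net.version == 4 and ip == net.broadcast_address for _, net in NETWORKS)


def classify_session(session):
    """session: dict of NetWitness-style meta. Returns netname and direction values."""
    src = session.get("ip.src") or session.get("ipv6.src")
    dst = session.get("ip.dst") or session.get("ipv6.dst")
    src_name, dst_name = netname_for(src), netname_for(dst)
    meta = {"netname": [src_name + " src", dst_name + " dst"], "direction": []}
    for key in MISC_KEYS:
        for addr in session.get(key, []):
            meta["netname"].append(netname_for(addr) + " misc")
    if is_ipv4_broadcast(dst):
        meta["netname"].append("broadcast dst")   # label assumed for the example
    if src_name != "other" and dst_name == "other":
        meta["direction"].append("outbound")
    elif src_name == "other" and dst_name != "other":
        meta["direction"].append("inbound")
    elif src_name != "other" and dst_name != "other":
        meta["direction"].append("lateral")
    return meta
```

The misc entries are what let a session be pivoted on the hosts it refers to (alias.ip from a SOCKS or HTTP parser, say) rather than only on its endpoints; a lateral session whose alias.ip is "other misc" is a proxy hop leaving the network.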


DEPENDENCIES
Parsers
* GeoIP
* NETWORK
Feeds
* investigation

CONFLICTS
None

KEYS
* analysis.session - session characteristics
* direction - 'inbound', 'outbound', or 'lateral'
* netname - name of source and destination subnet

HUNTING VALUES

analysis.session
* not top 20 dst
* watchlist dst
Medium: packet, log
Tags: event analysis, operations

Parser: vCard_lua (vcard_lua)
Extracts fullname and email values from vCard, xCard, jCard, and
hCard formats.

The following versions are supported:

vCard 2.1, 3.0, and 4.0
xCard 1.0
jCard 4.0
hCard 1.0


DEPENDENCIES
None

CONFLICTS
Parsers
* VCARD

KEYS
* email - value from 'email' field
* fullname - value from 'fn' field

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, file analysis

Parser: VNC (vnc)
Identifies the Remote Framebuffer protocol used by VNC and its
derivatives.


DEPENDENCIES
Parsers
* NETWORK
Feeds
* investigation

CONFLICTS
Parsers
* vnc-rfb

KEYS
* action - 'login'
* error - 'login failure'
* service - '5900'

RISK VALUES

info
* no authentication required

HUNTING VALUES
None
Medium: packet
Tags: operations, event analysis, protocol analysis

Parser: windows_command_shell_lua (windows_command_shell)
Identifies Microsoft Windows command shell sessions.

Identifies command shell sessions only. No meta (such as commands
executed) is registered.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* SHELL
* windows_command_shells

KEYS
* alert.id - mapped to risk meta
* client - 'MS Command Shell'
* ioc - indicators of compromise

RISK VALUES

suspicious
* windows cli admin commands

warning
* windows command shell

HUNTING VALUES

ioc
* possible base64 windows shell
Medium: packet
Tags: featured, threat, malware, web shells

Parser: windows_executable (windows_executable)
Identifies windows executables, and analyzes them for anomalies and
other suspicious characteristics.

There may be non-nefarious reasons for many of these alerts. Alerts
indicate that the executable in question may warrant further
scrutiny. Alerts should not be interpreted as a definitive
determination that an executable is malicious.
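The header checks behind the alert names listed below, as an added example that is not the parser's own code: it reads the IMAGE_DOS_HEADER, counts fields that differ from what the Microsoft linker writes, then reads the COFF and optional headers for the timestamp, linker version, section count, symbol count and DLL flag. The minimal PE images are constructed in the block; the expected DOS field values are the linker defaults, while the thresholds for "pe offset extremely high", "timestamp close to zero", "linker major ver too high" and "recently compiled", and the way "dos loader missing" is detected, are assumptions of this example.

```python
import struct
import time

# IMAGE_DOS_HEADER: 20 WORDs, then e_res2[10] and e_lfanew (DWORD). Names follow winnt.h.
DOS_FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
              "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc",
              "e_ovno", "e_res1_1", "e_res1_2", "e_res1_3", "e_res1_4",
              "e_oemid", "e_oeminfo")
# Values the Microsoft linker writes; any deviation is an "exe abnormal e_*" alert.
DOS_EXPECTED = {"e_cblp": 0x90, "e_cp": 3, "e_crlc": 0, "e_cparhdr": 4,
                "e_minalloc": 0, "e_maxalloc": 0xFFFF, "e_ss": 0, "e_sp": 0xB8,
                "e_csum": 0, "e_ip": 0, "e_cs": 0, "e_ovno": 0, "e_res1_1": 0,
                "e_res1_2": 0, "e_res1_3": 0, "e_res1_4": 0, "e_oemid": 0,
                "e_oeminfo": 0}
COUNT_ALERT = {1: "exe one dos header anomaly", 2: "exe two dos header anomalies",
               3: "exe three dos header anomalies", 4: "exe four dos header anomalies"}
JAN_1999 = 915148800
DOS_STUB = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\n\r\n$")


def build_pe(timestamp, linker=(14, 0), lfanew=0x80, sections=3, magic=0x10B,
             characteristics=0x102, dos_overrides=None, size=4096):
    """Constructed minimal PE image (headers only) for exercising the checks."""
    dos = dict(DOS_EXPECTED)
    dos.update(e_magic=0x5A4D, e_lfarlc=0x40)
    dos.update(dos_overrides or {})
    head = struct.pack("<20H", *(dos[f] for f in DOS_FIELDS))
    head += struct.pack("<10HI", *([0] * 10), lfanew)
    head = (head + DOS_STUB).ljust(lfanew, b"\0")[:lfanew]   # lfanew == 0x40 leaves no room for the stub
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, sections, timestamp, 0, 0, 0xE0, characteristics)
    return (head + nt + struct.pack("<HBB", magic, *linker)).ljust(size, b"\0")


def analyze_pe(data, now=None):
    """Return {'filetype': [...], 'risk': [...], 'analysis.file': [...]} for a PE image."""
    now = time.time() if now is None else now
    result = {"filetype": [], "risk": [], "analysis.file": []}
    risk = result["risk"]
    if len(data) < 64 or data[:2] != b"MZ":
        return result
    fields = struct.unpack_from("<20H10HI", data, 0)
    dos = dict(zip(DOS_FIELDS, fields[:20]))
    dos.update(("e_res2_%d" % (i + 1), fields[20 + i]) for i in range(4))
    lfanew = fields[30]
    anomalies = [f for f, exp in DOS_EXPECTED.items() if dos[f] != exp]
    anomalies += [f for f in ("e_res2_1", "e_res2_2", "e_res2_3", "e_res2_4") if dos[f]]
    risk += ["exe abnormal " + f for f in anomalies]
    if anomalies:
        risk.append(COUNT_ALERT.get(len(anomalies), "exe many dos header anomalies"))
    result["filetype"].append("windows executable")
    if lfanew < 64:
        risk.append("exe nt header inside dosheader")
        return result
    if b"DOS mode" not in data[64:lfanew]:     # assumed: stub text absent between header and PE
        risk.append("exe dos loader missing")
    if lfanew > 1024:                          # threshold assumed
        risk.append("exe pe offset extremely high")
    if lfanew + 28 > len(data) or data[lfanew:lfanew + 4] != b"PE\0\0":
        return result
    _machine, nsec, ts, _, nsyms, _optsize, chars = struct.unpack_from("<HHIIIHH", data, lfanew + 4)
    magic, lmaj, lmin = struct.unpack_from("<HBB", data, lfanew + 24)
    if magic == 0x10B:
        result["filetype"].append("x86 pe")
    elif magic == 0x20B:
        result["filetype"].append("x64pe")
    else:
        risk.append("exe missing magic number")
    if chars & 0x2000:
        result["filetype"].append("windows dll")
    if nsec == 2:
        risk.append("exe two sections")
    if nsyms:
        risk.append("exe abnormal number of symbols")   # modern linkers write 0
    if lmaj == 0 and lmin == 0:
        risk.append("exe linker both version zero")
    elif lmaj == 0:
        risk.append("exe linker version zero")
    if lmaj > 20:                               # bound assumed
        risk.append("exe linker major ver too high")
    if ts == 0:
        risk.append("exe timestamp zero")
    elif ts < 365 * 86400:                      # assumed: within the first year of the epoch
        risk.append("exe timestamp close to zero")
    elif ts < JAN_1999:
        risk.append("exe timestamp before 1999")
    elif ts > now + 86400:
        risk.append("exe timestamp in the future")
    elif now - ts < 7 * 86400:                  # assumed window
        result["analysis.file"].append("exe recently compiled")
    result["analysis.file"].append("exe filetype")
    for limit, label in ((5, "exe under 5k"), (10, "exe under 10k"), (75, "exe under 75k")):
        if len(data) < limit * 1024:
            result["analysis.file"].append(label)
    return result
```

None of these conditions is proof of malice on its own: packers and hand-built loaders zero the DOS header, and reproducible builds legitimately set the timestamp to a fixed value. The value of the alerts is in combination, which is why the count-based "n dos header anomalies" values escalate from info to warning.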


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* CMS_windows_executable
* advanced_windows_executable
* encoded_file_fingerprinting

KEYS
* alert.id - mapped to risk meta
* analysis.file - characteristics of the executable
* filetype - 'windows executable', 'x86 pe', 'windows dll', 'x64pe'

RISK VALUES

info
* exe abnormal e_cblp
* exe abnormal e_cp
* exe abnormal e_cparhdr
* exe abnormal e_crlc
* exe abnormal e_cs
* exe abnormal e_csum
* exe abnormal e_ip
* exe abnormal e_maxalloc
* exe abnormal e_minalloc
* exe abnormal e_oemid
* exe abnormal e_oeminfo
* exe abnormal e_ovno
* exe abnormal e_res1_1
* exe abnormal e_res1_2
* exe abnormal e_res1_3
* exe abnormal e_res1_4
* exe abnormal e_res2_1
* exe abnormal e_res2_2
* exe abnormal e_res2_3
* exe abnormal e_res2_4
* exe abnormal e_sp
* exe abnormal e_ss
* exe abnormal number of symbols
* exe dos loader missing
* exe one dos header anomaly
* exe timestamp zero
* exe two dos header anomalies
* exe two sections

suspicious
* exe abnormal file alignment
* exe abnormal loader flags
* exe abnormal major os ver
* exe abnormal minor os ver
* exe abnormal rva sizes
* exe abnormal section alignment
* exe abnormal size of section headers
* exe abnormal subsystem ver
* exe dos loader missing
* exe four dos header anomalies
* exe pe offset extremely high
* exe three dos header anomalies
* exe timestamp before 1999
* exe timestamp close to zero
* exe timestamp in the future

warning
* exe linker both version zero
* exe linker major ver too high
* exe linker minor ver too high
* exe linker version zero
* exe many dos header anomalies
* exe missing magic number
* exe nt header inside dosheader

HUNTING VALUES

analysis.file
* exe extension but not exe filetype
* exe filetype
* exe recently compiled
* exe under 10k
* exe under 5k
* exe under 75k
Medium: packet
Tags: operations, event analysis, file analysis

X11_lua (x11)

Identifies the X11 protocol (RFC 1013).

Performs identification only. No meta is extracted.


DEPENDENCIES
Parsers
* NETWORK

CONFLICTS
Parsers
* x11_flex

KEYS
* service - '6000'

RISK VALUES
None

HUNTING VALUES
None
Medium: packet
Tags: featured, operations, event analysis, protocol analysis

xor_executable_lua (xor_executable)

Detects executables that have been XOR- or hex-encoded.

Registers a risk.warning alert if an XOR- or hex-encoded executable
is detected.

For XOR-encoded executables, registers the XOR key value used for the encoding.

Only 1-byte XOR keys are supported. Multi-byte or rotating XOR keys are
not detected.


DEPENDENCIES
Parsers
* FeedParser
Feeds
* investigation

CONFLICTS
Parsers
* xor_executable

KEYS
* alert.id - mapped to risk meta
* crypto - xor key used for encoding
* filetype - 'windows executable'
* ioc - indicators of compromise

RISK VALUES

warning
* hex encoded executable
* xor encoded executable

HUNTING VALUES

ioc
* xor exe
Medium: packet
Tags: malware analysis, spectrum, operations, event analysis, file analysis

Discontinued Packet Parsers

The following table lists the Lua parsers that have been removed from the system.

                       
NameDescriptionNotes

AIM_lua

OSCAR protocol used by AIM (AOL Instant Messenger) and ICQ, and AIM-express web client.

As of December 15, 2017, AOL Instant Messenger products and services have been shut down and no longer work.

BITS

Identifies Microsoft BITS Protocol.

BITS was added to HTTP_lua, making the standalone BITS parser redundant. BITS parsing in HTTP_lua is also much more complete than it was in the standalone parser.
