000033777 - Korean characters are displayed as numerical character reference in Suspicious File syslog from NetWitness Malware Analysis 10.6.0.2

Document created by RSA Customer Support Employee on Sep 5, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000033777
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Malware Analysis
RSA Version/Condition: 10.6.0.2
Platform: CentOS
O/S Version: EL6
Issue: 'Suspicious File' syslog events from the Malware Analysis service display Korean characters in the file name as HTML numeric character references (&#NNNN;) for the Unicode code points instead of the characters themselves, as shown below.
Aug 10 11:12:20 malware WARNING:Suspicious File:Spectrum Analysis:user=Unknown identity:Detected suspicious file:static=0.0:nextgen=56.0:community=0.0:file.name=&#53580;&#49828;&#53944;&#47928;&#49436;.xls.doc:file.size=176640:file.md5.hash=aabb31170222222d9ff50c4400bb4411:file.sha1.hash=11111e58c5cd464ec7aebb379ca5af69b9000000:file.sha256.hash=1111111e00790c6226405bcffd23a45efb275cd2d677a98ac40719e661000000:event.id=11

If the file name were displayed correctly, the message would show filename=테스트문서.xls, as it does in the companion 'Suspicious Event' syslog for the same event (event.id=11) below, where the file name comes through as Unicode.
Aug 10 11:12:20 malware WARNING:Suspicious Event:Spectrum Analysis:user=Unknown identity:Detected suspicious network event:static=0.0:nextgen=56.0:community=0.0:malware.nextgen.source=nws://x.x.x.x:56003/sdk:event.type=NEXTGEN:event.id=11:country.dst=Private:filetype=office 2007 document,zip,office 95-2003 excel document:server=Microsoft-IIS/7.5:extension=xls,xml,rels:org.src=xxx:lifetime=0:tcp.dstport=80:medium=1:sessionid=100:rid=100:directory=_rels/,//ServerFiles/NoticeFileAttatch/,theme/theme/_rels/,theme/theme/:content=application/vnd.ms-excel,spectrum.analyze,spectrum.consume:packets=11:eth.type=2048:rpackets=2:tcp.srcport=10:ip.dst=x.x.x.x:city.src=Seoul:ip.proto=6:payload=100:eth.src=FF:FF:FF:FF:FF:FF:client=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729):action=get:longdec.src=111.0089:country.src=Korea, Republic of:threat.category=spectrum,nonstandard:alert.id=nw32550,nw60020:tcp.flags=26:streams=2:eth.dst=FF:FF:FF:FF:FF:FF:alias.ip=x.x.x.x:threat.source=netwitness:ip.src=x.x.x.x:filename=테스트문서.xls,themeManager.xml,[Content_Types].xml,themeManager.xml.rels,.rels,테스트문서.xls,theme1.xml:size=268875:service=80:time=Wed Aug 10 11:12:20 UTC 2016:risk.info=http over non-standard port,http direct to ip request:latdec.src=11.2911:rpayload=2760:did=packetdecoder

Cause: This is caused by a bug in the Malware Analysis service: the file name is HTML-encoded (non-ASCII characters replaced by numeric character references) and the references are not decoded back to the corresponding Unicode characters before the syslog message is written.
Resolution: The fix will be added to a future release.
Contact RSA Support to confirm the version that contains the fix.
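Until a fixed build is available, a syslog consumer (a SIEM parser or a correlation rule) can undo the encoding itself. The following is an added example for this article, not RSA or NetWitness code: it splits a Malware Analysis message into its key=value fields, decodes decimal and hexadecimal numeric character references in file.name, and uses the decoded name to correlate the 'Suspicious File' message with the companion 'Suspicious Event' message that shares its event.id. The two sample messages are the article's (the second one abridged); the field-splitting rule, that a value runs until the next ':key=' token, is an assumption drawn from the samples rather than a documented format.

```python
"""Decode HTML numeric character references in NetWitness Malware Analysis
'Suspicious File' syslog and correlate with the 'Suspicious Event' message.
Added example for this article; not RSA/NetWitness code."""
import re

# Sample messages from the article (second one abridged). The file name in the
# first message is the NCR form of 테스트문서 as emitted by the affected build.
SUSPICIOUS_FILE = (
    "Aug 10 11:12:20 malware WARNING:Suspicious File:Spectrum Analysis:"
    "user=Unknown identity:Detected suspicious file:static=0.0:nextgen=56.0:"
    "community=0.0:file.name=&#53580;&#49828;&#53944;&#47928;&#49436;.xls.doc:"
    "file.size=176640:file.md5.hash=aabb31170222222d9ff50c4400bb4411:"
    "file.sha1.hash=11111e58c5cd464ec7aebb379ca5af69b9000000:"
    "file.sha256.hash=1111111e00790c6226405bcffd23a45efb275cd2d677a98ac40719e661000000:"
    "event.id=11"
)
SUSPICIOUS_EVENT = (
    "Aug 10 11:12:20 malware WARNING:Suspicious Event:Spectrum Analysis:"
    "user=Unknown identity:Detected suspicious network event:static=0.0:"
    "nextgen=56.0:community=0.0:malware.nextgen.source=nws://x.x.x.x:56003/sdk:"
    "event.type=NEXTGEN:event.id=11:eth.src=FF:FF:FF:FF:FF:FF:"
    "filename=테스트문서.xls,themeManager.xml,[Content_Types].xml,"
    "themeManager.xml.rels,.rels,테스트문서.xls,theme1.xml:size=268875:"
    "time=Wed Aug 10 11:12:20 UTC 2016:did=packetdecoder"
)

# &#NNNN; (decimal) or &#xHHHH; (hex). Named entities are deliberately not matched.
NCR_RE = re.compile(r"&#(?:[xX]([0-9A-Fa-f]{1,6})|([0-9]{1,7}));")

# Assumed field layout: ':' separates fields but also appears inside values
# (URLs, MAC addresses, timestamps), so a value runs until the next ':key='.
FIELD_RE = re.compile(r"([A-Za-z][\w.]*)=(.*?)(?=:[A-Za-z][\w.]*=|$)")


def decode_ncr(text):
    """Replace numeric character references with the code points they name.
    References to U+0000, surrogates or code points above U+10FFFF are not
    valid Unicode scalar values and are left as written rather than raising."""
    def repl(m):
        cp = int(m.group(1), 16) if m.group(1) is not None else int(m.group(2))
        if cp == 0 or 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            return m.group(0)
        return chr(cp)
    return NCR_RE.sub(repl, text)


def parse_fields(message):
    """Split a Malware Analysis syslog message into a {key: raw value} dict.
    Values are returned undecoded: decode per field afterwards, because an
    NCR such as &#58; decodes to ':' and would break the split if done first."""
    return dict(FIELD_RE.findall(message))


def decoded_file_name(fields):
    """file.name with the NCR workaround applied."""
    return decode_ncr(fields.get("file.name", ""))


def correlate(file_message, event_message):
    """Return the distinct 'Suspicious Event' filenames that the decoded
    'Suspicious File' name refers to, or None if the event.id values differ.
    The sample file name carries an extra '.doc' suffix, so a match is either
    the same name or the same name followed by a further extension."""
    f = parse_fields(file_message)
    e = parse_fields(event_message)
    if f.get("event.id") is None or f.get("event.id") != e.get("event.id"):
        return None
    name = decoded_file_name(f)
    matches = {n for n in e.get("filename", "").split(",")
               if n and (name == n or name.startswith(n + "."))}
    return sorted(matches)


if __name__ == "__main__":
    fields = parse_fields(SUSPICIOUS_FILE)
    print("raw    :", fields["file.name"])
    print("decoded:", decoded_file_name(fields))
    print("matches:", correlate(SUSPICIOUS_FILE, SUSPICIOUS_EVENT))
```

Two points worth keeping when adapting this to a real pipeline: decode only after the message has been split into fields, since a reference can decode to the ':' or '=' delimiter, and be aware that the encoded form is pure ASCII, so any filename match rule written with Korean characters silently never fires against the raw message from this build.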
