Remove Original IR Pack

Document created by RSA Information Design and Development on Nov 9, 2016. Last modified by RSA Information Design and Development on Nov 15, 2018.
Version 145

The Hunting Pack is designed to allow you to quickly hunt for indicators of compromise or anomalous network activity by dissecting packet traffic within RSA NetWitness Platform and populating specific meta keys with natural language values for investigation. This package was originally designed by, and distributed through, the RSA Incident Response Team. This content has now been integrated into the officially released content through RSA Live and can be deployed through the product. See https://community.rsa.com/docs/DOC-62341 for more information about the productized Hunting Pack.

RSA recommends that you remove the old IR Content Pack from your system before deploying the new Hunting Pack.

Note: Some of the Reports and Rules installed by the original IR Content may need modification or complete removal after you update to the new Hunting Pack. Review any customizations you made to the original IR Content Reports or Rules before you remove them.

Unsupported Keys

The following keys are not supported by RSA:

  • http.request
  • http.response
  • req.uniq
  • res.uniq

If you have rules written around any of these keys, we recommend that you contact RSA support for guidance.
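Before you open a case, it helps to know exactly which rules read the unsupported keys, and which of the remaining rules depend on one another (for example first_carve_!dns only matches when ir.general='first_carve', so removing first_carve alone leaves a rule in place that can never fire). The Python below is an added example, not RSA content: it scans rule conditions with a heuristic tokenizer (not RSA's rule engine), flags rules that reference the unsupported keys, and goes one step further than the paragraph by mapping rule-to-rule dependencies so you can see the side effects of removing a subset. The sample rule set is constructed from rows of the application-rule table later in this document; in practice you would feed it the rules exported from your Decoder.

```python
"""Audit NetWitness application rules before removing the original IR pack.

Added example, not RSA content.  Rule conditions are scanned with a heuristic
tokenizer, not RSA's rule engine; the sample rules are copied from rows of the
application-rule table in this document.
"""
import re

UNSUPPORTED_KEYS = {"http.request", "http.response", "req.uniq", "res.uniq"}

# (rule name, meta key the rule writes, condition).  Constructed from the table
# in this document; in practice you would read the Decoder's exported rules.
IR_RULES = [
    ("!advertising", "ir.general", "threat.category != 'advertising'"),
    ("exe_filetype", "ir.general",
     "filetype = 'x86_pe','x64_pe' || filetype begins 'windows'"),
    ("first_carve", "ir.general",
     "direction = 'outbound' && ir.general != 'zero_payload' "
     "&& ir.general != 'single_sided_tcp' && ir.general != 'single_sided_udp'"),
    ("first_carve_!advertising", "ir.general",
     "ir.general='first_carve' && ir.general = '!advertising'"),
    ("first_carve_!dns", "ir.general", "ir.general='first_carve' && service!=53"),
    ("four_or_less_headers", "ir.general",
     "http.request exists && http.request count l-4 && service = 80"),
    ("http_no_ua", "ir.general", "service = 80 && agent.ext !exists"),
    ("http_response_filename", "ir.general", "res.uniq contains 'filename'"),
    ("http_response_filename_exe", "ir.alert",
     "ir.general = 'http_response_filename_inline','http_response_filename_attachment'"
     " && ir.general = 'exe_filetype'"),
]

# A meta key is an identifier directly followed by a rule operator.  Quoted
# literals are blanked first so values such as 'dynamic dns host' are not read as keys.
_KEY_RE = re.compile(
    r"([A-Za-z][A-Za-z0-9_.]*)\s*(?:!=|=|!exists|exists|begins|ends|contains|count)"
)
# key (=|!=) 'lit'[,'lit'...]: the form one rule uses to test another rule's output.
_REF_RE = re.compile(r"([A-Za-z][A-Za-z0-9_.]*)\s*(!=|=)\s*('[^']*'(?:\s*,\s*'[^']*')*)")


def referenced_keys(condition: str) -> set[str]:
    """Meta keys a rule condition reads."""
    return set(_KEY_RE.findall(re.sub(r"'[^']*'", "''", condition)))


def rules_using_unsupported_keys(rules) -> dict[str, list[str]]:
    """Rules to review with RSA Support: they read keys RSA no longer supports."""
    hits = {}
    for name, _key, cond in rules:
        bad = referenced_keys(cond) & UNSUPPORTED_KEYS
        if bad:
            hits[name] = sorted(bad)
    return hits


def rule_dependencies(rules) -> dict[str, dict[str, set[str]]]:
    """For each rule, the other rules whose output it tests, split by operator:
    'requires' (key = 'other') and 'excludes' (key != 'other')."""
    writers = {(key, name) for name, key, _ in rules}
    deps = {}
    for name, _key, cond in rules:
        requires, excludes = set(), set()
        for key, op, literals in _REF_RE.findall(cond):
            for lit in re.findall(r"'([^']*)'", literals):
                if (key, lit) in writers:
                    (excludes if op == "!=" else requires).add(lit)
        deps[name] = {"requires": requires, "excludes": excludes}
    return deps


def removal_impact(rules, removed: set[str]) -> dict[str, dict[str, set[str]]]:
    """Rules kept in place whose behaviour changes once `removed` are gone:
    'dead' rules can never match again, 'loosened' rules lose a negative filter."""
    impact = {}
    for name, d in rule_dependencies(rules).items():
        if name in removed:
            continue
        dead, loosened = d["requires"] & removed, d["excludes"] & removed
        if dead or loosened:
            impact[name] = {"dead": dead, "loosened": loosened}
    return impact


if __name__ == "__main__":
    print("Rules reading unsupported keys:", rules_using_unsupported_keys(IR_RULES))
    # Removing two base rules without their dependents leaves three dead rules behind.
    print("Impact of removing first_carve and exe_filetype:",
          removal_impact(IR_RULES, {"first_carve", "exe_filetype"}))
```

Run it against the full exported rule list rather than the sample: every rule that `removal_impact` reports as dead should be removed together with the rule it depends on, and every rule in `rules_using_unsupported_keys` is one to raise with RSA Support before you delete the IR_1_HTTP parser that populates those keys.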

Creation of Metadata

  1. Update Reports (or any custom content) to map to the metadata used in the new Hunting Pack.
  2. Stop the creation of duplicate meta. Perform one of the following procedures:

    • Disable the IR Pack Lua parsers.
    • Remove the IR Pack Lua parsers.
  3. Remove Application Rules from all Decoders.
  4. Remove Feeds.

Consumption of Metadata

After you remove the original content, remove the meta keys that only the original IR content populated from indexes, meta groups, and profiles. Keys that standard content also populates (for example action or filetype) must stay. For details, see Meta Keys.

  1. Remove meta keys from meta groups and profiles.
  2. Remove meta keys from concentrator indexes.
  3. Remove meta keys from decoders.

Lua Parsers

You can disable or remove the IR content Lua parsers.

Note: RSA recommends that you remove them.

Disable the IR Pack Lua Parsers

To disable the IR content pack Lua parsers:

  1. Depending on your version:

    • For NetWitness 11.x: In the NetWitness menu, select ADMIN > Services.
    • For Security Analytics 10.x: In the Security Analytics menu, select Administration > Services.
  2. Select a Decoder service.
  3. In the Actions column, select View > Explore.
  4. Expand decoders > parsers.
  5. Click config.
  6. For parsers.disabled, enter the comma-separated list of parsers to disable:

    IR_1_Advanced_RDP,IR_1_Binary_Indicators,IR_1_Binary_Streams,IR_1_DynDNS,IR_1_Email_Expanded,IR_1_HTTP,IR_1_HTTP_with_Base64_Payload,IR_1_HTTP_with_Binary_Payload,IR_1_ICMP,IR_1_Named_Pipes,IR_1_txrxBytes,IR_2_IR_APT_Artifacts,IR_2_APT_PlugX,IR_2_APT_PNGRAT_TECHNET_IP,IR_2_Base64_CLI_Shell,IR_2_China_Chopper,IR_2_MSU_RAT,IR_2_PoisonIvy,IR_2_Shellcrew Notepad Parser

  7. Press Enter.

    You receive a message that the configuration was successful.

You can verify the parsers are disabled by navigating to Administration > Services > Decoder > Config > General.

Remove the IR Pack Lua Parsers

Remove the old IR pack Lua parsers from your Decoders:

  1. Depending on your version:

    • For Security Analytics 10.x: In the Security Analytics menu, select Administration > Services.
    • For NetWitness 11.x: In the NetWitness menu, select ADMIN > Services.
  2. Select a Decoder service.
  3. In the Actions column, select View > Config.
  4. Select the Parsers tab.
  5. Search for parsers that have names beginning with IR_, and select only these parsers.
  6. Click the remove icon to remove the selected parsers.
The following table lists the IR pack Lua parsers, the meta keys each one writes, and the meta each one generates.

| Parser Name | Metadata Category | Metadata Generated |
| --- | --- | --- |
| IR_1_Advanced_RDP.lua | language, rdp.info | Extracts keyboard layout; Extracts key |
| IR_1_Binary_Indicators | ir.general | Binary Indicator |
| IR_1_Binary_Streams | req.binary, res.binary, ir.general | Determines binary data in the request stream; Determines binary data in the response stream; Binary_Handshake |
| IR_1_DynDNS.lua | risk.info | dynamic dns host, dynamic dns server |
| IR_1_Email_Expanded.lua | emailfrom, emailto, emailxmailer, emailfromdomain, language | Extracts From: address; Extracts To: address; Extracts X-Mailer:; Extracts domain from From: field; Extracts Language Encoding |
| IR_1_HTTP.lua | http.request, http.response, req.uniq, res.uniq, agent.ext, ir.general, action | Extracts HTTP Request Headers; Extracts HTTP Response Headers; Extracts unique values from HTTP Request Headers; Extracts unique values from HTTP Response Headers; Extracts User-Agent: field; Explicit_Proxy_Request; put_method |
| IR_1_HTTP_with_base64.lua | ir.general | http_with_possible_base64 |
| IR_1_HTTP_with_binary.lua | ir.general | HTTP_with_binaryPayload |
| IR_1_ICMP.lua | action, error, ir.general | ICMP Types and Codes into action and error. Large frames are alerted into ir.general. |
| IR_1_Named_Pipes.lua | named.pipe | Extracts Named PIPE from SMB/RPC traffic |
| IR_1_txrxBytes | txbytes, rxbytes, bytes.ratio | Payload Transmit Bytes; Payload Receive Bytes; Payload Transmit Receive Ratio |
| IR_2_APT_Artificats | ir.alert | apt_possible_prefetch_deletion, apt_possible_registry_deletion, apt_possible_wmic_cleareventlog, apt_possible_regedit, apt_possible_invokemimikatz |
| IR_2_apt_PlugX | ir.alert | apt_PlugX, apt_PlugX_possible |
| IR_2_APT_PNGRAT_TECHNET_IP | ir.alert, alias.ip | APT_PNGRAT_@MICR0S0FT_IP; IP Address |
| IR_2_B64_Shell | ir.alert | Possible_B64_Shell |
| IR_2_China_Chopper | ir.alert | ASPX_China_Chopper, PHP_China_Chopper, CFM_China_Chopper |
| IR_2_MSU | ir.alert, crypto | apt_MSU_RAT; XOR key |
| IR_2_Poison_Ivy | ir.alert, ir.general | Possible_Poison_Ivy_Handshake; Possible_Poison_Ivy_Beacon |
| IR_2_sc_notepad | ir.alert | sc_notepad request/response seen - c2 live; sc_notepad initial beacon |

Application Rules

Remove the old IR pack application rules from your Decoders:

  1. Depending on your version:

    • For Security Analytics 10.x: In the Security Analytics menu, select Administration > Services.
    • For NetWitness 11.x: In the NetWitness menu, select ADMIN > Services.
  2. Select a Decoder service.
  3. In the Actions column, select View > Config.
  4. Select the App Rules tab.
  5. In the Filter field, enter three hash marks (###). This returns the list of Application Rules that are part of the original IR pack.
  6. Select the rules whose names begin with the ### string.
  7. Click the remove icon to remove the selected rules.

Additionally, the application rules listed in the table below should be removed from your Decoders. Use the steps provided above to search for and remove these additional application rules from your Decoders before you install the new Hunting Pack. Several of these rules test the output of other rules in the list (for example, first_carve_!dns matches only when ir.general='first_carve'), so remove them as a set rather than one at a time; a dependent rule left behind on its own will never fire again.

The table is flattened to one line per rule, in the form Rule Name (Meta Key): Rule. The meta key is the key the rule writes to; the rule is the condition as exported from the Decoder.

Rule Name (Meta Key): Rule
!advertising (ir.general): threat.category != 'advertising'
!top20dst (ir.general): ir.general != 'top20dst'
apt_ActiveMonk_UA (ir.alert): client begins "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; TERA" || client begins "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; XSL"
apt_Deep_Panda_C2 (ir.alert): (directory = 'Catelog' && action = 'put' && filename = 'login.cgi') || (directory = 'Photos' && action = 'get' && filename = 'Query.cgi') || (directory = 'forum' && action = 'put' && filename = 'login.cgi')
apt_Foxy_RAT (ir.alert): action = 'put' && filename = '404error.asp'
apt_Lurid_RAT (ir.alert): service = 80 && action = 'put' && client !exists && directory = 'cgi-bin','/Sjwpc/odw3ux'
apt_MiniASP (ir.alert): query begins 'device_t='
apt_NetTravler_RAT (ir.alert): filename = 'nettraveler.asp'
apt_NFlog_RAT (ir.alert): directory = 'Nflog' || client = 'www'
apt_PhotoASP_RAT (ir.alert): client = 'Mozilla/4.0' && filename = 'PHOTO.ASP' && http.request != 'referer'
apt_PNG_Rat (ir.alert): client = 'Windows+NT+5.1'
apt_Sykipot_RAT (ir.alert): client = 'HTTP-GET'
apt_WebC2_CS (ir.alert): client = 'Win32' && query begins 'ID=','INDEX='
apt_ZipToken_UA_POST (ir.alert): client = 'HttpBrowser/1.0' && action = 'put'
bad_org_susp_other (ir.general): ir.general = 'suspicious_other' && ir.general = 'watchlist_org.dst'
bad_ssl (ir.general): alias.host = 'localhost' && service = 443 && direction = 'outbound'
bytes.ratio_high_tx (ir.general): medium=1 && bytes.ratio = 75-u
bytes.ratio_low_tx (ir.general): medium=1 && bytes.ratio = l-25
bytes.ratio_med_tx (ir.general): medium=1 && bytes.ratio = 25-75
bytes.ratio_tx_only (ir.general): rxbytes !exists && medium=1 && bytes.ratio = 100-u
common_domains (ir.general): alias.host ends 'gvt1.com'
common_src (ir.general): org.src='exacttarget','constant contact','responsys','sitewire marketspace solutions','isdnet','e-dialog','linkedin corporation','qwest communications','silverpop systems','psinet','postini','cheetahmail','amazon.com','eloqua corporation','spark marketing llc','ibm-mgt','facebook','omeda communications','easystreet online services'
Crimeware_Black_Hole_Exploit_Kit (ir.alert): filename = 'web7.dat'
Crimeware_Zeus (ir.alert): service = 80 && action = 'put' && action != 'get' && filename = 'timestamps.php','gameover.php','gameover2.php','gameover3.php','gate.php' && http.request != 'referer'
Crimeware_Zeus_Knownbad (ir.alert): service = 80 && query contains 'index.php?r=gate&id='
direct to ip http request (risk.suspicious): ir.general = 'http_direct_to_ip'
direct_to_ip_one_char_php (ir.general): ir.general = 'http_direct_to_ip' && ir.general = 'one_char_php_filename' && query exists
dynamic_dns_query (ir.general): service = 53 && risk.info = 'dynamic dns host','dynamic dns server'
Elderwood_XMailer_Artifact (ir.alert): emailxmailer contains '10.40.1836'
email_fwd (ir.general): ir.general = 'inbound_email' && subject begins 'fwd'
email_re (ir.general): ir.general = 'inbound_email' && subject begins 're'
exe_filetype (ir.general): filetype = 'x86_pe','x64_pe' || filetype begins 'windows'
exe_under_10k (ir.general): size=l-10000 && ir.general = 'exe_filetype'
exe_under_5K (ir.general): size=l-5000 && ir.general = 'exe_filetype'
exe_under_75K (ir.general): size=l-75000 && ir.general = 'exe_filetype'
exe-ext_but_!exe-filetype (ir.general): extension = 'exe' && ir.general != 'exe_filetype'
exe-filetype_but_!exe-ext (ir.general): extension exists && extension != 'exe' && ir.general = 'exe_filetype'
express_x-mailer (ir.general): service=25 && client contains 'express'
external_dst (ir.general): ir.general != 'rfc1918_dst' && netname.dst !exists
external_src (ir.general): ir.general != 'rfc1918_src' && netname.src !exists
filter_netwitness (no meta key): (tcp.dstport = 50001-50008,50101-50108,56001-56008 || tcp.srcport = 50001-50008,50101-50108,56001-56008) && (netname.src = 'netwitness' || netname.dst = 'netwitness')
first_carve (ir.general): direction = 'outbound' && ir.general != 'zero_payload' && ir.general != 'single_sided_tcp' && ir.general != 'single_sided_udp'
first_carve_!advertising (ir.general): ir.general='first_carve' && ir.general = '!advertising'
first_carve_!dns (ir.general): ir.general='first_carve' && service!=53
first_carve_!top20dst (ir.general): ir.general='first_carve' && ir.general = '!top20dst'
first_carve_!top20dst_!advertising (ir.general): ir.general='first_carve_!top20dst' && ir.general = '!advertising'
four_http_headers (ir.general): http.request exists && http.request count l-4 && service = 80 && ir.general != 'three_http_headers' && ir.general != 'two_http_headers'
four_or_less_headers (ir.general): http.request exists && http.request count l-4 && service = 80
high_tx_outbound (ir.general): medium=1 && txbytes=4000000-u && risk.info='outbound_traffic'
http direct to ip request (risk.info): ir.general = 'http_direct_to_ip'
http_access_to_dyndns_site (ir.general): service = 80 && risk.info = 'dynamic dns host','dynamic dns server'
http_connect (ir.general): service=80 && (action = 'connect' && action != 'get','head','options','delete','trace','put','patch')
http_direct_to_ip (ir.general): service = 80 && risk.info='http direct to ip request'
http_get_no_post (ir.general): service=80 && action = 'get' && action != 'put','post'
http_no_ua (ir.general): service = 80 && agent.ext !exists
http_post_and_get (ir.general): service=80 && action = 'put','post' && action = 'get'
http_post_no_get (ir.general): service=80 && action = 'put','post' && action != 'get'
http_query_with_base64 (ir.general): service = 80 && action = 'GET','POST' && query contains '==' && ir.general != 'top20dst'
http_response_filename (ir.general): res.uniq contains 'filename'
http_response_filename_attachment (ir.general): res.uniq contains 'filename' && res.uniq contains 'attachment'
http_response_filename_bin (ir.alert): ir.general = 'http_response_filename_inline','http_response_filename_attachment' && attachment ends 'bin'
http_response_filename_exe (ir.alert): ir.general = 'http_response_filename_inline','http_response_filename_attachment' && ir.general = 'exe_filetype'
http_response_filename_inline (ir.general): res.uniq contains 'filename' && res.uniq contains 'inline'
http_tunnel_rat (ir.alert): query contains '[not%20httptunnel]'
icmp_large_session (ir.general): size=1000-u && ip.proto = 1 && risk.info = 'outbound_traffic'
icmp_tunnel (ir.general): service != 0 && ip.proto = 1 && risk.info = 'outbound_traffic'
ie_short_ua (ir.general): ir.general begins 'short_ie'