Remove Original IR Pack

Document created by RSA Information Design and Development on Nov 9, 2016. Last modified by RSA Information Design and Development on Apr 10, 2018.
Version 117

The Hunting Pack is designed to allow you to quickly hunt for indicators of compromise or anomalous network activity by dissecting packet traffic within the NetWitness Suite and populating specific meta keys with natural language values for investigation. This package was originally designed by, and distributed through, the RSA Incident Response Team. This content has now been integrated into the officially released content through RSA Live and can be deployed through the product. See for more information about the productized Hunting Pack.

RSA recommends that you remove the old IR Content Pack from your system before deploying the new Hunting Pack.

Note: Some of the Reports and Rules installed by the original IR Content may need modification or complete removal after updating to the new Hunting Pack. Any customization added to the older IR Content Reports or Rules should be reviewed prior to removal.

Unsupported Keys

The following keys are not supported by RSA:

  • http.request
  • http.response
  • req.uniq
  • resp.uniq

If you have rules written around any of these keys, we recommend that you contact RSA support for guidance.
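The check below is an added example; it is not part of this RSA document or of the NetWitness product. It scans application-rule conditions for references to the four unsupported keys listed above, so that the rules needing RSA support guidance can be found before the old pack is removed, and it also selects the rule names to delete (the `###`-prefixed rules plus names from the application-rule table later on this page). The sample rules are constructed from that table; the operator list used to recognise a meta key, and the treatment of `res.uniq` (as the table spells it) as the same key as `resp.uniq`, are assumptions.

```python
import re

# Keys the page lists as not supported by RSA.
UNSUPPORTED_KEYS = {"http.request", "http.response", "req.uniq", "resp.uniq"}

# Assumption: the legacy rule table on this page writes the response-header
# key as "res.uniq"; treat it as the same key as "resp.uniq" when auditing.
KEY_ALIASES = {"res.uniq": "resp.uniq"}

# Quoted literals are removed first so that words inside values ('referer',
# "Mozilla/4.0 ...") are never mistaken for meta keys.
QUOTED_RE = re.compile(r"'[^']*'|\"[^\"]*\"")

# Assumption: a meta key is a dotted identifier immediately followed by one of
# the operators that appear in the rules on this page.
KEY_RE = re.compile(
    r"(?<![\w.'\"])([a-z]\w*(?:\.\w+)*)\s*"
    r"(?:(?:!?exists|begins|ends|contains|count)\b|!=|=)"
)


def meta_keys(condition):
    """Return the set of meta keys referenced by one application-rule condition."""
    stripped = QUOTED_RE.sub("''", condition)
    return {m.group(1) for m in KEY_RE.finditer(stripped)}


def audit_rules(rules):
    """Map rule name -> sorted unsupported keys, for rules that reference any.

    `rules` is an iterable of (name, meta_key, condition) tuples, i.e. the
    three columns of the application-rule table.
    """
    findings = {}
    for name, _meta_key, condition in rules:
        keys = {KEY_ALIASES.get(k, k) for k in meta_keys(condition)}
        hits = sorted(keys & UNSUPPORTED_KEYS)
        if hits:
            findings[name] = hits
    return findings


def rules_to_remove(rule_names, legacy_table_names):
    """Names to delete before installing the Hunting Pack: the '###'-prefixed
    IR rules plus any rule named in the page's application-rule table."""
    legacy = set(legacy_table_names)
    return sorted(n for n in rule_names if n.startswith("###") or n in legacy)


# Constructed sample: a handful of rows copied from the application-rule table.
SAMPLE_RULES = [
    ("apt_PhotoASP_RAT", "ir.alert",
     "client = 'Mozilla/4.0' && filename = 'PHOTO.ASP' && http.request != 'referer'"),
    ("four_or_less_headers", "ir.general",
     "http.request exists && http.request count 1-4 && service = 80"),
    ("http_response_filename", "ir.general", "res.uniq contains 'filename'"),
    ("http_no_ua", "ir.general", "service = 80 && agent.ext !exists"),
    ("exe_under_10k", "ir.general", "size=1-10000 && ir.general = 'exe_filetype'"),
    ("apt_ActiveMonk_UA", "ir.alert",
     "client begins \"Mozilla/4.0 (compatible; MSIE 6.0; TERA\" || client begins \"Mozilla/4.0 (XSL\""),
]

if __name__ == "__main__":
    for name, keys in audit_rules(SAMPLE_RULES).items():
        print(f"{name}: contact RSA support, uses unsupported key(s) {', '.join(keys)}")
    print("remove:", rules_to_remove(
        ["### ir_sample", "!advertising", "my_custom_rule"], ["!advertising"]))
```

Feed `audit_rules` the rule export of each Decoder (name, meta key, condition) and deal with every rule it reports before step 6 of the Application Rules procedure below; `rules_to_remove` then gives the exact list to select in the App Rules tab.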

Creation of Metadata

  1. Update Reports (or any custom content) to map to the metadata used in the new Hunting Pack.
  2. Stop the creation of duplicate meta. Perform one of the following procedures:
    • Remove Application Rules from all decoders.
    • Remove Feeds.

Consumption of Metadata

After you remove the original content, you should remove meta keys from indexes, meta groups, and profiles. For details, see Meta Keys.

  1. Remove meta keys from meta groups and profiles.
  2. Remove meta keys from concentrator indexes.
  3. Remove meta keys from decoders.

Lua Parsers

You can disable or remove the IR content Lua parsers.

Note: RSA recommends you remove them.

Disable the IR Pack Lua Parsers

To Disable the IR content pack Lua Parsers:

  1. Depending on your version:

    • For NetWitness 11.x: In the NetWitness menu, select ADMIN > Services.
    • For Security Analytics 10.x: In the Security Analytics menu, select Administration > Services.
  2. Select a Decoder service.
  3. In the Actions column, select View > Explore.
  4. Expand decoders > parsers.
  5. Click config.

  6. For parsers.disabled, enter the list of parsers to disable:

    IR_1_Advanced_RDP,IR_1_Binary_Indicators,IR_1_Binary_Streams,IR_1_DynDNS,IR_1_Email_Expanded,IR_1_HTTP,IR_1_HTTP_with_Base64_Payload,IR_1_HTTP_with_Binary_Payload,IR_1_ICMP,IR_1_Named_Pipes,IR_1_txrxBytes,IR_2_IR_APT_Artifacts,IR_2_APT_PlugX,IR_2_APT_PNGRAT_TECHNET_IP,IR_2_Base64_CLI_Shell,IR_2_China_Chopper,IR_2_MSU_RAT,IR_2_PoisonIvy,IR_2_Shellcrew Notepad Parser

  7. Click Enter.

    You receive a message that the configuration was successful.

You can verify the parsers are disabled by navigating to Administration > Services > Decoder > Config > General.

Remove the IR Pack Lua Parsers

Remove the old IR pack Lua parsers from your Decoders:

  1. Depending on your version:

    • For Security Analytics 10.x: In the Security Analytics menu, select Administration > Services.
    • For NetWitness 11.x: In the NetWitness menu, select ADMIN > Services.
  2. Select a Decoder service.
  3. In the Actions column, select View > Config.
  4. Select the Parsers tab.
  5. Search for parsers that have names beginning with IR_, and select only these parsers.
  6. Click to remove the selected parsers.

| Parser Name | Metadata Category | Metadata Generated |
|---|---|---|
| IR_1_Advanced_RDP | | Extracts keyboard layout; Extracts key |
| IR_1_Binary_Indicators (Binary Indicator) | req.binary; res.binary; ir.general | Determines binary data in the request stream; Determines binary data in the response stream; Binary_Handshake |
| IR_1_DynDNS | | dynamic dns host; dynamic dns server |
| IR_1_Email_Expanded | | Extracts From: address; Extracts To: address; Extracts X-Mailer:; Extracts domain from From: field; Extracts Language Encoding |
| IR_1_HTTP | | Extracts HTTP Request Headers; Extracts HTTP Response Headers; Extracts unique values from HTTP Request Headers; Extracts unique values from HTTP Response Headers; Extracts User-Agent: field |
| IR_1_ICMP | | ICMP Types and Codes into action and error. Large frames are alerted into ir.general. |
| IR_1_Named_Pipes | | Extracts Named PIPE from SMB/RPC traffic |
| IR_1_txrxBytes | txbytes; rxbytes; bytes.ratio | Payload Transmit Bytes; Payload Receive Bytes; Payload Transmit Receive Ratio |
| IR_2_IR_APT_Artifacts | | apt_possible_prefetch_deletion; apt_possible_registry_deletion; apt_possible_wmic_cleareventlog; apt_possible_regedit; apt_possible_invokemimikatz |
| IR_2_APT_PlugX | | apt_PlugX; apt_PlugX_possible |
| IR_2_APT_PNGRAT_TECHNET_IP | ir.alert; alias.ip | |
| IR_2_China_Chopper | | ASPX_China_Chopper; PHP_China_Chopper; CFM_China_Chopper |
| IR_2_MSU_RAT | ir.alert; crypto | apt_MSU_RAT; XOR key |
| IR_2_PoisonIvy | ir.alert; ir.general | Possible_Poison_Ivy_Handshake; Possible_Poison_Ivy_Beacon |
| IR_2_Shellcrew Notepad Parser | | sc_notepad request/response seen - c2 live; sc_notepad initial beacon |

Application Rules

Remove the old IR pack application rules from your Decoders:

  1. Depending on your version:

    • For Security Analytics 10.x: In the Security Analytics menu, select Administration > Services.
    • For NetWitness 11.x: In the NetWitness menu, select ADMIN > Services.
  2. Select a Decoder service.
  3. In the Actions column, select View > Config.
  4. Select the App Rules tab.
  5. In the Filter field, enter three hash tags (###). This returns the list of Application Rules that are part of the original IR pack.
  6. Select the rules that begin with the ### string.
  7. Click to remove the selected rules.

Additionally, the application rules listed in the table below should be removed from your Decoders. Use the steps provided above to search for and remove the additional application rules from your Decoders before you install the new Hunting Pack.

| Rule Name | Meta Key | Rule |
|---|---|---|
| !advertising | ir.general | threat.category != 'advertising' |
| !top20dst | ir.general | ir.general != 'top20dst' |
| apt_ActiveMonk_UA | ir.alert | client begins "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; TERA" \|\| client begins "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; XSL" |
| apt_Deep_Panda_C2 | ir.alert | (directory = 'Catelog' && action = 'put' && filename = 'login.cgi') \|\| (directory = 'Photos' && action = 'get' && filename = 'Query.cgi') \|\| (directory = 'forum' && action = 'put' && filename = 'login.cgi') |
| apt_Foxy_RAT | ir.alert | action = 'put' && filename = '404error.asp' |
| apt_Lurid_RAT | ir.alert | service = 80 && action = 'put' && client !exists && directory = 'cgi-bin','/Sjwpc/odw3ux' |
| apt_MiniASP | ir.alert | query begins 'device_t=' |
| apt_NetTravler_RAT | ir.alert | filename = 'nettraveler.asp' |
| apt_NFlog_RAT | ir.alert | directory = 'Nflog' \|\| client = 'www' |
| apt_PhotoASP_RAT | ir.alert | client = 'Mozilla/4.0' && filename = 'PHOTO.ASP' && http.request != 'referer' |
| apt_PNG_Rat | ir.alert | client = 'Windows+NT+5.1' |
| apt_Sykipot_RAT | ir.alert | client = 'HTTP-GET' |
| apt_WebC2_CS | ir.alert | client = 'Win32' && query begins 'ID=','INDEX=' |
| apt_ZipToken_UA_POST | ir.alert | client = 'HttpBrowser/1.0' && action = 'put' |
| bad_org_susp_other | ir.general | ir.general = 'suspicious_other' && ir.general = 'watchlist_org.dst' |
| | | = 'localhost' && service = 443 && direction = 'outbound' |
| bytes.ratio_high_tx | ir.general | medium=1 && bytes.ratio = 75-u |
| bytes.ratio_low_tx | ir.general | medium=1 && bytes.ratio = 1-25 |
| bytes.ratio_med_tx | ir.general | medium=1 && bytes.ratio = 25-75 |
| bytes.ratio_tx_only | ir.general | rxbytes !exists && medium=1 && bytes.ratio = 100-u |
| | | ends '' |
| common_src | ir.general | org.src='exacttarget','constant contact','responsys','sitewire marketspace solutions','isdnet','e-dialog','linkedin corporation','qwest communications','silverpop systems','psinet','postini','cheetahmail','','eloqua corporation','spark marketing llc','ibm-mgt','facebook','omeda communications','easystreet online services' |
| Crimeware_Black_Hole_Exploit_Kit | ir.alert | filename = 'web7.dat' |
| Crimeware_Zeus | ir.alert | service = 80 && action = 'put' && action != 'get' && filename = 'timestamps.php','gameover.php','gameover2.php','gameover3.php','gate.php' && http.request != 'referer' |
| Crimeware_Zeus_Knownbad | ir.alert | service = 80 && query contains 'index.php?r=gate&id=' |
| direct to ip http request | risk.suspicious | ir.general = 'http_direct_to_ip' |
| direct_to_ip_one_char_php | ir.general | ir.general = 'http_direct_to_ip' && ir.general = 'one_char_php_filename' && query exists |
| dynamic_dns_query | ir.general | service = 53 && = 'dynamic dns host','dynamic dns server' |
| Elderwood_XMailer_Artifact | ir.alert | emailxmailer contains '10.40.1836' |
| email_fwd | ir.general | ir.general = 'inbound_email' && subject begins 'fwd' |
| email_re | ir.general | ir.general = 'inbound_email' && subject begins 're' |
| exe_filetype | ir.general | filetype = 'x86_pe','x64_pe' \|\| filetype begins 'windows' |
| exe_under_10k | ir.general | size=1-10000 && ir.general = 'exe_filetype' |
| exe_under_5K | ir.general | size=1-5000 && ir.general = 'exe_filetype' |
| exe_under_75K | ir.general | size=1-75000 && ir.general = 'exe_filetype' |
| exe-ext_but_!exe-filetype | ir.general | extension = 'exe' && ir.general != 'exe_filetype' |
| exe-filetype_but_!exe-ext | ir.general | extension exists && extension != 'exe' && ir.general = 'exe_filetype' |
| express_x-mailer | ir.general | service=25 && client contains 'express' |
| external_dst | ir.general | ir.general != 'rfc1918_dst' && netname.dst !exists |
| external_src | ir.general | ir.general != 'rfc1918_src' && netname.src !exists |
| filter_netwitness | | (tcp.dstport = 50001-50008,50101-50108,56001-56008 \|\| tcp.srcport = 50001-50008,50101-50108,56001-56008) && (netname.src = 'netwitness' \|\| netname.dst = 'netwitness') |
| first_carve | ir.general | direction = 'outbound' && ir.general != 'zero_payload' && ir.general != 'single_sided_tcp' && ir.general != 'single_sided_udp' |
| first_carve_!advertising | ir.general | ir.general='first_carve' && ir.general = '!advertising' |
| first_carve_!dns | ir.general | ir.general='first_carve' && service!=53 |
| first_carve_!top20dst | ir.general | ir.general='first_carve' && ir.general = '!top20dst' |
| first_carve_!top20dst_!advertising | ir.general | ir.general='first_carve_!top20dst' && ir.general = '!advertising' |
| four_http_headers | ir.general | http.request exists && http.request count 1-4 && service = 80 && ir.general != 'three_http_headers' && ir.general != 'two_http_headers' |
| four_or_less_headers | ir.general | http.request exists && http.request count 1-4 && service = 80 |
| high_tx_outbound | ir.general | medium=1 && txbytes=4000000-u && 'outbound_traffic' |
| http direct to ip request | risk.info | ir.general = 'http_direct_to_ip' |
| http_access_to_dyndns_site | ir.general | service = 80 && = 'dynamic dns host','dynamic dns server' |
| http_connect | ir.general | service=80 && (action = 'connect' && action != 'get','head','options','delete','trace','put','patch') |
| http_direct_to_ip | ir.general | service = 80 && 'http direct to ip request' |
| http_get_no_post | ir.general | service=80 && action = 'get' && action != 'put','post' |
| http_no_ua | ir.general | service = 80 && agent.ext !exists |
| http_post_and_get | ir.general | service=80 && action = 'put','post' && action = 'get' |
| http_post_no_get | ir.general | service=80 && action = 'put','post' && action != 'get' |
| http_query_with_base64 | ir.general | service = 80 && action = 'GET','POST' && query contains '==' && ir.general != 'top20dst' |
| http_response_filename | ir.general | res.uniq contains 'filename' |
| http_response_filename_attachment | ir.general | res.uniq contains 'filename' && res.uniq contains 'attachment' |
| http_response_filename_bin | ir.alert | ir.general = 'http_response_filename_inline','http_response_filename_attachment' && attachment ends 'bin' |
| http_response_filename_exe | ir.alert | ir.general = 'http_response_filename_inline','http_response_filename_attachment' && ir.general = 'exe_filetype' |
| http_response_filename_inline | ir.general | res.uniq contains 'filename' && res.uniq contains 'inline' |
| http_tunnel_rat | ir.alert | query contains '[not%20httptunnel]' |
| icmp_large_session | ir.general | size=1000-u && ip.proto = 1 && = 'outbound_traffic' |
| icmp_tunnel | ir.general | service != 0 && ip.proto = 1 && = 'outbound_traffic' |
| ie_short_ua | ir.general | ir.general begins 'short_ie' |
| inbound | direction | ir.general = 'external_src' && ir.general = 'internal_dst' |