Phishing Lua Parser Options

Document created by RSA Information Design and Development on Aug 27, 2018. Last modified by RSA Information Design and Development on Nov 15, 2018.
Version 11

Caution: RSA strongly suggests that you do not subscribe to the options file. Subsequent downloads of this file will overwrite all changes that you have made to the file.

Note the following:

  • If you deploy the options file, it can be found in the same directory as parsers: /etc/netwitness/ng/parsers/.
  • The parser is not dependent upon the options file. The parser will load and run even in the absence of the options file. The options file is only required if you need to change the default settings.
  • If you do not have an options file (or if your options file is invalid), the parser uses the default settings.

Note: The parser will never use both the defaults and customized options. If the options file exists and its contents can be loaded, then the defaults will not be used at all.

The phishing_lua_options file contains the following options for controlling the parser:

  • Deduplicate Host Registration

  • Check Host Consistency

  • Whitelist Domain

  • Register URL Components

  • Register Entire URL

  • Host Key

To change an option from false to true, edit the line inside the corresponding function, from

return false

to

return true

The same applies when changing an option from true to false.

Note: Modifying any of these options requires a service restart to take effect; a simple parser reload is insufficient.

Deduplicate Host Registration

Name: deduplicate. Default value: true

By default, if the same host portion appears in multiple HREFs within a session, it will only be registered once for that session.

If this option is disabled, then the host portion of an HREF will be registered each time it is seen, regardless of whether it has already been registered previously for that session.

Note that this option only affects the behavior of this parser. A host may still be registered by another parser. This option has no effect on the Check Host Consistency option.

Check Host Consistency

Name: hostCheck. Default value: true

Compares the host portions of all URLs found within an HREF. If the host portion is a hostname, then only the domain portion is compared. If the host portion is an IP address, the entire IP is compared.

Whitelist Domain

Name: whitelistDomain. Has no default value.

Intended for sites that rewrite HREFs in email messages. For example:

<a href="http://www.foo.com">http://www.foo.com</a>

becomes:

<a href="http://redirect.example.com?url=http://www.foo.com">http://www.foo.com</a>

This option accepts a domain to exclude from consistency checking. The domain must be enclosed in quotes, such as "example.com".

Note that in the following example, an alert will still be registered even if "example.com" is whitelisted:

<a href="http://redirect.example.com?url=http://www.foo.com">http://www.bar.com</a>
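
The comparison described under Check Host Consistency and Whitelist Domain, modelled in Python as an added example (this is not RSA's parser code). Assumptions: all function and variable names, that URLs in both the href attribute and the link text are compared, and that the "domain portion" of a hostname is its last two labels.

```python
import ipaddress
import re

# Illustrative model only: names and matching rules here are assumptions.
ANCHOR_RE = re.compile(
    r'<a\s[^>]*href\s*=\s*["\']([^"\']*)["\'][^>]*>(.*?)</a>', re.I | re.S)
# Stops at ?, & and # so a URL embedded in a query string is matched separately.
URL_RE = re.compile(r"https?://[^\s\"'<>?&#]+", re.I)


def compare_key(url):
    """Value compared for one URL: the entire IP, or the hostname's domain portion."""
    host = url.split("://", 1)[1].split("/", 1)[0].rsplit("@", 1)[-1].lower()
    if host.startswith("["):                  # bracketed IPv6 literal
        host = host[1:].split("]", 1)[0]
    else:
        host = host.split(":", 1)[0]          # drop any port
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        # Assumption: domain portion approximated as the last two labels.
        return ".".join(host.rstrip(".").split(".")[-2:])


def inconsistent_links(html, whitelist_domain=None):
    """Return (href, compared values) for each anchor whose URLs disagree."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        keys = {compare_key(u) for u in URL_RE.findall(href + " " + text)}
        if whitelist_domain:
            keys.discard(whitelist_domain.lower())   # excluded from the check
        if len(keys) > 1:
            findings.append((href, sorted(keys)))
    return findings


# The two rewritten links from the page, plus two constructed samples.
REWRITTEN = '<a href="http://redirect.example.com?url=http://www.foo.com">http://www.foo.com</a>'
MISMATCH = '<a href="http://redirect.example.com?url=http://www.foo.com">http://www.bar.com</a>'
SAME_DOMAIN = '<a href="http://mail.foo.com/login">http://www.foo.com</a>'      # constructed
IP_DIFFERS = '<a href="http://192.0.2.10/login">http://192.0.2.11/login</a>'    # constructed

if __name__ == "__main__":
    for sample in (REWRITTEN, MISMATCH, SAME_DOMAIN, IP_DIFFERS):
        print(inconsistent_links(sample, whitelist_domain="example.com"))
```

With "example.com" whitelisted, the first link produces no finding, while the second is still flagged because foo.com and bar.com disagree.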

Register URL Components

Name: urlComponents. Default value: false.

Warning: Do not enable this option if you are enabling the Register Entire URL (registerURL) option.

In addition to host meta, this option registers the components of each URL found. For example, assume the following URL: http://www.example.com/directory/filename.ext?p=foo%3Dbar.

This registers the following meta:

  • directory: directory
  • filename: filename.ext
  • extension: ext
  • query: p=foo%3Dbar

No deduplication of components (other than host) is performed, even if the option Deduplicate Host Registration is enabled.

Register Entire URL

Name: registerUrl. Default value: false.

Warning: URLs are highly unique. Therefore, enabling this option will bloat the metadb, decreasing performance and retention, and is NOT ADVISED.

Do not enable this option if also enabling Register URL Components.

Registers the entirety of each URL found. The URL will be registered with the meta key url. Registered URLs will be a maximum of 256 characters (this is a standard meta length limitation).

No deduplication of URLs is performed, even if the Deduplicate Host Registration option is enabled.

Host Key

Name: hostKey. Default is alias.host.

Default behavior is to register extracted hosts as alias.host, alias.ip, or alias.ipv6 as appropriate.

Modifying this value will cause extracted hosts to instead be registered with the specified key. If the key does not already exist, it will be created. Normal key name restrictions apply.
