Convert SNORT rule to NetWitness Investigator 9.8 search/filter
I am new with NW/SA, please have patience .
Does anyone know if there is a way for me to convert this rule to make a custom filter or to search in NetWitness Investigator for the following SNORT rule:
Outgoing traffic through standard HTTP/HTTPS ports 80, 443 (and possibly others), but obfuscates traffic by
XORing the traffic with 0x36. The below is a SNORT signature related to this activity:
alert tcp any any -> any any (content:"|6E|"; depth: 1; content:"|36 36 36 58 36 36 36|"; offset: 3; depth: 7;
msg: "Beacon C2"; sid: 1000000001; rev:0)
Any help is appreciated.
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform