This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA NetWitness® Platform Blog

Subscribe to the official RSA NetWitness Platform blog for information about new product features, industry insights, best practices, and more.

Top Level Domain (TLD) Lua Parser for Logs

EricPartington
Employee
Employee
3 2 8,079
‎2018-04-16 07:05 AM

The TLD parser has been updated to now deploy on Log Decoders.  

 

The parser looks for the following keys from log devices to parse out the same information as packets:

  • Alias.host
  • Host.src
  • Host.dst
  • Domain.dst
  • Domain.src
  • FQDN

 

Which writes out information into:

* alert.id - mapped to risk meta
* analysis.service - hostname characteristics
* cctld - (nonstandard) (optional) country-code top level domain, e.g., www.amazon.co.uk -> co.uk
* sld - (nonstandard) (optional) second level domain, e.g. www.amazon.co.uk -> amazon
* tld - top level domain, e.g. www.amazon.com -> com

 

When searching for Lua and Log in the RSA Live deployment screen you will see the following:

pastedImage_2.png

 

And linked dependancies:

pastedImage_3.png

 

So this is a really simple method of getting nwll.lua deployed to a log decoder if your custom parser requires that library (PaloAlto URL.raw parser for instance).

2 Comments
RichardvandenBe
Beginner
Beginner
‎2019-07-31 05:16 AM

Thanks a lot for this very useful info. I also found the documentation at Packet Parsers 

We observed the following:

 

  1. tld of mta1._domainkey.example.de -> example.de
  2. sld of mta1._domainkey.example.de -> _domainkey

This is pretty strange as it pollutes the tld and sld tables.

0 Likes
WilliamMotley1
Employee
Employee
‎2019-07-31 08:26 AM

That's intentional.  The behavior in the presence of a ccTLD is,

 

Four or more total tags

  • last tag -> cctld
  • 2nd to last and last tag combined -> tld
  • 3rd to last tag -> sld

Three or fewer total tags

  • last tag -> cctld
  • last tag -> tld (also)
  • 2nd to last tag -> sld

 

Examples:

    www.amazon.co.uk

        cctld:  uk

        tld:     co.uk

        sld:    amazon

 

    www.amazon.de

        cctld:  de

        tld:      de

        sld:     amazon

 

 

The parser does not account for policy differences between registries concerning 3rd-level domains, and instead uses the same "rules" consistently for all hosts.  The only record of those policy differences in the "Public Suffix List".  Incorporating those policy differences would necessitate the analyst also being familiar with the Public Suffix List and all the policy differences between registries.  Whereas the behavior of the parser is consistent for all hostnames.

0 Likes
© 2020 RSA Security LLC or its affiliates.
All rights reserved.