[Fixed] Malware Analytics Invalid username or password error
The problem is now fixed, here are the steps you need to take in order for malware analysis to work:
- Deploy all available Live resources for Malware analysis. The target is every packet decoder you plan to include in malware monitoring.
- Add packet concentrator / broker to the Malware analysis broker
- Know / change the password for every service - concentrators, brokers and the malware services
- In the continuous monitoring configuration, we've pointed the Malware broker service at port 50003 (56003 for SSL).
- In order for Integration -> Test connection button to success, all above steps PLUS actively incoming packet sessions bust be present.
Bonus problems we've encountered:
If local Threat Grid appliance is installed, import the certificate from its console website (IP) to the Malware server.
Original post below
I'm having issues configuring a Malware Analytics server for Continuous Monitoring.
I have a Packet Concentrator that I want it to be monitored for files being transferred.
Files then should be automatically scanned by Malware Analytics.
On the first step to configure Continuous Scan, we provided the IP of the Packet Concentrator, its port 50005 and its service account.
I successfully used the same account to connect the Packet Decoder to the Concentrator, the Concentrator to the Malware Broker.
When we test the Integration connection following error appears:
Fail to establish a connection to the core device.
Checking the logs, Invalid username or password error appears.
We changed the password (Service -> Security tab) on both Malware Analytics and Packet Concentrator services, both were restarted.
Using SSL seems to stop the error log but still no connection is established.
We tried with new account created on the Packet Concentrator, still the same error.
Otherwise the manual upload and static analysis works just fine.
Can you give us some insight on what might be the problem?
Attached are screenshots of Malware Analytics & Broker configurations and logged errors.
- Community Thread
- Forum Thread
- Malware Analysis
- malware server
- RSA NetWitness
- RSA NetWitness Platform
I just wanted to provide an update since we found two steps not particularly addressed in the documentations.
First thing we tried was to add Malware Analysis Broker instead of the Packet Concentrator or the main Broker to the Continuous monitoring config.
The wrong username / password error persisted.
Then we tested the connection with SSL checkbox and SSL Broker port (56003) configured.
New error occurred in the logs:
0 sessions found. Please verify deployed RSA Live content including parsers and application rules.
Addressing that part, we deployed all Live parsers and rules for Malware Analysis (that was a missed step).
The test went successfully once, but I'm not able to reproduce it since we have some packet digesting issues.
Since we have yet to see a file extracted from packet session, I will keep updating this post.
Static analysis, Community scoring and ThreatGrid all work fine while manually uploading files.
Respond Auditing works too, generating alarms for the set thresholds.
I remain open for feedback.
Make sure you have deployed the "spectrum.lua" parser also and the "spectrum_consume.nwr" application rule, those are what tag the traffic to be consumed by malware analysis.