This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA NetWitness® Platform Discussions

Discussions about the RSA NetWitness Platform.
RSAAdmin
Beginner
Beginner
‎2013-08-19 09:14 AM

How do I read an IP address in a flex parser?

Jump to solution

I'm trying to write a simple flex parser for netwitness 9.8 which will find the string "client:" in HTTP traffic and then return the IP address that follows that string.

I've run in to a few questions regarding this parser, would be great if anyone can contribute from their experience

1. I've seen examples of retrieving a set number of characters following a specific string but an IP address can be between 7 and 15 characters.

2. There is no point in applying my parser to all the traffic in the network, i need it to run only on very specific traffic (one subnet, port 80), is there a way to specify in my parser perhaps?

3. This string repeats itself many times in every session, identical value per session, would the parser stop once it found the first value or continue to run through the whole session?

 

Itay

0 Likes
Reply
1 Solution

Accepted Solutions
RuiAtaide
Frequent Contributor Frequent Contributor
Frequent Contributor
‎2013-08-22 10:03 AM

Jump to solution

Is this a proxy X-Forwarded-For: like header? I know certain proxies use Client-IP instead.

 

If that's the case, there is an xforwadedfor parser in NWLive content that might help you. I'm not sure if it actually also looks at the Client-IP as an option, I believe it does.

 

To answer your other question, again if the data you have is an HTTP header then the line would be terminated with a <newline> so what you can do is find the relative position of the 0x0d character and then read a string of that length.

 

Something like the lines below after your token match statement.

 

   <find name="Len" value="&#x0D;" length="25">

          <read name="clientIP" length="$Len">

 

Hope that helps!

 

Regards,

 

Rui

View solution in original post

0 Likes
Reply
5 Replies
RSAAdmin
Beginner
Beginner
‎2013-08-19 02:45 PM

Jump to solution

I'm not too sure what you are trying to detect, but yes, you can extract an IP or any other text string variable from a session for a specific service, port or other parameter you specify.  And yes, you can make it stop searching after a match.  Do you have a sample pcap of what you are trying to key on?

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2013-08-20 03:29 AM

Jump to solution

nothing I can send out unfortunately, but the packet contains a string like "Client-ip:10.0.0.1" either followed by additional info ("GET" for example), or at the end of the packet.

0 Likes
Reply
RuiAtaide
Frequent Contributor Frequent Contributor
Frequent Contributor
‎2013-08-22 10:03 AM

Jump to solution

Is this a proxy X-Forwarded-For: like header? I know certain proxies use Client-IP instead.

 

If that's the case, there is an xforwadedfor parser in NWLive content that might help you. I'm not sure if it actually also looks at the Client-IP as an option, I believe it does.

 

To answer your other question, again if the data you have is an HTTP header then the line would be terminated with a <newline> so what you can do is find the relative position of the 0x0d character and then read a string of that length.

 

Something like the lines below after your token match statement.

 

   <find name="Len" value="&#x0D;" length="25">

          <read name="clientIP" length="$Len">

 

Hope that helps!

 

Regards,

 

Rui

View solution in original post

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RuiAtaide
‎2013-08-22 11:54 AM

Jump to solution

Its very similar, looks like the x-forwarder parser would be just the thing but i couldn't figure out how to find out if it has options and how to set them if it does.

I might be going about the wrong way, but i've been trying to use investigator to test out the parser i tried writing and I always get an empty report for that value, this is what i've done based on the samples i have for parsers and your suggestion:

defined a key:

<key description="Cip" level="IndexValues" name="cl.ip" format="text" valueMax="100000" />

 

 

defined the parser:

<parser name="C_ip" desc="track C_ip">

  <declaration>

   <token name="ipaddress" value="Client-ip:" options="linestart" />

   <string name="Ipstring" scope="stream"/>

   <meta name="clientip" key="cl.ip" format="text"/>

  </declaration>

 

  <match name="ipaddress">

    <find name="EOL" value="&#x0D;" length="25" />

     <read name="Ipstring" length="$EOL" >

      <register name="clientip" value="$Ipstring"/>

     </read>

  </match>

</parser>

 

then open investigator and open a local collection that i imported a pcap file with the relevant packets into.

0 Likes
Reply
RuiAtaide
Frequent Contributor Frequent Contributor
Frequent Contributor
In response to RSAAdmin
‎2013-08-22 12:13 PM

Jump to solution

Looks OK, except I don't see EOL declared as a number. Is that the entire parser?

 

Also don't forget the <parsers>  </parsers> around your parser in your file.

 

Look at the logs any errors should show up there. They are under Help->Show Log

 

The X-Forwarded-For Parser will put the relevant info in the orig_ip meta which is "<key description="Originating IP Address" level="IndexKeys" name="orig_ip" />" in Investigator. Currently there is no way of passing parameters/options to parsers.

 

Hope that helps!

 

Regards,

 

Rui

0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.