This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
  • RSA.com
  • Products
    • Archer®
      • Archer®
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Archer® Exchange
      • Training
      • Upcoming Events
      • Videos
    • RSA® Fraud & Risk Intelligence Suite
      • RSA® Fraud & Risk Intelligence Suite
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Web Threat Detection
      • Upcoming Events
      • Videos
    • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Cloud
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Upcoming Patch Content
      • Videos
    • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication Mobile SDK
      • Advisories
      • Events
      • Ideas
      • Knowledge Base
      • Request Access
      • Training
    • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® Adaptive Authentication for eCommerce
      • RSA® Adaptive Authentication for eCommerce
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® FraudAction Services
      • RSA® FraudAction Services
      • Advisories
      • Discussions
      • Documentation
      • Ideas
      • Videos
    • RSA® Web Threat Detection
      • RSA® Web Threat Detection
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Videos
    • RSA NetWitness® Platform
      • RSA NetWitness® Platform
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Integrations
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • RSA NetWitness® Detect AI
      • RSA NetWitness® Detect AI
      • Documentation
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA NetWitness® Investigator
      • RSA NetWitness® Investigator
      • Documentation
      • Download the Client
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA NetWitness® Orchestrator
      • RSA NetWitness® Orchestrator
      • Overview
      • Documentation
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA SecurID® Suite
      • RSA SecurID® Suite
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Knowledge Base
      • Ideas
      • Integrations
      • Training
      • Videos
    • RSA® Identity Governance & Lifecycle
      • RSA® Identity Governance & Lifecycle
      • Advisories
      • Blog
      • Community Exchange
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • RSA SecurID® Access
      • RSA SecurID® Access
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Integrations
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • Other RSA® Products
      • Other RSA® Products
      • RSA® Access Manager
      • RSA® Data Loss Prevention
      • RSA® Digital Certificate Solutions
      • RSA enVision®
      • RSA® Federated Identity Manager
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
  • Resources
    • Advisories
      • Product Advisories on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Hosted
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Product Advisories
    • Blogs
      • Blogs on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Blogs on RSA Link
    • Discussion Forums
      • Discussion Forums
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Discussion Forums on RSA Link
    • Documentation
      • Product Documentation
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Documentation on RSA Link
    • Downloads
      • Product Downloads
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Downloads on RSA Link
    • Ideas
      • Idea Exchange
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Documentation on RSA Link
    • Knowledge Base
      • Knowledge Base
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Knowledge Base Pages on RSA Link
    • Upcoming Events on RSA Link
      • Upcoming Events
    • Videos
      • Videos on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Videos on RSA Link
  • Support
    • RSA Link Support
      • RSA Link Support
      • News & Announcements
      • Getting Started
      • Support Forum
      • Support Knowledge Base
      • Ideas & Suggestions
    • RSA Product Support
      • RSA Product Support
      • General Security Advisories and Statements
      • Product Life Cycle
      • Support Information
      •  
      •  
      •  
      •  
      •  
  • RSA Ready
  • RSA University
    • Certification Program
      • Certification Program
    • Course Catalogs
      • Course Catalogs
      • Archer®
      • RSA NetWitness® Platform
      • RSA SecurID® Suite
    • On-Demand Subscriptions
      • On-Demand Subscriptions
      • Archer®
      • RSA NetWitness® Platform
      • RSA SecurID® Suite
    • Product Training
      • Product Training
      • Archer®
      • RSA® Fraud & Risk Intelligence Suite
      • RSA® Identity Governance & Lifecycle
      • RSA NeWitness® Platform
      • RSA SecurID® Access
    • Student Resources
      • Student Resources
      • Access On-Demand Learning
      • Access Virtual Labs
      • Contact RSA University
      • Enrollments & Transcripts
      • Frequently Asked Questions
      • Getting Started
      • Learning Modalities
      • Payments & Cancellations
      • Private Training
      • Training Center Locations
      • Training Credits
      • YouTube Channel
    • Upcoming Events
      • Upcoming Events
      • Full Calendar
      • Conferences
      • Live Classroom Training
      • Live Virtual Classroom Training
      • Webinars
Sign In Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

Visit the Known Issues dashboard if you are experiencing issues on RSA Link

View Dashboard

RSA NetWitness® Platform Discussions

Discussions about the RSA NetWitness Platform.
  • RSA Link
  • :
  • Products
  • :
  • RSA NetWitness Platform
  • :
  • Discussions
  • :
  • How do I read an IP address in a flex parser?
  • Options
    • Subscribe to RSS Feed
    • Mark Topic as New
    • Mark Topic as Read
    • Float this Topic for Current User
    • Bookmark
    • Subscribe
    • Mute
    • Printer Friendly Page
RSAAdmin
RSAAdmin Beginner
Beginner
‎2013-08-19 09:14 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

How do I read an IP address in a flex parser?

Jump to solution

I'm trying to write a simple flex parser for netwitness 9.8 which will find the string "client:" in HTTP traffic and then return the IP address that follows that string.

I've run in to a few questions regarding this parser, would be great if anyone can contribute from their experience

1. I've seen examples of retrieving a set number of characters following a specific string but an IP address can be between 7 and 15 characters.

2. There is no point in applying my parser to all the traffic in the network, i need it to run only on very specific traffic (one subnet, port 80), is there a way to specify in my parser perhaps?

3. This string repeats itself many times in every session, identical value per session, would the parser stop once it found the first value or continue to run through the whole session?

 

Itay

  • Tags:
  • Community Thread
  • Discussion
  • flex
  • Forum Thread
  • NetWitness
  • NW
  • NWP
  • Parser
  • RSA NetWitness
  • RSA NetWitness Platform
0 Likes
Share
Reply
  • All forum topics
  • Previous Topic
  • Next Topic
1 Solution

Accepted Solutions
RuiAtaide
Contributor RuiAtaide Contributor
Contributor
‎2013-08-22 10:03 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Jump to solution

Is this a proxy X-Forwarded-For: like header? I know certain proxies use Client-IP instead.

 

If that's the case, there is an xforwadedfor parser in NWLive content that might help you. I'm not sure if it actually also looks at the Client-IP as an option, I believe it does.

 

To answer your other question, again if the data you have is an HTTP header then the line would be terminated with a <newline> so what you can do is find the relative position of the 0x0d character and then read a string of that length.

 

Something like the lines below after your token match statement.

 

   <find name="Len" value="&#x0D;" length="25">

          <read name="clientIP" length="$Len">

 

Hope that helps!

 

Regards,

 

Rui

View solution in original post

0 Likes
Share
Reply
5 Replies
RSAAdmin
RSAAdmin Beginner
Beginner
‎2013-08-19 02:45 PM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Jump to solution

I'm not too sure what you are trying to detect, but yes, you can extract an IP or any other text string variable from a session for a specific service, port or other parameter you specify.  And yes, you can make it stop searching after a match.  Do you have a sample pcap of what you are trying to key on?

0 Likes
Share
Reply
RSAAdmin
RSAAdmin Beginner
Beginner
In response to RSAAdmin
‎2013-08-20 03:29 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Jump to solution

nothing I can send out unfortunately, but the packet contains a string like "Client-ip:10.0.0.1" either followed by additional info ("GET" for example), or at the end of the packet.

0 Likes
Share
Reply
RuiAtaide
Contributor RuiAtaide Contributor
Contributor
‎2013-08-22 10:03 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Jump to solution

Is this a proxy X-Forwarded-For: like header? I know certain proxies use Client-IP instead.

 

If that's the case, there is an xforwadedfor parser in NWLive content that might help you. I'm not sure if it actually also looks at the Client-IP as an option, I believe it does.

 

To answer your other question, again if the data you have is an HTTP header then the line would be terminated with a <newline> so what you can do is find the relative position of the 0x0d character and then read a string of that length.

 

Something like the lines below after your token match statement.

 

   <find name="Len" value="&#x0D;" length="25">

          <read name="clientIP" length="$Len">

 

Hope that helps!

 

Regards,

 

Rui

View solution in original post

0 Likes
Share
Reply
RSAAdmin
RSAAdmin Beginner
Beginner
In response to RuiAtaide
‎2013-08-22 11:54 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Jump to solution

Its very similar, looks like the x-forwarder parser would be just the thing but i couldn't figure out how to find out if it has options and how to set them if it does.

I might be going about the wrong way, but i've been trying to use investigator to test out the parser i tried writing and I always get an empty report for that value, this is what i've done based on the samples i have for parsers and your suggestion:

defined a key:

<key description="Cip" level="IndexValues" name="cl.ip" format="text" valueMax="100000" />

 

 

defined the parser:

<parser name="C_ip" desc="track C_ip">

  <declaration>

   <token name="ipaddress" value="Client-ip:" options="linestart" />

   <string name="Ipstring" scope="stream"/>

   <meta name="clientip" key="cl.ip" format="text"/>

  </declaration>

 

  <match name="ipaddress">

    <find name="EOL" value="&#x0D;" length="25" />

     <read name="Ipstring" length="$EOL" >

      <register name="clientip" value="$Ipstring"/>

     </read>

  </match>

</parser>

 

then open investigator and open a local collection that i imported a pcap file with the relevant packets into.

0 Likes
Share
Reply
RuiAtaide
Contributor RuiAtaide Contributor
Contributor
In response to RSAAdmin
‎2013-08-22 12:13 PM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Jump to solution

Looks OK, except I don't see EOL declared as a number. Is that the entire parser?

 

Also don't forget the <parsers>  </parsers> around your parser in your file.

 

Look at the logs any errors should show up there. They are under Help->Show Log

 

The X-Forwarded-For Parser will put the relevant info in the orig_ip meta which is "<key description="Originating IP Address" level="IndexKeys" name="orig_ip" />" in Investigator. Currently there is no way of passing parameters/options to parsers.

 

Hope that helps!

 

Regards,

 

Rui

0 Likes
Share
Reply
Powered by Khoros
  • Products
  • Resources
  • Solutions
  • RSA University
  • Support
  • RSA Labs
  • RSA Ready
  • About RSA Link
  • Terms & Conditions
  • Privacy Statement
  • Provide Feedback
© 2020 RSA Security LLC or its affiliates.
All rights reserved.