Using Regular Expressions within Investigator
I recently blogged about my experiences around detecting domains in alias.host field created by Domain Generating algorithms within investigator by using some regex. I'm not sure if the community allows link outs but I have screenshots and such there that would be a bit cumbersome to recreate here. Also I wanted to get the word out about the home version of Investigator for people toying with info sec at home to the 3 or so people that stumble upon my blog a month.
I'm interested in any more information around the syntax for regex within investigator. I view it as powerful as the regex abilities of an IDS signature, which I guess informer alerts would qualify as.
If there is an issue around posting links, just let me know. I didn't really see a "community rules" sticky.
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
Spoke to soon, looking at the concentrator shows that the regex query is being mangled with extra escape characters:
You didn't pass the full audit log, so I can't tell, but that may be legit. There are outer quotes passed for the full query and the inner quotes need to be escaped as part of the actual query. After the first level parsing, the second level would return to regular quotes. Try using single quotes ' instead of ".
Regardless, if you got the results you were expecting, it probably parsed fine.