Convert SNORT rule to NetWitness Investigator 9.8 search/filter

Question asked by RSA Admin Employee on Aug 21, 2014

I am new to NW/SA, please have patience.


Does anyone know if there is a way for me to convert this rule to make a custom filter or to search in NetWitness Investigator for the following SNORT rule:


Network-Based Indicator

Outgoing traffic through standard HTTP/HTTPS ports 80, 443 (and possibly others), but obfuscates traffic by XORing the traffic with 0x36. The below is a SNORT signature related to this activity:



alert tcp any any -> any any (content:"|6E|"; depth: 1; content:"|36 36 36 58 36 36 36|"; offset: 3; depth: 7; msg: "Beacon C2"; sid: 1000000001; rev:0)



Any help is appreciated.


Thank you.
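
What the rule's two content tests check on a TCP payload, as an added Python example that is not part of the original post and is not NetWitness syntax. `content_match` is a hypothetical helper modelling Snort's absolute `offset`/`depth` search window, and the payloads are constructed samples.

```python
# Added illustration: offline evaluation of the two content tests in the
# Snort rule quoted above, plus the single-byte XOR named in the indicator.
XOR_KEY = 0x36  # key stated in the indicator text

def content_match(payload: bytes, pattern: bytes, offset: int = 0, depth=None) -> bool:
    """Snort-style absolute content test (hypothetical helper).

    The pattern must occur inside payload[offset : offset + depth];
    depth=None means the window runs to the end of the payload.
    """
    end = len(payload) if depth is None else offset + depth
    return pattern in payload[offset:end]

def matches_beacon_rule(payload: bytes) -> bool:
    # content:"|6E|"; depth: 1;  -> first payload byte is 0x6E
    first = content_match(payload, b"\x6e", depth=1)
    # content:"|36 36 36 58 36 36 36|"; offset: 3; depth: 7;
    # A 7-byte pattern in a 7-byte window must sit exactly at bytes 3..9.
    second = content_match(payload, bytes.fromhex("36363658363636"),
                           offset=3, depth=7)
    return first and second

def xor_decode(payload: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the single-byte XOR so the underlying bytes can be inspected."""
    return bytes(b ^ key for b in payload)

# Constructed sample payloads (not captured traffic).
SAMPLE_HIT = bytes.fromhex("6e0102" "36363658363636" "aabb")
SAMPLE_SHIFTED = bytes.fromhex("6e010203" "36363658363636")  # pattern 1 byte late
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, data in [("hit", SAMPLE_HIT),
                       ("shifted", SAMPLE_SHIFTED),
                       ("http", SAMPLE_HTTP)]:
        print(f"{name:8} match={matches_beacon_rule(data)} "
              f"decoded_head={xor_decode(data[:10]).hex()}")
```

Decoding the matched bytes with 0x36 shows what the signature keys on: 0x6E becomes 0x58, each 0x36 becomes 0x00, and 0x58 becomes 0x6E.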