AnsweredAssumed Answered

Questions on using Decoder parsers

Question asked by Cris Rhea on Jul 13, 2015
Latest reply on Jul 16, 2015 by RSA Admin

Like • Show 0 Likes0
Comment • 3

I'm trying to solve two separate problems and running into brick walls with both.

Background: Running NetWitness 9.8.5.20 - Decoders + Concentrators + Broker.

Problem #1: I want to set an alert if a *packet* has a certain number of bytes in the data payload.

I went down the road of thinking the snort engine could do this with the "dsize" directive, but it appears this isn't implemented

in the NW snort parser. Note: I'm looking for a specific *packet*, not the whole session/stream.

Problem #2: I want to see if an HTTP Cookie matches a PCRE and set an alert. Similar issue-- thinking snort parser, but PCRE on snort parser only looks at URI. Should I try the Search engine for this (setting PATTERN to be "Cookie: <My PCRE>", or is there a better way?

Thanks for any insight-

--- Cris

RSA Admin

Jul 16, 2015 5:37 PM

Correct Answer

One way in lua would be:

string.find(someString, "%u%u%u?%u?%u?=%a+")

%u is any upper case character

%a is any character (case-insensitive)

I'll write up a quick lua parser proof of concept for you soon.

See the reply in context

No one else had this question

Outcomes

RSA Admin

Jul 14, 2015 11:07 AM

(1) Correct, the snort implementation doesn't include dsize. This could be accomplished in flex, but it would be very painful - possibly crippling the decoder. You'd have to, starting at the beginning of each stream, loop (a) moving 1 byte, (b) getting a packetid, while (c) keeping a count of how many moves it takes for the packetid to increment.

However, lua on 10.x+ could do this easily - still a bit painful for the decoder, but not debilitating. Unfortunately, lua on 9.8 doesn't have the necessary functionality.

(2) A flex parser can do this. Match on "Cookie: ", use the <regex ... > function. However, it would be much easier and more efficient in lua, and a 9.8 lua parser can do this. Lua parsers aren't officially supported on 9.8, and don't have the full functionality of lua parsers on 10.x+, but it can be used. Caveat is that lua itself doesn't have full regex - but lua's pattern matching and string manipulation can accomplish pretty much any logic that can be done in regex.

If you can give me an example of what you're looking for in a cookie, I'll post a POC lua parser for you when I have a chance.

Actions

Cris Rhea @ RSA Admin on Jul 15, 2015 9:36 AM

I don't know much about LUA, but I'd like to see how you'd handle this with a LUA parser.

For an example PCRE cookie search, something like:

[A-Z]{2,5}=[A-Za-z]+

(basically being able to specify character sets and min/max occurrences.)

Thanks!

Actions

RSA Admin

@ Cris Rhea on Jul 16, 2015 5:37 PM

One way in lua would be:

string.find(someString, "%u%u%u?%u?%u?=%a+")

%u is any upper case character

%a is any character (case-insensitive)

I'll write up a quick lua parser proof of concept for you soon.

Actions

3 Replies

RSA Admin Jul 14, 2015 11:07 AM
Mark Correct
Correct Answer
(1) Correct, the snort implementation doesn't include dsize. This could be accomplished in flex, but it would be very painful - possibly crippling the decoder. You'd have to, starting at the beginning of each stream, loop (a) moving 1 byte, (b) getting a packetid, while (c) keeping a count of how many moves it takes for the packetid to increment.

However, lua on 10.x+ could do this easily - still a bit painful for the decoder, but not debilitating. Unfortunately, lua on 9.8 doesn't have the necessary functionality.

(2) A flex parser can do this. Match on "Cookie: ", use the <regex ... > function. However, it would be much easier and more efficient in lua, and a 9.8 lua parser can do this. Lua parsers aren't officially supported on 9.8, and don't have the full functionality of lua parsers on 10.x+, but it can be used. Caveat is that lua itself doesn't have full regex - but lua's pattern matching and string manipulation can accomplish pretty much any logic that can be done in regex.

If you can give me an example of what you're looking for in a cookie, I'll post a POC lua parser for you when I have a chance.
Like • Show 1 Like1
Actions
- Cris Rhea @ RSA Admin on Jul 15, 2015 9:36 AM
  Mark Correct
  Correct Answer
  I don't know much about LUA, but I'd like to see how you'd handle this with a LUA parser.
  
  For an example PCRE cookie search, something like:
  
  [A-Z]{2,5}=[A-Za-z]+
  
  (basically being able to specify character sets and min/max occurrences.)
  
  Thanks!
  Like • Show 0 Likes0
  Actions
  - RSA Admin @ Cris Rhea on Jul 16, 2015 5:37 PM
    Unmark Correct
    Correct Answer
    One way in lua would be:
    
    string.find(someString, "%u%u%u?%u?%u?=%a+")
    
    %u is any upper case character
    %a is any character (case-insensitive)
    
    I'll write up a quick lua parser proof of concept for you soon.
    Like • Show 0 Likes0
    Actions

Questions on using Decoder parsers

Outcomes

Related Content

Recommended Content