I'm trying to solve two separate problems and running into brick walls with both.
Background: Running NetWitness 9.8.5.20 - Decoders + Concentrators + Broker.
Problem #1: I want to set an alert if a *packet* has a certain number of bytes in the data payload.
I went down the road of thinking the snort engine could do this with the "dsize" directive, but it appears this isn't implemented
in the NW snort parser. Note: I'm looking for a specific *packet*, not the whole session/stream.
Problem #2: I want to see if an HTTP Cookie matches a PCRE and set an alert. Similar issue-- thinking snort parser, but PCRE on snort parser only looks at URI. Should I try the Search engine for this (setting PATTERN to be "Cookie: <My PCRE>"), or is there a better way?
Thanks for any insight-
--- Cris
One way in lua would be:
string.find(someString, "%u%u%u?%u?%u?=%a+")
%u is any upper case character
%a is any character (case-insensitive)
I'll write up a quick lua parser proof of concept for you soon.
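As an added illustration of both problems in the thread (not NetWitness parser code and not the Lua proof of concept promised above), the Python below does the two checks on a single packet: it computes the TCP data payload size of one Ethernet/IPv4/TCP frame from the IP and TCP header lengths, and it pulls the Cookie header out of an HTTP request and tests it with a regex written to match the same strings as the Lua pattern `%u%u%u?%u?%u?=%a+` (two to five upper-case letters, `=`, then one or more letters). The frame builder, the sample requests and the function names are constructed for this example and are not part of the original post.

```python
import re
import struct

# Added example, not NetWitness code. Constructed Ethernet/IPv4/TCP framing
# (no VLAN tags, no IP or TCP options beyond what the headers declare).

# Regex equivalent of the Lua pattern "%u%u%u?%u?%u?=%a+":
# 2-5 upper-case letters, "=", one or more letters.
COOKIE_PATTERN = re.compile(r"[A-Z]{2,5}=[A-Za-z]+")

# Constructed sample requests.
REQ = b"GET / HTTP/1.1\r\nHost: example.test\r\nCookie: SESSID=abcdef; x=1\r\n\r\n"
REQ_NUMERIC = b"GET / HTTP/1.1\r\nCookie: SESSID=123456\r\n\r\n"


def tcp_payload(frame):
    """Return the TCP data payload of one Ethernet/IPv4/TCP frame, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                              # IP header length
    total_len = struct.unpack("!H", ip[2:4])[0]           # IP total length
    if ip[9] != 6 or total_len > len(ip) or ihl + 20 > total_len:
        return None                                       # not TCP / truncated
    data_off = (ip[ihl + 12] >> 4) * 4                    # TCP header length
    return ip[ihl + data_off:total_len]


def cookie_header(request):
    """Return the value of the first Cookie header in an HTTP request, or None."""
    head, _, _ = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:                  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"cookie":
            return value.strip().decode("latin-1")
    return None


def cookie_matches(request, pattern=COOKIE_PATTERN):
    """True when the Cookie header exists and the pattern is found in it."""
    value = cookie_header(request)
    return value is not None and pattern.search(value) is not None


def check_packet(frame, min_payload):
    """Names of the alerts one packet would raise: size and/or cookie match."""
    raised = []
    payload = tcp_payload(frame)
    if payload is None:
        return raised
    if len(payload) >= min_payload:                       # per-packet, not per-session
        raised.append("payload_size")
    if payload.startswith((b"GET ", b"POST ")) and cookie_matches(payload):
        raised.append("cookie_pattern")
    return raised


def build_frame(payload):
    """Constructed Ethernet/IPv4/TCP frame with minimal headers around payload."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                     64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    for req in (REQ, REQ_NUMERIC):
        frame = build_frame(req)
        print(len(tcp_payload(frame)), "bytes ->", check_packet(frame, 64))
```

The numeric cookie in `REQ_NUMERIC` shows the edge case worth knowing before deploying the Lua pattern: `%a+` only accepts letters, so a cookie value made of digits does not match even though the name part does.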