
Questions on using Decoder parsers

Question asked by Cris Rhea on Jul 13, 2015
Latest reply on Jul 16, 2015 by RSA Admin

I'm trying to solve two separate problems and running into brick walls with both.

Background:  Running NetWitness 9.8.5.20 - Decoders + Concentrators + Broker.

Problem #1: I want to set an alert if a *packet* has a certain number of bytes in the data payload.

I went down the road of thinking the snort engine could do this with the "dsize" directive, but it appears this isn't implemented in the NW snort parser. Note: I'm looking for a specific *packet*, not the whole session/stream.

Problem #2: I want to see if an HTTP Cookie matches a PCRE and set an alert. Similar issue -- thinking snort parser, but PCRE on the snort parser only looks at the URI. Should I try the Search engine for this (setting PATTERN to be "Cookie: <My PCRE>"), or is there a better way?

Thanks for any insight-

--- Cris
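The two problems in the post hinge on one distinction: a per-packet check (snort's `dsize`) sees each TCP segment on its own, while a header match such as a Cookie PCRE is only reliable on the reassembled session, because a header can be split across segments. The following added example (not NetWitness configuration and not the poster's code) illustrates that on a constructed HTTP request split into three segments; the packet bytes, the `tracker=EVIL-...` cookie pattern and all function names are assumptions made for the illustration.

```python
import re
from typing import List, Optional, Pattern

# Constructed sample: one HTTP request carried in three TCP segments. The
# Cookie header is deliberately cut in the middle ("tr" / "acker=...") and
# the last segment is a pure ACK with no payload.
SAMPLE_PACKETS: List[bytes] = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nCookie: session=abc123; tr",
    b"acker=EVIL-9f8e7d\r\nUser-Agent: test\r\n\r\n",
    b"",
]

# Constructed detection pattern, standing in for the poster's "<My PCRE>".
COOKIE_PATTERN: Pattern[str] = re.compile(r"tracker=EVIL-[0-9a-f]{6}")


def packets_with_payload_size(packets: List[bytes], size: int) -> List[int]:
    """Per-packet test, the semantics of snort's dsize:<n>: return the indices
    of segments whose payload is exactly `size` bytes."""
    return [i for i, payload in enumerate(packets) if len(payload) == size]


def session_payload_size(packets: List[bytes]) -> int:
    """Whole-session byte count, which is what a stream-level size rule sees."""
    return sum(len(payload) for payload in packets)


def reassemble(packets: List[bytes]) -> bytes:
    """Naive in-order reassembly of the segments into one request buffer."""
    return b"".join(packets)


def per_packet_regex_hits(packets: List[bytes], pattern: Pattern[str]) -> List[int]:
    """Apply the pattern to each segment in isolation; a header that spans a
    segment boundary is invisible here."""
    return [i for i, payload in enumerate(packets)
            if pattern.search(payload.decode("latin-1"))]


def cookie_header(request: bytes) -> Optional[str]:
    """Return the value of the Cookie header from a reassembled HTTP request,
    or None if the headers are incomplete or no Cookie header is present."""
    head, sep, _body = request.partition(b"\r\n\r\n")
    if not sep:
        return None  # headers not terminated: incomplete request
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"cookie":
            return value.strip().decode("latin-1")
    return None


def cookie_matches(request: bytes, pattern: Pattern[str]) -> bool:
    """Session-level check: match the pattern against the Cookie header only,
    not against the URI or the rest of the request."""
    value = cookie_header(request)
    return value is not None and pattern.search(value) is not None


if __name__ == "__main__":
    print("segments of 72 bytes:", packets_with_payload_size(SAMPLE_PACKETS, 72))
    print("session bytes:", session_payload_size(SAMPLE_PACKETS))
    print("per-packet cookie hits:", per_packet_regex_hits(SAMPLE_PACKETS, COOKIE_PATTERN))
    print("reassembled cookie match:", cookie_matches(reassemble(SAMPLE_PACKETS), COOKIE_PATTERN))
```

Run as a script it shows the gap: the first segment alone is 72 bytes while the session is 111, and the cookie pattern matches nothing packet by packet but does match once the segments are reassembled. Whatever engine ends up doing the work, the size alert belongs to a per-packet rule and the Cookie PCRE to a session-level parser.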
