File Extraction Script

Discussion created by RSA Admin Employee on Sep 17, 2012
Latest reply on Sep 18, 2012 by Rui Ataide

I recently got the attached Perl script from a NetWitness engineer (he's not the author and is unable to provide direct assistance; I'm not terribly good at scripting either). It's built to extract files or other data out of NetWitness via the CLI, but I'm unable to get it functioning correctly. One of the biggest issues I'm having is with the use of the '-l' option. I've used the script to set the .lastmeta file to the latest meta session ID. When using the -l option, the search does nothing. If I don't use the -l option, it starts processing at session 1, which means I'm searching through all 25 billion meta sessions, which never finishes before the server runs out of memory. If anyone with more experience can take a look and let me know if you have any suggestions, I would appreciate it. This is the only utility I've seen that can rip out EXEs, PDFs, etc. through the CLI for analysis. I would really like to get it working, but if someone has something better, I'm open to all suggestions. Thanks!

I've tested the following queries (sensitive data removed):

./ -m "" -u username -p password -i -l -a query -o summary "service=53"

--This query does nothing

./ -m "" -u username -p password -i -t -a query -o summary "service=53"

--This query works, starts processing data from the beginning of time

./ -m "" -u username -p password -i -l 25037950437 -a query -o summary "service=53"

--Here I tried specifying the session I wanted it to start on but I get the following CLI error:

400 Bad Request[*] session info failed

--This command generates an SDK query such as the following (no id2 is specified, and I get the following error back from the server):

Bad Request

Parameter id2: Value '' is not a valid unsigned integer
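The last error above is the SDK rejecting a query whose id2 (the end of the session window) was sent as an empty string. The following is an added example, not the Perl script from this thread and not NetWitness code: it shows the client-side check a script like this needs, so that an empty or malformed .lastmeta file, or a missing id2, fails before any request is sent rather than silently restarting at session 1 or producing a 400. Python is used here instead of Perl purely for illustration. The parameter names id1, id2 and query mirror the error text above; the /sdk endpoint path, the .lastmeta format (one decimal session ID), and the 64-bit bound on session IDs are assumptions.

```python
import re
from urllib.parse import urlencode

# Assumption: session IDs fit in an unsigned 64-bit integer.
MAX_UINT64 = 2 ** 64 - 1


class SessionRangeError(ValueError):
    """Raised client-side instead of letting the server answer 400 Bad Request."""


def parse_unsigned(value, name):
    """Accept only a non-empty ASCII decimal string within the uint64 range.

    The message mirrors the server error quoted in the thread, so the script
    fails with the same wording but before any request is sent.
    """
    text = str(value).strip()
    if not re.fullmatch(r"[0-9]+", text) or int(text) > MAX_UINT64:
        raise SessionRangeError(
            f"Parameter {name}: Value '{text}' is not a valid unsigned integer")
    return int(text)


def read_lastmeta(contents):
    """Parse a .lastmeta file body (assumed format: a single decimal session ID).

    An empty or malformed file is an error rather than a fallback to session 1,
    which is what turns a resume into a scan of every session on the box.
    """
    return parse_unsigned(contents, "lastmeta")


def build_query_params(query, id1, id2):
    """Build the SDK query parameters, validating the session window first."""
    lo = parse_unsigned(id1, "id1")
    hi = parse_unsigned(id2, "id2")
    if lo > hi:
        raise SessionRangeError(f"id1 ({lo}) is greater than id2 ({hi})")
    return {"msg": "query", "query": query, "id1": str(lo), "id2": str(hi)}


def resume_params(query, lastmeta_contents, newest_session):
    """Window from the session saved in .lastmeta up to the newest session."""
    start = read_lastmeta(lastmeta_contents)
    return build_query_params(query, start, newest_session)


def sdk_url(base, params):
    # Hypothetical endpoint path; the thread only shows the SDK's error page.
    return f"{base}/sdk?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed inputs standing in for the thread's session IDs.
    newest = 25037950437
    print(sdk_url("https://netwitness.example",
                  resume_params("service=53", "25037950000\n", newest)))
    for bad in ("", "abc", "-1"):
        try:
            build_query_params("service=53", 1, bad)
        except SessionRangeError as err:
            print("rejected:", err)
```

The point of parse_unsigned is that it is the same rule the server applies, so every run of the script either sends a well-formed id1/id2 pair or stops with the reason; resume_params is the piece the -l path needs, since an empty .lastmeta would otherwise produce exactly the empty-id2 request shown above.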