AnsweredAssumed Answered

regex on Netwitness 9.8

Question asked by Cris Rhea on Mar 29, 2016
Latest reply on Apr 13, 2016 by Cris Rhea

Like • Show 0 Likes0
Comment • 3

Running Investigator 9.8.5.19. Trying (unsuccessfully) to use a regex expression to look for specific HTTP Cookie patterns.

As a simple test, I've tried this custom drill (after narrowing results to HTTP and specific alerts):

req.uniq regex 'C5=;'

(Single quotes surrounding expression, and literally looking for the 4 character string). This runs successfully, but returns no results. If I look at the sessions, there clearly are sessions with this string in req.uniq.

What's magic about trying to get regex working? Will they work properly on a meta data item that may exist multiple times in session?

My end goal is a more complex regex, but if I can't get a simple match to work, more complicated certainly won't...

Thanks--

No one else has this question

Outcomes

Cris Rhea Apr 7, 2016 10:03 AM

Well, it seems that req.uniq and res.uniq are from the IR pack and since they deal with widely varying data ARE NOT INDEXED. So, to answer my own question:

No, I CANNOT use regex with Investigator to find this pattern, but I CAN use regex in an App Rule to set meta, based on this pattern.

Actions

Rui Ataide

@ Cris Rhea on Apr 13, 2016 6:45 AM

Hi Cris,

You are correct! I would advise however that you try to avoid "regex" in rules as much as possible as there is a considerable performance impact.

We recently completely rewrote the IR content pack to replace all regex rules with equivalent logic as much as possible.

For example, a two characters .exe rule would have been changed from

filename regex '.{1,2}\.exe'

filename length 5-6 && extension='exe'

So depending on your goal this may be a better option. Please feel me to send me a direct message if you want me to look at your specific case.

Thank you,

Rui

Actions

Cris Rhea @ Rui Ataide on Apr 13, 2016 10:30 AM

In my case, I was looking for a specific value (pattern) of a cookie (especially, since none of the NW parsers currently break out individual cookies in web sessions, AFAIK). Similar comments for using the SNORT engine-- there are times when REGEX syntax or SNORT syntax would make searching much more simple. I wish they could be used with less risk of a performance penalty.

Actions

3 Replies

Cris Rhea Apr 7, 2016 10:03 AM
Mark Correct
Correct Answer
Well, it seems that req.uniq and res.uniq are from the IR pack and since they deal with widely varying data ARE NOT INDEXED. So, to answer my own question:

No, I CANNOT use regex with Investigator to find this pattern, but I CAN use regex in an App Rule to set meta, based on this pattern.
Like • Show 0 Likes0
Actions
- Rui Ataide @ Cris Rhea on Apr 13, 2016 6:45 AM
  Mark Correct
  Correct Answer
  Hi Cris,
  
  You are correct! I would advise however that you try to avoid "regex" in rules as much as possible as there is a considerable performance impact.
  
  We recently completely rewrote the IR content pack to replace all regex rules with equivalent logic as much as possible.
  
  For example, a two characters .exe rule would have been changed from
  
  filename regex '.{1,2}\.exe'
  to
  filename length 5-6 && extension='exe'
  
  So depending on your goal this may be a better option. Please feel me to send me a direct message if you want me to look at your specific case.
  
  Thank you,
  
  Rui
  Like • Show 0 Likes0
  Actions
  - Cris Rhea @ Rui Ataide on Apr 13, 2016 10:30 AM
    Mark Correct
    Correct Answer
    In my case, I was looking for a specific value (pattern) of a cookie (especially, since none of the NW parsers currently break out individual cookies in web sessions, AFAIK). Similar comments for using the SNORT engine-- there are times when REGEX syntax or SNORT syntax would make searching much more simple. I wish they could be used with less risk of a performance penalty.
    Like • Show 0 Likes0
    Actions

regex on Netwitness 9.8

Outcomes

Related Content

Recommended Content