RSA Admin

Using Regular Expressions within Investigator

Discussion created by RSA Admin Employee on Oct 30, 2012
Latest reply on Apr 24, 2014 by RSA Admin

Hello,


I recently blogged about my experiences around detecting domains in the alias.host field created by domain generating algorithms within Investigator by using some regex. I'm not sure if the community allows link-outs, but I have screenshots and such there that would be a bit cumbersome to recreate here. Also, I wanted to get the word out about the home version of Investigator for people toying with infosec at home, to the 3 or so people that stumble upon my blog a month.


I'm interested in any more information around the syntax for regex within Investigator. I view it as being as powerful as the regex abilities of an IDS signature, which I guess Informer alerts would qualify as.


https://scottfromsecurity.com/blog/2012/10/28/rsa-netwitness-investigator-regular-expressions


If there is an issue around posting links, just let me know.  I didn't really see a "community rules" sticky.
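As an added example, not from the original post or the linked blog, the following Python script shows the kind of regex-driven DGA heuristic the post refers to, run over a handful of constructed alias.host values. It does not reproduce Investigator's own regex syntax (which the post asks about); the patterns, the entropy threshold and the sample hostnames are all assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample alias.host values (not taken from the post or the blog).
SAMPLE_HOSTS = [
    "www.example.com",
    "mail.google.com",
    "xkqzvbwtrplmn.net",
    "a1b2c3d4e5f6g7h8.info",
    "cdn.jsdelivr.net",
    "qwrtpsdfghjklz.biz",
    "login.microsoftonline.com",
]

# Assumed heuristic patterns, illustrative only (not the blog author's regex):
# - five or more consonants in a row is rare in real words but common in
#   character-generated labels;
# - repeated letter/digit alternation (a1b2c3...) is typical of some DGAs.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}", re.IGNORECASE)
DIGIT_MIX = re.compile(r"(?:[a-z]\d){3,}", re.IGNORECASE)

# Assumed threshold; legitimate long names such as "microsoftonline" score
# about 3.32 bits, so anything lower would produce false positives.
ENTROPY_THRESHOLD = 3.5
MIN_ENTROPY_LENGTH = 12


def registrable_label(host: str) -> str:
    """Return the label left of the TLD (assumption: single-label TLDs only,
    so multi-part suffixes like co.uk are not handled)."""
    parts = host.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0]
    return parts[-2]


def shannon_entropy(s: str) -> float:
    """Bits of Shannon entropy per character of the string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def is_dga_like(host: str) -> list:
    """Return the list of heuristics that fired for this host (empty if none)."""
    label = registrable_label(host)
    reasons = []
    if CONSONANT_RUN.search(label):
        reasons.append("consonant-run")
    if DIGIT_MIX.search(label):
        reasons.append("digit-mix")
    # Entropy alone flags short labels easily, so require a minimum length.
    if len(label) >= MIN_ENTROPY_LENGTH and shannon_entropy(label) >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy")
    return reasons


def flag_hosts(hosts) -> dict:
    """Map each flagged host to the heuristics that fired."""
    flagged = {}
    for host in hosts:
        reasons = is_dga_like(host)
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in flag_hosts(SAMPLE_HOSTS).items():
        print(f"{host:30} {', '.join(reasons)}")
```

Each heuristic fires on its own, so the output is best read as a triage list rather than a verdict: a consonant run or digit alternation is a cheap regex that an Investigator-style search could express directly, while the entropy score is something regex cannot compute and has to be tuned against known-good traffic before it is useful.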
