
Looking for searching criteria on SA based on Filename

Question asked by RSA Admin Employee on May 22, 2014
Latest reply on Jun 9, 2014 by Anil143

Dear Friends,

I want to search for an infection based on the file name; the filename information is provided below.

Find the below info, which shows a successful exploit callback. I am not sure how to make a search on SA with the file name, since the file name is alphanumeric and it gets changed randomly. I believe there could be lots of infections with the same pattern. We use only a packet decoder, so regex won't work.

Please note that I want to search with only the filename, since the directory field is always empty.

orig_ip : 10.32.7.154
ip.addr : 10.32.7.154
action : post
alias.ip : 188.165.235.115
directory : /
alias.ip : 188.165.235.115
alert.id : nw32550
threat.category : spectrum
threat.source : netwitness
orig_ip : 10.32.7.154

Thank you,

Awaiting your valuable response.