Parsers

Packet Parsers Packet Parsers

This topic discusses and describes the packet (Lua) parsers available in RSA NetWitness Platform. If you need a parser that does not already exist, you can Request a Parser.

Note: More information on each of these parsers is available in Live. Navigate to Live search, and select RSA Lua Parser in the Resource Types field. From the results, select any parser and click to display all the information for the parser.

ContextContext

Packet parsers identify the application layer protocol of sessions seen by the Decoder, and extract meta data from the packet payloads of the session.

Every packet parser is able to extract meta from every session. For example, a webmail session will be parsed by both an HTTP parser which identifies the session as HTTP and extracts meta from HTTP headers, and by a MAIL parser which extracts email-related meta from message headers. Further, if the session were to contain an executable file, its presence would be detected by a windows executable parser.

Packet parsers in RSA NetWitness may be broadly classified as:

System or Native parsers: These are compiled into the Decoder base code. Updates are delivered along with updates to RSA NetWitness. Many system parsers have Lua equivalents. In these cases, generally, the native parser may perform faster, while the Lua parser may extract more meta.
Lua parsers: these are written in the Lua programming language, and delivered via Live. Customers can write their own custom Lua parsers.
Flex parsers: these were written in a proprietary scripting language, Flex, and delivered via Live. These are now discontinued, and no longer delivered in Live. Every existing Flex parser has a better Lua equivalent, and all customers using NetWitness should not be using Flex parsers.

Packet Parsers in NetWitnessPacket Parsers in NetWitness

The following table describes the Lua parsers delivered with RSA NetWitness Platform.

Parser Name:
apt_artifacts
Description:
Detects possible apt WMI and windows registry manipulation.

Parser Name:
Avamar
Description:
Identifies Avamar Backup and Recovery, TCP port 28001.

Parser Name:
BGP_lua
Description:
Identifies BGP Routing Protocol.

Parser Name:
bittorrent_lua
Description:
Identifies the bittorrent protocol and registers the name of the file being downloaded.

Parser Name:
Canon_BJNP
Description:
Identifies Canon printer discover protocol BJNP.

Parser Name:
cerber
Description:
Detects potential Cerber ransomware beaconing.

Parser Name:
china_chopper
Description:
Detects cleartext China Chopper sessions.

Parser Name:
creditcard_detection_lua
Description:
Attempts to detect possible credit card numbers and validate with Luhn's Algorithm.

Parser Name:
CustomTCP
Description:
Detects CustomTCP beaconing activity. Registers C2 domain and victim hostname as alias.host meta.

Parser Name:
db2_lua
Description:
Extracts queries from DB2 database protocol sessions.

Parser Name:
DCERPC
Description:
Extracts action and Kerberos authentication from Microsoft's DCERPC protocol.

Parser Name:
Derusbi_Server_Handshake
Description:
Detects Derusbi server handshake.

Parser Name:
DHCP_lua
Description:
Identifies DHCP (BOOTP) and DHCPv6, extracts hosts and addresses.

Parser Name:
DNP3_lua
Description:
DNP3 Distributed Network Protocol (SCADA).

Parser Name:
DNS_verbose_lua
Description:
Identifies DNS sessions. Registers query and response records including record type. Registers protocol error messages.

Parser Name:
dr_watson_lua
Description:
Detects Dr Watson crash report and registers name of crashed process.

Parser Name:
duqu_lua
Description:
Detects binaries that may be related to the duqu threat.

Parser Name:
DynDNS
Description:
Detects dynamic DNS hosts and servers.

Parser Name:
ein_detection_lua
Description:
Attempts to detect Employer Identification Numbers.

Parser Name:
ethernet_oui
Description:
Determines the manufacturer of eth.

Parser Name:
Evilgrab
Description:
Detects possible Evilgrab APT malware activity.

Parser Name:
exif
Description:
Extract longitude and latitude coordinates from exif data embedded in JPEG files.

Parser Name:
fingerprint_7zip
Description:
Detects 7zip archive files.

Parser Name:
fingerprint_access_db_lua
Description:
Identifies Microsoft Access database files.

Parser Name:
fingerprint_apple_dmg_lua
Description:
Detects Mac OS X Disk Copy Disk Image files.

Parser Name:
fingerprint_apple_ios_lua
Description:
Detects Apple IOS App files.

Parser Name:
fingerprint_apple_iwork_lua
Description:
Detects Apple iWork files (Pages, Numbers and Keynote).

Parser Name:
fingerprint_appleExec_lua
Description:
Detects MAC OSX executable binary files.

Parser Name:
fingerprint_bmp
Description:
Detects BMP format image files.

Parser Name:
fingerprint_cab
Description:
Identifies cabinet files (cab).

Parser Name:
fingerprint_cad_lua
Description:
Detects Autodesk Autocad DWG, DXF, and DWF files.

Parser Name:
fingerprint_chm_lua
Description:
Identifies Microsoft Compiled Help files, and detects potentially suspicious elements within.

Parser Name:
fingerprint_flash
Description:
Detects Adobe Flash (swf) files.

Parser Name:
fingerprint_font
Description:
Identifies font files: embedded opentype (eot), web open format (woff), opentype (otf), and truetype (ttf).

Parser Name:
fingerprint_gif_lua
Description:
Identifies GIF files.

Parser Name:
fingerprint_gzip
Description:
Detects files which have been compressed using the gzip family of compression programs (gzip, bzip, etc).

Parser Name:
fingerprint_java
Description:
Detects Java JAR and CLASS files.

Parser Name:
fingerprint_javascript_lua
Description:
Detect javascript, and suspicious javascript actions and anomalies.

Parser Name:
fingerprint_job
Description:
Identifies windows job task scheduling files.

Parser Name:
fingerprint_jpg_lua
Description:
Detects JPEG image files.

Parser Name:
fingerprint_lnk_lua
Description:
Identifies lnk files and detects possible exploit characteristics.

Parser Name:
fingerprint_msi_lua
Description:
Identifies Microsoft OLE / Compound Document Format Windows Installer files.

Parser Name:
fingerprint_mssql_lua
Description:
Detects Microsoft SQL Server database files.

Parser Name:
fingerprint_office_lua
Description:
Identifies Microsoft Office 95-2007 Word, Excel, and Powerpoint documents.

Parser Name:
fingerprint_pdf_lua
Description:
Identifies PDF files and detects risky characteristics.

Parser Name:
fingerprint_pff
Description:
Detects Microsoft Outlook Personal File Folder objects such as pab, pst, and ost.

Parser Name:
fingerprint_pkcs12_lua
Description:
Detects PKCS #12 format private key files.

Parser Name:
fingerprint_png_lua
Description:
Detects PNG image files.

Parser Name:
Fingerprint_Private_Key
Description:
Detects SSH and PGP private key files.

Parser Name:
fingerprint_rar_lua
Description:
Detects RAR archive files.

Parser Name:
fingerprint_rtf_lua
Description:
Detects RTF files.

Parser Name:
fingerprint_unix_script_lua
Description:
Identifies shell, perl, ruby, and python scripts.

Parser Name:
fingerprint_webm
Description:
Detects webm and matroska video files.

Parser Name:
fingerprint_zip
Description:
Detects PK format zip files, and extracts the names of files contained in the archive.

Parser Name:
FIX_lua
Description:
Identifies the Financial Information Exchange Protocol. Form_Data_lua Extracts submitted values from HTTP POST actions.

Parser Name:
Form_Data_lua
Description:
Extracts submitted values from HTTP POST actions.

Parser Name:
FTP_lua
Description:
File Transfer Protocol (FTP) RFC 959.

Parser Name:
ghost
Description:
Detects likely Ghost Rat beacon sessions.

Parser Name:
glass_rat
Description:
Detects the network communication used by the GlassRAT Trojan identified by RSA Research.

Parser Name:
gnutella_lua
Description:
Identifies the Gnutella file sharing protocol.

Parser Name:
HTML_threat
Description:
Detects common HTML threat techniques such as hidden frames and embedded objects.

Parser Name:
htran_lua
Description:
Identifies the error message generated by the htran redirection tool.

Parser Name:
HTTP_lua
Description:
Extracts values from HTTP protocol request and response headers.

Parser Name:
HTTP_lua_options
Description:
Use this file to influence the behavior of the HTTP_lua parser. For details, see HTTP Lua Parser Options File.

Parser Name:
HTTP_SQL_Injection
Description:
Detect possible injection of SQL commands in HTTP requests.

Parser Name:
ICMP
Description:
Provides types and codes from ICMP packets.

Parser Name:
IDN_homograph
Description:
Detects punycode-encoded internationalized domain names which use non-Latin Unicode code points whose glyphs resemble those of Latin Unicode code points. Registers the decoded homograph as analysis.service meta.

Reference the RSA Link blog post from RSA Research for more details about this threat: Dissecting PunyCode - Not All Characters are Created Equal.

Parser Name:
IMAP_lua
Description:
Identifies IMAP, registers commands, errors, usernames, and passwords.

Parser Name:
IRC_verbose_lua
Description:
Expanded IRC parsing.

Parser Name:
ISAKMP
Description:
Identifies ISAKMP Internet Security Association and Key Management Protocol).

Parser Name:
iSCSI
Description:
Identifies SCSI-over-IP.

Parser Name:
JSON-RPC
Description:
Identifies JSON-RPC 2.0 streams. Will not identify JSON-RPC 1.0 streams, and may not identify JSON-RPC over transports such as HTTP.

Parser Name:
Kerberos
Description:
Extracts meta from the Kerberos network protocol.

Parser Name:
LDAP
Description:
Lightweight Directory Access Protocol, and extensions.

Parser Name:
LDAP_options
Description:
Lightweight Directory Access Protocol, and extensions. Use this file to influence the behavior of the LDAP parser. For details, see LDAP Parser Options File.

Parser Name:
Lync
Description:
Identifies Microsoft Lync (formerly Microsoft Office Communicator, Windows Messenger).

Parser Name:
MAIL_lua
Description:
Extracts values from email messages, such as email addresses, subject, and client.

Parser Name:
Mail_lua_options
Description:
Use this file to influence the behavior of the Mail_lua parser. For details, see Mail Lua Parser Options File.

Parser Name:
Mitozhan
Description:
Detects Mitozhan malware command and control.

Parser Name:
modbus
Description:
Identifies MODBUS TCP/IP, extracts commands, errors, and device identifications.

Parser Name:
MSU_rat
Description:
Detects MSU RAT activity.

Parser Name:
NetBIOS_lua
Description:
NetBIOS over TCP/IP: NBNS, NBDS, NBSS.

Parser Name:
NFS_lua
Description:
Identifies and parses RPC-related protocols NFS, MOUNT, and PORTMAP.

Parser Name:
NTLMSSP_lua
Description:
Extracts Active Directory user information from NTLM HTTP headers from proxy authorization.

Parser Name:
ntp_lua
Description:
Identifies Network Time Protocol.

Parser Name:
OCSP_lua
Description:
Extracts certificate information and status from OCSP messages.

Parser Name:
Packers
Description:
Detects specific packer used to pack executables.

Parser Name:
phishing_lua
Description:
Registers the host portion from each URL found within an email.

Parser Name:
plugx
Description:
Detect PlugX malware.

Parser Name:
Poison_Ivy
Description:
Detects Poison Ivy RAT activity.

Parser Name:
POP3_lua
Description:
Post Office Protocol version 3.

Parser Name:
Proxy_Block_Page
Description:
Parses proxy denied exception pages.

Parser Name: