How to parse URLs within an email body in NetWitness
Issue
This document describes the steps to parse all URLs within email content.
Resolution
1. Deploy the phishing_lua_options.lua parser from LIVE or Centralized Content Management to the Packet Decoder. The parser will then be available in the following directory on the Decoder: /etc/netwitness/ng/parsers
2. Enable the "registerUrl" option in phishing_lua_options.lua by editing the parser as shown below.
# vi phishing_lua_options.lua
FROM:
function registerUrl()
    --[[
        "Register Entire URL" : default false
        ~~~~~~
    --]]
    return false
end
TO:
function registerUrl()
    --[[
        "Register Entire URL" : default false
        ~~~~~~
    --]]
    return true
end
3. Save the file and restart the Decoder service using the command below.
service nwdecoder restart
4. Add the following line to /etc/netwitness/ng/index-concentrator-custom.xml on the Concentrator:
<key description="URL" level="IndexValues" name="url" format="Text" valueMax="100000" defaultAction="Open" />
5. Restart the Concentrator service using the command below.
service nwconcentrator restart
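Steps 2 and 4 can be scripted so the change is repeatable and leaves a backup. The following is an added example, not RSA's or the parser's own code: it assumes each Lua function header sits on one line and that the root element of the custom index file is <language>, and it runs against constructed sample files in which otherOption() is a hypothetical second option, included to show that only registerUrl() is changed.

```sh
#!/bin/sh
# Added example. Sample contents are constructed; otherOption() is hypothetical.
URL_KEY='<key description="URL" level="IndexValues" name="url" format="Text" valueMax="100000" defaultAction="Open" />'

# Write constructed stand-ins for the two files into directory $1.
make_samples() {
    printf '%s\n' 'function otherOption()' '    return false' 'end' \
        'function registerUrl()' '    --[[ "Register Entire URL" : default false --]]' \
        '    return false' 'end' > "$1/phishing_lua_options.lua"
    printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' \
        '<language level="IndexNone" defaultAction="Auto">' \
        '</language>' > "$1/index-concentrator-custom.xml"
}

# Set registerUrl() to return true in file $1; other functions stay untouched.
enable_register_url() {
    cp -p "$1" "$1.bak" || return 1
    awk '
        /^[ \t]*function[ \t]+registerUrl[ \t]*\(/ { in_fn = 1 }
        in_fn && /^[ \t]*return[ \t]+false[ \t]*$/ { sub(/false/, "true") }
        in_fn && /^[ \t]*end[ \t]*$/ { in_fn = 0 }
        { print }
    ' "$1.bak" > "$1"
}

# Exit 0 only if registerUrl() in file $1 returns true.
register_url_enabled() {
    awk '
        /^[ \t]*function[ \t]+registerUrl[ \t]*\(/ { in_fn = 1 }
        in_fn && /^[ \t]*return[ \t]+true[ \t]*$/ { ok = 1 }
        in_fn && /^[ \t]*end[ \t]*$/ { in_fn = 0 }
        END { exit !ok }
    ' "$1"
}

# Add the url key inside <language> in file $1 unless one is already present.
add_url_index_key() {
    grep -q 'name="url"' "$1" && return 0
    cp -p "$1" "$1.bak" || return 1
    awk -v key="$URL_KEY" '/<\/language>/ { print "  " key } { print }' "$1.bak" > "$1"
    grep -q 'name="url"' "$1"   # non-zero if no </language> line was found
}

# Demo on the constructed samples.
d=$(mktemp -d) && make_samples "$d"
enable_register_url "$d/phishing_lua_options.lua"
add_url_index_key "$d/index-concentrator-custom.xml"
register_url_enabled "$d/phishing_lua_options.lua" && echo "registerUrl enabled"
rm -rf "$d"
```

On an appliance, call the functions with the real paths from steps 1 and 4, then restart the services as in steps 3 and 5.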
Product Details
RSA Product Set: NetWitness
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 12.x