RSA Netwitness Investigator Regular Expressions

In the blog post below (here) I talked about my theory to detect DGAs by looking for consecutive consonants in a row within a URL.  However my SNORT rule does not work like I wanted it to.  I thought the rule would look for the HOST: portion of the HTTP header and start the regex match after colon and whitespace. When what it seems to do is trying to match the whole line as one entity including the word HOST, this causes the match to fail if there are ANY vowels in the line vs. only caring if there are x number of consonants in a row before or after a vowel.  So I figured I’d leverage another tool, RSA’s Netwitness network forensics product would work. You can download a home version of the tool here.

Netwitness investigator allows users to use RegEx to filter the packet capture data including of course web surfing.  As I understand it they use the BOOST RegEx engine as opposed to the PCRE engine I’m more familiar with. Either way, there doesn’t seem to be a lot of documentation included with the product around the needed syntax. So I recommend you try just throwing in your regex and see what happens as Investigator will do some sanity checking. Taking my own advice I entered my SNORT regex as a custom drill in the field (a helpful message from an experienced Netwitness user made me realize I shouldn’t assume readers knew I was using a custom drill for this filter).  As you will quickly learn you need to backslash escape most non alpha-numeric characters until it works.  The pic below shows the error checking where I intentionally left off the backslash escape character in front of the comma in the repetition operator {9,}


Continue reading