We will be deploying NetWitness soon and we have been looking for how to leverage it for the packet capture portion of our new centralized Sguil deployment instead of sancp or daemonlogger. We have come up with a way, albeit a bit hackish, of modifying the Sguil client to allow you to view the pcap/session data from within NetWitness Investigator.
First, we modified client/sguil.tk and added the following line underneath the section of code marked by the comment # Xscript Menu:
$eventIDMenut add command -label "NetWitness" -command "NetWitness"
This will provide us with a NetWitness menu option where you normally see your Wireshark and Get Transcript options within the Sguil client:

Now that we have that, we need code that will do something when this option is selected. For that we need to add the following to the end of the client/lib/extdata.tcl file:
proc NetWitness { } {
    global ACTIVE_EVENT SERVERHOST XSCRIPT_SERVER_PORT DEBUG CUR_SEL_PANE XSCRIPTDATARCVD
    global socketWinName SESSION_STATE WIRESHARK_STORE_DIR WIRESHARK_PATH

    # Nothing selected in the current pane: do nothing.
    if {!$ACTIVE_EVENT} {return}

    # Pull the fields of the selected row out of the active pane. alertID is
    # "sensorID.cnxID", so split it on the dot.
    set selectedIndex [$CUR_SEL_PANE(name) curselection]
    set sidcidList [split [$CUR_SEL_PANE(name) getcells $selectedIndex,alertID] .]
    set cnxID [lindex $sidcidList 1]
    set sensorID [lindex $sidcidList 0]
    set proto [$CUR_SEL_PANE(name) getcells $selectedIndex,ipproto]
    set srcIP [$CUR_SEL_PANE(name) getcells $selectedIndex,srcip]
    set srcPort [$CUR_SEL_PANE(name) getcells $selectedIndex,srcport]
    set dstIP [$CUR_SEL_PANE(name) getcells $selectedIndex,dstip]
    set dstPort [$CUR_SEL_PANE(name) getcells $selectedIndex,dstport]
    # Session (SSN) rows carry a start time; event rows carry a date.
    if { $CUR_SEL_PANE(format) == "SSN" } {
        set timestamp [$CUR_SEL_PANE(name) getcells $selectedIndex,starttime]
    } else {
        set timestamp [$CUR_SEL_PANE(name) getcells $selectedIndex,date]
    }

    # Hand the nw:// URL to the VBScript launcher. Only source IP, destination IP
    # and destination port are used so far: $proto, $srcPort and $timestamp are
    # collected but not yet part of the query, and the where clause assumes TCP
    # (tcp.dstport). The URL is already percent-encoded ("%3D" is "=", "%26%26" is "&&").
    exec wscript c:/users/user/test.vbs "nw://test?collection=test&time=All+Data&more-states=&more-all-states=&name=$srcIP+%3E+$dstIP+%3A+$dstPort&where=ip.src%3D$srcIP+%26%26+ip.dst%3D$dstIP+%26%26+tcp.dstport%3D$dstPort&view=session"
}
In the second-to-last line of that procedure we execute a VBScript called test.vbs in c:\users\user\. Its contents are as follows (and yes, all those quotes are necessary: in VBScript you escape a double quote by writing it twice):
' Launcher: wraps the URL passed as the first argument in quotes and hands it
' to explorer.exe, which dispatches nw:// URLs to NetWitness Investigator.
Set objShell = WScript.CreateObject("WScript.Shell")
Set ArgObj = WScript.Arguments
' Quote both the executable path and the URL; """" is a single literal quote.
Cmd = """" & "c:\windows\system32\explorer.exe" & """" & " " & """" & ArgObj.Item(0) & """"
objShell.Run Cmd
When this runs, the NetWitness URL (nw://<url>) carrying the source IP, destination IP and destination port is passed to the Windows shell (explorer.exe), which opens it in Investigator. We will be going back and adding time into the mix as well once our actual NetWitness deployment is up and running. We are currently just testing and demonstrating a proof of concept using the free version of NetWitness Investigator 9:
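The hand-written URL in the NetWitness proc works for the TCP case, but every field it splices in comes straight out of the alert or session row and ends up inside a command line built by the VBScript. The following Tcl is an added example (not code from the original post or from the Sguil project) that builds the same nw:// URL with a proper percent-encoder, picks tcp.dstport or udp.dstport from Sguil's numeric ipproto column, and refuses to launch anything else. The nw://test host, collection name and query parameters are taken from the URL above; the NW_LAUNCHER global (meant to be set in sguil.conf like WIRESHARK_PATH) is an assumption of this example.

```tcl
# Added example, not part of the original post or of Sguil.
package require Tcl 8.5

# Percent-encode a string the way the hand-written URL above does:
# unreserved ASCII untouched, space -> "+", everything else -> %XX.
proc NwUrlEncode {s} {
    set out ""
    foreach ch [split [encoding convertto utf-8 $s] ""] {
        binary scan $ch c code
        set code [expr {$code & 0xFF}]
        if {$code < 128 && ([string is alnum -strict $ch] || [string first $ch "-_.~"] >= 0)} {
            append out $ch
        } elseif {$ch eq " "} {
            append out "+"
        } else {
            append out [format "%%%02X" $code]
        }
    }
    return $out
}

# Build the Investigator URL. $proto is Sguil's ipproto value (6 = TCP,
# 17 = UDP; the protocol names are accepted as well). Returns "" for any
# other protocol so the caller can refuse to launch instead of querying
# tcp.dstport for, say, ICMP.
proc NwBuildUrl {collection proto srcIP dstIP dstPort} {
    switch -- $proto {
        6 - TCP  { set portField tcp.dstport }
        17 - UDP { set portField udp.dstport }
        default  { return "" }
    }
    set where "ip.src=$srcIP && ip.dst=$dstIP && $portField=$dstPort"
    set name  "$srcIP > $dstIP : $dstPort"
    return [format "nw://test?collection=%s&time=All+Data&more-states=&more-all-states=&name=%s&where=%s&view=session" \
        [NwUrlEncode $collection] [NwUrlEncode $name] [NwUrlEncode $where]]
}

# Replacement for the exec line in the NetWitness proc. The launcher path
# comes from a global instead of being hard-coded, and wscript is started in
# the background so the Sguil GUI does not wait on it.
proc NwLaunch {url} {
    global NW_LAUNCHER   ;# assumed: set in sguil.conf, e.g. c:/users/user/test.vbs
    if {$url eq ""} {
        tk_messageBox -icon warning -message "Only TCP and UDP sessions can be opened in NetWitness."
        return
    }
    exec wscript $NW_LAUNCHER $url &
}

# Inside the NetWitness proc, after the fields have been read from the pane:
#   NwLaunch [NwBuildUrl test $proto $srcIP $dstIP $dstPort]
```

For srcIP 10.0.0.1, dstIP 192.168.1.5, proto 6 and dstPort 80 this produces exactly the string the original exec line builds by hand, including the %3E, %3A, %3D and %26%26 escapes. The point of encoding rather than splicing is that the VBScript wraps its argument in double quotes and runs the result as a command line: with every non-alphanumeric character escaped, nothing that reaches it can contain a quote or a space, whatever the pane row held.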

Now, this definitely does not seem like the most direct or correct way to do this. However, we discovered some odd behavior that led us down this path. If you attempt to pass the URL directly to the NwInvestigator.exe binary, it will crash it. If you attempt to pass the URL directly to explorer.exe from within the Tcl script, it only opens up Explorer but does not open up NetWitness Investigator. I believe it has something to do with the quoted arguments and how they are passed, but I could not fix it as I know little of Tcl and even less about how it works on Windows.
