Analysis plugin: nsrlsvr

Joachim Metz edited this page Dec 2, 2017 · 6 revisions
Clone this wiki locally

Notes on how to use the nsrlsvr analysis plugin.

Setting up nsrlsvr

The source of nsrlsvr can be found here

Follow the installation instructions.

Running nsrlsvr

To run nsrlsvr:

nsrlsvr -f /fullpath/NSRLFile.txt

To test if nsrlsvr is working you'll need nsrllookup

To run nsrllookup against your instance of nsrlsvr:

echo $MD5 | nsrllookup -s localhost -p 9120 -k 

Which will return $MD5 if present in NSRLFile.txt and nothing when $MD5 does not present.

Running plaso

First run log2timeline to calculate the hashes:

log2timeline.py --hashers md5 timeline.plaso image.raw

Make sure to enable hashers supported by nsrlsvr, which is md5 in this example.

Next run psort to tag events:

psort.py --analysis nsrlsvr --nsrlsvr-hash md5 --nsrlsvr-host localhost --nsrlsvr-port 9120 -o null timeline.plaso