Analysis plugin: nsrlsvr

Notes on how to use the nsrlsvr analysis plugin.

Setting up nsrlsvr

The source of nsrlsvr can be found here

Follow the installation instructions.

Running nsrlsvr

To run nsrlsvr:

nsrlsvr -f /fullpath/NSRLFile.txt

To test whether nsrlsvr is working you'll need nsrllookup, the command line client that ships with nsrlsvr.

To run nsrllookup against your instance of nsrlsvr:

echo $MD5 | nsrllookup -s localhost -p 9120 -k

With -k, nsrllookup prints the hashes that are known to the server, so this prints $MD5 if it is present in NSRLFile.txt and nothing if it is not. If the command hangs or errors out, check that nsrlsvr is listening on the host and port you passed (9120 is its default port) before going on to plaso.
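If nsrllookup is not installed, or you want to check the server from the same host and Python environment that will run psort, the following small client does the same check. It is an added example and is not part of plaso or nsrlsvr. The wire protocol it speaks is an assumption taken from the nsrlsvr project documentation: the client sends `Version: 2.0` and expects `OK`, then sends `query <hash> [<hash> ...]` and receives `OK ` followed by one `1`/`0` digit per hash, and `bye` ends the session. A constructed stand-in server with a handful of made-up hashes is included so the script runs offline; point `nsrl_lookup()` at your real nsrlsvr (localhost, port 9120) to test that instead.

```python
"""Sanity-check an nsrlsvr instance with a small Python client (added example).

Not plaso or nsrlsvr code. Protocol details are an assumption taken from the
nsrlsvr documentation, see the comments in nsrl_lookup().
"""
import re
import socket
import socketserver
import threading

# Constructed stand-in for the contents of NSRLFile.txt (not real NSRL data).
KNOWN_MD5S = {
    "d41d8cd98f00b204e9800998ecf8427e",  # MD5 of an empty file
    "0123456789abcdef0123456789abcdef",
}

# md5 (32 hex chars) or sha1 (40 hex chars)
_HEX_DIGEST = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}")


class _FakeNsrlsvrHandler(socketserver.StreamRequestHandler):
    """Line-oriented stand-in for nsrlsvr (assumed protocol, see module docstring)."""

    def handle(self):
        for raw in self.rfile:
            parts = raw.decode("ascii", "replace").split()
            if not parts:
                continue
            command = parts[0].lower()
            if command == "version:":
                self.wfile.write(b"OK\n")
            elif command == "query":
                bits = "".join(
                    "1" if digest.lower() in self.server.known else "0"
                    for digest in parts[1:])
                self.wfile.write(f"OK {bits}\n".encode("ascii"))
            elif command == "bye":
                return
            else:
                self.wfile.write(b"NOT OK\n")  # stand-in error reply, not nsrlsvr's


class FakeNsrlsvr(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, known):
        # Port 0 lets the OS pick a free port; read it back from server_address.
        super().__init__(("127.0.0.1", 0), _FakeNsrlsvrHandler)
        self.known = {digest.lower() for digest in known}


def start_fake_nsrlsvr(known=KNOWN_MD5S):
    """Start the stand-in server in a background thread; returns (server, port)."""
    server = FakeNsrlsvr(known)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def nsrl_lookup(hashes, host="localhost", port=9120, timeout=3.0):
    """Return {hash: True if the server knows it, else False} for hex digests."""
    hashes = list(hashes)
    if not hashes:
        return {}
    # Validate before sending: the protocol is newline and space delimited, so
    # an unvalidated "hash" containing either would inject extra commands or
    # shift the reply bits against the wrong hashes.
    for digest in hashes:
        if not _HEX_DIGEST.fullmatch(digest):
            raise ValueError(f"not an md5/sha1 hex digest: {digest!r}")

    with socket.create_connection((host, port), timeout=timeout) as sock, \
            sock.makefile("rwb") as stream:

        def exchange(line):
            stream.write(line.encode("ascii") + b"\n")
            stream.flush()
            return stream.readline().decode("ascii", "replace").strip()

        # Assumed handshake: "Version: 2.0" answered with "OK".
        if exchange("Version: 2.0") != "OK":
            raise RuntimeError("nsrlsvr handshake failed")
        # Assumed query form: "query h1 h2 ..." answered with "OK 10..." (one bit per hash).
        reply = exchange("query " + " ".join(hashes))
        bits = reply[3:] if reply.startswith("OK ") else None
        if bits is None or len(bits) != len(hashes) or set(bits) - {"0", "1"}:
            raise RuntimeError(f"unexpected nsrlsvr reply: {reply!r}")
        stream.write(b"bye\n")
        stream.flush()
    return {digest: bit == "1" for digest, bit in zip(hashes, bits)}


if __name__ == "__main__":
    server, port = start_fake_nsrlsvr()
    try:
        print(nsrl_lookup(["d41d8cd98f00b204e9800998ecf8427e",
                           "ffffffffffffffffffffffffffffffff"], "127.0.0.1", port))
    finally:
        server.shutdown()
        server.server_close()
```

Against a real instance, call nsrl_lookup(["<md5>"]) with the default host and port; a False for a hash you know is in NSRLFile.txt (the empty-file MD5 is a convenient probe) means the server is answering but did not load the file you expected.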

Running plaso

First run log2timeline to calculate the hashes:

log2timeline.py --hashers md5 timeline.plaso image.raw

Make sure to enable a hasher that nsrlsvr can answer for; md5 is used in this example. The hash you later pass to --nsrlsvr-hash must be one that log2timeline actually calculated, otherwise there is nothing to look up.

Next run psort to tag events:

psort.py --analysis nsrlsvr --nsrlsvr-hash md5 --nsrlsvr-host localhost --nsrlsvr-port 9120 -o null timeline.plaso

The -o null output module means that no events are written out by this run; the results of the analysis (the tags on events whose hash is present in nsrlsvr) are stored in timeline.plaso, and a subsequent psort run can filter on them.