Nsrlsvr Analysis Plugin
Notes on how to use the nsrlsvr analysis plugin.
Setting up nsrlsvr
The source of nsrlsvr can be found here
Follow the installation instructions.
Running nsrlsvr
To run nsrlsvr:
nsrlsvr -f /fullpath/NSRLFile.txt
To test whether nsrlsvr is working you’ll need nsrllookup, the companion command-line client.
To run nsrllookup against your instance of nsrlsvr (9120 is the port nsrlsvr listens on in this setup):
echo $MD5 | nsrllookup -s localhost -p 9120 -k
With -k nsrllookup prints the hashes the server knows, so this prints $MD5 when it is present in NSRLFile.txt and nothing when it is not.
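If nsrllookup is not installed, the same check can be done from Python. The client below is an added example, not code from the nsrlsvr or plaso projects, and it encodes the nsrlsvr line protocol as understood from nsrllookup and plaso's analysis plugin (assumption: the client sends "Version: 2.0" and expects "OK", then sends "QUERY <hash> ..." and gets back "OK" followed by one 0/1 flag per hash). The FakeNsrlsvr class is a stand-in written for this example so the client can be exercised offline; the SAMPLE_KNOWN_MD5 digests are constructed values, not NSRL entries.

```python
import socket
import threading

# Constructed sample of "known" MD5 digests for the stand-in server below.
# They are MD5s of trivial inputs, not entries taken from NSRLFile.txt.
SAMPLE_KNOWN_MD5 = {
    "d41d8cd98f00b204e9800998ecf8427e",  # MD5("")
    "0cc175b9c0f1b6a831c399e269772661",  # MD5("a")
}


def _read_line(sock):
    """Read one newline-terminated reply and return it without the EOL."""
    data = b""
    while not data.endswith(b"\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data.strip()


def query_nsrlsvr(host, port, digests, batch_size=100, timeout=3.0):
    """Return {digest: True/False} telling whether nsrlsvr knows each digest.

    Protocol as assumed for this example: "Version: 2.0" -> "OK", then
    "QUERY <h1> <h2> ..." -> "OK <0|1> <0|1> ...", one flag per hash.
    """
    digests = [d.strip().lower() for d in digests]
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"Version: 2.0\n")
        if _read_line(sock) != b"OK":
            raise RuntimeError("nsrlsvr rejected the version handshake")
        for start in range(0, len(digests), batch_size):
            batch = digests[start:start + batch_size]
            sock.sendall(("QUERY " + " ".join(batch) + "\n").encode("ascii"))
            reply = _read_line(sock).split()
            # A well-formed reply carries exactly one flag per queried hash.
            if not reply or reply[0] != b"OK" or len(reply) - 1 != len(batch):
                raise RuntimeError("unexpected nsrlsvr reply: %r" % (reply,))
            for digest, flag in zip(batch, reply[1:]):
                results[digest] = flag == b"1"
    return results


def known_digests(host, port, digests):
    """Equivalent of `nsrllookup -k`: the sorted subset of digests the server knows."""
    hits = query_nsrlsvr(host, port, digests)
    return sorted(d for d, present in hits.items() if present)


class FakeNsrlsvr(threading.Thread):
    """Minimal in-process stand-in for nsrlsvr (one connection, protocol subset
    used above). Written for this example only; it is not nsrlsvr."""

    def __init__(self, known, host="127.0.0.1"):
        super().__init__(daemon=True)
        self.known = {k.lower() for k in known}
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind((host, 0))  # port 0: let the OS pick a free port
        self.listener.listen(1)
        self.host, self.port = self.listener.getsockname()

    def run(self):
        conn, _ = self.listener.accept()
        with conn, conn.makefile("rb") as reader:
            for line in reader:  # ends when the client closes its socket
                words = line.decode("ascii", "replace").split()
                if words[:1] == ["Version:"]:
                    conn.sendall(b"OK\n")
                elif words[:1] == ["QUERY"]:
                    flags = ["1" if h.lower() in self.known else "0" for h in words[1:]]
                    conn.sendall(("OK " + " ".join(flags) + "\n").encode("ascii"))
                else:
                    conn.sendall(b"NOT OK\n")
        self.listener.close()


def offline_roundtrip(digests, known=SAMPLE_KNOWN_MD5, batch_size=100):
    """Run the client against an in-process FakeNsrlsvr and return its results."""
    server = FakeNsrlsvr(known)
    server.start()
    try:
        return query_nsrlsvr(server.host, server.port, digests, batch_size=batch_size)
    finally:
        server.join(timeout=2)


if __name__ == "__main__":
    probe = ["d41d8cd98f00b204e9800998ecf8427e", "ffffffffffffffffffffffffffffffff"]
    for digest, present in offline_roundtrip(probe).items():
        print(digest, "known" if present else "unknown")
```

Against a real server, call query_nsrlsvr("localhost", 9120, [...]) or known_digests("localhost", 9120, [...]); the batching keeps the number of round trips small when checking many hashes, and the strict reply-length check catches a server that answers with a different protocol version.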
Running the analysis plugin
First run log2timeline to calculate the hashes:
log2timeline.py --hashers md5 --storage-file timeline.plaso image.raw
Make sure to enable a hasher that nsrlsvr can answer for; in this example that is md5. The plugin can only look up hashes that were computed at this step, so the value passed to --nsrlsvr-hash below must be one of the hashers enabled here.
Next run psort to tag events. The null output module writes no timeline; the tags the analysis plugin assigns are stored back into timeline.plaso:
psort.py --analysis nsrlsvr --nsrlsvr-hash md5 --nsrlsvr-host localhost --nsrlsvr-port 9120 -o null timeline.plaso
Finally, export a timeline that includes the tag field:
psort.py -o dynamic --fields datetime,timestamp_desc,source,source_long,message,parser,tag -w timeline.csv timeline.plaso
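Once the tagged timeline is exported, the usual next step is to drop the events the NSRL recognised and work from what remains. The script below is an added example, not part of plaso; it assumes the tag label applied by the plugin is nsrl_present (the plugin's default label is assumed here, not stated on this page), that the dynamic output is parseable with Python's csv module, and that multiple tags on one event are whitespace separated. The SAMPLE_TIMELINE_CSV rows are constructed for illustration.

```python
import collections
import csv
import io
import sys

# Constructed sample of psort dynamic output with the fields used on this page.
# Paths, times and tags are made up; they are not output from a real image.
SAMPLE_TIMELINE_CSV = """\
datetime,timestamp_desc,source,source_long,message,parser,tag
2019-03-01T10:00:00+00:00,Content Modification Time,FILE,File stat,"TSK:/Windows/System32/kernel32.dll Type: file",filestat,nsrl_present
2019-03-01T10:05:00+00:00,Content Modification Time,FILE,File stat,"TSK:/Users/bob/AppData/Local/Temp/svch0st.exe Type: file",filestat,
2019-03-01T10:06:00+00:00,Last Access Time,FILE,File stat,"TSK:/Windows/System32/notepad.exe Type: file",filestat,nsrl_present
2019-03-01T10:07:00+00:00,Creation Time,FILE,File stat,"TSK:/Users/bob/Downloads/invoice.pdf.exe Type: file",filestat,
"""

# Assumed default label of the nsrlsvr analysis plugin (override with --nsrlsvr-label).
NSRL_LABEL = "nsrl_present"


def split_tags(tag_field):
    """Split the tag column into a set of labels (assumed whitespace separated)."""
    return set((tag_field or "").replace(",", " ").split())


def partition_by_label(csv_text, label=NSRL_LABEL):
    """Return (known, unknown): rows carrying `label` and rows that do not."""
    known, unknown = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        bucket = known if label in split_tags(row.get("tag")) else unknown
        bucket.append(row)
    return known, unknown


def unknown_messages(csv_text, label=NSRL_LABEL):
    """Messages of events the NSRL did not match: the triage worklist."""
    _, unknown = partition_by_label(csv_text, label)
    return [row["message"] for row in unknown]


def tag_summary(csv_text):
    """Count events per tag label; untagged events are counted under ''.

    A zero count for the NSRL label after psort usually means the plugin
    found no hashes to query, e.g. --nsrlsvr-hash named a hasher that was
    not enabled with --hashers when log2timeline ran.
    """
    counts = collections.Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        tags = split_tags(row.get("tag"))
        if tags:
            counts.update(tags)
        else:
            counts[""] += 1
    return dict(counts)


if __name__ == "__main__":
    # Usage: python this_script.py timeline.csv   (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], newline="") as handle:
            text = handle.read()
    else:
        text = SAMPLE_TIMELINE_CSV
    print("tag counts:", tag_summary(text))
    for message in unknown_messages(text):
        print("unknown:", message)
```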