Nsrlsvr Analysis Plugin

Notes on how to use the nsrlsvr analysis plugin.

Setting up nsrlsvr

The source of nsrlsvr can be found here

Follow the installation instructions.

Running nsrlsvr

To run nsrlsvr:

nsrlsvr -f /fullpath/NSRLFile.txt

To test if nsrlsvr is working you’ll need nsrllookup

To run nsrllookup against your instance of nsrlsvr:

echo $MD5 | nsrllookup -s localhost -p 9120 -k

Which will return $MD5 if present in NSRLFile.txt and nothing when $MD5 does not present.

Running the analysis plugin

First run log2timeline to calculate the hashes:

log2timeline.py --hashers md5 --storage-file timeline.plaso image.raw

Make sure to enable hashers supported by nsrlsvr, which is md5 in this example.

Next run psort to tag events:

psort.py --analysis nsrlsvr --nsrlsvr-hash md5 --nsrlsvr-host localhost --nsrlsvr-port 9120 -o null timeline.plaso

The last step would be to export a timeline with the tags:

psort.py -o dynamic --fields datetime,timestamp_desc,source,source_long,message,parser,tag -w timeline.csv timeline.plaso