IBM Support

QRadar Network Insights: How file name data displays in the user interface details screen (IJ23036)

Troubleshooting


Problem

QRadar Network Insights populates information about file names when files are observed on the network. Administrators have reported in some circumstances where file names display as truncated file extensions, such as .xml, .zip, or .html. This technical note describes how QRadar Network Insights populates file names as an addendum to APAR IJ23036.

Symptom

Users might experience issues where the File Name column displays only the file extension, such as .xml, .zip, or .html. For example:
[Screenshot: File Name column showing only file extensions]

Cause

QRadar Network Insights populates file attributes, such as file name, file size, and MD5 file hash, when a “file” is observed on the network. This includes, but is not limited to, when:
  • A file is transferred across the network by a protocol. For example, SMB or FTP file transfers between hosts.
  • A file is uploaded or downloaded, such as files that are downloaded through HTTP.
  • An HTTP operation contains a payload, such as HTTP POST/PUT bodies or HTTP GET responses.
  • A file is observed by a domain inspector. For example, a file attachment on an email message viewed in Gmail.
The file name field is populated with the true file name when that information is available. There are certain circumstances where the file name field in the user interface contains different formats, including but not limited to:
  • POST_filename: File information is generated when an HTTP POST body is observed. The URI is prefixed with “POST_” in these cases. For example, POST_login.aspx.
  • FULL\QUALIFIED\FOLDER\STRUCTURE\file.txt: When the path is available but not captured in other protocol-specific fields, the fully qualified folder structure leading to the file might be included, for example, with the SMB protocol.
  • Client.crt / Server.crt: Displayed when an X509 certificate is observed on the network from the client to the server.
  • .txt: File names that display as a .txt file extension might be HTTP flows where a response body is observed, but the response cannot be correlated to an earlier request. For example, lost packets or a long delay between the request and response that exceeds the idle timeout for the flow.

Environment

The lack of a file name can be caused by the following network or appliance issues:
  1. Packet loss issues before the data arrives at the QRadar Network Insights Appliance.
  2. Packet loss issues at the Napatech/Network Interface Card (NIC) level.
  3. Packet loss in QRadar Network Insights due to resource issues, such as decapper CPU utilization at or greater than 95%.
  4. Asymmetric routing where QRadar Network Insights sees only one half of the connection.
  5. A long delay between the request and response, which can cause QRadar Network Insights to consider the communication as two separate flows.

Resolving The Problem

Administrators who experience recurring issues with file names that display as extensions in the File Name column for QRadar Network Insights can open a case with QRadar Network Insights Support.

Ensure that with your case you indicate the following information:
  • List your QRadar Network Insights version in your case.
  • Describe the issue and indicate to Support that you believe you are experiencing APAR IJ23036.
  • Describe the frequency with which file names appear to be absent from the File Name column.
  • Attach logs from your QRadar Network Insights Appliance to submit with the case.
  • Optional. Attempt to capture traffic from the Napatech card for examination. For example, the first command captures the traffic, then the second command converts the data to a PCAP file:
    /opt/napatech3/bin/capture -f networktraffic.stream1 -s 1 -b 1G -t 120
    /opt/napatech3/bin/capfileconvert -i networktraffic.stream1 -o stream1.pcap --outputformat=pcap
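To describe the frequency of extension-only file names in a case, and to separate them from the POST_, folder-path and certificate formats listed under Cause, the following added Python example (not part of the IBM note and not QRadar Network Insights code) classifies a constructed list of File Name values as they might be exported from the user interface; the category names and sample values are assumptions.

```python
import re
from collections import Counter

# Constructed sample of File Name values in the formats the note describes
# (assumed data, not values captured from a real QNI deployment).
SAMPLE_FILE_NAMES = [
    "report.pdf",
    ".xml",
    ".zip",
    "POST_login.aspx",
    "SHARE\\finance\\q1\\budget.xlsx",
    "Client.crt",
    "Server.crt",
    ".txt",
    ".html",
    "invoice.docx",
]

# An extension-only value such as ".xml" or ".zip": a leading dot followed
# by alphanumerics only, with no base name in front of it.
EXTENSION_ONLY = re.compile(r"^\.[A-Za-z0-9]+$")


def classify_file_name(name: str) -> str:
    """Map one File Name value to the display format described in the note."""
    if name.startswith("POST_"):
        return "post_uri"          # HTTP POST body; URI prefixed with POST_
    if name in ("Client.crt", "Server.crt"):
        return "certificate"       # X509 certificate observed on the wire
    if EXTENSION_ONLY.match(name):
        # Bare extension; ".txt" in particular can be an HTTP response body
        # that could not be correlated to its request (see Cause).
        return "extension_only"
    if "\\" in name:
        return "full_path"         # fully qualified folder structure, e.g. SMB
    return "file_name"             # true file name was available


def summarize(names):
    """Return per-category counts and the share of extension-only values."""
    counts = Counter(classify_file_name(n) for n in names)
    total = len(names)
    share = counts["extension_only"] / total if total else 0.0
    return counts, share


if __name__ == "__main__":
    counts, share = summarize(SAMPLE_FILE_NAMES)
    for category, count in sorted(counts.items()):
        print(f"{category:15s} {count}")
    print(f"extension-only share: {share:.0%}")
```

Run it against the File Name column exported for the period in question to report the proportion of extension-only values alongside the QRadar Network Insights version in the case.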


Document Location

Worldwide


Document Information

Modified date:
27 May 2020

UID

ibm16217309