RSA NetWitness Platform 11.5 has expanded support for Snort rules (also known as signatures) that can be imported into the network Decoders. Some of the newly supported rule parameters are:
- nocase
- byte-extract
- byte-jump
- threshold
- depth
- offset
This additional coverage enables administrators to use more commonly available detection rules that were not previously supported. The ability to use further Snort rules arms administrators with another mechanism, in addition to application rules and Lua parsers, to extend the detection of known threats.
To expand your knowledge on what is and is not supported, along with a much more detailed initial setup guide, check out Decoder Snort Detection
Once configured, to Investigate the threats that Snort rules have triggered, examine the Events pivoting in the metadata (sig.id, sig.name) populated from the rules themselves or query for threat.source = "snort rule" to find all Snort events. The Signature Identifier (sig.id) corresponds to the sid attribute in the Snort rule while the Signature Name (sig.name) corresponds to the msg attribute of the rule options.
As always, we welcome your feedback!
Please leave any feedback or suggestion on how to make this experience even better. To see what else may be in store for future releases, go to the RSA Ideas portal for the RSA NetWitness Platform to see enhancements that have been suggested, vote on them, and submit you own.
