This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

SA not parsing source port from snort logs

jcarleton
New Contributor
New Contributor

‎2014-06-09 07:26 PM

Is there a way to force SA to parse the source port in snort logs?

 

As you know, traffic looks like this;

 

Jun 9 15:53:49 snortbox01 snort[123456]: [1:12345:6] SSH Activity Detected [Classification: Misc activity] [Priority: 3]: {TCP}

10.0.10.123:22 -> 10.0.10.124:5682

 

What I'm seeing in SA is that it pulls the ip.dstport meta is fine, but there is nothing in ip.srcport meta.

 

Any help would be appreciated

0 Likes
2 REPLIES 2

LeeKirkpatrick
Valued Contributor Valued Contributor
Valued Contributor

‎2014-06-10 04:00 AM

Hey,

 

This Meta is generated but only at the Decoder level and never pulled to the Concentrator. What you need to do is open the following file on your Decoder:


/etc/netwitness/ng/envision/etc/table-map.xml

 

Look for the line that looks like the below:

 

<mapping envisionName="sport" nwName="ip.srcport" flags="Transient" format="UInt16" envisionDisplayName="SourcePort|LocalPort|ServerPort" nullTokens="-|(null)"/>

 

And change the flags="Transient" to flags="None", like the below:

 

<mapping envisionName="sport" nwName="ip.srcport" flags="None" format="UInt16" envisionDisplayName="SourcePort|LocalPort|ServerPort" nullTokens="-|(null)"/>

 

The transient flag means that this Meta would only reside on the Decoder and never be pulled, changing this flag to "None" means it will be available to you at the Concentrator level. After making this change you must restart your Log Decoder service.

 

Now you have the make sure the "ip.srcport" Meta is available to you as a Meta key in Investigator. To do this follow the steps below:

 

Open the following file on your Concentrator:

 

/etc/netwitness/ng/index-concentrator.xml

 

Add the following line under the "Destination Port" Meta key:

 

<key description="Source Port" level="IndexValues" name="ip.srcport" format="UInt16" valueMax=65536" defaultAction="Closed"/>

 

Restart the Concentrator service for changes to take affect.

jcarleton
New Contributor
New Contributor
In response to LeeKirkpatrick

‎2014-06-10 01:07 PM

Hi,

 

That seems to do the trick. Had to wait for more logs to come in after changes were made, and when they did Source Port graced my screen. Source Port should really be a default field to be pulled.

 

Thanks for the help.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.