This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Snort Rules and SA/NetWitness

Go to solution
Anonymous
Not applicable

‎2014-01-13 12:54 AM

Hello

 

where can i find a document that describe how to impliment Snort Rules in SA/NW? i know that is possible but i cant seem to find a document to describe the process.

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2014-01-13 04:42 PM

This might be what you are looking for.  Basically a vanilla snort.conf file and a rules folder with an emerging threats file in there.

View solution in original post

snort.zip
0 Likes
35 REPLIES 35

Go to solution
Anonymous
Not applicable

‎2014-01-13 07:24 AM

https://sadocs.emc.com/0_en-us/098_10.3_SP1_User_Guide

 

You are likely looking for an App rule on the packet decoder.

0 Likes

Go to solution
Anonymous
Not applicable

‎2014-01-13 12:51 PM

I'd like to see a document on parsers and such.

 

mainly because im looking for a way to exctact more data from crash reports that SA see's.

0 Likes

Go to solution
Anonymous
Not applicable

‎2014-01-13 03:44 PM

I believe the directions for implementing snort rules existed on the 9.8 administration guide.  I'll have to check if it is on the docs site.

 

Basically, what I did was add a snort folder to /etc/netwitness/ng.  In that snort folder, I had a rules folder and a basic snort.conf file that pointed to the rules folder.  Inside the rules folder, I kept my snort rules, which I grabbed from emerging threats.  Then, I made sure the snort parser was enabled and restarted services.

0 Likes

Go to solution
Anonymous
Not applicable

‎2014-01-13 03:46 PM

ive noticed that alot of the better material from the 9x documentation has yet to make it in to the 10.3x docs or any of the Sa docs.

0 Likes

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2014-01-13 03:49 PM

There is always room for improvement.

0 Likes

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2014-01-13 04:21 PM

Do you have an example of what the Snort Config file would look like and is there any special format for the snort rules?

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner

‎2014-01-13 04:35 PM

Here is an old doc I had on my laptop.  As noted above, if there is an NG directory, the snort subdirectory goes there.  I think the rest of the config is the same.  Also, this will register meta into the Feed Name, Feed Cat and Feed Desc keys, so if you hope to open these keys quickly, you should set indexing to IndexValues on the concentrators and brokers.

15 KB
0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2014-01-13 04:38 PM

Whoops, it populates into threat.source, threat cat and threat desc.

0 Likes

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2014-01-13 04:42 PM

This might be what you are looking for.  Basically a vanilla snort.conf file and a rules folder with an emerging threats file in there.

snort.zip
0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.