2014-01-13 12:54 AM
Hello
Where can I find a document that describes how to implement Snort rules in SA/NW? I know that it is possible, but I can't seem to find a document that describes the process.
2014-01-13 04:42 PM
This might be what you are looking for. Basically a vanilla snort.conf file and a rules folder with an Emerging Threats file in there.
2014-01-13 07:24 AM
https://sadocs.emc.com/0_en-us/098_10.3_SP1_User_Guide
You are likely looking for an App rule on the packet decoder.
2014-01-13 12:51 PM
I'd like to see a document on parsers and such.
Mainly because I'm looking for a way to extract more data from crash reports that SA sees.
2014-01-13 03:44 PM
I believe the directions for implementing snort rules existed on the 9.8 administration guide. I'll have to check if it is on the docs site.
Basically, what I did was add a snort folder to /etc/netwitness/ng. In that snort folder, I had a rules folder and a basic snort.conf file that pointed to the rules folder. Inside the rules folder, I kept my snort rules, which I grabbed from emerging threats. Then, I made sure the snort parser was enabled and restarted services.
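The directory layout described in the post above, as an added shell example that is not from the thread or from RSA/EMC: it creates the snort folder with a rules folder and a minimal snort.conf that points at it, then checks that every include in snort.conf resolves to an existing file and that every rule line carries a sid before you restart services. The base path /etc/netwitness/ng comes from the post; the file name local.rules, the sample rule, and the assumption that a relative RULE_PATH resolves from the snort directory are mine. Enabling the snort parser and restarting services is still done in Security Analytics itself, as the post says, not by this script.

```shell
#!/bin/sh
# Added example (not from the thread). Lays out <base>/snort/snort.conf and
# <base>/snort/rules/ as the post describes, then sanity-checks the result.
# Usage: sh snort_layout.sh /etc/netwitness/ng

# Create the snort folder, a rules folder and a vanilla snort.conf pointing at it.
setup_snort_layout() {
    base="$1"
    mkdir -p "$base/snort/rules"
    # Minimal snort.conf: a rule path and one include, nothing else (assumed layout).
    cat > "$base/snort/snort.conf" <<'EOF'
# minimal snort.conf for the Security Analytics snort parser
var RULE_PATH rules
include $RULE_PATH/local.rules
EOF
    # Constructed sample rule in standard Snort syntax; not a real ET signature.
    cat > "$base/snort/rules/local.rules" <<'EOF'
# local.rules - constructed example rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE HTTP probe"; content:"GET /probe"; sid:1000001; rev:1;)
EOF
}

# Return 0 when snort.conf exists, every include resolves to a file, and every
# non-comment line in each included file looks like a Snort rule with a sid.
check_snort_layout() {
    base="$1"
    conf="$base/snort/snort.conf"
    [ -f "$conf" ] || { echo "missing $conf"; return 1; }
    rule_path=$(sed -n 's/^var RULE_PATH[[:space:]]*//p' "$conf")
    [ -n "$rule_path" ] || { echo "no RULE_PATH in $conf"; return 1; }
    status=0
    for inc in $(sed -n 's/^include[[:space:]]*//p' "$conf"); do
        # Expand $RULE_PATH relative to the snort directory (assumption).
        case "$inc" in
            '$RULE_PATH/'*) file="$base/snort/$rule_path/${inc#\$RULE_PATH/}" ;;
            *)              file="$base/snort/$inc" ;;
        esac
        if [ ! -f "$file" ]; then
            echo "include not found: $file"
            status=1
            continue
        fi
        # Count lines that are neither comments/blank nor a rule action with a sid.
        bad=$(awk '!/^[[:space:]]*(#|$)/ && !/^(alert|log|pass|drop|reject|sdrop)[[:space:]].*sid:[0-9]+;/ {n++} END {print n+0}' "$file")
        if [ "$bad" -ne 0 ]; then
            echo "$bad malformed rule line(s) in $file"
            status=1
        fi
    done
    return $status
}

# Stand-alone run: set up and check the layout under the directory given as $1.
if [ $# -gt 0 ]; then
    setup_snort_layout "$1" && check_snort_layout "$1"
fi
```

Run the check again whenever you drop a new Emerging Threats file into the rules folder and add an include for it; a missing file or a rule without a sid is reported before you restart anything.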
2014-01-13 03:46 PM
I've noticed that a lot of the better material from the 9.x documentation has yet to make it into the 10.3.x docs or any of the SA docs.
2014-01-13 03:49 PM
There is always room for improvement.
2014-01-13 04:21 PM
Do you have an example of what the Snort Config file would look like and is there any special format for the snort rules?
2014-01-13 04:35 PM
Here is an old doc I had on my laptop. As noted above, if there is an NG directory, the snort subdirectory goes there. I think the rest of the config is the same. Also, this will register meta into the Feed Name, Feed Cat and Feed Desc keys, so if you hope to open these keys quickly, you should set indexing to IndexValues on the concentrators and brokers.
2014-01-13 04:38 PM
Whoops, it populates into threat.source, threat cat and threat desc.