This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Snort Rules and SA/NetWitness

Go to solution
Anonymous
Not applicable

‎2014-01-13 12:54 AM

Hello

 

where can i find a document that describe how to impliment Snort Rules in SA/NW? i know that is possible but i cant seem to find a document to describe the process.

0 Likes
35 REPLIES 35

Go to solution
RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-01-14 10:11 AM

I'm guessing you need snort rules.  It should be in the snort directory as a single text-based file with a .rules extension.  Try to put one rule per line.  Then reload parsers again and it should show that rules are loaded.

0 Likes

Go to solution
Anonymous
Not applicable
In response to RSAAdmin

‎2014-01-14 10:18 AM

OK that worked!.  I had mistakenly thought that the rules need to be in a subdirectory of the snort folder.  Should all the rules be in one .rules file or can you have multiple rules files?

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-01-14 10:22 AM

I think it needs to be a single file.  Once it is uploaded you can actually edit the file directly via the files interface in Admin.

0 Likes

Go to solution
Anonymous
Not applicable
In response to RSAAdmin

‎2014-01-15 01:33 AM

i still cant get this to work. i have the snort folder in /etc/netwitness/ng/parsers
in that directory i have two files snort.conf and demo.rules. and when i run parsers reload i  get 1119303 2014-Jan-15 06:24:05 Snort info Loaded 0 snort rules, 0 small tokens, 0 with pcres, 0 parti

im using netwitness 9.8.5 any ideas?

0 Likes

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2014-01-15 08:38 AM

Have a look at the snort.conf file and look for the location it expects the rules to be in. Usually a sub folder called rules in the same path as the conf file.

 

Sent from my iPhone

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-01-15 09:52 AM

If you are running version 9.8, there should not be an NG subdirectory, unless one was already there?  You are looking for the location where all of the LIVE parsers get deployed locally.  That is where your snort directory should be.

0 Likes

Go to solution
Anonymous
Not applicable

‎2014-01-16 01:01 AM

the NG subdir was already there its the only subdir under /etc/netwitness/ under NG i have the parsers subdir which is where i created the snort directory

0 Likes

Go to solution
Anonymous
Not applicable

‎2014-01-16 01:52 AM

Ok i got this to work now i see my demo.rules in the file section in administrator

alert tcp any any -> $EXTERNAL_NET 80 (msg: "Hello Im Your New SNORT Rule";reference:url,http://www.snort.org/snort-rules/;content:"snort";flow:to_server;nocase;sid:9000547;)

but when i test this (genereting some http traffic to www.snort.org/snort-rules/) i dont see any new meta generated

but i see the traffic in NW. am i missing something?

0 Likes

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2014-01-16 12:16 PM

I used your rule that you posted earlier in this discussion.  If this is your demo rule then that might be your problem.  I tried this rule and it failed to load after I ran a 'parsers reload' at the console.

0 Likes

Go to solution
Anonymous
Not applicable

‎2014-01-16 03:46 PM

that's odd. i was able to upload it and i see it in the file folder on administrator. also when i checked the logs after parser reload it said 1 rule was uploaded.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.