This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Snort Rules and SA/NetWitness

Go to solution
Anonymous
Not applicable

‎2014-01-13 12:54 AM

Hello

 

where can i find a document that describe how to impliment Snort Rules in SA/NW? i know that is possible but i cant seem to find a document to describe the process.

0 Likes
35 REPLIES 35

Go to solution
Anonymous
Not applicable

‎2014-01-23 09:20 AM

so while this thread has helped with getting this working within th elegacy NW/NG environment, i cant seem to find anything that refers to how to implement within SA.

im reaching out to my account rep to see if they can provide anything...

0 Likes

Go to solution
huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-01-23 11:39 AM

NetWitness Administrator V9.8.pdf

 

SNORT® rules and configuration are added to the parsers/snort directory for

INVESTIGATOR and DECODER. DECODER supports the payload detection capabilities of

SNORT® rules.

0 Likes

Go to solution
Anonymous
Not applicable
In response to huanzhou1

‎2014-01-23 11:41 AM

right as i said legacy. nothing really about 10.x?

0 Likes

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2014-01-23 11:52 AM

While it doesn’t say SA on the cover, under the cover, it is still core Netwitness functionality and the Admin guide is still a viable resource.

0 Likes

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2014-01-23 12:35 PM

understood, but one would expect rsa to improve the interface(really build one) as they have done for making feeds 100% easier to implement. as it would have a value add to the product line, that alot more users could take advantage of.  and not rely on documentation from the legacy fat clients.

0 Likes

Go to solution
Anonymous
Not applicable

‎2014-07-14 05:39 PM

I have successfully enabled it on SA/10.3, I have found bits of information, here's the complete

As some of you mention this are the steps:

In your decoder:

1. Create /etc/netwitness/ng/parsers/snort

2. Create the snort.conf file inside the snort directory

3. Create the rules file (this is a bit tricky because it is not all the snort functionality, you have to test your files by trial and error, to find out if they're working) inside the snort, must be with extension .rules

4. Make sure the snort parser is enabled on the decoder.

5. Restart the decoder services.

6. You should have a file in the GUI decoder->config->files for the rules file and one for the snort.conf

 

After every time you edit the (rules,config) file reload the parsers with this command:

 

Reload the parsers via the REST API: http://IPofYourDecoder:50104/decoder/parsers?msg=reload

Catch the messages for loaded rules --- > tail -f /var/log/messages | grep Snort

"[Snort] [info] Loaded 1 snort rules, 0 small tokens, 0 with pcres, 1 partial"

 

The hits should populate Risk Informational. meta.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.