2014-01-13 12:54 AM
Hello
Where can I find a document that describes how to implement Snort rules in SA/NW? I know that it is possible, but I can't seem to find a document describing the process.
2014-01-23 09:20 AM
So while this thread has helped with getting this working within the legacy NW/NG environment, I can't seem to find anything that refers to how to implement it within SA.
I'm reaching out to my account rep to see if they can provide anything...
2014-01-23 11:39 AM
NetWitness Administrator V9.8.pdf
SNORT® rules and configuration are added to the parsers/snort directory for INVESTIGATOR and DECODER. DECODER supports the payload detection capabilities of SNORT® rules.
2014-01-23 11:41 AM
Right, as I said, legacy. Nothing really about 10.x?
2014-01-23 11:52 AM
While it doesn’t say SA on the cover, under the cover, it is still core Netwitness functionality and the Admin guide is still a viable resource.
2014-01-23 12:35 PM
Understood, but one would expect RSA to improve the interface (really, build one), as they have done for making feeds 100% easier to implement. It would be a value add to the product line that a lot more users could take advantage of, and would not rely on documentation from the legacy fat clients.
2014-07-14 05:39 PM
I have successfully enabled it on SA/10.3. I have found bits of information; here's the complete
As some of you mentioned, these are the steps:
In your decoder:
1. Create /etc/netwitness/ng/parsers/snort
2. Create the snort.conf file inside the snort directory
3. Create the rules file inside the snort directory; it must have the extension .rules. (This is a bit tricky, because not all of the Snort functionality is supported; you have to test your files by trial and error to find out whether they're working.)
4. Make sure the snort parser is enabled on the decoder.
5. Restart the decoder services.
6. You should have a file in the GUI under decoder -> config -> files for the rules file and one for the snort.conf.
Every time you edit the rules or config file, reload the parsers.
Reload the parsers via the REST API: http://IPofYourDecoder:50104/decoder/parsers?msg=reload
Catch the messages for loaded rules: tail -f /var/log/messages | grep Snort
"[Snort] [info] Loaded 1 snort rules, 0 small tokens, 0 with pcres, 1 partial"
The hits should populate the Risk Informational meta.
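The reload-and-verify step above, as an added example that is not part of the thread or of the product's own tooling: it builds the reload URL from the post, parses the "[Snort] [info] Loaded ..." message, and fails when the rule count is off or any rule loaded only partially. The decoder address is a placeholder, the log line is constructed, and the curl call assumes the REST endpoint is reachable from where the script runs.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies the decoder's Snort parser reload.

DECODER_IP="${DECODER_IP:-192.0.2.10}"   # placeholder; set to your decoder's address

# Constructed sample of the syslog line the post shows after a reload.
SNORT_SAMPLE_LINE='Jul 14 17:39:01 decoder NwDecoder[1234]: [Snort] [info] Loaded 1 snort rules, 0 small tokens, 0 with pcres, 1 partial'

# Reload URL from the thread: port 50104, /decoder/parsers?msg=reload.
reload_url() {
    printf 'http://%s:50104/decoder/parsers?msg=reload\n' "$1"
}

# Print the four counts ("rules small pcres partial") from one Loaded line;
# prints nothing and returns 1 if the line is not a Snort load message.
parse_snort_load() {
    printf '%s\n' "$1" | sed -n \
      's/.*\[Snort\] \[info\] Loaded \([0-9][0-9]*\) snort rules, \([0-9][0-9]*\) small tokens, \([0-9][0-9]*\) with pcres, \([0-9][0-9]*\) partial.*/\1 \2 \3 \4/p' \
      | grep . || return 1
}

# Return 0 only if the expected number of rules loaded and none were partial.
check_snort_load() {
    expected="$1"; line="$2"
    counts=$(parse_snort_load "$line") || { echo "no Snort load message found" >&2; return 2; }
    set -- $counts
    rules="$1"; partial="$4"
    if [ "$rules" -ne "$expected" ]; then
        echo "loaded $rules rules, expected $expected" >&2; return 1
    fi
    if [ "$partial" -gt 0 ]; then
        echo "$partial of $rules rules loaded only partially; check their options" >&2; return 1
    fi
    return 0
}

# Reload the parsers, then check the newest Snort load message in the local
# /var/log/messages. Not run by default; add REST credentials to curl (-u) if
# your decoder requires them (assumption, not stated in the thread).
reload_and_check() {
    curl -s -o /dev/null "$(reload_url "$DECODER_IP")"
    sleep 2
    last=$(grep '\[Snort\] \[info\] Loaded' /var/log/messages | tail -n 1)
    check_snort_load "$1" "$last"
}
```

Run `reload_and_check <expected-rule-count>` on the decoder after editing the .rules file; a non-zero exit means the file did not load the way you intended.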