NetWitness Community

If I mess this up what are the possible side effects?

my config is left as any.  Like I said, a vanilla conf file.  The snort parser is just parsing the content of the rules....there isn't a full blown snort engine on the decoder.

possible side effects include headaches, drowzyness, blurred vision, and warts.  J/K

Only side effect that I encountered, which wasn't really a side effect, was that I didn't get any meta generated.  I started with some emerging threats rules that I knew would fire.

OK I am running Netwitness 9.8.5.1 and etc/netwitness/ng/snort does not appear to be right as my logs don't show the anything saying anything about snort.  Any suggestions?

was the snort parser enabled?

Was the service restarted?

i followed the document and created a demo.rule file with the follwing rule

alert tcp any any -> $EXTERNAL_NET 80 (msg: "Hello Im Your New SNORT Rule"; reference: url,http://www.snort.org/snort-rules/; content: "snort"; flow:to_server; nocase; sid:9000547; rev:1)

when i reloaded the parsers i get this line in the log Snort info Loaded 0 snort rules, 0 small tokens, 0 with pcres, 0 partial

does anyone know why?

OK I restarted the decoder but I didn't see any documentation on how to enable the snort parser.  I just assumed it was just waiting for the snort config.

Ok that helped some what.  I moved the snort directory to etc/netwitness/ng/parsers/snort.  When I run the reload parsers command i at least now get the same thing adimenia is getting, which is "Snort Info Loaded 0 snort rules, 0 small tokens, 0 with pcre, 0 partial"

So what are we missing.