2015-09-04 02:29 PM
We have been using the snort parsing in our environment with great success, but one issue we are running into is that the volume of rules we have running is clogging up our risk.info category. While we're working through some tuning, one of my analysts wanted to know if it was possible to put the rules into a dedicated category rather than in the risk categories. In looking through other discussions on these forums I saw the below mappings were in place. While I'm quite comfortable looking at the snort.config file and making adjustments, these options did not seem to be available.
Is it possible to override these mappings?
Snort to NextGen Field Mappings

Snort Field      NextGen Meta
"snort rule"     threat.source
sid              alert.id
classtype        threat.category
message          risk.*
                   2 - risk.suspicious
                   3 - risk.info
2015-09-15 04:34 AM
I'm getting the following when I try to load it...
Sep 15 08:29:40 rsadecoder nw[13934]: [Lua] [failure] LUA_ERRRUN: [string "snort.lua"]:1: '=' expected near 'lua_snort'
Sep 15 08:29:40 rsadecoder nw[13934]: [Lua] [failure] Throw in function static void nw::LuaPackage::require(lua_State*, const string&)Dynamic exception type: boost::exception_detail::clone_impl<nw::LuaError>std::exception::what: LUA_ERRRUN: [string "snort.lua"]:1: '=' expected near 'lua_snort'[boost::errinfo
Sep 15 08:29:51 rsadecoder nw[13934]: [Snort] [info] Loaded snort.rules, full 405, parital 12454, failures 962
Correction! - Helps if I copy your text correctly!
2015-09-15 05:53 AM
Check to make sure the copy/paste was done correctly. It appears to be an error in the first line.