William Hart

Expanded Coverage of Snort Rules

Blog post created by William Hart on Oct 23, 2020

RSA NetWitness Platform 11.5 has expanded support for Snort rules (also known as signatures) that can be imported into the network Decoders. Some of the newly supported rule parameters are:

  • nocase
  • byte-extract
  • byte-jump
  • threshold
  • depth
  • offset

This additional coverage enables administrators to use more commonly available detection rules that were not previously supported. The ability to use further Snort rules arms administrators with another mechanism, in addition to application rules and Lua parsers, to extend the detection of known threats. 


For details on what is and is not supported, along with a much more detailed initial setup guide, see Decoder Snort Detection.


Once configured, to Investigate the threats that Snort rules have triggered, open the Events view and pivot on the metadata (sig.id, sig.name) populated from the rules themselves, or query for threat.source = "snort rule" to find all Snort events. The Signature Identifier (sig.id) corresponds to the sid attribute of the Snort rule, while the Signature Name (sig.name) corresponds to the msg attribute in the rule options.
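As an added example (not code from the post or from the NetWitness product), the parser below reads a single-line Snort rule, pulls out the sid and msg values that become sig.id and sig.name, and reports which of the newly supported option keywords the rule uses, so an administrator can check a rule before importing it. The Snort keyword spellings byte_extract/byte_jump and the sample rule are assumptions.

```python
import re

# Option keywords this post lists as newly supported in NetWitness 11.5.
# Snort spells two of them with underscores (byte_extract, byte_jump); assumed here.
NEWLY_SUPPORTED = {"nocase", "byte_extract", "byte_jump", "threshold", "depth", "offset"}

# Rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)


def split_options(body):
    """Split the option body on ';', honouring quoted strings and backslash escapes."""
    options, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # '\;' or '\"' inside msg/content
            cur.extend((ch, body[i + 1]))
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            options.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    options.append("".join(cur).strip())
    return [o for o in options if o]


def rule_to_metadata(rule):
    """Map a single-line Snort rule to the NetWitness meta keys named in the post."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a single-line Snort rule")
    opts = {}
    for raw in split_options(m.group("body")):
        key, _, val = raw.partition(":")
        opts[key.strip()] = val.strip().strip('"') if val else None
    if "sid" not in opts or "msg" not in opts:
        raise ValueError("rule needs both sid and msg to populate sig.id / sig.name")
    return {
        "sig.id": int(opts["sid"]),              # sid -> sig.id
        "sig.name": opts["msg"],                 # msg -> sig.name
        "threat.source": "snort rule",           # value queried in Investigate
        "new_options_used": sorted(opts.keys() & NEWLY_SUPPORTED),
    }


# Constructed sample rule (not from the post); it exercises nocase, depth and offset.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE plain HTTP GET"; '
               'flow:to_server,established; content:"GET"; nocase; depth:3; offset:0; '
               'sid:1000001; rev:1;)')
```

Calling `rule_to_metadata(SAMPLE_RULE)` returns sig.id 1000001, sig.name "EXAMPLE plain HTTP GET" and the three new option keywords the sample uses.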

(Screenshot: Snort rules found)

As always, we welcome your feedback!


Please leave any feedback or suggestions on how to make this experience even better. To see what else may be in store for future releases, go to the RSA Ideas portal for the RSA NetWitness Platform to see enhancements that have been suggested, vote on them, and submit your own.