000028902 - Snort Integration Basics with RSA NetWitness Logs And Packets

Document created by RSA Customer Support Employee on Apr 14, 2017
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000028902
Applies ToRSA Product Set: NetWitness Logs and Packets (Security Analytics)
RSA Product/Service Type: Decoder, Concentrator, Hybrid, Broker

Two Prerequisites

1. Your Decoders need the following directory:  /etc/netwitness/ng/parsers/snort

  • Command to create snort folder if none exists:
mkdir /etc/netwitness/ng/parsers/snort


2. Next you will need to create a snort.conf file and place it in the /etc/netwitness/ng/parsers/snort directory.

  • The snort.conf file should have the following parameters defined:
# Setup the network addresses you are protecting
var HOME_NET any
# Set up the external network addresses. Leave as "any" in most situations


Importing Rules into a Decoder

  • Snort rules should be copied to /etc/netwitness/ng/parsers/snort on the decoders.
  • To reload the parsers after new snort rules have been added,  go to Decoder -> View -> Explore in SA and right-click on /decoder/parsers, click Properties, then select 'reload' from the drop-down menu and click 'Send'. 
  • To confirm that the load was successful, look for [Snort] in the log files:
Oct 31 07:48:27 decoder nw[25453]: [Snort] [info] Loaded bad-traffic.rules, full 0, parital 0, failures 0
Oct 31 07:48:27 decoder nw[25453]: [Snort] [info] Loaded blacklist.rules, full 0, parital 0, failures 0

  • Once created, the rules will be accessible in SA via Decoder -> View -> Config via the Files tab.
Note: Rules that do not define any content (via content or uricontent rule options) are not supported. Please use caution when loading Snort rules as it may have an adverse affect on the Decoder.

Note: If creating rules with multiple ports defined in a comma-delimited list, make sure they enclose the list in brackets or the system will not be able to process the rule. 

Meta for Snort Rule Processing

The following Meta values should already be included in your /etc/netwitness/ng/index-concentrator.xml file for processing Snort rules.

Concentrator (index-concentrator.xml) / Broker (index-broker.xml):

<key description="Risk: Informational" format="Text" level="IndexValues" name="risk.info" valueMax="250000" defaultAction="Open" />
<key description="Risk: Suspicious" format="Text" level="IndexValues" name="risk.suspicious" valueMax="250000" defaultAction="Open" />
<key description="Risk: Warning" format="Text" level="IndexValues" name="risk.warning" valueMax="250000" defaultAction="Open" /> 
<key description="Threat Source" format="Text" level="IndexKeys" name="threat.source" /> 
<key description="Threat Category" format="Text" level="IndexKeys" name="threat.category" /> 
<key description="Threat Description" format="Text" level="IndexKeys" name="threat.desc" /> 
<key description="Alert ID" format="Text" level="IndexNone" name="alert.id" valueMax="100000" />

Note: Any time you change a value in index-concentrator-custom.xml or index-broker-custom.xml, you must restart that appliance's service respectively or the changes won't apply since those values are loaded into the engine at service startup.

Snort to RSA Security Analytics Field Mappings

Snort FieldNextGen Meta
"snort rule"threat.source
rule.priority/classtypeThese are used to decide which risk meta category is used for message:
1 - risk.warning
   2 - risk.suspicious
   3 - risk.info


(Class types define a default priority for rules of that type, but can still be overridden by specifying priority in the rule.)

Downloading Snort Rules

Snort VRT rules can be downloaded from the following location:  https://www.snort.org/downloads/#rule-downloads