000028902 - Snort Integration Basics with RSA NetWitness Platform

Document created by RSA Customer Support Employee on Apr 14, 2017Last modified by RSA Customer Support on Mar 24, 2020
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000028902
Applies ToRSA Product Set: NetWitness Platform (Security Analytics)
RSA Product/Service Type: Decoder, Concentrator, Hybrid, Broker

Two Prerequisites

1. Your Decoders need the following directory:  /etc/netwitness/ng/parsers/snort

  • Command to create snort folder if none exists:

mkdir /etc/netwitness/ng/parsers/snort


2. Next, you must create a snort.conf file and place it in the /etc/netwitness/ng/parsers/snort directory.

  • The snort.conf file should have the following parameters defined:

# Setup the network addresses you are protecting
ipvar HOME_NET any
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any
# Setup the network ports
portvar HTTP_PORTS any


Importing Rules into a Decoder

  • Snort rules should be copied to /etc/netwitness/ng/parsers/snort on the decoders.
  • To reload the parsers after new snort rules have been added,  go to Decoder -> View -> Explore in SA and right-click /decoder/parsers, click Properties, then select 'reload' from the drop-down menu and click 'Send'. 
  • To confirm that the load was successful, look for [Snort] in the log files:

Oct 31 07:48:27 decoder nw[25453]: [Snort] [info] Loaded bad-traffic.rules, full 0, parital 0, failures 0
Oct 31 07:48:27 decoder nw[25453]: [Snort] [info] Loaded blacklist.rules, full 0, parital 0, failures 0

  • Once created, the rules are accessible in SA via Decoder -> View -> Config via the Files tab.

Note: Rules that do not define any content (via content or uricontent rule options) are not supported. Please use caution when loading Snort rules as it may have an adverse effect on the Decoder.

Note: If creating rules with multiple ports defined in a comma-delimited list, ensure they enclose the list in brackets or the system cannot process the rule. 

Meta for Snort Rule Processing

The following Meta values should already be in your /etc/netwitness/ng/index-concentrator.xml file for processing Snort rules.

Concentrator (index-concentrator.xml) / Broker (index-broker.xml):

<key description="Risk: Informational" format="Text" level="IndexValues" name="risk.info" valueMax="250000" defaultAction="Open" />
<key description="Risk: Suspicious" format="Text" level="IndexValues" name="risk.suspicious" valueMax="250000" defaultAction="Open" />
<key description="Risk: Warning" format="Text" level="IndexValues" name="risk.warning" valueMax="250000" defaultAction="Open" /> 
<key description="Threat Source" format="Text" level="IndexKeys" name="threat.source" /> 
<key description="Threat Category" format="Text" level="IndexKeys" name="threat.category" /> 
<key description="Threat Description" format="Text" level="IndexKeys" name="threat.desc" /> 
<key description="Alert ID" format="Text" level="IndexNone" name="alert.id" valueMax="100000" />

Note: Any time you change a value in index-concentrator-custom.xml or index-broker-custom.xml, you must restart that appliance's service respectively or the changes will not apply since those values are loaded into the engine at service startup.

Snort to RSA NetWitness Field Mappings

Snort optionAligned Key ModeLegacy Key Mode
msgsig.namerisk.info, risk.warning, or risk.suspicious (depending on rule priority)
priorityrisk.numit is used to determine the type of risk meta associated with the msg value

(Class types define a default priority for rules of that type, but can still be overridden by specifying priority in the rule.)
For more information about aligned meta key, please see the 'Meta Key Usage' section in 'Snort Parsers' document: https://community.rsa.com/docs/DOC-96852

Downloading Snort Rules

Snort VRT rules can be downloaded from the following location:  https://www.snort.org/downloads/#rule-downloads
*Note: Snort v3 rules are not supported.