Snort Parsers

Document created by RSA Information Design and Development on Sep 11, 2018. Last modified by RSA Information Design and Development on Oct 3, 2019.
Snort rules and configuration are added to the parsers/snort directory for NetWitness Investigate and the Decoder. The Decoder supports the payload detection capabilities of Snort rules. The rules files must have the extension .rules and the configuration files must have the extension .conf. The Decoder implementation of Snort rules is centered on using the content strings defined in a Snort rule as a token. Once a token is matched, the rule header and additional rule options can be evaluated. Currently, rules that do not define any content (using content or uricontent rule options) are not supported.

Configuration

The configuration files are loaded prior to loading rules.

Configuration Options

Variable Definitions
  • ipvar: The full language for defining IP address variables is supported, including lists, CIDR, and negation.
  • portvar: The full language for defining port variables is supported, including lists, ranges, and negation.
  • var: Not supported; use ipvar or portvar.

Action Definitions
  • ruletype: The definition of additional ruletypes is supported. However, only rules that have a base rule type of alert are supported.

General Configuration
  • nopcre: This configuration option disables all rules that use pcre.

Meta Key Usage

In version 11.3 or later, the Snort parser accepts a new option, Snort="udm=true", which selects the aligned Unified Data Model (UDM) key set for the meta keys it writes. For information about UDM, see https://community.rsa.com/community/products/netwitness/rsa-content/udm.

By default the legacy key set, which contains keys that are consistent with previous releases, is used. Refer to General Options for a description of how the two key sets differ.

To use the aligned UDM key set for Snort parser meta keys:

  1. In the NetWitness Platform User Interface, go to ADMIN > Services.
  2. Select a Decoder and then click View > Explore.
  3. In the left panel, select decoder > parsers > config.
  4. In the right panel, in parser.options, add Snort="udm=true".
    The following image shows an example of adding Snort="udm=true".

Note: To pass options to parsers, you must first give the name of the parser and then the options to be passed in this format: <ParserName>="<ParserOptions>"<Whitespace><ParserName2>="<Parser2Options>"
Each ParserName=Value option must be separated by whitespace. Normally, the Value must have double quotes around it. The Value itself can sometimes list multiple Option=Value pairs, each separated by whitespace, and if those values have whitespace, they must be in escaped double quotes. To escape a quote, place a backslash before it: \".
This is an example of defining options for Parser1, Parser2, and Parser3:
Parser1="Option1=\"Option1 Value With Space\" Option2=Option2ValueNoSpace" Parser2="Option1=Value" Parser3="op1=val1 op2=val2 op3=\"another value\""

Rules

Snort rules are parsed and loaded when PCS is loaded (any import or capture in Investigate, initial capture start and parser reload in a Decoder).

  • Any rule that does not properly parse is ignored.
  • Any valid Snort rule should parse successfully; however, rule options that Decoders do not support are not fully parsed.
The sections of a rule are handled as follows:

  • Header: The header conditions are evaluated when a rule receives the first token callback for a stream. The header is evaluated once per stream, and prevents any further consideration of a rule against a specific stream if the conditions are not met.
  • Actions: The specified action of a rule must be defined (either one of the native Snort actions, or defined in the configuration using the ruletype statement) for the rule to be considered valid. The Decoder only uses rules with alert actions.
  • Protocols: The Decoder supports the current Snort protocol keywords (tcp, udp, icmp, ip).
  • IP Addresses: The full language for defining IP addresses is supported, including lists, CIDR, and negation.
  • Port Numbers: The full language for defining port numbers is supported, including lists, ranges, and negation.
  • Direction Operator: The directional operator supports the from-to ('->') and bidirectional ('<>') values. The to-from ('<-') value is invalid and causes the rule to fail to load.
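Because a rule that does not meet the header constraints is silently ignored at load time, it helps to pre-check a rules file against the conditions this page lists. The checker below is an added example for this page, not the Decoder's loader: it applies the action, protocol and direction rules from the table above together with the payload constraints stated elsewhere on the page (at least one content/uricontent option, tokens of three or more bytes, hex blocks counted per byte). The alert_ruletypes parameter and the sample rules are assumptions constructed for the example.

```python
import re

PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}          # "<-" is invalid and the rule fails to load
HEADER = re.compile(r"\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)

def content_length(value):
    """Byte length of a Snort content string; |41 42| hex blocks count one per byte."""
    total, in_hex = 0, False
    for part in value.split("|"):
        total += len(part.split()) if in_hex else len(part.encode())
        in_hex = not in_hex
    return total

def split_options(body):
    """Split the rule body into [keyword, argument] lists, on ';' outside quotes."""
    opts, buf, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    opts.append("".join(buf).strip())
    return [o.split(":", 1) for o in opts if o]

def check_rule(rule, alert_ruletypes=()):
    """Return why the Decoder would not load the rule ([] means it loads).
    alert_ruletypes: names declared via 'ruletype' in a .conf with base type alert."""
    m = HEADER.match(rule)
    if not m:
        return ["header/body does not parse"]
    action, proto, _src, _sport, direction, _dst, _dport, body = m.groups()
    problems = []
    if action != "alert" and action not in alert_ruletypes:
        problems.append(f"action {action!r} is not alert or an alert-based ruletype")
    if proto not in PROTOCOLS:
        problems.append(f"protocol {proto!r} is not one of tcp/udp/icmp/ip")
    if direction not in DIRECTIONS:
        problems.append(f"direction {direction!r} is invalid; only -> and <> load")
    contents = [o for o in split_options(body) if o[0] in ("content", "uricontent")]
    if not contents:
        problems.append("no content/uricontent option; rule is not supported")
    for kw, *arg in contents:
        token = (arg[0] if arg else "").strip().lstrip("!").strip().strip('"')
        if content_length(token) < 3:
            problems.append(f"{kw} token {token!r} is shorter than three bytes")
    return problems
```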

General Options

General options for Snort rules can result in different meta keys being written, depending on whether the Snort parser is in Aligned Key mode or Legacy Key mode.

Aligned Key Mode

  • msg: If the rule matches, the msg value is added as sig.name meta.
  • sid: If the rule matches, the sid value is added as sig.id meta.
  • classtype: If the rule matches, the classtype name is added as threat.cat meta.
  • priority: If the rule matches and it has a priority option, it is used to determine the type of the risk.num meta.

Legacy Key Mode

  • msg: If the rule matches, the msg value is added as risk.info, risk.warning, or risk.suspicious meta, depending on rule priority.
  • sid: If the rule matches, the sid value is added as meta.
  • classtype: If the rule matches, the classtype name is added as threat.cat meta.
  • priority: If the rule matches and it has a priority option, it is used to determine the type of risk meta associated with the msg value.

Payload Options

The Decoder supports the following payload rule options.

  • content: The content option creates a token for the Decoder to match. Only tokens of three or more bytes are accepted. It is also important to note that the Decoder differs from Snort in that rules are evaluated across the payload of the reconstructed stream and not just a single packet. This can result in differences in rule matches between Snort and a Decoder, especially when considering positional options.
  • nocase: Currently not supported. This option is ignored and case-sensitive matching is used.
  • depth: This option is applied to the distance of the token from the beginning of the stream. If the token position is greater than this value, it is not a match.
  • offset: This option is applied to the distance of the token from the beginning of the stream. If the token position is less than this value, it is not a match.
  • distance: This option is applied to the distance of the token from the end of the previous token match. If the relative token position is less than this value, it is not a match.
  • within: This option is applied to the distance of the token from the end of the previous token match. If the relative token position is greater than this value, it is not a match.
  • http_uri: Any token that matches is verified to fall within an http_uri as indicated by the HTTP parser. No URI normalization is applied.
  • uricontent: There is no URI normalization applied. Otherwise, this is equivalent to the content option with the http_uri modifier.
  • pcre: Currently, Perl Compatible Regular Expressions (PCREs) are only applied to URIs and must specify the U option.
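The positional options above are applied to the reconstructed stream, which is why a rule can match on a Decoder when the token straddles a packet boundary, and why offset/depth/distance/within are measured against stream positions. The following added example (written for this page; not Decoder code) walks a chain of content options with exactly the semantics the table gives and contrasts per-packet evaluation with stream evaluation on a constructed HTTP request. The token positions used are the token's start index, an assumption where the table says "token position".

```python
def find_chain(stream, chain):
    """Walk a chain of content options over one reconstructed stream.

    chain: dicts with 'token' (bytes) and any of 'offset', 'depth', 'distance',
    'within', applied as the payload table describes: offset/depth bound the
    token's start position from the stream start, distance/within bound it
    from the end of the previous token match.
    Returns [(start, end), ...] for each token, or None if the chain fails.
    """
    found, prev_end = [], None
    for c in chain:
        tok = c["token"]
        if len(tok) < 3:
            raise ValueError("Decoder accepts only tokens of three or more bytes")
        pos = stream.find(tok, 0 if prev_end is None else prev_end)
        while pos != -1:
            # offset/depth: absolute position from the beginning of the stream
            ok = c.get("offset", 0) <= pos <= c.get("depth", len(stream))
            if ok and prev_end is not None:
                # distance/within: relative to the end of the previous match
                rel = pos - prev_end
                ok = c.get("distance", 0) <= rel <= c.get("within", len(stream))
            if ok:
                break
            pos = stream.find(tok, pos + 1)   # try the next occurrence
        if pos == -1:
            return None
        prev_end = pos + len(tok)
        found.append((pos, prev_end))
    return found


# Constructed sample: one HTTP request whose first token is split across two packets.
PACKETS = [b"GET /cgi-", b"bin/test.cgi?id=42 HTTP/1.0\r\n"]
CHAIN = [{"token": b"/cgi-bin/", "offset": 4, "depth": 4},
         {"token": b"id=42", "distance": 8, "within": 9}]

def per_packet_hits(chain=CHAIN):
    """Evaluate each packet on its own, the single-packet view the page contrasts with."""
    return [find_chain(p, chain) is not None for p in PACKETS]

def stream_hit(chain=CHAIN):
    """Evaluate the reconstructed stream, as the Decoder does."""
    return find_chain(b"".join(PACKETS), chain)
```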

Non-payload Options

  • flow: Verifies that the rule is only applied to the client or server stream.
      • to_client: Limits the rule to matching only on a stream that a Decoder has defined as Server.
      • from_server: Synonym for to_client.
      • from_client: Limits the rule to matching only on a stream that a Decoder has defined as Client.
  • flowbits: Maintains state per session; the state is reset at the end of each session.
      • set: When the rule matches, the specified flowbit is set.
      • unset: When the rule matches, the specified flowbit is cleared.
      • toggle: When the rule matches, the specified flowbit is flipped.
      • isset: When the rule is evaluated, the specified flowbit must be set for the rule to match.
      • isnotset: When the rule is evaluated, the specified flowbit must not be set for the rule to match.
  • noalert: Prevents the rule from generating metadata if it matches.
