1. Your Decoders need the following directory: /etc/netwitness/ng/parsers/snort
Create the snort folder on each Decoder if it does not already exist.
2. Next, you must create a snort.conf file and place it in the /etc/netwitness/ng/parsers/snort directory.
The snort.conf file should have the following parameters defined:
# Setup the network addresses you are protecting
ipvar HOME_NET any
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any
# Setup the network ports
portvar HTTP_PORTS any
Importing Rules into a Decoder
Snort rules should be copied to /etc/netwitness/ng/parsers/snort on the Decoders.
To reload the parsers after new Snort rules have been added, go to Decoder -> View -> Explore in SA, right-click /decoder/parsers, click Properties, select 'reload' from the drop-down menu and click 'Send'.
To confirm that the load was successful, look for [Snort] in the log files:
Oct 31 07:48:27 decoder nw: [Snort] [info] Loaded bad-traffic.rules, full 0, parital 0, failures 0
Oct 31 07:48:27 decoder nw: [Snort] [info] Loaded blacklist.rules, full 0, parital 0, failures 0
Once loaded, the rules are visible in SA via Decoder -> View -> Config, on the Files tab.
Note: Rules that do not define any content (via the content or uricontent rule options) are not supported. Use caution when loading Snort rules, as unsupported or malformed rules may have an adverse effect on the Decoder.
Note: If a rule defines multiple ports as a comma-delimited list, the list must be enclosed in square brackets (for example [80,8080]); otherwise the system cannot process the rule.
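Because an unsupported rule can adversely affect the Decoder, it is worth checking a rules file against the two notes above before copying it into /etc/netwitness/ng/parsers/snort, and then checking the Decoder log for the [Snort] load lines afterwards. The following script is an added example written for this page; it is not part of the NetWitness product or its Snort parser. The rules and log lines are constructed samples, the rule header parsing is a simple pattern match rather than a full Snort grammar, and the label of the second counter in the log line is matched loosely so the check does not depend on its exact spelling.

```python
"""Pre-flight lint for Snort rules and a check of the Decoder's [Snort] load
lines. Added example for this page, not NetWitness code."""
import re

# Constructed sample rules. The first two are acceptable; the third has no
# content/uricontent option and the fourth lists ports without brackets.
SAMPLE_RULES = """\
# commented-out and blank lines are skipped

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC test"; flow:to_server,established; uricontent:"/cgi-bin/test"; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [80,8080] (msg:"bracketed ports"; content:"evil"; nocase; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"no content option"; flags:S; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80,8080 (msg:"unbracketed ports"; content:"evil"; sid:1000004; rev:1;)
"""

# Constructed Decoder log lines in the format shown above; the third reports a failure.
SAMPLE_LOG = """\
Oct 31 07:48:27 decoder nw: [Snort] [info] Loaded bad-traffic.rules, full 0, parital 0, failures 0
Oct 31 07:48:27 decoder nw: [Snort] [info] Loaded blacklist.rules, full 0, parital 0, failures 0
Oct 31 07:48:28 decoder nw: [Snort] [info] Loaded local.rules, full 2, parital 0, failures 1
"""

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# A content or uricontent option keyword followed by a colon (not the word
# "content" inside a msg string, which is not followed by a colon).
OPTION_RE = re.compile(r'\b(content|uricontent)\s*:')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')
# Second counter's label matched as any word, so it works whatever its spelling.
LOAD_RE = re.compile(r'\[Snort\] \[info\] Loaded (?P<file>\S+), full (?P<full>\d+), '
                     r'\w+ (?P<partial>\d+), failures (?P<fail>\d+)')


def lint_rules(text):
    """Return (line number, sid or None, problem) for every rule that violates the notes."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if not m:
            problems.append((lineno, None, 'unparseable rule header'))
            continue
        sid_m = SID_RE.search(m['opts'])
        sid = int(sid_m.group(1)) if sid_m else None
        if not OPTION_RE.search(m['opts']):
            problems.append((lineno, sid, 'no content or uricontent option'))
        for field in (m['sport'], m['dport']):
            ports = field.lstrip('!')          # negated lists are still lists
            if ',' in ports and not (ports.startswith('[') and ports.endswith(']')):
                problems.append((lineno, sid,
                                 'comma-delimited port list not in brackets: ' + field))
    return problems


def check_load(log_text, expected_files):
    """Map each expected .rules file to (full, partial, failures) from the log, or None if no load line was seen."""
    seen = {}
    for line in log_text.splitlines():
        m = LOAD_RE.search(line)
        if m:
            seen[m['file']] = (int(m['full']), int(m['partial']), int(m['fail']))
    return {f: seen.get(f) for f in expected_files}


def load_ok(log_text, expected_files):
    """True only if every expected file has a load line with zero failures."""
    return all(v is not None and v[2] == 0
               for v in check_load(log_text, expected_files).values())


if __name__ == '__main__':
    for lineno, sid, problem in lint_rules(SAMPLE_RULES):
        print('line %d sid %s: %s' % (lineno, sid, problem))
    print(check_load(SAMPLE_LOG, ['bad-traffic.rules', 'blacklist.rules', 'local.rules']))
```

In practice run lint_rules over each .rules file before copying it, reload the parsers as described above, and then run check_load over the Decoder log with the list of files you copied; a file with no load line at all is as much a problem as one with a non-zero failures count.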
Meta for Snort Rule Processing
The following Meta values should already be in your /etc/netwitness/ng/index-concentrator.xml file for processing Snort rules.
Note: Any time you change a value in index-concentrator-custom.xml or index-broker-custom.xml, you must restart the Concentrator or Broker service respectively, or the changes will not apply, because those values are loaded into the engine at service startup.
Snort to RSA NetWitness Field Mappings
Field mappings are defined for Aligned Key Mode and for Legacy Key Mode.
The msg value of a matching rule is written to risk.info, risk.warning, or risk.suspicious depending on the rule's priority; that is, the priority is used to determine the type of risk meta associated with the msg value. (Class types define a default priority for rules of that type, but it can still be overridden by specifying priority in the rule.) For more information about aligned meta keys, see the 'Meta Key Usage' section in the 'Snort Parsers' document: https://community.rsa.com/docs/DOC-96852