Hello
where can i find a document that describe how to impliment Snort Rules in SA/NW? i know that is possible but i cant seem to find a document to describe the process.
Hello
where can i find a document that describe how to impliment Snort Rules in SA/NW? i know that is possible but i cant seem to find a document to describe the process.
https://sadocs.emc.com/0_en-us/098_10.3_SP1_User_Guide
You are likely looking for an App rule on the packet decoder.
I'd like to see a document on parsers and such.
mainly because im looking for a way to exctact more data from crash reports that SA see's.
I believe the directions for implementing snort rules existed on the 9.8 administration guide. I'll have to check if it is on the docs site.
Basically, what I did was add a snort folder to /etc/netwitness/ng. In that snort folder, I had a rules folder and a basic snort.conf file that pointed to the rules folder. Inside the rules folder, I kept my snort rules, which I grabbed from emerging threats. Then, I made sure the snort parser was enabled and restarted services.
Do you have an example of what the Snort Config file would look like and is there any special format for the snort rules?
This might be what you are looking for. Basically a vanilla snort.conf file and a rules folder with an emerging threats file in there.
If I mess this up what are the possible side effects?
possible side effects include headaches, drowzyness, blurred vision, and warts. J/K
Only side effect that I encountered, which wasn't really a side effect, was that I didn't get any meta generated. I started with some emerging threats rules that I knew would fire.
OK I am running Netwitness 9.8.5.1 and etc/netwitness/ng/snort does not appear to be right as my logs don't show the anything saying anything about snort. Any suggestions?
was the snort parser enabled?
Was the service restarted?
i followed the document and created a demo.rule file with the follwing rule
alert tcp any any -> $EXTERNAL_NET 80 (msg: "Hello Im Your New SNORT Rule"; reference: url,http://www.snort.org/snort-rules/; content: "snort"; flow:to_server; nocase; sid:9000547; rev:1)
when i reloaded the parsers i get this line in the log Snort info Loaded 0 snort rules, 0 small tokens, 0 with pcres, 0 partial
does anyone know why?
OK I restarted the decoder but I didn't see any documentation on how to enable the snort parser. I just assumed it was just waiting for the snort config.
So for your version you want to make a snort directory under /etc/netwitness/parsers
Ok that helped some what. I moved the snort directory to etc/netwitness/ng/parsers/snort. When I run the reload parsers command i at least now get the same thing adimenia is getting, which is "Snort Info Loaded 0 snort rules, 0 small tokens, 0 with pcre, 0 partial"
So what are we missing.
I'm guessing you need snort rules. It should be in the snort directory as a single text-based file with a .rules extension. Try to put one rule per line. Then reload parsers again and it should show that rules are loaded.
OK that worked!. I had mistakenly thought that the rules need to be in a subdirectory of the snort folder. Should all the rules be in one .rules file or can you have multiple rules files?
I think it needs to be a single file. Once it is uploaded you can actually edit the file directly via the files interface in Admin.
i still cant get this to work. i have the snort folder in /etc/netwitness/ng/parsers
in that directory i have two files snort.conf and demo.rules. and when i run parsers reload i get 1119303 2014-Jan-15 06:24:05 Snort info Loaded 0 snort rules, 0 small tokens, 0 with pcres, 0 parti
im using netwitness 9.8.5 any ideas?
Have a look at the snort.conf file and look for the location it expects the rules to be in. Usually a sub folder called rules in the same path as the conf file.
Sent from my iPhone
If you are running version 9.8, there should not be an NG subdirectory, unless one was already there? You are looking for the location where all of the LIVE parsers get deployed locally. That is where your snort directory should be.
ive noticed that alot of the better material from the 9x documentation has yet to make it in to the 10.3x docs or any of the Sa docs.
Here is an old doc I had on my laptop. As noted above, if there is an NG directory, the snort subdirectory goes there. I think the rest of the config is the same. Also, this will register meta into the Feed Name, Feed Cat and Feed Desc keys, so if you hope to open these keys quickly, you should set indexing to IndexValues on the concentrators and brokers.
Whoops, it populates into threat.source, threat cat and threat desc.
These instructions say to leave HOME_NET and EXTERNAL_NET as any. Is this required? I would like to make HOME_NET [10.0.0.0/8] and EXTERNAL_NET !$HOME_NET
my config is left as any. Like I said, a vanilla conf file. The snort parser is just parsing the content of the rules....there isn't a full blown snort engine on the decoder.
the NG subdir was already there its the only subdir under /etc/netwitness/ under NG i have the parsers subdir which is where i created the snort directory
I used your rule that you posted earlier in this discussion. If this is your demo rule then that might be your problem. I tried this rule and it failed to load after I ran a 'parsers reload' at the console.
Ok i got this to work now i see my demo.rules in the file section in administrator
alert tcp any any -> $EXTERNAL_NET 80 (msg: "Hello Im Your New SNORT Rule";reference:url,http://www.snort.org/snort-rules/;content:"snort";flow:to_server;nocase;sid:9000547;)
but when i test this (genereting some http traffic to www.snort.org/snort-rules/) i dont see any new meta generated
but i see the traffic in NW. am i missing something?
that's odd. i was able to upload it and i see it in the file folder on administrator. also when i checked the logs after parser reload it said 1 rule was uploaded.
so while this thread has helped with getting this working within th elegacy NW/NG environment, i cant seem to find anything that refers to how to implement within SA.
im reaching out to my account rep to see if they can provide anything...
NetWitness Administrator V9.8.pdf
SNORT® rules and configuration are added to the parsers/snort directory for
INVESTIGATOR and DECODER. DECODER supports the payload detection capabilities of
SNORT® rules.
right as i said legacy. nothing really about 10.x?
While it doesn’t say SA on the cover, under the cover, it is still core Netwitness functionality and the Admin guide is still a viable resource.
understood, but one would expect rsa to improve the interface(really build one) as they have done for making feeds 100% easier to implement. as it would have a value add to the product line, that alot more users could take advantage of. and not rely on documentation from the legacy fat clients.
I have successfully enabled it on SA/10.3, I have found bits of information, here's the complete
As some of you mention this are the steps:
In your decoder:
1. Create /etc/netwitness/ng/parsers/snort
2. Create the snort.conf file inside the snort directory
3. Create the rules file (this is a bit tricky because it is not all the snort functionality, you have to test your files by trial and error, to find out if they're working) inside the snort, must be with extension .rules
4. Make sure the snort parser is enabled on the decoder.
5. Restart the decoder services.
6. You should have a file in the GUI decoder->config->files for the rules file and one for the snort.conf
After every time you edit the (rules,config) file reload the parsers with this command:
Reload the parsers via the REST API: http://IPofYourDecoder:50104/decoder/parsers?msg=reload
Catch the messages for loaded rules --- > tail -f /var/log/messages | grep Snort
"[Snort] [info] Loaded 1 snort rules, 0 small tokens, 0 with pcres, 1 partial"
The hits should populate Risk Informational. meta.
This might be what you are looking for. Basically a vanilla snort.conf file and a rules folder with an emerging threats file in there.