Hello
Where can I find a document that describes how to implement Snort rules in SA/NW? I know that it is possible, but I can't seem to find a document that describes the process.
https://sadocs.emc.com/0_en-us/098_10.3_SP1_User_Guide
You are likely looking for an App rule on the packet decoder.
I believe the directions for implementing snort rules existed on the 9.8 administration guide. I'll have to check if it is on the docs site.
Basically, what I did was add a snort folder to /etc/netwitness/ng. In that snort folder, I had a rules folder and a basic snort.conf file that pointed to the rules folder. Inside the rules folder, I kept my snort rules, which I grabbed from emerging threats. Then, I made sure the snort parser was enabled and restarted services.
Do you have an example of what the Snort Config file would look like and is there any special format for the snort rules?
This might be what you are looking for. Basically a vanilla snort.conf file and a rules folder with an emerging threats file in there.
Possible side effects include headaches, drowsiness, blurred vision, and warts. J/K
Only side effect that I encountered, which wasn't really a side effect, was that I didn't get any meta generated. I started with some emerging threats rules that I knew would fire.
OK, I am running NetWitness 9.8.5.1 and /etc/netwitness/ng/snort does not appear to be right, as my logs don't show anything about snort. Any suggestions?
I followed the document and created a demo.rules file with the following rule:
alert tcp any any -> $EXTERNAL_NET 80 (msg:"Hello Im Your New SNORT Rule"; reference:url,http://www.snort.org/snort-rules/; content:"snort"; flow:to_server; nocase; sid:9000547; rev:1;)
When I reloaded the parsers I got this line in the log: "Snort info Loaded 0 snort rules, 0 small tokens, 0 with pcres, 0 partial"
Does anyone know why?
OK, that helped somewhat. I moved the snort directory to /etc/netwitness/ng/parsers/snort. When I run the reload parsers command I at least now get the same thing adimenia is getting, which is "Snort Info Loaded 0 snort rules, 0 small tokens, 0 with pcre, 0 partial".
So what are we missing?
I'm guessing you need snort rules. It should be in the snort directory as a single text-based file with a .rules extension. Try to put one rule per line. Then reload parsers again and it should show that rules are loaded.
OK, that worked! I had mistakenly thought that the rules needed to be in a subdirectory of the snort folder. Should all the rules be in one .rules file, or can you have multiple rules files?
I think it needs to be a single file. Once it is uploaded you can actually edit the file directly via the files interface in Admin.
I still can't get this to work. I have the snort folder in /etc/netwitness/ng/parsers.
In that directory I have two files, snort.conf and demo.rules, and when I run parsers reload I get: 1119303 2014-Jan-15 06:24:05 Snort info Loaded 0 snort rules, 0 small tokens, 0 with pcres, 0 parti
I'm using NetWitness 9.8.5. Any ideas?
I've noticed that a lot of the better material from the 9.x documentation has yet to make it into the 10.3.x docs or any of the SA docs.
Here is an old doc I had on my laptop. As noted above, if there is an NG directory, the snort subdirectory goes there. I think the rest of the config is the same. Also, this will register meta into the Feed Name, Feed Cat and Feed Desc keys, so if you hope to open these keys quickly, you should set indexing to IndexValues on the concentrators and brokers.
The NG subdir was already there; it's the only subdir under /etc/netwitness/. Under NG I have the parsers subdir, which is where I created the snort directory.
OK, I got this to work. Now I see my demo.rules in the Files section in Administrator:
alert tcp any any -> $EXTERNAL_NET 80 (msg: "Hello Im Your New SNORT Rule";reference:url,http://www.snort.org/snort-rules/;content:"snort";flow:to_server;nocase;sid:9000547;)
But when I test this (generating some HTTP traffic to www.snort.org/snort-rules/) I don't see any new meta generated,
although I see the traffic in NW. Am I missing something?
So while this thread has helped with getting this working within the legacy NW/NG environment, I can't seem to find anything that refers to how to implement it within SA.
I'm reaching out to my account rep to see if they can provide anything...
I have successfully enabled it on SA/10.3, I have found bits of information, here's the complete
As some of you mentioned, these are the steps:
In your decoder:
1. Create /etc/netwitness/ng/parsers/snort
2. Create the snort.conf file inside the snort directory
3. Create the rules file inside the snort directory; it must have the extension .rules. (This is a bit tricky because not all of the Snort functionality is supported; you have to test your files by trial and error to find out whether they're working.)
4. Make sure the snort parser is enabled on the decoder.
5. Restart the decoder services.
6. You should have a file in the GUI decoder->config->files for the rules file and one for the snort.conf
Every time you edit the rules or config file, reload the parsers with this command:
Reload the parsers via the REST API: http://IPofYourDecoder:50104/decoder/parsers?msg=reload
Catch the messages for loaded rules with: tail -f /var/log/messages | grep Snort
"[Snort] [info] Loaded 1 snort rules, 0 small tokens, 0 with pcres, 1 partial"
The hits should populate the Risk Informational meta.
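An added example, not code from this thread or from RSA, that scripts the decoder-side steps above: it writes the snort directory layout, checks for the subdirectory mistake discussed earlier in the thread, and parses the "Loaded N snort rules" log line. It assumes /etc/netwitness/ng/parsers as the base path and that the REST reload needs the decoder's credentials (user:pass); the demo rule and the decoder host are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread: lays out the snort parser directory on a
# decoder, catches the layout mistakes discussed above, and reads the reload log.
# Assumptions: BASE is /etc/netwitness/ng/parsers (the path that worked above),
# and the REST reload needs the decoder's admin credentials (user:pass).

# Write snort.conf and one .rules file directly under $1/snort (not a subdir).
write_snort_layout() {
    mkdir -p "$1/snort"
    # Minimal config: only the variables the rules reference are defined.
    printf '%s\n' 'var HOME_NET any' 'var EXTERNAL_NET any' > "$1/snort/snort.conf"
    # One rule per line, as the thread recommends; the rule is constructed here.
    printf '%s\n' 'alert tcp any any -> $EXTERNAL_NET 80 (msg:"Demo rule"; content:"snort"; nocase; flow:to_server; sid:9000547; rev:1;)' \
        > "$1/snort/local.rules"
}

# Returns 0 when at least one *.rules file sits directly in $1/snort, else 1.
# Rules placed in a subdirectory load as "0 snort rules", as seen above.
check_snort_layout() {
    for f in "$1"/snort/*.rules; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Count rules in a file: non-empty lines that are not comments.
count_rules() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# Print N from a decoder log line of the form "... Loaded N snort rules ...".
loaded_count() {
    printf '%s\n' "$1" | sed -n 's/.*Loaded \([0-9][0-9]*\) snort rules.*/\1/p'
}

# Reload parsers over the decoder REST API (port 50104, as in the thread).
reload_parsers() {
    curl -s -u "$2" "http://$1:50104/decoder/parsers?msg=reload"
}

# Usage on the decoder: sh snort_layout.sh install <decoder-ip> <user:pass>
if [ "${1:-}" = "install" ]; then
    base="${BASE:-/etc/netwitness/ng/parsers}"
    write_snort_layout "$base"
    check_snort_layout "$base" || { echo "no .rules file in $base/snort"; exit 1; }
    reload_parsers "$2" "$3"
    tail -n 20 /var/log/messages | grep Snort
fi
```

If the log still reports "Loaded 0 snort rules" after the check passes, the rule syntax itself is the next thing to test, since only part of the Snort option set is supported.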