Snort Integration Basics with NetWitness Platform
Issue
Snort Integration Basics with NetWitness Platform
Tasks
Two Prerequisites
1. Your Decoders need the following directory: /etc/netwitness/ng/parsers/snort
- Command to create snort folder if none exists:
2. Next, you must create a snort.conf file and place it in the /etc/netwitness/ng/parsers/snort directory.
- The snort.conf file should have the following parameters defined:
ipvar HOME_NET any
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any
# Setup the network ports
portvar HTTP_PORTS any
Importing Rules into a Decoder
- Snort rules should be copied to /etc/netwitness/ng/parsers/snort on the decoders.
- To reload the parsers after new snort rules have been added, go to Decoder -> View -> Explore in SA and right-click /decoder/parsers, click Properties, then select 'reload' from the drop-down menu and click 'Send'.
- To confirm that the load was successful, look for [Snort] in the log files:
Oct 31 07:48:27 decoder nw[25453]: [Snort] [info] Loaded blacklist.rules, full 0, parital 0, failures 0
- Once created, the rules are accessible in SA via Decoder -> View -> Config via the Files tab.
Meta for Snort Rule Processing
Concentrator (index-concentrator.xml) / Broker (index-broker.xml):
<key description="Risk: Suspicious" format="Text" level="IndexValues" name="risk.suspicious" valueMax="250000" defaultAction="Open" />
<key description="Risk: Warning" format="Text" level="IndexValues" name="risk.warning" valueMax="250000" defaultAction="Open" />
<key description="Threat Source" format="Text" level="IndexKeys" name="threat.source" />
<key description="Threat Category" format="Text" level="IndexKeys" name="threat.category" />
<key description="Threat Description" format="Text" level="IndexKeys" name="threat.desc" />
<key description="Alert ID" format="Text" level="IndexNone" name="alert.id" valueMax="100000" />
Note: Any time you change a value in index-concentrator-custom.xml or index-broker-custom.xml, you must restart the service on that appliance (Concentrator or Broker respectively). These values are loaded into the engine at service startup, so the change will not apply until the restart.
Snort to RSA NetWitness Field Mappings
Snort option -> Aligned Key Mode:
- msg -> sig.name
- sid -> sig.id
- classtype -> threat.cat
- priority -> risk.num
(Class types define a default priority for rules of that type, but can still be overridden by specifying priority in the rule.)
For more information about aligned meta keys, see the 'Meta Key Usage' section in the 'Snort Parsers' document: https://community.rsa.com/docs/DOC-96852
Downloading Snort Rules
Snort VRT rules can be downloaded from the following location: https://www.snort.org/downloads/#rule-downloads
Note: Snort v3 rules are not supported.
Workaround
Two Prerequisites
1. Your Decoders need the following directory: /etc/netwitness/ng/parsers/snort
- Command to create snort folder if none exists:
2. Next, you must create a snort.conf file and place it in the /etc/netwitness/ng/parsers/snort directory.
- The snort.conf file should have the following parameters defined:
ipvar HOME_NET any
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any
# Setup the network ports
portvar HTTP_PORTS any
Importing Rules into a Decoder
- Snort rules should be copied to /etc/netwitness/ng/parsers/snort on the decoders.
- To reload the parsers after new snort rules have been added, go to Decoder -> View -> Explore in NetWitness and right-click /decoder/parsers, click Properties, then select 'reload' from the drop-down menu and click 'Send'.
- To confirm that the load was successful, look for [Snort] in the log files:
Oct 31 07:48:27 decoder nw[25453]: [Snort] [info] Loaded blacklist.rules, full 0, parital 0, failures 0
- Once created, the rules are accessible in NetWitness via Decoder -> View -> Config via the Files tab.
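The log check above is easy to eyeball for one rules file but tedious for a full rule set. The following is an added example, not part of the original article: it parses the "[Snort] [info] Loaded ..." lines from a Decoder log and reports which files loaded with failures. The log lines are constructed for the example and modelled on the one quoted above; the counter names (full, partial, failures) are taken from that line.

```python
import re
from typing import Optional

# Constructed sample log lines, modelled on the "[Snort] [info] Loaded ..." line
# quoted in the article; they are not taken from a real Decoder.
SAMPLE_LOG = """\
Oct 31 07:48:27 decoder nw[25453]: [Snort] [info] Loaded blacklist.rules, full 0, parital 0, failures 0
Oct 31 07:48:27 decoder nw[25453]: [Snort] [info] Loaded community.rules, full 3427, parital 12, failures 2
Oct 31 07:48:28 decoder nw[25453]: [Parser] [info] Loaded HTTP_lua
"""

# The line quoted in the article spells "partial" as "parital"; accept either spelling.
LOADED_RE = re.compile(
    r"\[Snort\] \[info\] Loaded (?P<file>\S+), full (?P<full>\d+), "
    r"par(?:ti|it)al (?P<partial>\d+), failures (?P<failures>\d+)"
)

def parse_snort_load(line: str) -> Optional[dict]:
    """Return the load counters from one [Snort] 'Loaded' line, or None for any other line."""
    m = LOADED_RE.search(line)
    if not m:
        return None
    return {
        "file": m.group("file"),
        "full": int(m.group("full")),
        "partial": int(m.group("partial")),
        "failures": int(m.group("failures")),
    }

def summarize_snort_loads(log_text: str) -> dict:
    """Aggregate per-file results and list the files that did not load cleanly."""
    results = [r for r in (parse_snort_load(l) for l in log_text.splitlines()) if r]
    return {
        "files": {r["file"]: r for r in results},
        "rules_loaded": sum(r["full"] + r["partial"] for r in results),
        "with_failures": [r["file"] for r in results if r["failures"]],
        "partial_only": [r["file"] for r in results if r["partial"] and not r["failures"]],
    }

if __name__ == "__main__":
    s = summarize_snort_loads(SAMPLE_LOG)
    print(f"{s['rules_loaded']} rules loaded; files with failures: {s['with_failures']}")
```

A non-zero failures count means some rules in that file were rejected by the parser and will not generate meta, so the file should be corrected and the parsers reloaded.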
Note: If a rule defines multiple ports as a comma-delimited list, the list must be enclosed in brackets; otherwise the system cannot process the rule.
Meta for Snort Rule Processing
The following Meta values should already be in your /etc/netwitness/ng/index-concentrator.xml file for processing Snort rules.
Concentrator (index-concentrator.xml) / Broker (index-broker.xml):
<key description="Risk: Suspicious" format="Text" level="IndexValues" name="risk.suspicious" valueMax="250000" defaultAction="Open" />
<key description="Risk: Warning" format="Text" level="IndexValues" name="risk.warning" valueMax="250000" defaultAction="Open" />
<key description="Threat Source" format="Text" level="IndexKeys" name="threat.source" />
<key description="Threat Category" format="Text" level="IndexKeys" name="threat.category" />
<key description="Threat Description" format="Text" level="IndexKeys" name="threat.desc" />
<key description="Alert ID" format="Text" level="IndexNone" name="alert.id" valueMax="100000" />
Note: Any time you change a value in index-concentrator-custom.xml or index-broker-custom.xml, you must restart the service on that appliance (Concentrator or Broker respectively). These values are loaded into the engine at service startup, so the change will not apply until the restart.
Snort to NetWitness Field Mappings
Snort option -> Aligned Key Mode:
- msg -> sig.name
- sid -> sig.id
- classtype -> threat.cat
- priority -> risk.num
(Class types define a default priority for rules of that type, but can still be overridden by specifying priority in the rule.)
For more information about aligned meta keys, see the 'Meta Key Usage' section in the 'Snort Parsers' document: https://community.netwitness.com/t5/netwitness-platform-online/snort-parsers/ta-p/669160
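To see the mapping above and the bracketed-port-list note applied to concrete rules, here is an added example (not part of the original article or the NetWitness parser): it parses a Snort 2 rule, extracts the msg, sid, classtype and priority options into the aligned meta keys, applies the classtype's default priority when the rule does not set one, and flags unbracketed comma-delimited port lists before the file is copied to the Decoder. The sample rules and the small classtype priority table are constructed for the example; check the table against your own classification.config.

```python
import re
from typing import Dict, Optional

# Default priorities per classtype, as shipped in Snort's classification.config
# (verify against your own copy); only the classtypes used in the samples are listed.
CLASSTYPE_DEFAULT_PRIORITY = {"web-application-attack": 1, "attempted-recon": 2, "misc-activity": 3}
# Snort rule option -> aligned NetWitness meta key, from the mapping in the article.
OPTION_TO_META = {"msg": "sig.name", "sid": "sig.id", "classtype": "threat.cat", "priority": "risk.num"}

# Snort 2 rule header: action proto src sport dir dst dport (options). Port fields
# must contain no spaces, so a list has to be written as [80,443].
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# One option: keyword, optional ':value' (quoted or bare), terminated by ';'.
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def lint_ports(port_field: str) -> Optional[str]:
    """A comma-delimited port list must be bracketed, e.g. [80,443]; return an error otherwise."""
    if "," in port_field and not (port_field.startswith("[") and port_field.endswith("]")):
        return f"port list {port_field!r} is not enclosed in brackets"
    return None

def rule_to_meta(rule: str) -> Dict[str, object]:
    """Parse one Snort 2 rule; return the aligned meta it would produce and any lint errors."""
    m = HEADER_RE.match(rule)
    if not m:
        return {"meta": {}, "errors": ["rule header could not be parsed"]}
    errors = [e for e in (lint_ports(m.group("sport")), lint_ports(m.group("dport"))) if e]
    opts = {k: v.strip().strip('"') for k, v in OPTION_RE.findall(m.group("opts"))}
    meta = {OPTION_TO_META[k]: opts[k] for k in OPTION_TO_META if k in opts}
    # classtype supplies the default priority unless the rule overrides it explicitly
    if "risk.num" not in meta and opts.get("classtype") in CLASSTYPE_DEFAULT_PRIORITY:
        meta["risk.num"] = str(CLASSTYPE_DEFAULT_PRIORITY[opts["classtype"]])
    if "sid" not in opts:
        errors.append("rule has no sid")
    return {"meta": meta, "errors": errors}

# Constructed sample rules for this example; not taken from any published rule set.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Example web attack"; '
    'flow:to_server; content:"/etc/passwd"; sid:1000001; rev:1; classtype:web-application-attack;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80,443 (msg:"Unbracketed ports"; '
    'sid:1000002; rev:1; classtype:attempted-recon; priority:1;)',
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(rule_to_meta(r))
```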
Downloading Snort Rules
Snort VRT rules can be downloaded from the following location: https://www.snort.org/downloads/#rule-downloads
Note: Snort v3 rules are not supported.
Product Details
RSA Product Set: NetWitness Platform (Security Analytics)
RSA Product/Service Type: Decoder, Concentrator, Hybrid, Broker