[netsa-tools-discuss] rwidsquery Question on Operation

Scott Fringer scfringe at cisco.com
Wed Sep 24 13:52:52 EDT 2014


Hello;

  I'm looking into working with rwidsquery to assist in pulling
supporting flow data for firing events. I've run with an --intype of
rule, but the resulting rwfilter output doesn't seem to be substituting
the $HOME_NET and $EXTERNAL_NET as I would have expected:

user$ rwidsquery --intype rule --start 2014/09/23 --end 2014/09/24
--config /home/user/snort.conf --verbose --dry-run rule.txt

rwfilter --start-date=2014/09/23 --end-date=2014/09/24
--stime=2014/09/23-2014/09/24 --saddress=$EXTERNAL_NET
--daddress=$HOME_NET --icmp-code=2 --icmp-type=12 --pass=stdout

  This is basically using the rule example given on the rwidsquery webpage.

  Within the snort.conf HOME_NET is defined as is EXTERNAL_NET.

  I only have a snort.conf present (snort is not installed on this
host). Is it necessary to have the entire ../snort/etc configuration
structure present?

Thanks,
 Scott
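For readers trying to reproduce the substitution the post expects, here is an added example (not rwidsquery's own code, and not the poster's configuration) that reads Snort-style var/ipvar/portvar definitions from a snort.conf fragment, resolves nested references such as EXTERNAL_NET = !$HOME_NET, and expands the $NAME tokens in a command line. The snort.conf text and the variable names used are constructed for the example.

```python
import re

# Constructed snort.conf fragment for the example; not the poster's config.
SNORT_CONF = """\
# network definitions
ipvar HOME_NET [10.0.0.0/8,192.168.1.0/24]
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH ../rules
portvar HTTP_PORTS [80,8080]
"""

# var/ipvar/portvar NAME VALUE; VALUE runs to end of line (comments stripped first).
VAR_RE = re.compile(r'^\s*(?:ipvar|var|portvar)\s+(\w+)\s+(.+?)\s*$')
# $NAME references inside values and inside the text being expanded.
REF_RE = re.compile(r'\$(\w+)')


def parse_variables(conf_text):
    """Collect variable definitions; a later definition overrides an earlier one."""
    variables = {}
    for line in conf_text.splitlines():
        line = line.split('#', 1)[0]  # drop trailing comments
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def resolve(name, variables, _seen=frozenset()):
    """Return the value of NAME with every $REF inside it expanded recursively.

    Raises KeyError for an undefined variable and ValueError for a reference
    cycle, so a broken config fails loudly instead of producing a bad filter.
    """
    if name in _seen:
        raise ValueError("circular reference while resolving $%s" % name)
    if name not in variables:
        raise KeyError("undefined variable $%s" % name)
    seen = _seen | {name}
    return REF_RE.sub(lambda m: resolve(m.group(1), variables, seen),
                      variables[name])


def expand(text, variables):
    """Replace every $NAME token in text with its resolved value."""
    return REF_RE.sub(lambda m: resolve(m.group(1), variables), text)


def ipvar_networks(value):
    """Split a resolved ipvar value into (negated, [cidr, ...]).

    Handles the common Snort forms: a single address or CIDR, an optional
    leading '!', and a bracketed comma-separated list. Negations of single
    entries inside a list are not handled here.
    """
    value = value.strip()
    negated = value.startswith('!')
    if negated:
        value = value[1:].strip()
    value = value.strip('[]')
    return negated, [v.strip() for v in value.split(',') if v.strip()]


if __name__ == '__main__':
    variables = parse_variables(SNORT_CONF)
    print(expand('--saddress=$EXTERNAL_NET --daddress=$HOME_NET', variables))
    print(ipvar_networks(resolve('HOME_NET', variables)))
```

Note that the expanded string is still Snort syntax: a bracketed list such as [10.0.0.0/8,192.168.1.0/24] is not a value rwfilter's --saddress/--daddress options accept as one argument. For a HOME_NET made of several blocks the usual approach is to write the CIDRs from ipvar_networks() into an IPset with rwsetbuild and pass that to rwfilter with --sipset/--dipset (and handle a negated EXTERNAL_NET by negating the set or using --fail instead of --pass).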

