[netsa-tools-discuss] rwidsquery Question on Operation
tonyc at cert.org
Wed Sep 24 15:03:47 EDT 2014
> I'm looking into working with rwidsquery to assist in pulling
> supporting flow data for firing events. I've run with a -in-type of
> rule, but the resulting rwfilter output doesn't seem to be substituting
> the $HOME_NET and $EXTERNAL_NET as I would have expected:
My guess is that you're defining HOME_NET and EXTERNAL_NET with the
snort "ipvar" command? If so, I'm afraid to report that rwidsquery was
written a while back, prior to the introduction of the "ipvar" command,
so it expects these to be defined with "var" instead.
> I only have a snort.conf present (snort is not installed on this
> host). Is it necessary to have the entire ../snort/etc configuration
> structure present?
No, only the snort.conf is necessary -- rwidsquery does not attempt to
pull in any included files or anything like that.
Hope this helps.
Tony Cebzanov * <tonyc at cert.org>
(M) +1 412 265-1240 * (W) +1 412 268-9149
CERT/CC * Engineering * Product Development
Software Engineering Institute * Carnegie Mellon University
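A practical follow-on to the two answers above, as an added example that is not part of the original thread and not code from the NetSA tools: since rwidsquery substitutes HOME_NET/EXTERNAL_NET only when they are defined with "var", and reads only the one snort.conf without following "include" lines, one way to use an ipvar-based Snort configuration with it is to hand it a preprocessed copy. The script below inlines includes, rewrites "ipvar NAME VALUE" as "var NAME VALUE", and then checks that the required variables are now defined as "var". The sample snort.conf and the site-vars.conf it includes are constructed for the example; whether rwidsquery accepts every ipvar value form (bracketed lists, "!$HOME_NET") is not settled by the reply, so the value text is copied through unchanged for you to inspect.

```python
"""Prepare a snort.conf for rwidsquery: inline "include" files and rewrite
"ipvar" definitions as "var".  Added example; the sample config below is
constructed and the include/depth handling is an assumption, not rwidsquery's."""
import re
import sys
from pathlib import Path

# "ipvar NAME VALUE"; leading whitespace and spacing are preserved via groups.
IPVAR_RE = re.compile(r"^(\s*)ipvar(\s+)(\S+)(\s+.*)$")
# "include PATH".  Paths containing "$" would need variable expansion, which
# this script does not do, so such lines are left exactly as they are.
INCLUDE_RE = re.compile(r"^\s*include\s+([^\s$]+)\s*$")
# "var NAME VALUE" (a definition with a value, as rwidsquery expects).
VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+\S")

MAX_INCLUDE_DEPTH = 8  # assumption: guards against include loops

# Constructed sample input (not a real deployment).
SAMPLE_CONF = """\
# constructed sample snort.conf
ipvar HOME_NET [10.0.0.0/8,192.168.0.0/16]
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
include site-vars.conf
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"example"; sid:1000001;)
"""
SAMPLE_INCLUDES = {
    "site-vars.conf": "ipvar DNS_SERVERS [10.0.0.53]\nvar RULE_PATH rules\n",
}


def _flatten(text, read_include, depth):
    lines = []
    for line in text.splitlines():
        m = INCLUDE_RE.match(line)
        if m and read_include is not None:
            if depth >= MAX_INCLUDE_DEPTH:
                raise ValueError("include nesting too deep (loop?): " + m.group(1))
            included = read_include(m.group(1))
            if included is not None:
                lines.append("# --- begin include %s ---" % m.group(1))
                lines.extend(_flatten(included, read_include, depth + 1))
                lines.append("# --- end include %s ---" % m.group(1))
                continue
            # Unresolvable include: keep the line so the gap is visible.
        m = IPVAR_RE.match(line)
        if m:
            # Only "ipvar" is rewritten (the form the reply identifies);
            # "portvar" and existing "var" lines pass through untouched.
            lines.append("%svar%s%s%s" % m.groups())
            continue
        lines.append(line)
    return lines


def flatten_snort_conf(text, read_include=None):
    """Return the flattened, ipvar-to-var rewritten configuration text."""
    return "\n".join(_flatten(text, read_include, 0)) + "\n"


def var_names(text):
    """Names defined with 'var' in the (already flattened) text."""
    return {m.group(1) for m in (VAR_RE.match(l) for l in text.splitlines()) if m}


def missing_vars(text, required=("HOME_NET", "EXTERNAL_NET")):
    """Required names that are still not defined with 'var'."""
    return set(required) - var_names(text)


def file_reader(conf_path):
    """Include resolver: absolute path first, then relative to snort.conf's dir."""
    base = Path(conf_path).resolve().parent
    def read(name):
        for candidate in (Path(name), base / name):
            if candidate.is_file():
                return candidate.read_text()
        return None
    return read


if __name__ == "__main__":
    if len(sys.argv) == 2:
        src = Path(sys.argv[1])
        result = flatten_snort_conf(src.read_text(), file_reader(src))
    else:
        result = flatten_snort_conf(SAMPLE_CONF, SAMPLE_INCLUDES.get)
    sys.stdout.write(result)
    missing = missing_vars(result)
    if missing:
        sys.exit("still not defined with var: " + ", ".join(sorted(missing)))
```

Run it as `python prep_conf.py /path/to/snort.conf > snort-for-rwidsquery.conf` and point rwidsquery at the generated file; with no argument it processes the built-in sample. A non-zero exit means HOME_NET or EXTERNAL_NET is still not a "var" definition in the flattened output, which is the situation the thread describes, so check for an include the script could not resolve (for example one that uses "$RULE_PATH") before going further.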