[netsa-tools-discuss] rwidsquery Question on Operation

Tony Cebzanov tonyc at cert.org
Wed Sep 24 15:03:47 EDT 2014


Hi Scott,

>   I'm looking into working with rwidsquery to assist in pulling
> supporting flow data for firing events. I've run with a -in-type of
> rule, but the resulting rwfilter output doesn't seem to be substituting
> the $HOME_NET and $EXTERNAL_NET as I would have expected:

My guess is that you're defining HOME_NET and EXTERNAL_NET with the 
snort "ipvar" command?  If so, I'm afraid to report that rwidsquery was 
written a while back, prior to the introduction of the "ipvar" command, 
so it expects these to be defined with "var" instead.

>   I only have a snort.conf present (snort is not installed on this
> host). Is it necessary to have the entire ../snort/etc configuration
> structure present?

No, only the snort.conf is necessary -- rwidsquery does not attempt to 
pull in any included files or anything like that.

Hope this helps.

-- 
Tony Cebzanov * <tonyc at cert.org>
(M) +1 412 265-1240 * (W) +1 412 268-9149
CERT/CC * Engineering * Product Development
Software Engineering Institute * Carnegie Mellon University
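
A quick check for the situation described in the reply, as an added example that is not part of the original post or of the SiLK/rwidsquery tools: it scans a snort.conf for variables defined with "var" (the form rwidsquery expects) versus "ipvar" (which rwidsquery predates), lists "include" lines whose contents rwidsquery will not read, and produces a copy with "ipvar" rewritten to "var" for rwidsquery's use only. The function names, the sample configuration, and the line-based matching are assumptions of this example; rwidsquery's actual parsing rules are not given in the message.

```python
"""Audit a snort.conf for variable definitions rwidsquery will and will not see.

Added example, not code from the netsa-tools-discuss post or from SiLK/rwidsquery.
Assumption: rwidsquery reads "var NAME VALUE" lines and nothing else (the reply
says it predates "ipvar" and does not pull in included files); the exact parsing
rules are not given, so this is a simple line-based approximation.
"""
import re

# "var NAME VALUE" or "ipvar NAME VALUE"; VALUE runs to end of line.
VAR_RE = re.compile(r'^[ \t]*(var|ipvar)[ \t]+(\S+)[ \t]+(.+?)[ \t]*$')
INCLUDE_RE = re.compile(r'^[ \t]*include[ \t]+(\S+)')

# Constructed sample snort.conf fragment (not from any real deployment).
SAMPLE_CONF = """\
# constructed sample, RFC 5737 documentation ranges
ipvar HOME_NET [192.0.2.0/24,198.51.100.0/24]
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH ../rules
include $RULE_PATH/local.rules
"""


def audit_snort_conf(text):
    """Return {'var': {...}, 'ipvar': {...}, 'include': [...]} for the config text.

    'var' holds definitions rwidsquery is expected to substitute; 'ipvar' holds
    definitions it is expected to miss; 'include' lists files it will not read.
    """
    result = {"var": {}, "ipvar": {}, "include": []}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):  # whole-line comment
            continue
        m = VAR_RE.match(line)
        if m:
            kind, name, value = m.groups()
            result[kind][name] = value
            continue
        m = INCLUDE_RE.match(line)
        if m:
            result["include"].append(m.group(1))
    return result


def missed_by_rwidsquery(text):
    """Names defined only with 'ipvar', i.e. the ones that will not be substituted."""
    found = audit_snort_conf(text)
    return sorted(n for n in found["ipvar"] if n not in found["var"])


def rewrite_for_rwidsquery(text):
    """Copy of the config with leading 'ipvar' turned into 'var'.

    Intended only as the file handed to rwidsquery, not as a replacement for the
    config Snort itself loads.
    """
    return re.sub(r'^([ \t]*)ipvar\b', r'\1var', text, flags=re.MULTILINE)


if __name__ == "__main__":
    report = audit_snort_conf(SAMPLE_CONF)
    for name in missed_by_rwidsquery(SAMPLE_CONF):
        print("ipvar-only, will not be substituted:", name, "=", report["ipvar"][name])
    for path in report["include"]:
        print("included file not read by rwidsquery:", path)
    print("--- rewritten copy for rwidsquery ---")
    print(rewrite_for_rwidsquery(SAMPLE_CONF), end="")
```

Run it against your own snort.conf by replacing SAMPLE_CONF with the file contents; anything reported as ipvar-only is a candidate for the "var" form in the copy you give rwidsquery, and anything in the include list has to be folded into that copy by hand if it defines variables you rely on.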