[netsa-tools-discuss] rwidsquery Question on Operation
Scott Fringer
scfringe at cisco.com
Wed Sep 24 16:06:03 EDT 2014
Tony;
I appreciate the quick reply and it did help. You are correct, ipvar
was used in the definition. Changing to be var corrected the issue
(though I note it doesn't appear that setting EXTERNAL_NET to !$HOME_NET
is supported either?).
Thanks,
Scott
On 9/24/14, 3:03 PM, Tony Cebzanov wrote:
> Hi Scott,
>
>> I'm looking into working with rwidsquery to assist in pulling
>> supporting flow data for firing events. I've run with a -in-type of
>> rule, but the resulting rwfilter output doesn't seem to be substituting
>> the $HOME_NET and $EXTERNAL_NET as I would have expected:
>
> My guess is that you're defining HOME_NET and EXTERNAL_NET with the
> snort "ipvar" command? If so, I'm afraid to report that rwidsquery was
> written a while back, prior to the introduction of the "ipvar" command,
> so it expects these to be defined with "var" instead.
>
>> I only have a snort.conf present (snort is not installed on this
>> host). Is it necessary to have the entire ../snort/etc configuration
>> structure present?
>
> No, only the snort.conf is necessary -- rwidsquery does not attempt to
> pull in any included files or anything like that.
>
> Hope this helps.
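As an added example (not code from this thread or from the SiLK/rwidsquery tool itself), the following Python pre-check scans a snort.conf text for the two problems discussed above: HOME_NET/EXTERNAL_NET defined with "ipvar" instead of "var", and an EXTERNAL_NET set to a negation such as !$HOME_NET, which Scott reports as apparently unsupported. The sample config lines and the $VAR substitution format are constructed assumptions, and "include" lines are deliberately not followed, matching Tony's note that rwidsquery reads only snort.conf.

```python
import re

# Constructed sample snort.conf fragments (not from anyone's real config).
CONF_IPVAR = """\
ipvar HOME_NET [192.0.2.0/24,198.51.100.0/24]
ipvar EXTERNAL_NET !$HOME_NET
include $RULE_PATH/local.rules
"""
CONF_VAR = """\
var HOME_NET [192.0.2.0/24,198.51.100.0/24]
var EXTERNAL_NET any
"""

VAR_RE = re.compile(r'^\s*(var|ipvar)\s+(\w+)\s+(\S+)\s*$')

def parse_vars(conf_text):
    """Return {name: (keyword, value)} for var/ipvar lines in the given text.
    'include' lines are ignored on purpose: only snort.conf itself is read."""
    found = {}
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            found[m.group(2)] = (m.group(1), m.group(3))
    return found

def check_compat(conf_text, needed=("HOME_NET", "EXTERNAL_NET")):
    """List reasons why $HOME_NET/$EXTERNAL_NET would not be substituted."""
    problems = []
    defs = parse_vars(conf_text)
    for name in needed:
        if name not in defs:
            problems.append(f"{name}: not defined with 'var' or 'ipvar'")
            continue
        keyword, value = defs[name]
        if keyword == "ipvar":
            problems.append(f"{name}: defined with 'ipvar' (tool expects 'var')")
        if value.startswith("!"):
            problems.append(f"{name}: negated value {value!r} is not supported")
    return problems

def substitute(rule, conf_text):
    """Expand $NAME references in a rule header using only 'var' definitions;
    the expansion format is an assumption, not rwidsquery's exact output."""
    defs = parse_vars(conf_text)
    def repl(m):
        keyword, value = defs.get(m.group(1), (None, None))
        return value if keyword == "var" else m.group(0)
    return re.sub(r'\$(\w+)', repl, rule)
```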