[netsa-tools-discuss] rwidsquery in SiLK
Mark Thomas
mthomas at cert.org
Wed Sep 2 11:27:08 EDT 2015
The rwidsquery tool is designed to invoke rwfilter to find flow
records in your repository that match either a single Snort
signature or a single entry in a Snort log file.
When you specify "rwidsquery --intype=rule rule.txt", rwidsquery
uses a regular expression to find a Snort signature in the file
rule.txt and then invokes rwfilter to find flow records that match
the signature.
When you specify "rwidsquery --intype=full log.txt", rwidsquery uses
a regular expression to find a Snort full alert message in the file
log.txt and then invokes rwfilter to find flow records that match
the alert. The --intype=fast switch is similar, except it looks for
a line matching the Snort fast log file format.
The option parsing and regular expression parts of rwidsquery are
written in Python, then it invokes rwfilter to find the matching
flow records. The regular expressions in rwidsquery may be out of
date.
Cheers,
-Mark
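As an added illustration of the workflow described above (a regular expression pulls the header fields out of a Snort rule or a Snort fast alert line, and those fields become an rwfilter invocation), here is a small Python example. It is not rwidsquery's own code and does not reproduce its regular expressions. The sample alert and rule are constructed for the example, and the mapping of Snort fields onto rwfilter's --start-date/--end-date, --protocol, --saddress/--daddress and --sport/--dport switches is an assumed translation, not a statement of which switches rwidsquery actually emits. Fields that cannot be expressed as a single rwfilter value (any, $HOME_NET, bracketed lists, negations) are deliberately dropped rather than guessed.

```python
import re
from datetime import datetime

# Constructed sample inputs for this example (RFC 5737 addresses, made-up SIDs).
SAMPLE_FAST_ALERT = (
    "09/02-11:27:08.123456  [**] [1:1000001:3] EXAMPLE shell response [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
    "192.0.2.10:80 -> 198.51.100.5:51234"
)
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 '
    '(msg:"EXAMPLE SMB probe"; sid:1000002; rev:1;)'
)

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Snort "fast" alert: MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**]
#   [Classification: ...] [Priority: n] {PROTO} sip:sport -> dip:dport
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)(?:\.\d+)?\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?(?:\[Priority:\s*\d+\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+"
    rf"(?P<sip>{IPV4})(?::(?P<sport>\d+))?\s+->\s+"
    rf"(?P<dip>{IPV4})(?::(?P<dport>\d+))?\s*$"
)

# Snort rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_fast_alert(line, year):
    """Extract the fields rwfilter can use from one Snort fast alert line.
    Fast alerts carry no year, so the caller supplies it."""
    m = FAST_RE.match(line)
    if m is None:
        raise ValueError("not a Snort fast alert line: %r" % line)
    d = m.groupdict()
    ts = datetime.strptime("%d/%s" % (year, d["ts"]), "%Y/%m/%d-%H:%M:%S")
    hour = ts.strftime("%Y/%m/%d:%H")  # rwfilter date switches take YYYY/MM/DD:HH
    return {"sid": d["sid"], "proto": d["proto"].lower(),
            "sip": d["sip"], "sport": d["sport"],
            "dip": d["dip"], "dport": d["dport"],
            "start": hour, "end": hour}


def parse_rule(text):
    """Extract the header fields and sid from one Snort rule."""
    m = RULE_RE.match(text)
    if m is None:
        raise ValueError("not a Snort rule: %r" % text)
    d = m.groupdict()
    sid = re.search(r"\bsid:\s*(\d+)", d["opts"])
    return {"sid": sid.group(1) if sid else None, "proto": d["proto"].lower(),
            "sip": d["src"], "sport": d["sport"],
            "dip": d["dst"], "dport": d["dport"],
            "start": None, "end": None}


def _concrete(value):
    """Only a literal IPv4 address/CIDR or a single port number becomes a switch;
    'any', $VARIABLES, [lists] and !negations are skipped, not guessed."""
    return value is not None and re.fullmatch(rf"{IPV4}(?:/\d{{1,2}})?|\d+", value) is not None


def build_rwfilter_args(fields, start=None, end=None, output="stdout"):
    """Translate parsed fields into an rwfilter argument vector (assumed mapping).
    Returned as a list so it can be passed to subprocess without a shell: the
    alert's msg text is attacker-influenced and must never reach a shell string."""
    start = start or fields.get("start")
    end = end or fields.get("end") or start
    if start is None:
        raise ValueError("rwfilter needs a time window: pass start= (YYYY/MM/DD:HH)")
    args = ["rwfilter", "--start-date=%s" % start, "--end-date=%s" % end]
    proto = PROTO_NUMBERS.get(fields.get("proto"))
    if proto is not None:  # Snort 'ip' rules get no protocol restriction
        args.append("--protocol=%d" % proto)
    for key, switch in (("sip", "--saddress"), ("dip", "--daddress"),
                        ("sport", "--sport"), ("dport", "--dport")):
        if _concrete(fields.get(key)):
            args.append("%s=%s" % (switch, fields[key]))
    args.append("--pass=%s" % output)
    return args


if __name__ == "__main__":
    import shlex
    for fields in (parse_fast_alert(SAMPLE_FAST_ALERT, 2015), parse_rule(SAMPLE_RULE)):
        cmd = build_rwfilter_args(fields, start="2015/09/02:11")
        print(" ".join(shlex.quote(a) for a in cmd))
        # To run it for real: subprocess.run(cmd, check=True) with rwfilter on PATH.
```

Note that the rule path produces a much looser query than the alert path: a rule whose endpoints are $HOME_NET/any yields only a protocol and port restriction, which is exactly why a rule-based rwidsquery over a busy repository returns far more flows than an alert-based one.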
-----Original Message-----
From: Hosam Hittini <hosam.hittini at ies.etisalat.ae>
Date: Wed, 2 Sep 2015 15:28:38 +0400
To: <netsa-tools-discuss at cert.org>
Cc: 'Majid Qureshi' <mmajid at ies.etisalat.ae>
Subject: [netsa-tools-discuss] rwidsquery in SiLK
Hi,
I'm a bit confused and I need clarification regarding rwidsquery
1. Does it scan the repository to detect intrusion according to the
defined signatures?
2. Or what it does is basically read SNORT logs?
Thank you
Regards,
Hosam Hittini