[netsa-tools-discuss] rwidsquery in SiLK

Hosam Hittini hosam.hittini at ies.etisalat.ae
Wed Sep 2 14:41:10 EDT 2015


Thank you Mark
I'm interested in matching the signature
Just to confirm this
Rule.txt can't have more than one signature right? I'll have to create
different rule files and do different queries

Regards,
Hosam Hittini
System Security, Security Operations Centre




On 9/2/15, 7:27 PM, "Mark Thomas" <mthomas at cert.org> wrote:

>The rwidsquery tool is designed to invoke rwfilter to find flow
>records in your repository that match either a single Snort
>signature or a single entry in a Snort log file.
>
>When you specify "rwidsquery --intype=rule rule.txt", rwidsquery
>uses a regular expression to find a Snort signature in the file
>rule.txt and then invokes rwfilter to find flow records that match
>the signature.
>
>When you specify "rwidsquery --intype=full log.txt", rwidsquery uses
>a regular expression to find a Snort full alert message in the file
>log.txt and then invokes rwfilter to find flow records that match
>the alert.  The --intype=fast switch is similar, except it looks for
>a line matching the the Snort fast log file format.
>
>The option parsing and regular expression parts of rwidsquery are
>written in Python, then it invokes rwfilter to find the matching
>flow records.  The regular expressions in rwidsquery may be out of
>date.
>
>Cheers,
>
>-Mark
>
>
>-----Original Message-----
>From: Hosam Hittini <hosam.hittini at ies.etisalat.ae>
>Date: Wed, 2 Sep 2015 15:28:38 +0400
>To: <netsa-tools-discuss at cert.org>
>Cc: 'Majid Qureshi' <mmajid at ies.etisalat.ae>
>Subject: [netsa-tools-discuss] rwidsquery in SiLK
>
>Hi,
>
> 
>
>I'm a bit confused and I need clarification regarding rwidsquery
>
>1.       Does it scan the repository to detect intrusion according to the
>defined signatures?
>
>2.       Or what it does is basically read SNORT logs?
>
>Thank you
>
> 
>
>Regards,
>
>Hosam Hittini
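As an added illustration for this thread (not rwidsquery's own code, which ships with SiLK), the Python below does in miniature what Mark describes: a regular expression pulls each Snort rule header out of a rule file, and every header becomes its own rwfilter argument list, which is also how a multi-signature file is handled, one query per rule. The rwfilter switches used (--protocol, --saddress, --daddress, --sport, --dport, --start-date, --pass) are real; the rule file, the date, and the mapping of Snort address and port fields (variables such as $HOME_NET add no constraint) are assumptions of this example, not rwidsquery's behaviour.

```python
import re

# Constructed sample rule file (illustrative rules, not from the thread or any ruleset):
RULE_FILE = """
# a comment line, ignored by the header regex
alert tcp $EXTERNAL_NET any -> 192.0.2.0/24 22 (msg:"ssh to servers"; sid:1000001; rev:1;)
alert udp any 1024:65535 -> 198.51.100.7 53 (msg:"dns to resolver"; sid:1000002; rev:1;)
"""

PROTO_NUM = {"tcp": "6", "udp": "17", "icmp": "1"}  # rwfilter --protocol takes IP protocol numbers

RULE_RE = re.compile(  # Snort header: action proto src sport dir dst dport (options)
    r"^\s*(alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.MULTILINE)

def _addr_arg(switch, value):
    """'any', $VARIABLES, negations and lists add no constraint; a literal IP/CIDR does."""
    if value == "any" or value[0] in "$![":
        return []
    return [f"{switch}={value}"]

def _port_arg(switch, value):
    """Map a Snort port ('22', '1024:65535', ':1023', 'any', '$VAR') to an rwfilter switch."""
    if value == "any" or value[0] in "$![":
        return []
    m = re.fullmatch(r"(\d*):(\d*)", value)
    if m:  # Snort 'lo:hi' range becomes rwfilter 'lo-hi'
        return [f"{switch}={m.group(1) or '0'}-{m.group(2) or '65535'}"]
    return [f"{switch}={value}"]

def rule_to_rwfilter(m, selection):
    """One rwfilter argv per direction of a matched header ('<>' yields two)."""
    base = ["rwfilter", *selection]
    if m.group("proto").lower() != "ip":
        base.append(f"--protocol={PROTO_NUM[m.group('proto').lower()]}")  # KeyError if unknown
    src, sport, dst, dport = m.group("src", "sport", "dst", "dport")
    cmds = [base + _addr_arg("--saddress", src) + _port_arg("--sport", sport)
            + _addr_arg("--daddress", dst) + _port_arg("--dport", dport)]
    if m.group("dir") == "<>":
        cmds.append(base + _addr_arg("--saddress", dst) + _port_arg("--sport", dport)
                    + _addr_arg("--daddress", src) + _port_arg("--dport", sport))
    return cmds

def queries_from_rules(text, selection=("--start-date=2015/09/02:00", "--pass=stdout")):
    """[(sid, [argv, ...]), ...]: one rwfilter invocation per signature found in the file."""
    out = []
    for m in RULE_RE.finditer(text):
        sid = re.search(r"\bsid\s*:\s*(\d+)", m.group("opts"))
        out.append((sid.group(1) if sid else None, rule_to_rwfilter(m, selection)))
    return out
```

Each argv can be handed to subprocess.run; the constructed --start-date selects a single hour, so widen it with --end-date for a real search.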



