[netsa-tools-discuss] rwidsquery in SiLK
Mark Thomas
mthomas at cert.org
Thu Sep 3 11:36:49 EDT 2015
Yes, the input file needs to contain a single signature. When it
does not, the options to rwfilter are repeated. For example, the
following input
alert icmp $EXTERNAL_NET any -> $HOME_NET any
(msg:"ICMP Parameter Problem Bad Length"; icode:2; itype:12;
classtype:misc-activity; sid:425; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any
(msg:"ICMP Parameter Problem Bad Length"; icode:3; itype:13;
classtype:misc-activity; sid:425; rev:6;)
produces the following output:
rwfilter --start-date=2009/01/11 --end-date=2009/01/11 \
--stime=2009/01/11-2009/01/11 --saddress=$EXTERNAL_NET \
--daddress=$HOME_NET --icmp-code=2 --icmp-type=12 \
--icmp-code=3 --icmp-type=13 --pass=stdout
Note how the --icmp-type and --icmp-code switches are repeated.
-Mark
On Wed, 2 Sep 2015 22:41:10 +0400, Hosam Hittini wrote:
> Thank you, Mark.
> I'm interested in matching the signature.
> Just to confirm this:
> Rule.txt can't have more than one signature, right? I'll have to create
> different rule files and do different queries.
>
> Regards,
> Hosam Hittini
> System Security, Security Operations Centre
>
> On 9/2/15, 7:27 PM, "Mark Thomas" <mthomas at cert.org> wrote:
>
>>The rwidsquery tool is designed to invoke rwfilter to find flow
>>records in your repository that match either a single Snort
>>signature or a single entry in a Snort log file.
>>
>>When you specify "rwidsquery --intype=rule rule.txt", rwidsquery
>>uses a regular expression to find a Snort signature in the file
>>rule.txt and then invokes rwfilter to find flow records that match
>>the signature.
>>
>>When you specify "rwidsquery --intype=full log.txt", rwidsquery uses
>>a regular expression to find a Snort full alert message in the file
>>log.txt and then invokes rwfilter to find flow records that match
>>the alert. The --intype=fast switch is similar, except it looks for
>>a line matching the Snort fast log file format.
>>
>>The option parsing and regular expression parts of rwidsquery are
>>written in Python, then it invokes rwfilter to find the matching
>>flow records. The regular expressions in rwidsquery may be out of
>>date.
>>
>>Cheers,
>>
>>-Mark
>>
>>
>>-----Original Message-----
>>From: Hosam Hittini <hosam.hittini at ies.etisalat.ae>
>>Date: Wed, 2 Sep 2015 15:28:38 +0400
>>To: <netsa-tools-discuss at cert.org>
>>Cc: 'Majid Qureshi' <mmajid at ies.etisalat.ae>
>>Subject: [netsa-tools-discuss] rwidsquery in SiLK
>>
>>Hi,
>>
>>I'm a bit confused and I need clarification regarding rwidsquery
>>
>>1. Does it scan the repository to detect intrusion according to the
>>defined signatures?
>>
>>2. Or what it does is basically read SNORT logs?
>>
>>Thank you
>>
>>Regards,
>>
>>Hosam Hittini
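As an added example (not code from this thread or from SiLK/rwidsquery itself), the Python below does what Hosam proposes by hand: it finds every Snort signature in a rule file and builds one rwfilter argument list per signature, so the --icmp-type/--icmp-code switches are never merged across rules as in the output Mark quotes. The rule regex, the field-to-switch mapping and the sample rules are assumptions modelled on that quoted output; only the fields the thread shows are mapped.

```python
import re

# Constructed sample input: the two rules from the thread, split across
# lines the way they appear in the message.
SAMPLE_RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any
(msg:"ICMP Parameter Problem Bad Length"; icode:2; itype:12;
classtype:misc-activity; sid:425; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any
(msg:"ICMP Parameter Problem Bad Length"; icode:3; itype:13;
classtype:misc-activity; sid:425; rev:6;)
"""

# One rule: action proto src sport dir dst dport (options); DOTALL lets the
# option block continue on following lines.
RULE_RE = re.compile(
    r"(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*?)\)", re.DOTALL)
# key:value; pairs - a quoted value (e.g. msg) may itself contain ';'
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')


def parse_rules(text):
    """Return one dict per signature: header fields plus an 'opts' dict."""
    rules = []
    for m in RULE_RE.finditer(text):
        rule = m.groupdict()
        rule["opts"] = {k: v.strip().strip('"')
                        for k, v in OPT_RE.findall(m.group("opts"))}
        rules.append(rule)
    return rules


def rwfilter_args(rule, start, end):
    """Hypothetical mapping of one rule to rwfilter switches, modelled on
    the thread's output. Variables such as $EXTERNAL_NET are passed through
    for the shell to expand; 'any' yields no switch."""
    args = ["rwfilter", f"--start-date={start}", f"--end-date={end}",
            f"--stime={start}-{end}"]
    for field, switch in (("src", "saddress"), ("dst", "daddress"),
                          ("sport", "sport"), ("dport", "dport")):
        if rule[field] != "any":
            args.append(f"--{switch}={rule[field]}")
    for opt, switch in (("icode", "icmp-code"), ("itype", "icmp-type")):
        if opt in rule["opts"]:
            args.append(f"--{switch}={rule['opts'][opt]}")
    args.append("--pass=stdout")
    return args


def per_signature_commands(text, start, end):
    """One rwfilter argument list per signature, never merged."""
    return [rwfilter_args(r, start, end) for r in parse_rules(text)]
```

Running `per_signature_commands(SAMPLE_RULES, "2009/01/11", "2009/01/11")` yields two separate command lines, the first carrying only --icmp-code=2 and --icmp-type=12, the second only --icmp-code=3 and --icmp-type=13.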