NAME
rwidsquery - invoke rwfilter to find flows matching Snort signatures
SYNOPSIS
rwidsquery --intype=INPUT_TYPE
[--output-file=OUTPUT_FILE]
[--start-date=YYYY/MM/DD[:HH] [--end-date=YYYY/MM/DD[:HH]]]
[--year=YEAR] [--tolerance=SECONDS]
[--config-file=CONFIG_FILE]
[--mask=PREDICATE_LIST]
[--verbose] [--dry-run]
INPUT_FILE
[-- EXTRA_RWFILTER_ARGS...]
DESCRIPTION
rwidsquery facilitates selection of SiLK flow records that correspond to Snort IDS alerts and signatures. rwidsquery takes as input either a Snort alert log or a Snort rule file, analyzes the alert or rule contents, and invokes rwfilter(1) with the appropriate arguments to retrieve flow records that match attributes of the input file.
OPTIONS
In addition to the options listed below, you can pass extra options through to rwfilter(1) on the rwidsquery command line. The syntax for doing so is to place a double-hyphen (--) sequence after all valid rwidsquery options, and before all of the options you wish to pass through to rwfilter.
- --output-file=OUTPUT_FILE
- Specify the output file that flows will be written to. If not specified, the default is to write to stdout.
- --intype=INPUT_TYPE
- Specify the type of input contained in the input file. Two alert formats and one rule format are currently supported. Valid values for this option are:
    fast
        Input is a Snort ``fast'' log file entry. Alerts are written in this format when Snort is configured with the snort_fast output module enabled. snort_fast alerts resemble the following:
            Jan 1 01:23:45 hostname snort[1976]: [1:1416:11] ...
    full
        Input is a Snort ``full'' log file entry. Alerts are written in this format when Snort is configured with the snort_full output module enabled. snort_full alerts look like the following example:
            [**] [116:151:1] (snort decoder) Bad Traffic ...
    rule
        Input is a Snort rule (signature). For example:
            alert tcp $EXTERNAL_NET any -> $HOME_NET any ...
- --start-date=YYYY/MM/DD[:HH]
- --end-date=YYYY/MM/DD[:HH]
- Used in conjunction with rule file input only. The date predicates indicate which time to start and end the search. See the rwfilter(1) manual page for details of the date format.
- --year=YEAR
- Used in conjunction with alert file input only. Timestamps in Snort alert files do not contain year information. By default, the current calendar year is used, but this option can be used to override this default behavior.
- --tolerance=SECONDS
- Used in conjunction with alert file input only. This option is provided to compensate for timing differences between the timestamps in Snort alerts and the start/end time of the corresponding flows. The default --tolerance value is 3600 seconds, which means that flow records +/- one hour from the alert timestamp will be searched.
- --config-file=CONFIG_FILE
- Used in conjunction with rule file input only. Snort requires a configuration file which, among other things, defines variables (such as $HOME_NET and $EXTERNAL_NET) that are used in Snort rule definitions. This option specifies the location of that configuration file so that the IP addresses, port numbers, and other values it assigns to those variables can be used to find matching flows.
- --mask=PREDICATE_LIST
- Exclude the rwfilter predicates named in PREDICATE_LIST from the selection criteria. This option is provided to widen the scope of queries by making them more general than the Snort rule or alert provided. For instance, --mask=dport will return flows with any destination port, not just those which match the input Snort alert or rule.
- --verbose
- Print the resulting rwfilter(1) command on stderr prior to invoking it.
- --dry-run
- Print the resulting rwfilter(1) command on stderr but do not actually run it.
EXAMPLES
To find SiLK flows matching a Snort alert in snort_fast format:
$ rwidsquery --intype fast --year 2007 --tolerance 300 alert.fast.txt
For the following Snort alert:
Nov 15 00:00:58 hostname snort[5214]: [1:1416:11]
SNMP broadcast trap [Classification: Attempted Information Leak]
[Priority: 2]: {TCP}
192.168.0.1:4161 -> 127.0.0.1:139
The resulting rwfilter(1) command would look similar to:
rwfilter --start-date=2007/11/14:23 --end-date=2007/11/15:00 \
--stime=2007/11/14:23:55:58-2007/11/15:00:05:58 \
--saddress=192.168.0.1 --sport=4161 --daddress=127.0.0.1 \
--dport=139 --protocol=6 --pass=stdout
If you want to find flows matching the same criteria, except you want UDP flows instead of TCP flows, use the following syntax:
$ rwidsquery --intype fast --year 2007 --tolerance 300 \
--mask protocol alert.fast.txt -- --protocol=17
which would yield the following rwfilter command line:
$ rwfilter --start-date=2007/11/14:23 --end-date=2007/11/15:00 \
--stime=2007/11/14:23:55:58-2007/11/15:00:05:58 \
--saddress=192.168.0.1 --sport=4161 --daddress=127.0.0.1 \
--dport=139 --protocol=17 --pass=stdout
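The transformation that the --year, --tolerance and --mask options describe, and that the two fast-alert examples above show, is reimplemented below as an added Python example. It is not SiLK's own rwidsquery code: the regular expression, the PROTO table, the set of emitted predicates and the sample alert are assumptions constructed from the alert format and the rwfilter command lines shown on this page.

```python
"""Build the rwfilter argument list that rwidsquery derives from a Snort
"fast" alert.  Illustrative reimplementation, not SiLK's own code."""
import re
from datetime import datetime, timedelta

# Constructed sample: the fast alert from the example above, joined on one
# line as Snort's fast output module writes it.
SAMPLE_ALERT = (
    "Nov 15 00:00:58 hostname snort[5214]: [1:1416:11] "
    "SNMP broadcast trap [Classification: Attempted Information Leak] "
    "[Priority: 2]: {TCP} 192.168.0.1:4161 -> 127.0.0.1:139"
)

# IP protocol numbers for the transport names Snort prints in braces
# (assumed table; extend for other protocols Snort may report).
PROTO = {"TCP": 6, "UDP": 17, "ICMP": 1}

# Assumed shape of a fast alert: syslog timestamp, anything, "{PROTO}",
# then "sip[:sport] -> dip[:dport]".  Ports are optional because ICMP
# alerts carry none.
FAST_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r".*?\{(?P<proto>[A-Z]+)\} "
    r"(?P<sip>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dip>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_fast_alert(line, year):
    """Return (timestamp, {rwfilter predicate: value}) for one fast alert.
    Fast alerts carry no year, so the caller supplies it (cf. --year)."""
    m = FAST_RE.search(line)
    if m is None:
        raise ValueError("not a Snort fast alert: %r" % line)
    ts = datetime.strptime(
        "%d %s %s %s" % (year, m["mon"], m["day"], m["time"]),
        "%Y %b %d %H:%M:%S",
    )
    preds = {
        "saddress": m["sip"],
        "daddress": m["dip"],
        "protocol": str(PROTO[m["proto"]]),
    }
    # Only emit port predicates when the alert actually has ports.
    if m["sport"]:
        preds["sport"] = m["sport"]
    if m["dport"]:
        preds["dport"] = m["dport"]
    return ts, preds


def rwfilter_args(line, year, tolerance=3600, mask=(), extra=()):
    """Assemble the rwfilter command line: hour-granular --start-date and
    --end-date to select the hourly data files, an exact --stime window of
    +/- tolerance seconds around the alert, one predicate per alert field
    except those named in mask, then any pass-through arguments (the part
    after "--" on the rwidsquery command line)."""
    ts, preds = parse_fast_alert(line, year)
    lo = ts - timedelta(seconds=tolerance)
    hi = ts + timedelta(seconds=tolerance)
    args = [
        "rwfilter",
        "--start-date=" + lo.strftime("%Y/%m/%d:%H"),
        "--end-date=" + hi.strftime("%Y/%m/%d:%H"),
        "--stime=%s-%s" % (lo.strftime("%Y/%m/%d:%H:%M:%S"),
                           hi.strftime("%Y/%m/%d:%H:%M:%S")),
    ]
    for name in ("saddress", "sport", "daddress", "dport", "protocol"):
        if name in preds and name not in mask:
            args.append("--%s=%s" % (name, preds[name]))
    args.extend(extra)          # e.g. ("--protocol=17",) to replace a masked predicate
    args.append("--pass=stdout")
    return args


if __name__ == "__main__":
    print(" ".join(rwfilter_args(SAMPLE_ALERT, 2007, 300)))
    print(" ".join(rwfilter_args(SAMPLE_ALERT, 2007, 300,
                                 mask=("protocol",), extra=("--protocol=17",))))
```

Run as a script it prints the two rwfilter command lines from the examples above. The masked predicate is simply omitted, and the pass-through arguments are appended after the generated predicates, which is why --mask=protocol combined with -- --protocol=17 yields a single --protocol=17 rather than two conflicting protocol options.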
To find SiLK flows matching a Snort rule:
$ rwidsquery --intype rule --start 2008/02/20:00 --end 2008/02/20:02 \
-c /opt/local/etc/snort/snort.conf -v rule.txt
For the following Snort rule:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Bad Length"; icode:2; itype:12; classtype:misc-activity; sid:425; rev:6;)
The resulting rwfilter(1) command would look similar to:
rwfilter --start-date=2008/02/20:00 --end-date=2008/02/20:02 \
--stime=2008/02/20:00-2008/02/20:02 --sipset=/tmp/tmpeKIPn2.set \
--icmp-code=2 --icmp-type=12 --pass=stdout
SEE ALSO
snort(8), rwfilter(1)