SiLK

NAME

rwidsquery - invoke rwfilter to find flows matching Snort signatures

SYNOPSIS

 rwidsquery --intype=INPUT_TYPE
        [--output-file=OUTPUT_FILE]
        [--start-date=YYYY/MM/DD[:HH] [--end-date=YYYY/MM/DD[:HH]]]
        [--year=YEAR] [--tolerance=SECONDS]
        [--config-file=CONFIG_FILE]
        [--mask=PREDICATE_LIST]
        [--verbose] [--dry-run]
        [INPUT_FILE | -]
        [-- EXTRA_RWFILTER_ARGS...]

  rwidsquery --help

  rwidsquery --version

DESCRIPTION

rwidsquery facilitates selection of SiLK flow records that correspond to Snort IDS alerts and signatures. rwidsquery takes as input either a snort(8) alert log or rule file, analyzes the alert or rule contents, and invokes rwfilter(1) with the appropriate arguments to retrieve flow records that match attributes of the input file. rwidsquery will process the Snort rules or alerts from a single file named on the command line; if no file name is given, rwidsquery will attempt to read the Snort rules or alerts from the standard input, unless the standard input is connected to a terminal. An input file name of - or stdin will force rwidsquery to read from the standard input, even when the standard input is a terminal.

OPTIONS

In addition to the options listed below, you can pass extra options through to rwfilter(1) on the rwidsquery command line. The syntax for doing so is to place a double-hyphen (--) sequence after all valid rwidsquery options, and before all of the options you wish to pass through to rwfilter.

--intype=INPUT_TYPE

Specify the type of input contained in the input file. This switch is required. Two alert formats and one rule format are currently supported. Valid values for this option are:

fast

Input is a Snort "fast" log file entry. Alerts are written in this format when Snort is configured with the snort_fast output module enabled. snort_fast alerts resemble the following:

    Jan  1 01:23:45 hostname snort[1976]: [1:1416:11] ...

full

Input is a Snort "full" log file entry. Alerts are written in this format when Snort is configured with the snort_full output module enabled. snort_full alerts look like the following example:

    [**] [116:151:1] (snort decoder) Bad Traffic  ...

rule

Input is a Snort rule (signature). For example:

    alert tcp $EXTERNAL_NET any -> $HOME_NET any ...

--output-file=OUTPUT_FILE

Specify the output file that flows will be written to. If not specified, the default is to write to stdout. The argument to this option becomes the argument to rwfilter's --pass-destination switch.

--start-date=YYYY/MM/DD[:HH]

--end-date=YYYY/MM/DD[:HH]

Used in conjunction with rule file input only. The date predicates indicate which time to start and end the search. See the rwfilter(1) manual page for details of the date format.

--year=YEAR

Used in conjunction with alert file input only. Timestamps in Snort alert files do not contain year information. By default, the current calendar year is used, but this option can be used to override this default behavior.

--tolerance=SECONDS

Used in conjunction with alert file input only. This option is provided to compensate for timing differences between the timestamps in Snort alerts and the start/end time of the corresponding flows. The default --tolerance value is 3600 seconds, which means that flow records +/- one hour from the alert timestamp will be searched.

--config-file=CONFIG_FILE

Used in conjunction with rule file input only. Snort requires a configuration file which, among other things, contains variables that can be used in Snort rule definitions. This option allows you to specify the location of this configuration file so that IP addresses, port numbers, and other information from the snort configuration file can be used to find matching flows.

--mask=PREDICATE_LIST

Exclude the rwfilter predicates named in PREDICATE_LIST from the selection criteria. This option is provided to widen the scope of queries by making them more general than the Snort rule or alert provided. For instance, --mask=dport will return flows with any destination port, not just those which match the input Snort alert or rule.

--verbose

Print the resulting rwfilter(1) command to the standard error prior to executing it.

--dry-run

Print the resulting rwfilter(1) command to the standard error but do not execute it.

--help

Print the available options and exit.

--version

Print the version number and information about how SiLK was configured, then exit the application.

EXAMPLES

In the following examples, the dollar sign ($) represents the shell prompt. The text after the dollar sign represents the command line. Lines have been wrapped for improved readability, and the back slash (\) is used to indicate a wrapped line.

To find SiLK flows matching a Snort alert in snort_fast format:

 $ rwidsquery --intype fast --year 2007 --tolerance 300 alert.fast.txt

For the following Snort alert:

 Nov  15 00:00:58 hostname snort[5214]: [1:1416:11]
 SNMP broadcast trap [Classification: Attempted Information Leak]
 [Priority: 2]: {TCP}
 192.168.0.1:4161 -> 127.0.0.1:139

The resulting rwfilter(1) command would look similar to:

 $ rwfilter --start-date=2007/11/14:23 --end-date=2007/11/15:00     \
        --stime=2007/11/14:23:55:58-2007/11/15:00:05:58             \
        --saddress=192.168.0.1 --sport=4161 --daddress=127.0.0.1    \
        --dport=139 --protocol=6 --pass=stdout

If you want to find flows matching the same criteria, except you want UDP flows instead of TCP flows, use the following syntax:

 $ rwidsquery --intype fast --year 2007 --tolerance 300     \
        --mask protocol alert.fast.txt -- --protocol=17

which would yield the following rwfilter command line:

 $ rwfilter --start-date=2007/11/14:23 --end-date=2007/11/15:00     \
        --stime=2007/11/14:23:55:58-2007/11/15:00:05:58             \
        --saddress=192.168.0.1 --sport=4161 --daddress=127.0.0.1    \
        --dport=139 --protocol=17 --pass=stdout

To find SiLK flows matching a Snort rule:

 $ rwidsquery --intype rule --start 2008/02/20:00 --end 2008/02/20:02 \
        --config /opt/local/etc/snort/snort.conf --verbose rule.txt

For the following Snort rule:

 alert icmp $EXTERNAL_NET any -> $HOME_NET any
 (msg:"ICMP Parameter Problem Bad Length"; icode:2; itype:12;
 classtype:misc-activity; sid:425; rev:6;)

The resulting rwfilter(1) command would look similar to:

 $ rwfilter --start-date=2008/02/20:00 --end-date=2008/02/20:02     \
        --stime=2008/02/20:00-2008/02/20:02                         \
        --sipset=/tmp/tmpeKIPn2.set --icmp-code=2 --icmp-type=12    \
        --pass=stdout

ENVIRONMENT

SILK_CLOBBER

The SiLK tools normally refuse to overwrite existing files. Setting SILK_CLOBBER to a non-empty value removes this restriction.

SILK_CONFIG_FILE

This environment variable is used as the location for the site configuration file, silk.conf. When this environment variable is not set, rwfilter searches for the site configuration file in the locations specified in the "FILES" section.

SILK_DATA_ROOTDIR

This environment variable specifies the root directory of data repository for rwfilter. This value overrides the compiled-in value. In addition, rwfilter may use this value when searching for the SiLK site configuration files. See the "FILES" section for details.

SILK_RWFILTER_THREADS

The number of threads rwfilter uses when reading files from the data store.

SILK_PATH

This environment variable gives the root of the install tree. When searching for the site configuration file, rwfilter may use this environment variable. See the "FILES" section for details.

RWFILTER

Complete path to the rwfilter program. If not set, rwidsquery attempts to find rwfilter on your PATH.

FILES

${SILK_CONFIG_FILE}

${SILK_DATA_ROOTDIR}/silk.conf

/data/silk.conf

${SILK_PATH}/share/silk/silk.conf

${SILK_PATH}/share/silk.conf

/usr/share/silk/silk.conf

/usr/share/silk.conf

Possible locations for the SiLK site configuration file---for report types that use rwfilter.

SEE ALSO

rwfilter(1), silk(7), snort(8)