GSP
Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages
rwidsquery(1) SiLK Tool Suite rwidsquery(1)

rwidsquery - invoke rwfilter to find flows matching Snort signatures

 rwidsquery --intype=INPUT_TYPE
        [--output-file=OUTPUT_FILE]
        [--start-date=YYYY/MM/DD[:HH] [--end-date=YYYY/MM/DD[:HH]]]
        [--year=YEAR] [--tolerance=SECONDS]
        [--config-file=CONFIG_FILE]
        [--mask=PREDICATE_LIST]
        [--verbose] [--dry-run]
        [INPUT_FILE | -]
        [-- EXTRA_RWFILTER_ARGS...]

  rwidsquery --help

  rwidsquery --version

rwidsquery facilitates selection of SiLK flow records that correspond to Snort IDS alerts and signatures. rwidsquery takes as input either a snort(8) alert log or rule file, analyzes the alert or rule contents, and invokes rwfilter(1) with the appropriate arguments to retrieve flow records that match attributes of the input file. rwidsquery will process the Snort rules or alerts from a single file named on the command line; if no file name is given, rwidsquery will attempt to read the Snort rules or alerts from the standard input, unless the standard input is connected to a terminal. An input file name of "-" or "stdin" will force rwidsquery to read from the standard input, even when the standard input is a terminal.

In addition to the options listed below, you can pass extra options through to rwfilter(1) on the rwidsquery command line. The syntax for doing so is to place a double-hyphen (--) sequence after all valid rwidsquery options, and before all of the options you wish to pass through to rwfilter.
--intype=INPUT_TYPE
Specify the type of input contained in the input file. This switch is required. Two alert formats and one rule format are currently supported. Valid values for this option are:
"fast"
Input is a Snort "fast" log file entry. Alerts are written in this format when Snort is configured with the "snort_fast" output module enabled. "snort_fast" alerts resemble the following:

    Jan  1 01:23:45 hostname snort[1976]: [1:1416:11] ...
    
"full"
Input is a Snort "full" log file entry. Alerts are written in this format when Snort is configured with the "snort_full" output module enabled. "snort_full" alerts look like the following example:

    [**] [116:151:1] (snort decoder) Bad Traffic  ...
    
"rule"
Input is a Snort rule (signature). For example:

    alert tcp $EXTERNAL_NET any -> $HOME_NET any ...
    
--output-file=OUTPUT_FILE
Specify the output file that flows will be written to. If not specified, the default is to write to stdout. The argument to this option becomes the argument to rwfilter's --pass-destination switch.
--start-date=YYYY/MM/DD[:HH]
--end-date=YYYY/MM/DD[:HH]
Used in conjunction with rule file input only. The date predicates indicate which time to start and end the search. See the rwfilter(1) manual page for details of the date format.
--year=YEAR
Used in conjunction with alert file input only. Timestamps in Snort alert files do not contain year information. By default, the current calendar year is used, but this option can be used to override this default behavior.
--tolerance=SECONDS
Used in conjunction with alert file input only. This option is provided to compensate for timing differences between the timestamps in Snort alerts and the start/end time of the corresponding flows. The default --tolerance value is 3600 seconds, which means that flow records +/- one hour from the alert timestamp will be searched.
--config-file=CONFIG_FILE
Used in conjunction with rule file input only. Snort requires a configuration file which, among other things, contains variables that can be used in Snort rule definitions. This option allows you to specify the location of this configuration file so that IP addresses, port numbers, and other information from the snort configuration file can be used to find matching flows.
--mask=PREDICATE_LIST
Exclude the rwfilter predicates named in PREDICATE_LIST from the selection criteria. This option is provided to widen the scope of queries by making them more general than the Snort rule or alert provided. For instance, --mask=dport will return flows with any destination port, not just those which match the input Snort alert or rule.
--verbose
Print the resulting rwfilter(1) command to the standard error prior to executing it.
--dry-run
Print the resulting rwfilter(1) command to the standard error but do not execute it.
--help
Print the available options and exit.
--version
Print the version number and information about how SiLK was configured, then exit the application.

In the following examples, the dollar sign ("$") represents the shell prompt. The text after the dollar sign represents the command line. Lines have been wrapped for improved readability, and the back slash ("\") is used to indicate a wrapped line.

To find SiLK flows matching a Snort alert in snort_fast format:

 $ rwidsquery --intype fast --year 2007 --tolerance 300 alert.fast.txt

For the following Snort alert:

 Nov  15 00:00:58 hostname snort[5214]: [1:1416:11]
 SNMP broadcast trap [Classification: Attempted Information Leak]
 [Priority: 2]: {TCP}
 192.168.0.1:4161 -> 127.0.0.1:139

The resulting rwfilter(1) command would look similar to:

 $ rwfilter --start-date=2007/11/14:23 --end-date=2007/11/15:00     \
        --stime=2007/11/14:23:55:58-2007/11/15:00:05:58             \
        --saddress=192.168.0.1 --sport=4161 --daddress=127.0.0.1    \
        --dport=139 --protocol=6 --pass=stdout

If you want to find flows matching the same criteria, except you want UDP flows instead of TCP flows, use the following syntax:

 $ rwidsquery --intype fast --year 2007 --tolerance 300     \
        --mask protocol alert.fast.txt -- --protocol=17

which would yield the following rwfilter command line:

 $ rwfilter --start-date=2007/11/14:23 --end-date=2007/11/15:00     \
        --stime=2007/11/14:23:55:58-2007/11/15:00:05:58             \
        --saddress=192.168.0.1 --sport=4161 --daddress=127.0.0.1    \
        --dport=139 --protocol=17 --pass=stdout

To find SiLK flows matching a Snort rule:

 $ rwidsquery --intype rule --start 2008/02/20:00 --end 2008/02/20:02 \
        --config /opt/local/etc/snort/snort.conf --verbose rule.txt

For the following Snort rule:

 alert icmp $EXTERNAL_NET any -> $HOME_NET any
 (msg:"ICMP Parameter Problem Bad Length"; icode:2; itype:12;
 classtype:misc-activity; sid:425; rev:6;)

The resulting rwfilter(1) command would look similar to:

 $ rwfilter --start-date=2008/02/20:00 --end-date=2008/02/20:02     \
        --stime=2008/02/20:00-2008/02/20:02                         \
        --sipset=/tmp/tmpeKIPn2.set --icmp-code=2 --icmp-type=12    \
        --pass=stdout

SILK_CLOBBER
The SiLK tools normally refuse to overwrite existing files. Setting SILK_CLOBBER to a non-empty value removes this restriction.
SILK_CONFIG_FILE
This environment variable is used as the location for the site configuration file, silk.conf. When this environment variable is not set, rwfilter searches for the site configuration file in the locations specified in the "FILES" section.
SILK_DATA_ROOTDIR
This environment variable specifies the root directory of data repository for rwfilter. This value overrides the compiled-in value. In addition, rwfilter may use this value when searching for the SiLK site configuration files. See the "FILES" section for details.
SILK_RWFILTER_THREADS
The number of threads rwfilter uses when reading files from the data store.
SILK_PATH
This environment variable gives the root of the install tree. When searching for the site configuration file, rwfilter may use this environment variable. See the "FILES" section for details.
RWFILTER
Complete path to the rwfilter program. If not set, rwidsquery attempts to find rwfilter on your PATH.

${SILK_CONFIG_FILE}
${SILK_DATA_ROOTDIR}/silk.conf
/data/silk.conf
${SILK_PATH}/share/silk/silk.conf
${SILK_PATH}/share/silk.conf
/usr/local/share/silk/silk.conf
/usr/local/share/silk.conf
Possible locations for the SiLK site configuration file---for report types that use rwfilter.

rwfilter(1), silk(7), snort (8)
2022-04-12 SiLK 3.19.1

Search for    or go to Top of page |  Section 1 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.