Manual Reference Pages  -  RWIDSQUERY (1)

NAME

rwidsquery - invoke rwfilter to find flows matching Snort signatures

SYNOPSIS

  rwidsquery --intype=INPUT_TYPE
        [--output-file=OUTPUT_FILE]
        [--start-date=YYYY/MM/DD[:HH] [--end-date=YYYY/MM/DD[:HH]]]
        [--year=YEAR] [--tolerance=SECONDS]
        [--config-file=CONFIG_FILE]
        [--mask=PREDICATE_LIST]
        [--verbose] [--dry-run]
        [INPUT_FILE | -]
        [-- EXTRA_RWFILTER_ARGS...]

  rwidsquery --help

  rwidsquery --version

DESCRIPTION

rwidsquery facilitates selection of SiLK flow records that correspond to Snort IDS alerts and signatures. rwidsquery takes as input either a snort(8) alert log or rule file, analyzes the alert or rule contents, and invokes rwfilter(1) with the appropriate arguments to retrieve flow records that match attributes of the input file. rwidsquery will process the Snort rules or alerts from a single file named on the command line; if no file name is given, rwidsquery will attempt to read the Snort rules or alerts from the standard input, unless the standard input is connected to a terminal. An input file name of - or stdin will force rwidsquery to read from the standard input, even when the standard input is a terminal.

OPTIONS

In addition to the options listed below, you can pass extra options through to rwfilter(1) on the rwidsquery command line. The syntax for doing so is to place a double-hyphen (--) sequence after all valid rwidsquery options, and before all of the options you wish to pass through to rwfilter.
--intype=INPUT_TYPE
    Specify the type of input contained in the input file. This switch is required. Two alert formats and one rule format are currently supported. Valid values for this option are:

    fast
        Input is a Snort fast log file entry. Alerts are written in this format when Snort is configured with the snort_fast output module enabled. snort_fast alerts resemble the following:

            Jan  1 01:23:45 hostname snort[1976]: [1:1416:11] ...

    full
        Input is a Snort full log file entry. Alerts are written in this format when Snort is configured with the snort_full output module enabled. snort_full alerts look like the following example:

            [**] [116:151:1] (snort decoder) Bad Traffic  ...

    rule
        Input is a Snort rule (signature). For example:

            alert tcp $EXTERNAL_NET any -> $HOME_NET any ...

--output-file=OUTPUT_FILE
    Specify the output file that flows will be written to. If not specified, the default is to write to stdout. The argument to this option becomes the argument to rwfilter’s --pass-destination switch.

--start-date=YYYY/MM/DD[:HH]
--end-date=YYYY/MM/DD[:HH]
    Used in conjunction with rule file input only. The date predicates give the start and end of the time range to search. See the rwfilter(1) manual page for details of the date format.

--year=YEAR
    Used in conjunction with alert file input only. Timestamps in Snort alert files do not contain year information. By default, the current calendar year is used, but this option overrides that default.

--tolerance=SECONDS
    Used in conjunction with alert file input only. This option compensates for timing differences between the timestamps in Snort alerts and the start/end times of the corresponding flows. The default --tolerance value is 3600 seconds, which means that flow records within one hour (+/-) of the alert timestamp will be searched.

--config-file=CONFIG_FILE
    Used in conjunction with rule file input only. Snort requires a configuration file which, among other things, defines variables that can be used in Snort rule definitions. This option specifies the location of that configuration file so that IP addresses, port numbers, and other information from the Snort configuration file can be used to find matching flows.

--mask=PREDICATE_LIST
    Exclude the rwfilter predicates named in PREDICATE_LIST from the selection criteria. This option widens the scope of a query by making it more general than the Snort rule or alert provided. For instance, --mask=dport will return flows with any destination port, not just those that match the input Snort alert or rule.

--verbose
    Print the resulting rwfilter(1) command to the standard error prior to executing it.

--dry-run
    Print the resulting rwfilter(1) command to the standard error but do not execute it.

--help
    Print the available options and exit.

--version
    Print the version number and information about how SiLK was configured, then exit the application.

EXAMPLES

In the following examples, the dollar sign ($) represents the shell prompt. The text after the dollar sign represents the command line. Lines have been wrapped for improved readability, and the backslash (\) is used to indicate a wrapped line.

To find SiLK flows matching a Snort alert in snort_fast format:



 $ rwidsquery --intype fast --year 2007 --tolerance 300 alert.fast.txt



For the following Snort alert:



 Nov  15 00:00:58 hostname snort[5214]: [1:1416:11]
 SNMP broadcast trap [Classification: Attempted Information Leak]
 [Priority: 2]: {TCP}
 192.168.0.1:4161 -> 127.0.0.1:139



The resulting rwfilter(1) command would look similar to:



 $ rwfilter --start-date=2007/11/14:23 --end-date=2007/11/15:00     \
        --stime=2007/11/14:23:55:58-2007/11/15:00:05:58             \
        --saddress=192.168.0.1 --sport=4161 --daddress=127.0.0.1    \
        --dport=139 --protocol=6 --pass=stdout



If you want to find flows matching the same criteria, except you want UDP flows instead of TCP flows, use the following syntax:



 $ rwidsquery --intype fast --year 2007 --tolerance 300     \
        --mask protocol alert.fast.txt -- --protocol=17



which would yield the following rwfilter command line:



 $ rwfilter --start-date=2007/11/14:23 --end-date=2007/11/15:00     \
        --stime=2007/11/14:23:55:58-2007/11/15:00:05:58             \
        --saddress=192.168.0.1 --sport=4161 --daddress=127.0.0.1    \
        --dport=139 --protocol=17 --pass=stdout



To find SiLK flows matching a Snort rule:



 $ rwidsquery --intype rule --start 2008/02/20:00 --end 2008/02/20:02 \
        --config /opt/local/etc/snort/snort.conf --verbose rule.txt



For the following Snort rule:



 alert icmp $EXTERNAL_NET any -> $HOME_NET any
 (msg:"ICMP Parameter Problem Bad Length"; icode:2; itype:12;
 classtype:misc-activity; sid:425; rev:6;)



The resulting rwfilter(1) command would look similar to:



 $ rwfilter --start-date=2008/02/20:00 --end-date=2008/02/20:02     \
        --stime=2008/02/20:00-2008/02/20:02                         \
        --sipset=/tmp/tmpeKIPn2.set --icmp-code=2 --icmp-type=12    \
        --pass=stdout
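
The transformation that the two snort_fast examples above illustrate, as an added Python example that is not part of SiLK, rwidsquery or this manual page: it parses a constructed snort_fast alert line into its fields, derives the hour-granular --start-date/--end-date bounds and the exact --stime window from the alert timestamp plus the --year and --tolerance values, leaves out any predicate named in --mask, and appends pass-through rwfilter arguments (those given after --) ahead of --pass. The regular expression, the function names and the protocol-number table are assumptions of this example. It goes one step beyond the page's TCP alert in that it also accepts ICMP alerts, which carry no port numbers, by omitting the --sport and --dport predicates.

```python
"""Added example, not part of SiLK or rwidsquery: rebuild the rwfilter
argument list that rwidsquery derives from a snort_fast alert line."""
import re
from datetime import datetime, timedelta

# Protocol names as printed in snort_fast alerts -> IP protocol numbers for
# rwfilter's --protocol switch (assumed table; extend as needed).
PROTOCOL_NUMBERS = {"ICMP": 1, "TCP": 6, "UDP": 17}

# Assumed layout of one snort_fast line. Ports are optional so that ICMP
# alerts ("{ICMP} 10.0.0.1 -> 10.0.0.2") parse as well as TCP/UDP ones.
FAST_ALERT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"\S+\s+snort\[\d+\]:\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r".*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<sip>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dip>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: the alert from the EXAMPLES section joined onto one line.
SAMPLE_FAST_ALERT = (
    "Nov  15 00:00:58 hostname snort[5214]: [1:1416:11] SNMP broadcast trap "
    "[Classification: Attempted Information Leak] [Priority: 2]: {TCP} "
    "192.168.0.1:4161 -> 127.0.0.1:139"
)


def parse_fast_alert(line, year):
    """Return the alert's fields; `year` supplies what the timestamp lacks."""
    m = FAST_ALERT_RE.match(line.strip())
    if m is None:
        raise ValueError("not a snort_fast alert: %r" % line)
    month = datetime.strptime(m.group("mon"), "%b").month
    hour, minute, second = (int(x) for x in m.group("time").split(":"))
    return {
        "time": datetime(year, month, int(m.group("day")), hour, minute, second),
        "sid": "%s:%s:%s" % (m.group("gid"), m.group("sid"), m.group("rev")),
        "proto": m.group("proto"),
        "sip": m.group("sip"), "sport": m.group("sport"),
        "dip": m.group("dip"), "dport": m.group("dport"),
    }


def build_rwfilter_args(alert, tolerance=3600, mask=(), extra=(), pass_dest="stdout"):
    """Translate parsed alert fields into an rwfilter argument vector.

    tolerance: seconds either side of the alert time (rwidsquery's default 3600)
    mask:      predicate names to leave out, as with --mask=PREDICATE_LIST
    extra:     arguments passed through unchanged, as given after '--'
    """
    if alert["proto"] not in PROTOCOL_NUMBERS:
        raise ValueError("unknown protocol %r" % alert["proto"])
    window = timedelta(seconds=tolerance)
    low, high = alert["time"] - window, alert["time"] + window
    hour_fmt, stamp_fmt = "%Y/%m/%d:%H", "%Y/%m/%d:%H:%M:%S"
    # Hour-granular --start-date/--end-date select the repository files to
    # read; --stime then narrows to the exact window. None values (ICMP
    # ports) are skipped, as are masked predicates.
    predicates = [
        ("start-date", low.strftime(hour_fmt)),
        ("end-date", high.strftime(hour_fmt)),
        ("stime", low.strftime(stamp_fmt) + "-" + high.strftime(stamp_fmt)),
        ("saddress", alert["sip"]),
        ("sport", alert["sport"]),
        ("daddress", alert["dip"]),
        ("dport", alert["dport"]),
        ("protocol", PROTOCOL_NUMBERS[alert["proto"]]),
    ]
    args = ["rwfilter"]
    for name, value in predicates:
        if value is not None and name not in mask:
            args.append("--%s=%s" % (name, value))
    args.extend(extra)
    args.append("--pass=%s" % pass_dest)
    return args


if __name__ == "__main__":
    alert = parse_fast_alert(SAMPLE_FAST_ALERT, year=2007)
    print(" ".join(build_rwfilter_args(alert, tolerance=300)))
    # Same query widened to UDP: drop the TCP predicate, pass --protocol=17 through.
    print(" ".join(build_rwfilter_args(alert, tolerance=300,
                                       mask=("protocol",), extra=("--protocol=17",))))
```

Run stand-alone, the script prints the two rwfilter command lines shown in the examples above (the argument order follows the page). The pass-through arguments are appended after the derived predicates, which is why --mask must be used to remove the alert's own --protocol predicate before a conflicting --protocol=17 can be supplied; rwfilter would otherwise receive the switch twice.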



ENVIRONMENT

SILK_CLOBBER
    The SiLK tools normally refuse to overwrite existing files. Setting SILK_CLOBBER to a non-empty value removes this restriction.

SILK_CONFIG_FILE
    This environment variable is used as the location for the site configuration file, silk.conf. When this environment variable is not set, rwfilter searches for the site configuration file in the locations specified in the FILES section.

SILK_DATA_ROOTDIR
    This environment variable specifies the root directory of the data repository for rwfilter. This value overrides the compiled-in value. In addition, rwfilter may use this value when searching for the SiLK site configuration file. See the FILES section for details.

SILK_RWFILTER_THREADS
    The number of threads rwfilter uses when reading files from the data store.

SILK_PATH
    This environment variable gives the root of the install tree. When searching for the site configuration file, rwfilter may use this environment variable. See the FILES section for details.

RWFILTER
    Complete path to the rwfilter program. If not set, rwidsquery attempts to find rwfilter on your PATH.

FILES

${SILK_CONFIG_FILE}
${SILK_DATA_ROOTDIR}/silk.conf
/data/silk.conf
${SILK_PATH}/share/silk/silk.conf
${SILK_PATH}/share/silk.conf
/usr/local/share/silk/silk.conf
/usr/local/share/silk.conf
    Possible locations for the SiLK site configuration file, silk.conf, which rwfilter reads.

SEE ALSO

rwfilter(1), silk.conf(5), silk(7), snort(8)


SiLK 3.11.0.1 RWIDSQUERY (1) 2016-04-05
