
FreeBSD Manual Pages

rwidsquery(1)			SiLK Tool Suite			 rwidsquery(1)

NAME
       rwidsquery - invoke rwfilter to find flows matching Snort signatures

SYNOPSIS
	rwidsquery --intype=INPUT_TYPE
	       [--output-file=OUTPUT_FILE]
	       [--start-date=YYYY/MM/DD[:HH] [--end-date=YYYY/MM/DD[:HH]]]
	       [--year=YEAR] [--tolerance=SECONDS]
	       [--config-file=CONFIG_FILE]
	       [--mask=PREDICATE_LIST]
	       [--verbose] [--dry-run]
	       [INPUT_FILE | -]
	       [-- EXTRA_RWFILTER_ARGS...]

	 rwidsquery --help

	 rwidsquery --version

DESCRIPTION
       rwidsquery facilitates selection	of SiLK	flow records that correspond
       to Snort	IDS alerts and signatures.  rwidsquery takes as	input either a
       snort(8)	alert log or rule file,	analyzes the alert or rule contents,
       and invokes rwfilter(1) with the	appropriate arguments to retrieve flow
       records that match attributes of	the input file.	 rwidsquery will
       process the Snort rules or alerts from a	single file named on the
       command line; if	no file	name is	given, rwidsquery will attempt to read
       the Snort rules or alerts from the standard input, unless the standard
       input is	connected to a terminal.  An input file	name of	"-" or "stdin"
       will force rwidsquery to	read from the standard input, even when	the
       standard	input is a terminal.

OPTIONS
       In addition to the options listed below, you can pass extra options
       through to rwfilter(1) on the rwidsquery command line.  The syntax for
       doing so is to place a double-hyphen (--) sequence after all valid
       rwidsquery options, and before all of the options you wish to pass
       through to rwfilter.  When a pass-through option is meant to replace a
       predicate that rwidsquery derives from the alert or rule, also name
       that predicate in --mask; otherwise rwfilter receives the same switch
       twice, once from rwidsquery and once from you (the UDP example in the
       EXAMPLES section shows the masked form).

       --intype=INPUT_TYPE
	   Specify the type of input contained in the input file.  This	switch
	   is required.	 Two alert formats and one rule	format are currently
	   supported.  Valid values for	this option are:

           "fast"
               Input is a Snort "fast" alert: one line per alert.  Snort
               writes this layout through its alert_fast output module; the
               examples in this page show the syslog form, which carries the
               same fields after a syslog prefix.  Such alerts resemble the
               following:

                   Jan  1 01:23:45 hostname snort[1976]: [1:1416:11] ...

           "full"
               Input is a Snort "full" alert, as written by Snort's
               alert_full output module.  Such alerts look like the
               following example:

                   [**] [116:151:1] (snort decoder) Bad Traffic  ...

	   "rule"
	       Input is	a Snort	rule (signature).  For example:

		   alert tcp $EXTERNAL_NET any -> $HOME_NET any	...

       --output-file=OUTPUT_FILE
	   Specify the output file that	flows will be written to.  If not
	   specified, the default is to	write to stdout.  The argument to this
	   option becomes the argument to rwfilter's --pass-destination
	   switch.

       --start-date=YYYY/MM/DD[:HH]
       --end-date=YYYY/MM/DD[:HH]
	   Used	in conjunction with rule file input only.  The date predicates
	   indicate which time to start	and end	the search. See	the
	   rwfilter(1) manual page for details of the date format.

       --year=YEAR
           Used in conjunction with alert file input only.  Timestamps in
           Snort alert files do not contain year information.  By default, the
           current calendar year is used, but this option can be used to
           override this default behavior.  A single year applies to every
           alert in the input, so an alert log that spans a New Year must be
           split before it is queried, and a query over last year's alerts
           that omits --year searches the wrong year without complaint.

       --tolerance=SECONDS
           Used in conjunction with alert file input only.  This option is
           provided to compensate for timing differences between the
           timestamps in Snort alerts and the start/end time of the
           corresponding flows.  The default --tolerance value is 3600
           seconds, which means that flow records +/- one hour from the alert
           timestamp will be searched.  The window is applied to the flow
           start time (rwfilter's --stime, as the EXAMPLES section shows), so
           a long-lived flow that began before the window is not returned, and
           neither is a flow from a sensor whose clock is skewed from the
           Snort host's by more than SECONDS; when the flow sensor and the
           Snort sensor are different hosts, widen the tolerance rather than
           narrowing it.

       --config-file=CONFIG_FILE
           Used in conjunction with rule file input only.  Snort requires a
           configuration file which, among other things, contains variables
           that can be used in Snort rule definitions.  This option allows you
           to specify the location of this configuration file so that IP
           addresses, port numbers, and other information from the snort
           configuration file can be used to find matching flows.  Address
           variables such as $EXTERNAL_NET are expanded into IP sets written
           to temporary files and handed to rwfilter as IP set predicates (the
           rule example below shows --sipset).  Check that the file named here
           is the one the sensor actually runs with: its variable definitions
           decide which addresses the query covers.

       --mask=PREDICATE_LIST
	   Exclude the rwfilter	predicates named in PREDICATE_LIST from	the
	   selection criteria.	This option is provided	to widen the scope of
	   queries by making them more general than the	Snort rule or alert
	   provided.  For instance, --mask=dport will return flows with	any
	   destination port, not just those which match	the input Snort	alert
	   or rule.

       --verbose
	   Print the resulting rwfilter(1) command to the standard error prior
	   to executing	it.

       --dry-run
	   Print the resulting rwfilter(1) command to the standard error but
	   do not execute it.

       --help
	   Print the available options and exit.

       --version
	   Print the version number and	information about how SiLK was
	   configured, then exit the application.

EXAMPLES
       In the following	examples, the dollar sign ("$")	represents the shell
       prompt.	The text after the dollar sign represents the command line.
       Lines have been wrapped for improved readability, and the back slash
       ("\") is	used to	indicate a wrapped line.

       To find SiLK flows matching a Snort alert in snort_fast format:

	$ rwidsquery --intype fast --year 2007 --tolerance 300 alert.fast.txt

       For the following Snort alert:

	Nov  15	00:00:58 hostname snort[5214]: [1:1416:11]
	SNMP broadcast trap [Classification: Attempted Information Leak]
	[Priority: 2]: {TCP}
	192.168.0.1:4161 -> 127.0.0.1:139

       The resulting rwfilter(1) command would look similar to:

	$ rwfilter --start-date=2007/11/14:23 --end-date=2007/11/15:00	   \
	       --stime=2007/11/14:23:55:58-2007/11/15:00:05:58		   \
	       --saddress=192.168.0.1 --sport=4161 --daddress=127.0.0.1	   \
	       --dport=139 --protocol=6	--pass=stdout

       If you want to find flows matching the same criteria, except you	want
       UDP flows instead of TCP	flows, use the following syntax:

	$ rwidsquery --intype fast --year 2007 --tolerance 300	   \
	       --mask protocol alert.fast.txt -- --protocol=17

       which would yield the following rwfilter	command	line:

	$ rwfilter --start-date=2007/11/14:23 --end-date=2007/11/15:00	   \
	       --stime=2007/11/14:23:55:58-2007/11/15:00:05:58		   \
	       --saddress=192.168.0.1 --sport=4161 --daddress=127.0.0.1	   \
	       --dport=139 --protocol=17 --pass=stdout
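       The translation that the two fast-format examples above perform, as an
       added Python example (this is not code from the SiLK distribution, in
       which rwidsquery is a separate program): it parses the syslog-style
       one-line alert quoted in this page, applies --year and --tolerance to
       derive the hourly --start-date/--end-date range and the
       second-granular --stime window, omits the port predicates for ICMP
       alerts, and applies --mask and the pass-through arguments.  The sample
       alert lines are constructed from the page's example, and FAST_RE,
       parse_fast_alert and rwfilter_args are this example's own names; the
       rwfilter switches are the ones shown in the generated command lines
       above.  It also works through an edge case the --year option only
       implies: an alert from shortly after midnight on 1 January whose
       tolerance window reaches back into the previous year.

```python
import re
import shlex
from datetime import datetime, timedelta

# Constructed sample input: the fast (syslog-style) alert from the EXAMPLES
# section, joined onto one line as Snort writes it.
SAMPLE_ALERT = (
    "Nov 15 00:00:58 hostname snort[5214]: [1:1416:11] SNMP broadcast trap "
    "[Classification: Attempted Information Leak] [Priority: 2]: {TCP} "
    "192.168.0.1:4161 -> 127.0.0.1:139"
)
# Constructed ICMP alert (no ports) just after New Year; sid 425 is the rule
# from the EXAMPLES section, the addresses are documentation ranges.
SAMPLE_ICMP = (
    "Jan  1 00:00:30 hostname snort[5214]: [1:425:6] ICMP Parameter Problem "
    "Bad Length [Classification: Misc activity] [Priority: 3]: {ICMP} "
    "203.0.113.7 -> 192.0.2.10"
)

# IANA protocol numbers for the names Snort prints between braces.
PROTO_NUM = {"ICMP": 1, "TCP": 6, "UDP": 17}

# One-line alert layout: syslog timestamp, [gid:sid:rev], message, optional
# classification and priority, {PROTO}, then src -> dst; ports only for TCP/UDP.
FAST_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<hms>\d\d:\d\d:\d\d)\s+"
    r".*?\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?(?:\[Priority:\s*\d+\]:?\s+)?"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<sip>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dip>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

SILK_HOUR = "%Y/%m/%d:%H"       # granularity of --start-date / --end-date
SILK_SEC = "%Y/%m/%d:%H:%M:%S"  # granularity of --stime


def parse_fast_alert(line, year):
    """Extract the fields rwidsquery needs from one fast-format alert line.

    Snort alerts carry no year, so the caller supplies it (the --year switch).
    """
    m = FAST_RE.match(line.strip())
    if m is None:
        raise ValueError("not a fast-format Snort alert: %r" % line)
    when = datetime.strptime(
        "%d %s %s %s" % (year, m["mon"], m["day"], m["hms"]), "%Y %b %d %H:%M:%S")
    return {
        "time": when, "proto": PROTO_NUM[m["proto"]], "msg": m["msg"],
        "sid": (int(m["gid"]), int(m["sid"]), int(m["rev"])),
        "sip": m["sip"], "sport": m["sport"],   # sport/dport are None for ICMP
        "dip": m["dip"], "dport": m["dport"],
    }


def rwfilter_args(line, year, tolerance=3600, mask=(), extra=(), output=None):
    """Build the rwfilter argument vector for one alert.

    mask   - predicate names to drop (the --mask switch)
    extra  - arguments given after "--", appended verbatim
    output - the --output-file value; None means --pass=stdout
    """
    a = parse_fast_alert(line, year)
    lo = a["time"] - timedelta(seconds=tolerance)
    hi = a["time"] + timedelta(seconds=tolerance)
    preds = [
        ("start-date", lo.strftime(SILK_HOUR)),   # which hourly files to read
        ("end-date", hi.strftime(SILK_HOUR)),
        ("stime", lo.strftime(SILK_SEC) + "-" + hi.strftime(SILK_SEC)),
        ("saddress", a["sip"]), ("sport", a["sport"]),
        ("daddress", a["dip"]), ("dport", a["dport"]),
        ("protocol", str(a["proto"])),
    ]
    argv = ["rwfilter"]
    argv += ["--%s=%s" % (k, v) for k, v in preds if v is not None and k not in mask]
    argv += list(extra)
    argv.append("--pass=stdout" if output is None else "--pass-destination=" + output)
    return argv


if __name__ == "__main__":
    # Same command lines as the two examples above (what --dry-run would print).
    print(shlex.join(rwfilter_args(SAMPLE_ALERT, 2007, 300)))
    print(shlex.join(rwfilter_args(SAMPLE_ALERT, 2007, 300,
                                   mask={"protocol"}, extra=["--protocol=17"])))
    # Year-boundary case: --year=2008 but the window starts in 2007.
    print(shlex.join(rwfilter_args(SAMPLE_ICMP, 2008)))
```

       Run it to see the two rwfilter lines from the examples above followed
       by the ICMP one, which carries --start-date=2007/12/31:23 and no port
       predicates; rwidsquery itself prints the equivalent line with --verbose
       or --dry-run, which is the check to make before trusting any query that
       uses --mask or pass-through arguments.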

       To find SiLK flows matching a Snort rule:

	$ rwidsquery --intype rule --start 2008/02/20:00 --end 2008/02/20:02 \
	       --config	/opt/local/etc/snort/snort.conf	--verbose rule.txt

       For the following Snort rule:

	alert icmp $EXTERNAL_NET any ->	$HOME_NET any
	(msg:"ICMP Parameter Problem Bad Length"; icode:2; itype:12;
	classtype:misc-activity; sid:425; rev:6;)

       The resulting rwfilter(1) command would look similar to:

	$ rwfilter --start-date=2008/02/20:00 --end-date=2008/02/20:02	   \
	       --stime=2008/02/20:00-2008/02/20:02			   \
	       --sipset=/tmp/tmpeKIPn2.set --icmp-code=2 --icmp-type=12	   \
	       --pass=stdout

ENVIRONMENT
       SILK_CLOBBER
	   The SiLK tools normally refuse to overwrite existing	files.
	   Setting SILK_CLOBBER	to a non-empty value removes this restriction.

       SILK_CONFIG_FILE
	   This	environment variable is	used as	the location for the site
	   configuration file, silk.conf.  When	this environment variable is
	   not set, rwfilter searches for the site configuration file in the
	   locations specified in the "FILES" section.

       SILK_DATA_ROOTDIR
	   This	environment variable specifies the root	directory of data
	   repository for rwfilter.  This value	overrides the compiled-in
	   value.  In addition,	rwfilter may use this value when searching for
	   the SiLK site configuration files.  See the "FILES" section for
	   details.

       SILK_RWFILTER_THREADS
	   The number of threads rwfilter uses when reading files from the
	   data	store.

       SILK_PATH
	   This	environment variable gives the root of the install tree.  When
	   searching for the site configuration	file, rwfilter may use this
	   environment variable.  See the "FILES" section for details.

       RWFILTER
	   Complete path to the	rwfilter program.  If not set, rwidsquery
	   attempts to find rwfilter on	your PATH.

FILES
       ${SILK_CONFIG_FILE}
       ${SILK_DATA_ROOTDIR}/silk.conf
       /data/silk.conf
       ${SILK_PATH}/share/silk/silk.conf
       ${SILK_PATH}/share/silk.conf
       /usr/local/share/silk/silk.conf
       /usr/local/share/silk.conf
           Possible locations for the SiLK site configuration file, which is
           read by the rwfilter process that rwidsquery invokes.

SEE ALSO
       rwfilter(1), silk(7), snort(8)

SiLK 3.19.1			  2021-02-28			 rwidsquery(1)

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=rwidsquery&sektion=1&manpath=FreeBSD+13.0-RELEASE+and+Ports>