rwidsquery - invoke rwfilter to find flows matching Snort signatures
rwidsquery --intype=INPUT_TYPE
[--output-file=OUTPUT_FILE]
[--start-date=YYYY/MM/DD[:HH] [--end-date=YYYY/MM/DD[:HH]]]
[--year=YEAR] [--tolerance=SECONDS]
[--config-file=CONFIG_FILE]
[--mask=PREDICATE_LIST]
[--verbose] [--dry-run]
[INPUT_FILE | -]
[-- EXTRA_RWFILTER_ARGS...]
rwidsquery --help
rwidsquery --version
rwidsquery facilitates selection of SiLK flow records that correspond to
Snort IDS alerts and signatures. rwidsquery takes as input either a
snort(8) alert log or rule file, analyzes the alert or
rule contents, and invokes rwfilter(1) with the
appropriate arguments to retrieve flow records that match attributes of the
input file. rwidsquery will process the Snort rules or alerts from a
single file named on the command line; if no file name is given,
rwidsquery will attempt to read the Snort rules or alerts from the
standard input, unless the standard input is connected to a terminal. An input
file name of "-" or
"stdin" will force rwidsquery to read
from the standard input, even when the standard input is a terminal.
In addition to the options listed below, you can pass extra options through to
rwfilter(1) on the rwidsquery command line. The
syntax for doing so is to place a double-hyphen (--) sequence after all valid
rwidsquery options, and before all of the options you wish to pass
through to rwfilter.
- --intype=INPUT_TYPE
- Specify the type of input contained in the input file. This switch is
required. Two alert formats and one rule format are currently supported.
Valid values for this option are:
- "fast"
- Input is a Snort "fast" log file entry. Alerts are written in
this format when Snort is configured with the
"snort_fast" output module enabled.
"snort_fast" alerts resemble the
following:
Jan 1 01:23:45 hostname snort[1976]: [1:1416:11] ...
- "full"
- Input is a Snort "full" log file entry. Alerts are written in
this format when Snort is configured with the
"snort_full" output module enabled.
"snort_full" alerts look like the
following example:
[**] [116:151:1] (snort decoder) Bad Traffic ...
- "rule"
- Input is a Snort rule (signature). For example:
alert tcp $EXTERNAL_NET any -> $HOME_NET any ...
- --output-file=OUTPUT_FILE
- Specify the output file that flows will be written to. If not specified,
the default is to write to stdout. The argument to this option becomes the
argument to rwfilter's --pass-destination switch.
- --start-date=YYYY/MM/DD[:HH]
- --end-date=YYYY/MM/DD[:HH]
- Used in conjunction with rule file input only. These two dates bound the
time range that is searched for flows matching the rule. See the
rwfilter(1) manual page for details of the date
format.
- --year=YEAR
- Used in conjunction with alert file input only. Timestamps in Snort alert
files do not contain year information. By default, the current calendar
year is used, but this option can be used to override this default
behavior.
- --tolerance=SECONDS
- Used in conjunction with alert file input only. This option is provided to
compensate for timing differences between the timestamps in Snort alerts
and the start/end time of the corresponding flows. The default
--tolerance value is 3600 seconds, which means that flow records
+/- one hour from the alert timestamp will be searched.
- --config-file=CONFIG_FILE
- Used in conjunction with rule file input only. Snort requires a
configuration file which, among other things, contains variables that can
be used in Snort rule definitions. This option allows you to specify the
location of this configuration file so that IP addresses, port numbers,
and other information from the snort configuration file can be used to
find matching flows.
- --mask=PREDICATE_LIST
- Exclude the rwfilter predicates named in PREDICATE_LIST from
the selection criteria. This option is provided to widen the scope of
queries by making them more general than the Snort rule or alert provided.
For instance, --mask=dport will return flows with any
destination port, not just those which match the input Snort alert or
rule.
- --verbose
- Print the resulting rwfilter(1) command to the
standard error prior to executing it.
- --dry-run
- Print the resulting rwfilter(1) command to the
standard error but do not execute it.
- --help
- Print the available options and exit.
- --version
- Print the version number and information about how SiLK was configured,
then exit the application.
In the following examples, the dollar sign
("$") represents the shell prompt. The text
after the dollar sign represents the command line. Lines have been wrapped for
improved readability, and the backslash
("\") is used to indicate a wrapped line.
To find SiLK flows matching a Snort alert in snort_fast
format:
$ rwidsquery --intype fast --year 2007 --tolerance 300 alert.fast.txt
For the following Snort alert:
Nov 15 00:00:58 hostname snort[5214]: [1:1416:11]
SNMP broadcast trap [Classification: Attempted Information Leak]
[Priority: 2]: {TCP}
192.168.0.1:4161 -> 127.0.0.1:139
The resulting rwfilter(1) command would look
similar to:
$ rwfilter --start-date=2007/11/14:23 --end-date=2007/11/15:00 \
--stime=2007/11/14:23:55:58-2007/11/15:00:05:58 \
--saddress=192.168.0.1 --sport=4161 --daddress=127.0.0.1 \
--dport=139 --protocol=6 --pass=stdout
If you want to find flows matching the same criteria, except you
want UDP flows instead of TCP flows, use the following syntax:
$ rwidsquery --intype fast --year 2007 --tolerance 300 \
--mask protocol alert.fast.txt -- --protocol=17
which would yield the following rwfilter command line:
$ rwfilter --start-date=2007/11/14:23 --end-date=2007/11/15:00 \
--stime=2007/11/14:23:55:58-2007/11/15:00:05:58 \
--saddress=192.168.0.1 --sport=4161 --daddress=127.0.0.1 \
--dport=139 --protocol=17 --pass=stdout
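The two snort_fast examples above follow a fixed recipe: take the alert's timestamp (the year comes from --year because the alert has none), widen it by --tolerance on each side to get the --stime range and the hour-granular --start-date/--end-date, copy the 5-tuple into rwfilter switches, drop whatever --mask names, and append anything after "--". The Python below is an added illustration of that recipe, not rwidsquery's own code. It assumes that mask names are the rwfilter switch names (the page shows dport and protocol) and that output goes to --pass=stdout as in the examples; the sample alert is the page's alert joined back onto one line.

```python
import re
import shlex
from datetime import datetime, timedelta

# IP protocol numbers for the protocol tags that appear in snort_fast alerts
PROTO_NUMBERS = {"ICMP": 1, "TCP": 6, "UDP": 17}

# The page's alert, joined onto a single line as Snort writes it (sample input)
SAMPLE_ALERT = (
    "Nov 15 00:00:58 hostname snort[5214]: [1:1416:11] SNMP broadcast trap "
    "[Classification: Attempted Information Leak] [Priority: 2]: {TCP} "
    "192.168.0.1:4161 -> 127.0.0.1:139"
)

# "Mon DD HH:MM:SS host snort[pid]: [gid:sid:rev] msg ... {PROTO} sip[:sport] -> dip[:dport]"
FAST_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r".*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<sip>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dip>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line, year):
    """Extract the timestamp and 5-tuple from one snort_fast line.
    The caller supplies the year (rwidsquery's --year) because the alert has none."""
    m = FAST_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a snort_fast alert line: {line!r}")
    stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                              "%Y %b %d %H:%M:%S")
    if m["proto"] not in PROTO_NUMBERS:
        raise ValueError(f"unsupported protocol tag {m['proto']!r}")
    return {
        "stime": stamp,
        "saddress": m["sip"], "sport": m["sport"],      # sport/dport are None for ICMP
        "daddress": m["dip"], "dport": m["dport"],
        "protocol": PROTO_NUMBERS[m["proto"]],
    }


def build_rwfilter_args(alert, tolerance=3600, mask=(), extra=(), output="stdout"):
    """Build the rwfilter argument vector for a parsed alert.
    mask:  predicate names to leave out (assumed to be rwfilter switch names)
    extra: pass-through arguments, i.e. what follows '--' on the rwidsquery line"""
    window = timedelta(seconds=tolerance)
    lo, hi = alert["stime"] - window, alert["stime"] + window
    fmt = "%Y/%m/%d:%H:%M:%S"
    predicates = [
        ("stime", f"{lo.strftime(fmt)}-{hi.strftime(fmt)}"),
        ("saddress", alert["saddress"]),
        ("sport", alert["sport"]),
        ("daddress", alert["daddress"]),
        ("dport", alert["dport"]),
        ("protocol", alert["protocol"]),
    ]
    # --start-date/--end-date pick the hourly data files to scan; they are never masked
    args = ["rwfilter", f"--start-date={lo:%Y/%m/%d:%H}", f"--end-date={hi:%Y/%m/%d:%H}"]
    for name, value in predicates:
        if value is not None and name not in mask:
            args.append(f"--{name}={value}")
    args.extend(extra)                 # e.g. ["--protocol=17"] after "--mask protocol"
    args.append(f"--pass={output}")
    return args


def render(args):
    """Shell-quoted command line, as --verbose or --dry-run would print it."""
    return shlex.join(args)


if __name__ == "__main__":
    alert = parse_fast_alert(SAMPLE_ALERT, 2007)
    print(render(build_rwfilter_args(alert, tolerance=300)))
    print(render(build_rwfilter_args(alert, tolerance=300,
                                     mask={"protocol"}, extra=["--protocol=17"])))
```

Run as a script it prints the two rwfilter command lines shown above. The hour-granular dates come from the widened window, not from the alert itself, which is why a 300-second tolerance around 00:00:58 still reaches back into the 23:00 hour file of the previous day.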
To find SiLK flows matching a Snort rule:
$ rwidsquery --intype rule --start 2008/02/20:00 --end 2008/02/20:02 \
--config /opt/local/etc/snort/snort.conf --verbose rule.txt
For the following Snort rule:
alert icmp $EXTERNAL_NET any -> $HOME_NET any
(msg:"ICMP Parameter Problem Bad Length"; icode:2; itype:12;
classtype:misc-activity; sid:425; rev:6;)
The resulting rwfilter(1) command would look
similar to:
$ rwfilter --start-date=2008/02/20:00 --end-date=2008/02/20:02 \
--stime=2008/02/20:00-2008/02/20:02 \
--sipset=/tmp/tmpeKIPn2.set --icmp-code=2 --icmp-type=12 \
--pass=stdout
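For rule input, the --config-file option matters because the rule header names $EXTERNAL_NET and $HOME_NET rather than addresses, and the example above shows the result: the resolved source addresses become an IP set passed through --sipset, while icode/itype become --icmp-code/--icmp-type. The Python below is an added illustration of that resolution, not rwidsquery's own code. It assumes a constructed snort.conf fragment with ipvar definitions, placeholder set-file paths in place of the temporary set file the page shows, that a "!" negation is expanded to the complementary CIDR blocks, and that tcp/udp rules add --protocol (the page shows only an icmp rule). It goes slightly beyond the page by also emitting --dipset when the destination resolves to addresses.

```python
import ipaddress
import re

PROTO_NUMBERS = {"tcp": 6, "udp": 17}   # icmp rules are matched via --icmp-type/--icmp-code

# Constructed snort.conf fragment; a real site's variables differ
SNORT_CONF = """\
# site address variables (constructed for this example)
ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
"""

# The rule from the page
SAMPLE_RULE = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any '
               '(msg:"ICMP Parameter Problem Bad Length"; icode:2; itype:12; '
               'classtype:misc-activity; sid:425; rev:6;)')

# Rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def load_snort_vars(conf_text):
    """Collect var/ipvar/portvar definitions by name; other directives are ignored."""
    found = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 2)
        if len(parts) == 3 and parts[0] in ("var", "ipvar", "portvar"):
            found[parts[1]] = parts[2].strip()
    return found


def _complement(nets):
    """CIDR blocks covering every IPv4 address that is not in nets (for '!')."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for net in nets:
        kept = []
        for block in remaining:
            if net.subnet_of(block):
                kept.extend(block.address_exclude(net))   # yields nothing when equal
            elif not block.subnet_of(net):
                kept.append(block)
        remaining = kept
    return sorted(remaining)


def resolve_addresses(spec, snort_vars):
    """Expand a rule address field to a sorted list of networks, or None for 'any'.
    Handles $VAR, [a,b] lists and a leading '!'; '!' nested inside a list is not
    handled (a simplification of Snort's syntax)."""
    spec = spec.strip()
    if spec == "any":
        return None
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("$"):
        nets = resolve_addresses(snort_vars[spec[1:]], snort_vars)
        if nets is None:
            return None
    else:
        nets = [ipaddress.ip_network(s.strip()) for s in spec.strip("[]").split(",")]
    return _complement(nets) if negated else sorted(nets)


def rule_to_rwfilter(rule, snort_vars, start_date, end_date, output="stdout"):
    """Map one rule to (rwfilter argv, {set_path: [networks]}).
    Set paths are placeholders standing in for the temporary set file."""
    m = RULE_RE.match(" ".join(rule.split()))
    if not m:
        raise ValueError("unrecognised rule header")
    opts = {}
    for item in m["opts"].split(";"):          # assumes no ';' inside the msg string
        if ":" in item:
            key, value = item.split(":", 1)
            opts[key.strip()] = value.strip()
    args = ["rwfilter", f"--start-date={start_date}", f"--end-date={end_date}",
            f"--stime={start_date}-{end_date}"]
    sets = {}
    for side, field in (("s", "src"), ("d", "dst")):
        nets = resolve_addresses(m[field], snort_vars)
        if nets is not None:
            path = f"/tmp/PLACEHOLDER-{side}ipset.set"   # placeholder, not a real file
            sets[path] = nets
            args.append(f"--{side}ipset={path}")
    for side, field in (("s", "sport"), ("d", "dport")):
        if m[field].isdigit():                           # port lists/ranges not handled
            args.append(f"--{side}port={m[field]}")
    if "icode" in opts:
        args.append(f"--icmp-code={opts['icode']}")
    if "itype" in opts:
        args.append(f"--icmp-type={opts['itype']}")
    if m["proto"] in PROTO_NUMBERS:
        args.append(f"--protocol={PROTO_NUMBERS[m['proto']]}")
    args.append(f"--pass={output}")
    return args, sets


def set_file_text(nets):
    """One CIDR per line, the text form rwsetbuild(1) reads to build a set file."""
    return "".join(f"{n}\n" for n in nets)


def contains(nets, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    argv, sets = rule_to_rwfilter(SAMPLE_RULE, load_snort_vars(SNORT_CONF),
                                  "2008/02/20:00", "2008/02/20:02")
    print(" ".join(argv))
    for path, nets in sets.items():
        print(f"{path}: {len(nets)} blocks")
```

Negating HOME_NET yields a couple of dozen CIDR blocks rather than one, which is why an IP set (and --sipset) is the natural way to hand the result to rwfilter.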
- SILK_CLOBBER
- The SiLK tools normally refuse to overwrite existing files. Setting
SILK_CLOBBER to a non-empty value removes this restriction.
- SILK_CONFIG_FILE
- This environment variable is used as the location for the site
configuration file, silk.conf. When this environment variable is
not set, rwfilter searches for the site configuration file in the
locations specified in the "FILES" section.
- SILK_DATA_ROOTDIR
- This environment variable specifies the root directory of data repository
for rwfilter. This value overrides the compiled-in value. In
addition, rwfilter may use this value when searching for the SiLK
site configuration files. See the "FILES" section for
details.
- SILK_RWFILTER_THREADS
- The number of threads rwfilter uses when reading files from the
data store.
- SILK_PATH
- This environment variable gives the root of the install tree. When
searching for the site configuration file, rwfilter may use this
environment variable. See the "FILES" section for details.
- RWFILTER
- Complete path to the rwfilter program. If not set,
rwidsquery attempts to find rwfilter on your PATH.
- ${SILK_CONFIG_FILE}
- ${SILK_DATA_ROOTDIR}/silk.conf
- /data/silk.conf
- ${SILK_PATH}/share/silk/silk.conf
- ${SILK_PATH}/share/silk.conf
- /usr/local/share/silk/silk.conf
- /usr/local/share/silk.conf
- Possible locations for the SiLK site configuration file, for report types
that use rwfilter.
rwfilter(1), silk(7), snort(8)