Snort mailing list archives
Snort 3 - Figuring out RNA
From: Y M via Snort-devel <snort-devel () lists snort org>
Date: Wed, 29 Apr 2020 17:42:13 +0000
Hello,
I am trying to figure out how to configure RNA in order to add it to the Snort 3 guide on CentOS. There does not appear to be any
rna.text documentation apart from the dev notes, which do not provide configuration information. So I have a couple
of questions.
1. What is the expected format of the RNA configuration file specified by the rna_conf_path?
2. What are the expected fields and format of the fingerprints? Do these not matter, since they will be processed by
the fingerprint decoder under util_lib_path?
3. Using the defaults from rna_config.h while setting enable_logger = true in snort.lua, no logs are
generated. I am guessing that the fingerprint decoder and fingerprints must exist?
4. In rna_config.h, there is a default option to grab banners, enable_banner_grab, which appears to be set to false.
However, the documentation does not state any way to configure it otherwise.
5. I experimented with the following configuration, using nmap-os-db fingerprints:
rna =
{
rna_util_lib_path = '/usr/local/snort/rna/decoder/nmap',
fingerprint_dir = '/usr/local/snort/rna/fingerprints',
custom_fingerprint_dir = '/usr/local/snort/rna/fingerprints',
enable_logger = true
}
The "rna" directory contains the "fingerprint_db.json". I did not receive any errors, but I also did not
observe any logs. Looking at Snort exit stats indicates that RNA is performing as expected?
--------------------------------------------------
rna
icmp_new: 213
udp_bidirectional: 548401
udp_new: 406044
tcp_syn: 860955
tcp_syn_ack: 488610
tcp_midstream: 2033
other_packets: 1014
--------------------------------------------------
Is there an example on how to configure and use RNA?
Thank you.
YM
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Snort 3 - Figuring out RNA Y M via Snort-devel (Apr 29)
- <Possible follow-ups>
- Re: Snort 3 - Figuring out RNA Masud Hasan (mashasan) via Snort-devel (Apr 30)
- Re: Snort 3 - Figuring out RNA Y M via Snort-devel (Apr 30)
- Re: Snort 3 - Figuring out RNA Masud Hasan (mashasan) via Snort-devel (Apr 30)
