Versions Compared

Version Old Version 1 New Version 2
Changes made by

Anonymous

Leigh Purdie (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Snare modular objectives begin life extremely simply. As you add more components, and more complex match settings, Snare will enable greater flexibility, and more configuration options.

Info
titleExample

The simple configuration dialog shown below scans the "Snare Central Log" data source, for any events produced over the course of the last 30 days, and displays a 15 minute 'Pattern Map' of the resulting data. A PDF has also been added to the output component list.

A reasonably simple modular configuration dialog

 

Info
titleExample

A more complex objective is introduced below, as an indication of how flexible and comprehensive the Snare Modular objective query and output builder can be. The objective:

  • Defines search criteria that looks for any events that match:
    • Dates between this time last month, and yesterday, non-inclusive.
    • Events related to login failures.
    • For EITHER the users DJSMITH, PTTHOMP, SJCOOK, KPWEIP, or LTROMA) OR from any source system starting with the word 'WORKSTATION', followed by a number that starts with 10,11,12,13 or 14.
  • Defines two additional 'tokens':
    • 'DESTUSER' scans the 'STRINGS' field of Windows Security logs, for a target account name, which is pulled out of the event using the following regular expression search:
      • (?<=:logon to account:| User Name:| Target Account Name:|Account For Which Logon Failed: Security ID: ....... Account Name:) *(.*?) *(?=: *by:| *Domain:| *Target Account ID:| *Account Domain:)
    • 'FAILREASON' also scans the 'STRINGS' field of Windows Security logs, for information on why a login failure occurred, using the following regular expression match:
      • (?<=:Reason:|User Account ) *(.*?) *(?=:Status:|User Name:|Domain:|: *Target Account Name:)
  • Outputs a standard 15 minute pattern map, using yellow and red to show parts of the day where low or high volumes (respectively) of event data have been discovered.
  • Outputs a pattern map highlighting occurrences of each destination user account name.
  • Sets the objective up as a real-time objective, sending the output to the email list defined in the 'Objective Schedule' area of the objective. The title of the email has been configured to be "Failed login on sensitive workstations, or by monitored users".
  • Outputs a Table of the first 500 results that match the criteria outlined above, 50 results per page, displaying only the fields Date, Time, System, EventID, DestUser, and FailReason. A CSV dump of the table will also be produced.
  • Outputs a horizontal graph of the top 20 systems that match the search criteria for the objective.
  • Outputs a line graph of events-per-day that match the search criteria for an objective.

Although the information above, and the image below, are likely to be quite overwhelming when first encountered, this document will explain each section in more detail.

A more complex modular objective configuration dialog

 

Objective HeaderImage Modified

The objective header displays:

  • The icon that is currently associated with the objective.
  • The objective title (Failed User Logins), the data source it currently interrogates (Windows Security), and the documentation assigned to the objective.
  • A modular objective configuration management panel, described below.

Criticality

An objective can be assigned a criticality level by clicking on the green, yellow, orange or red radio buttons.
If the objective has any information to report in any of the modular output components, the objective will be tagged with the appropriate colour in the objective navigation panel.
 

Tip
An objective tagged with a 'green' criticality will retain the default 'black' writing when it is displayed in the objective navigation panel.


Tip
The navigation panel will not refresh immediately in response to the change in criticality status for an objective. Generally, the updated status can be seen on next login, but it may be sooner if you, or another Snare Central user, modifies an objective or container name, or position, in the objective navigation panel.

Objective Type

Snare includes a range of 'templates' (often referred to as an 'Objective Type' in the Snare Central user interface) to make the job of a Snare administrator easier when crafting a new objective. These templates are hard-coded in the Snare Central, may pre-define custom search criteria for you, will sometimes include custom code to perform tasks, and may be updated and expanded on each release of the Snare Central.

...

  • Report whenever a user attempts to access a sensitive file on a Windows file server.
  • Notify administrators when a particular Solaris user attempts to run a command.
  • Show modifications to permission flags, for ACF2 accounts.
  • Show all attempts to gain access to the root account on AIX systems.
  • Compare the current CISCO PIX or Router configuration to an authorised version.
  • Display events related to electronic mail delivery, for Gauntlet firewalls.
  • Search syslog data for attempts to use the 'sudo' or 'su' commands to escalate privileges.
  • Search IPTables firewall logs for dropped packets that have a source address of a non-routable IP block.
  • Highlight attempts to port-scan a NetScreen firewall.
  • Show attempts to change the configuration of a Nortel VPN Router.
  • Monitor attempts to access RACF resources.
  • Highlight failed authentication attempts on a SOCKS server.
  • Display results from the Snort network intrusion detection system.
  • Report on inappropriate material accessed through the corporate proxy server.
  • Show out-of-hours login access for Windows systems.

...


Info
titleExample
A Windows failed login template, will pre-define a match setting that looks for events that contain an EventID of 529, 530, 531, 532, 533, 534, 535, 536, 537, 539, 644, 681 or 4625 - all of which indicate a failed login event. If Microsoft adds a new failed login event to Windows, a future version of the Snare Central will update the windows failed login template so that existing objectives also pick up the new information.

...

A checkbox is available at the bottom left hand side of the dialog window, which will hide categories for which there is no event data on your Snare Central.

Unlock Objective

Objectives that are based on a pre-defined objective template can be 'unlocked', in order to change the pre-defined match settings, but once they are unlocked, they may no longer include the custom tokens, or custom modular components, and will not have their components upgraded by the InterSect Alliance team with new releases.

Objectives that are 'locked' can still have additional match settings and tokens, added to the mix. Match settings and tokens are explored further below.

Field SettingsImage Modified

The field settings section displays a list of the 'fields' that are available to use in your search criteria, and also as input fields for modular output components.

Snare also allows you to 'break apart' an existing field, and place the resulting sub-string into a field with a new name; this is known as a 'Token'.

Tokens

If a small part of an existing field needs to be captured for further analysis, or reporting reasons, a new token can be defined by clicking on the green 'Add New' button.
A new dialog window will appear, which will allow you to configure your new token.

...

Info

"Field Name" defines the name that you wish to assign to the new field.

"Configure the Field" asks you to select the source field that contains the information you are looking for.

"Search Criteria" asks you to define the regular expression that will be used to pull the substring out of the field content.


Tip

A regular expression is a complex, but extremely powerful tool, that will facilitate flexible matching, and extraction of substrings. We will cover regular expressions in more detail below, but in Snare, they take the general form:

  • Text to match before substring (Substring match) Text to match after substring


So, for example, assume the DETAILS field of an event includes the following string:


Safend Protector File Logging Alter Details: User: george Computer: Machine1234 Client GMT: 8/10/2011 4:13:23 AM Client Local Time: 8/10/2011 3:13:23 PM Server Time: 8/10/2011 4:13:30 AM Group: Policy: policy Device Description: Disk drive Device Info: Kingston DataTraveler 2.0 USB Device Port: USB Device Type: Removable Storage Devices Vendor: 13FE Model: 1D00 Distinct ID: ID001 Details: File Name: file.pdf File Type: pdf File Size: 50945 Created: 8/10/2011 3:13:23 PM Modified: 8/10/2011 2:23:44 PM Action: Write

 In order to capture the user (highlighted in bold and red) from the above string, the regular expression would need to look for the word after the "User: " sub-string, that is composed of alphanumeric characters (with the addition of the '@' symbol).

The token required to achieve this looks like:

Field Name: USER
Source Field: STRINGS
Search Criteria: User:\s*([A-Za-z0-9@]+)*

This translates as: look for a "User:" sub-string, then 0 or more white spaces, then anything after that which contains 1 or more letters, numbers, or an @ symbol. This is then a valid token according to our search criteria.

Tokens, once created, are then treated as if they were a normal field, and can be filtered, grouped, sorted, or used as a target field in any modular output component that uses fields (eg: Graphs or Tables). This creates a powerful mechanism to effectively query sub-strings which are contained within a much larger string. Any number of tokens can be created which allows for a variety of choices when querying strings within strings.

A regular expression tester is also available, which can assist you with the process of creating a token; it can be accessed by clicking the 'Regular expression tester' link near the base of the token definition dialog.

Testing a regular expression match

If the expression you are using has a match somewhere in the sample log entry, it will be highlighted in yellow. Red text indicates the area of the sample that exactly matches your token expression, and a section highlighted in green shows the actual substring that will be pulled out by the token. 

Once you are happy that the regular expression meets your requirements, you can copy the expression back to your token with a click of a button, rather than copying/pasting the information from the dialog.


Info
titleExample

Regular expression samples:

  • from=<([^>]+)
    • search for the word 'from' followed by an equal sign, and a less than symbol. Retrieve any characters after that, until you encounter a greater-than symbol (>)
    • from=<john@somewhere.com>
  • (?<=Account Name: ) (.*?)(?= :New Account|New Domain|Target Domain|Account|Domain|Caller)
    • Retrieve any text between the strings "Account Name: " and one of either " New Account", " New Domain", " Target Domain", " Account", " Domain" or " Caller"
    • Account Name: DNI\UserLP Target Domain: DNI
  • open(([^)]+))
    • Search for the string "open(", and retrieve any characters after that until you encounter a close bracket.
    • open(O_RDONLY|O_RDWR)
  • ^.............(..........)
    • Ignore the first 13 characters of this field, and retrieve the next 10.
    • INFORMATION: SUCCESS USER: JABLOGGS
  • ^.{12}(.{9})
    • Same as the above example, but using the regular expression 'repeat' function: Ignore the first 13 characters of this field, and retrieve the next 10.
    • INFORMATION: SUCCESS USER: JABLOGGS
  • ^.{12}([a-zA-Z0-9]{9})
    • Same as the above example, but cuts out the extra spaces after "SUCCESS", by limiting the valid retrieved characters to alphanumerics only.
    • INFORMATION: SUCCESS USER: JABLOGGS


Tip
Tokens that you have created, or can modify, are highlighted in green. Tokens that are part of an underlying objective template, and are therefore locked, will be highlighted in red.

Configure Match Settings


Info

Snare's query builder is a flexible tool that allows you to create very complex search criteria, incorporating precedence, logical operations, and advanced matching capabilities.

Show Current Query

Although Snare does not utilise a database back-end for data storage, queries created with the Snare query builder are translated into SQL syntax, and passed through a database translation layer.

Selecting the '[Show Current Query]' link in the title panel, will pop up a new dialog that displays the SQL query that would be run against the Snare datastore, based on your current match settings.

Info

Adding a New Match

Selecting the 'Add New Match' button will append a new row to your existing match settings. By default, the new row will use 'Date' as the target field, ">" as the comparison operator, and the input field will be initially blank.

Match Row Components


Info

Drag and Drop grab bar 

Each match row can be moved up or down, and positioned before or after other match criteria. Click and hold the grab bar, and drag the match row, to rearrange. Snare evaluates matches from top to bottom.

Field to useImage Modified

Select the field to use for your search criteria, by clicking on this button. A drop-down menu will appear, that will detail the fields that you can choose from.

Snare breaks up event logs into a series of fields for you, when the event arrives at the Snare Central. As described in the section on 'Tokens' above, you can also choose to create meta-fields that represent a predictable portion of a larger field. These tokens will appear in the drop-down menu after you create them.

Comparison operator

The comparison operators available for selection depend on the field you have chosen. Numeric, date, and time values will have the following comparison operators available:

...

  • Equals (=)
  • Not equal to (!=)
  • Contains
    • This will search for a simple case insensitive substring
  • Like
    • Implements a SQL LIKE operator. LIKE uses the 'percent' sign for wildcards - so for example, a search for "%login%failed%" will match the string "attempted login for user 'fred' failed at 17:23:01"
  • Regexp
    • Implements a perlRE2-compatible regular expression search. As highlighted above, regular expressions are complex, but extremely powerful and flexible string search functions.
      • Tip: Snare co-opts the "start of string" and "end of string" characters ("^" and "$" respectively) to refer to the start of the contents of the field you are currently operating on, and the end of the field, rather than referencing the entire line.
  • Not Regexp
    • Excludes all fields that match the supplied regular expression.
  • Includes
    • You may include several comma-separated values in the input field - eg: fred,jim,tony
  • Excludes
    • You may include several comma-separated values in the input field - eg: fred,jim,tony

Input field

A flexible input field that allows you to specify search criteria based on your field and comparison operator.

...

These two '@' symbols, indicate to Snare that the contents of the input field refers to a "Field to use" as highlighted above, rather than a static comparison value. The '@' symbols will be removed, and processed by Snare. Tokens are supported, and the following comparison operations are valid:

  • =
  • !=
  • >
  • <
  • >=
  • <=

 

Tip

Some fields allow you to specify indirect values. The 'Date' field, for example, generally takes arguments of the format "YYYY-MM-DD", but values such as the following are also valid, and will be reinterpreted each time the objective runs:

  • last week
  • next thursday 
  • -7 weeks 
  • first day of next month 
  • last day of april 2012 
  • first day of last month 
  • 3rd april this year + 20 days


The 'Time' field generally prefers times in the format "HH:MM:DD", however it also accepts standard integer values. A number in the 'Time' field will be interpreted as "Now minus 'x' minutes", where 'x' is the value you entered, and 'Now' is the time at which the objective runs. For example:

  • TIME >= 120
    • This will be interpreted by Snare as: "TIME is greater or equal to NOW minus 120 minutes".
    • If the objective runs at 10:05am, Snare will calculate the value to be 08:05:00
    • The match term will then be extrapolated to "TIME IS greater or equal to 08:05:00"

  • Note that TIME >= 120, does NOT NECESSARILY equate to "in the last two hours". Since Snare extrapolates the value to TIME >= 08:05:00, then if you have set your objective to report on data from the last 30 days, it will mean your objective will display data from ANY DAY that matches your other match terms, between 08:05:00 and 23:59:59. Data between 00:00:00 and 08:04:59 will not be displayed by the objective. If you specifically need to ONLY show data within the last two hours, you would need to add a second match term: DATE = today, or alternatively, set your "Maximum Days to Search" slider to "1 day".
  • Note also that the logical sign direction is somewhat counter-intuitive if you do not understand how the Snare Central extrapolates the time value. It could be argued that "<= 120 (minutes)" would be better syntax for "in the last two hours"; however, that would assume that a value in the time field also automatically controls the date field; this is not the case. Please be cautious with your logical sign direction.

Contextual selection button

This button appears for some fields, and provides you with the ability to quickly select either:

...

Tip
Selecting multiple values will generally turn on the 'INCLUDES' comparison operator, if you have not already selected 'INCLUDES' or 'EXCLUDES'.


Examples of dialogs generated as a result of selecting the contextual selection buttonImage Modified
Examples of dialogs generated as a result of selecting the contextual selection buttonImage Modified
Examples of dialogs generated as a result of selecting the contextual selection buttonImage Modified

Decrease match row indentation

The Snare Central query builder is able to implement explicit operation precedence for your match terms, by using indentation of match and logic rows. In this way, groups of match terms can be joined using a variety of logical operations such as AND and OR.

...

Tip
The 'decrease row indentation' arrow will be enabled (green) or disabled (grey) depending on the current row indentation, and whether it is possible to decrease the indentation of the row any more.

Remove match and logic row

Removes the current match row, and the associated logic row, from the Snare query builder. Snare will ask you for confirmation that you wish to remove the row, and then remove the appropriate match from the configuration settings.

Increase match row indentation

Increases the indentation for the associated match row. An increase of indentation is analogous to opening a bracket.

Logical operators

Choose from "AND", "OR", or "NOT" (which translates to "AND NOT").

Decrease logic row indentation

A decrease of indentation in the logic row, like the match row, is analogous to closing a bracket.

Increase logic row indentation

An increase in indentation in the logic row, like the match row, is analogous to opening a bracket.

Output and Configuration ComponentImage Modified


Output and configuration components can be dragged from the top half of this section, into the bottom half, titled "Drop Components Here to add them to the objective output". This will result in either:

...

The number, and type of output components, depends significantly on the data source that is being interrogated.
  

Info
titleExample
  • Objectives that scan firewall or router related event log data may include a 'geolocation map' that attempts to draw a line from the approximate geographic location of a source IP address, to destination IP addresses, on a map of the world.
  • Objectives that scan proxy log data may include special output components that measure bandwidth by target site or user.
  • UNIX systems that use the concept of a 'home directory' may make a special output component available that highlights attempts by users other than the owner, to access a home directory.
  • Objectives focused on network intrusion detection system log data may introduce a 'target port map' output component, that can visually map attempts to port scan a corporate network.

Most components, when added to the objective, will also create a 'configuration panel' that allows you to control the output of each component. A '15 minute pattern map', for example, will provide the option of using a standard linear colour scale for the output, an exponential colour scale that highlights different ranges of data, or even a visual map of a particular target output field. Some of the more common output components are highlighted below.

 

Tip
Some components, when dragged to the drop area, will reveal a second version of the same component in the drag section (eg: Pattern Map, and Pattern Map 2). As such, an objective can have two copies of many components, with slightly different configuration settings applied to each.

Pattern MapImage Modified

The 15 minute pattern map provides a visual overview of event log data, displaying an indication of the volume, or contents of each separate 15 minute segment within the reporting period, as a colour selected from an appropriate area of graduated scale.

...

Each element of the pattern map can be clicked on, with your left mouse button, to search for the data that comprises that particular 15 minute segment. A new dialog will appear in the objective panel that shows the underlying data. The data can be sorted by clicking on a column header. 


Tip
Sorting on 'Date' will sort on both Date and Time. Selecting 'Time' will only sort on the Time column.


Info

Selecting a 15 minute segment - firewall log data


Clicking on a date, to the left of the pattern map, will attempt to generate a table listing all events for that particular day, that match the objective search criteria.

Tip
For high volume sites, this process may take a long time to complete.

Table

Info

To include a dump of event data that matches the search criteria specified for an objective, the 'Tabular Details' modular component can be dragged into the inclusion list.

...



By default, the table will display a subset of the data that matches the objective search criteria. The default settings are 500 rows, at 50 rows per page. 


Tip

The table width will be set to the size of your browser window, minus a small space around the border of the table. For small screens, this can mean that long lines 'squash up' into very narrow columns, and you see very few lines per page.

You can make your entire table bigger by scrolling up to the top-right corner of the table, grabbing the very top-right edge (click and hold your left mouse button), and dragging your mouse off to the right hand side, beyond the boundaries of your page (ie: to the right hand limit of your browser window, or beyond). This will increase the size of the table beyond the visible area of your browser window, and a new scroll-bar will appear at the bottom of your browser window. You can then rearrange the width of each column as appropriate, and each line will take up less vertical screen real-estate.

Results can be 'grouped' to produce a tally of events that contain common field values. In order to activate this, choose the fields that should participate in the 'group', and add them to the table field inclusion list. Select the checkbox next to "Produce a total of the unique values for the included fields", in the "Summary Information" section of the table configuration component. You may also choose to sort by the total unique values column, and potentially rename the column from the default "TOTAL" to something that better represents your data.

...

  • Who are the top 10 users of bandwidth, through our corporate proxy server or firewall? (ie: Produce a sum of 'Bytes' per-user or per-IP)

Tip
SUMMED column values will respect the sort criteria you have attached to the original field. If you ask Snare to produce a SUM of the 'Bytes' field, for example, and have chosen to sort Bytes in descending order, the SUMMED values will be sorted in descending order.


CSV (Tab delimited) and text dumps of the table data can also be produced. These will be available as an attachment to the objective.

Horizontal Graph

Horizontal graphs can be created by adding this element to your modular inclusion list. Select a field to use as a basis for the graph by choosing an option under "Produce a horizontal graph of the total event count for this element".

...

The number of graph 'rows' to be included can be defined, and you can also sort the graph by either the total count (descending), or by the actual field value (alphanumerically).

Info


Pie GraphImage Modified

Pie graphs can be created by adding this element to your modular inclusion list. Select a field to use as a basis for the graph by choosing an option under "Produce a pie graph of the total event count for this element".

You can specify the preferred number of segments to be shown in the pie graph. If these segments do not represent 100% of the returned results, an additional 'Other' segments will be displayed on the pie graph.

Info


Line GraphImage Modified

A line graph of total events can be created by adding this element to your modular inclusion list. You may specify that events should be graphed by Day, Week, Month or Year.

Info


PDF Output

To include a PDF of the objective output, add this component to the modular objective inclusion list. The PDF will be available from the 'Attachments' button in the top panel, and will be included with any electronic mail messages that are sent as a result of this objective being regenerated.

Annotations 

To make objective annotations add this component to the modular objective inclusion list. Once the objective is regenerated, the annotations form is available for editing. By default this content does not go out to end-users in email or when a PDF report is generated, however this can be changed by ticking the associated checkbox in the Annotations configuration.

 

Real-time AlertImage Modified

Activating real-time alerts for any objective activates a module in the collection subsystem, that scans incoming data for events that match your query terms. Real-time alerts can be sent out via email. 


Tip
Activating real-time alerts will significantly reduce your maximum potential event collection speeds. Each additional real-time alert that is activated, will also increase the amount of processing that your server needs to do, per-event, and will slightly decrease your maximum potential event collection speed.

Destination Port Map

This output component appears for data sources that include a destination IP address, and destination port - such as firewalls, or network intrusion detection systems.
The destination port map shows destination ports hit during the period specified in the objective match settings, as a clickable exponentially-scaled dot-map. Areas of higher activity are represented as colours towards the top end of the colour spectrum.

Info


Geolocation Map

This output component draws lines that represent the country of origin for source and destination IP addresses, for firewall/NIDS related data sources.

Info


Random Image Selection

For proxy-server related objectives, a random selection of images can be displayed to provide a general overview of image-related browsing habits.


Info


Bandwidth by User / Site

For proxy-server related objectives, the top sites by bandwidth, and/or top authenticated users by bandwidth utilisation can be displayed.

Info

...