Snare Central provides several layers of increasing flexibility. Although the majority of Snare Central customers will be fully comfortable creating objectives in the user interface, there are also opportunities for advanced users to change the way that Snare reports data.
...
- Change the colour of an entire row, based on the content of the row.
- Change the colour of a particular field, based on the content of the field, or the content of a row element.
- Change the content of a field, based on the previous content of a field, or the content of a row element.
Output modification modules should share the name of the field, or Token, that they are designed to modify, in uppercase characters and with ".php" appended. So, for example, if you wished to create an output modification module for the 'USERNAME' field, you would create a file called 'USERNAME.php'.
...
- Is stored in the WinSecurity directory (/data/SnareUI/Global/Modules/WinSecurity/DESTUSER.php).
- Modifies the 'DESTUSER' field; a Token defined in several Windows Security related objectives.
- Changes the colour of the entire row to RED, if the Windows EventID is '999'.
- Changes the colour of the DESTUSER field to:
  - Green, if the event is related to user creation.
  - Red, if the event is related to user removal.
  - Blue, if the user has been modified or enabled.
  - Orange, if the user account has been disabled.
- Modifies the contents of the DESTUSER field so that the text is surrounded by the HTML "strikeout" elements, if the event is related to user removal.
```php
<?php
class DESTUSER {
    # Colour of the DESTUSER field, chosen from the Windows EventID.
    function Colour($text,$row) {
        if(in_array($row["EVENTID"],array(624,4720))) {
            return("green");  # User Created
        }
        if(in_array($row["EVENTID"],array(630,4726))) {
            return("red");    # User Removed
        }
        # 4720 is already matched by the "User Created" check above,
        # so it never reaches this branch.
        if(in_array($row["EVENTID"],array(625,626,642,4720,4730))) {
            return("blue");   # User modified/enabled
        }
        if(in_array($row["EVENTID"],array(629,4725))) {
            return("orange"); # User account disabled
        }
        # Fallback.
        if(strstr($row["STRINGS"],"Created")) {
            return("green");
        } else if(strstr($row["STRINGS"],"Deleted")) {
            return("red");
        } else if(strstr($row["STRINGS"],"Changed")) {
            return("blue");
        }
    }

    # Content of the DESTUSER field: struck out for user removal events.
    function PrintData($text,$row) {
        if(in_array($row["EVENTID"],array(630,4726))) {
            $text="<strike>$text</strike>";
        }
        return($text);
    }

    # Colour of the entire row.
    function RowColour($row) {
        if($row["EVENTID"]==999) {
            return("red");
        }
    }
}
?>
```
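Because PrintData returns markup that is rendered in the report, and account names in event logs are chosen by whoever created the account, a module that wraps a field in HTML should escape the field first. The following is an added example, not Snare's own code: a module for the 'USERNAME' field, in a file named USERNAME.php, using the same method layout as DESTUSER. It assumes the class is named after the field, that $text may reach the module unescaped, and the watch list is constructed for illustration.

```php
<?php
# Added example, not part of the Snare Central distribution.
class USERNAME {
    # Constructed watch list: account names to highlight in reports.
    const WATCHED = array("administrator", "svc_backup");

    # Assumption: $text may arrive unescaped. With double_encode=false,
    # entities already present are left alone, so a value that Snare
    # has escaped beforehand is not escaped a second time.
    private static function Escape($text) {
        return htmlspecialchars($text, ENT_QUOTES, "UTF-8", false);
    }

    # Case-insensitive match of the raw field value against the list.
    private static function IsWatched($text) {
        return in_array(strtolower(trim($text)), self::WATCHED, true);
    }

    # Colour of the USERNAME field. As in DESTUSER's fallback, nothing
    # is returned when no rule matches.
    function Colour($text,$row) {
        if(self::IsWatched($text)) {
            return("red");
        }
    }

    # Content of the USERNAME field: always escaped, and bold for
    # watched accounts. Only the escaped value is placed inside markup.
    function PrintData($text,$row) {
        $safe=self::Escape($text);
        if(self::IsWatched($text)) {
            return("<b>$safe</b>");
        }
        return($safe);
    }
}
?>
```

With this module, a USERNAME value such as `<img src=x>` is displayed as literal text rather than interpreted as an element.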
...