Versions Compared

Version Old Version 6 New Version Current
Changes made by

Leigh Purdie (Unlicensed)

Leigh Purdie (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Snare modular objectives begin life extremely simply. As you add more components, and more complex match settings, Snare will enable greater flexibility, and more configuration options.

Info
titleExample

The simple configuration dialog shown below scans the "Snare Central Log" data source, for any events produced over the course of the last 30 days, and displays a 15 minute 'Pattern Map' of the resulting data. A PDF has also been added to the output component list.

A reasonably simple modular configuration dialog

 

Info
titleExample

A more complex objective is introduced below, as an indication of how flexible and comprehensive the Snare Modular objective query and output builder can be. The objective:

  • Defines search criteria that looks for any events that match:
    • Dates between this time last month, and yesterday, non-inclusive.
    • Events related to login failures.
    • For EITHER the users DJSMITH, PTTHOMP, SJCOOK, KPWEIP, or LTROMA) OR from any source system starting with the word 'WORKSTATION', followed by a number that starts with 10,11,12,13 or 14.
  • Defines two additional 'tokens':
    • 'DESTUSER' scans the 'STRINGS' field of Windows Security logs, for a target account name, which is pulled out of the event using the following regular expression search:
      • (?<=logon to account:| User Name:| Target Account Name:|Account For Which Logon Failed: Security ID: ....... Account Name:) (.?) *(?=by:|Domain:|Target Account ID:|Account Domain:)
    • 'FAILREASON' also scans the 'STRINGS' field of Windows Security logs, for information on why a login failure occurred, using the following regular expression match:
      • (?<=Reason:|User Account ) (.?) *(?=Status:|User Name:|Domain:|: *Target Account Name:)
  • Outputs a standard 15 minute pattern map, using yellow and red to show parts of the day where low or high volumes (respectively) of event data have been discovered.
  • Outputs a pattern map highlighting occurrences of each destination user account name.
  • Sets the objective up as a real-time objective, sending the output to the email list defined in the 'Objective Schedule' area of the objective. The title of the email has been configured to be "Failed login on sensitive workstations, or by monitored users".
  • Outputs a Table of the first 500 results that match the criteria outlined above, 50 results per page, displaying only the fields Date, Time, System, EventID, DestUser, and FailReason. A CSV dump of the table will also be produced.
  • Outputs a horizontal graph of the top 20 systems that match the search criteria for the objective.
  • Outputs a line graph of events-per-day that match the search criteria for an objective.

Although the information above, and the image below, are likely to be quite overwhelming when first encountered, this document will explain each section in more detail.

A more complex modular objective configuration dialog

 

Objective Header

The objective header displays:

...

An objective can be assigned a criticality level by clicking on the green, yellow, orange or red radio buttons.
If the objective has any information to report in any of the modular output components, the objective will be tagged with the appropriate colour in the objective navigation panel.
 

Tip
An objective tagged with a 'green' criticality will retain the default 'black' writing when it is displayed in the objective navigation panel.


Tip
The navigation panel will not refresh immediately in response to the change in criticality status for an objective. Generally, the updated status can be seen on next login, but it may be sooner if you, or another Snare Central user, modifies an objective or container name, or position, in the objective navigation panel.

...

Snare includes a range of 'templates' (often referred to as an 'Objective Type' in the Snare Central user interface) to make the job of a Snare administrator easier when crafting a new objective. These templates are hard-coded in the Snare Central, may pre-define custom search criteria for you, will sometimes include custom code to perform tasks, and may be updated and expanded on each release of the Snare Central.

A list of the templates included in the Snare Central is available in the 'Modular Objective Templates' chapter, but here are some representative samples:

...

Info
titleExample
A Windows failed login template, will pre-define a match setting that looks for events that contain an EventID of 529, 530, 531, 532, 533, 534, 535, 536, 537, 539, 644, 681 or 4625 - all of which indicate a failed login event. If Microsoft adds a new failed login event to Windows, a future version of the Snare Central will update the windows failed login template so that existing objectives also pick up the new information.

...

Info

"Field Name" defines the name that you wish to assign to the new field.

"Configure the Field" asks you to select the source field that contains the information you are looking for.

"Search Criteria" asks you to define the regular expression that will be used to pull the substring out of the field content.


Tip

A regular expression is a complex, but extremely powerful tool, that will facilitate flexible matching, and extraction of substrings. We will cover regular expressions in more detail below, but in Snare, they take the general form:

  • Text to match before substring (Substring match) Text to match after substring


So, for example, assume the DETAILS field of an event includes the following string:


Safend Protector File Logging Alter Details: User: george Computer: Machine1234 Client GMT: 8/10/2011 4:13:23 AM Client Local Time: 8/10/2011 3:13:23 PM Server Time: 8/10/2011 4:13:30 AM Group: Policy: policy Device Description: Disk drive Device Info: Kingston DataTraveler 2.0 USB Device Port: USB Device Type: Removable Storage Devices Vendor: 13FE Model: 1D00 Distinct ID: ID001 Details: File Name: file.pdf File Type: pdf File Size: 50945 Created: 8/10/2011 3:13:23 PM Modified: 8/10/2011 2:23:44 PM Action: Write

 In order to capture the user (highlighted in bold and red) from the above string, the regular expression would need to look for the word after the "User: " sub-string, that is composed of alphanumeric characters (with the addition of the '@' symbol).

The token required to achieve this looks like:

Field Name: USER
Source Field: STRINGS
Search Criteria: User:\s*([A-Za-z0-9@]+)*

This translates as: look for a "User:" sub-string, then 0 or more white spaces, then anything after that which contains 1 or more letters, numbers, or an @ symbol. This is then a valid token according to our search criteria.

Tokens, once created, are then treated as if they were a normal field, and can be filtered, grouped, sorted, or used as a target field in any modular output component that uses fields (eg: Graphs or Tables). This creates a powerful mechanism to effectively query sub-strings which are contained within a much larger string. Any number of tokens can be created which allows for a variety of choices when querying strings within strings.

A regular expression tester is also available, which can assist you with the process of creating a token; it can be accessed by clicking the 'Regular expression tester' link near the base of the token definition dialog.

Testing a regular expression match

If the expression you are using has a match somewhere in the sample log entry, it will be highlighted in yellow. Red text indicates the area of the sample that exactly matches your token expression, and a section highlighted in green shows the actual substring that will be pulled out by the token. 

Once you are happy that the regular expression meets your requirements, you can copy the expression back to your token with a click of a button, rather than copying/pasting the information from the dialog.


Info
titleExample

Regular expression samples:

  • from=<([^>]+)
    • search for the word 'from' followed by an equal sign, and a less than symbol. Retrieve any characters after that, until you encounter a greater-than symbol (>)
    • from=<john@somewhere.com>
  • (?<=Account Name: )(.*?)(?= New Account| New Domain| Target Domain| Account| Domain| Caller)
    • Retrieve any text between the strings "Account Name: " and one of either " New Account", " New Domain", " Target Domain", " Account", " Domain" or " Caller"
    • Account Name: DNI\UserLP Target Domain: DNI
  • open(([^)]+))
    • Search for the string "open(", and retrieve any characters after that until you encounter a close bracket.
    • open(O_RDONLY|O_RDWR)
  • ^.............(..........)
    • Ignore the first 13 characters of this field, and retrieve the next 10.
    • INFORMATION: SUCCESS USER: JABLOGGS
  • ^.{12}(.{9})
    • Same as the above example, but using the regular expression 'repeat' function: Ignore the first 13 characters of this field, and retrieve the next 10.
    • INFORMATION: SUCCESS USER: JABLOGGS
  • ^.{12}([a-zA-Z0-9]{9})
    • Same as the above example, but cuts out the extra spaces after "SUCCESS", by limiting the valid retrieved characters to alphanumerics only.
    • INFORMATION: SUCCESS USER: JABLOGGS


Tip
Tokens that you have created, or can modify, are highlighted in green. Tokens that are part of an underlying objective template, and are therefore locked, will be highlighted in red.

Configure Match Settings


Info

...

Snare breaks up event logs into a series of fields for you, when the event arrives at the Snare Central. As described in the section on 'Tokens' above, you can also choose to create meta-fields that represent a predictable portion of a larger field. These tokens will appear in the drop-down menu after you create them.

...

  • Equals (=)
  • Not equal to (!=)
  • Contains
    • This will search for a simple case insensitive substring
  • Like
    • Implements a SQL LIKE operator. LIKE uses the 'percent' sign for wildcards - so for example, a search for "%login%failed%" will match the string "attempted login for user 'fred' failed at 17:23:01"
  • Regexp
    • Implements a perl-compatible regular expression search. As highlighted above, regular expressions are complex, but extremely powerful and flexible string search functions.
      • Tip: Snare co-opts the "start of string" and "end of string" characters ("^" and "$" respectively) to refer to the start of the contents of the field you are currently operating on, and the end of the field, rather than referencing the entire line.
  • Not Regexp
    • Excludes all fields that match the supplied regular expression.
  • Includes
    • You may include several comma-separated values in the input field - eg: fred,jim,tony
  • Excludes
    • You may include several comma-separated values in the input field - eg: fred,jim,tony

...

These two '@' symbols, indicate to Snare that the contents of the input field refers to a "Field to use" as highlighted above, rather than a static comparison value. The '@' symbols will be removed, and processed by Snare. Tokens are supported, and the following comparison operations are valid:

  • =
  • !=
  • >
  • <
  • >=
  • <=

 

Tip

Some fields allow you to specify indirect values. The 'Date' field, for example, generally takes arguments of the format "YYYY-MM-DD", but values such as the following are also valid, and will be reinterpreted each time the objective runs:

  • last week
  • next thursday 
  • -7 weeks 
  • first day of next month 
  • last day of april 2012 
  • first day of last month 
  • 3rd april this year + 20 days


The 'Time' field generally prefers times in the format "HH:MM:DD", however it also accepts standard integer values. A number in the 'Time' field will be interpreted as "Now minus 'x' minutes", where 'x' is the value you entered, and 'Now' is the time at which the objective runs. For example:

  • TIME >= 120
    • This will be interpreted by Snare as: "TIME is greater or equal to NOW minus 120 minutes".
    • If the objective runs at 10:05am, Snare will calculate the value to be 08:05:00
    • The match term will then be extrapolated to "TIME IS greater or equal to 08:05:00"

  • Note that TIME >= 120, does NOT NECESSARILY equate to "in the last two hours". Since Snare extrapolates the value to TIME >= 08:05:00, then if you have set your objective to report on data from the last 30 days, it will mean your objective will display data from ANY DAY that matches your other match terms, between 08:05:00 and 23:59:59. Data between 00:00:00 and 08:04:59 will not be displayed by the objective. If you specifically need to ONLY show data within the last two hours, you would need to add a second match term: DATE = today, or alternatively, set your "Maximum Days to Search" slider to "1 day".
  • Note also that the logical sign direction is somewhat counter-intuitive if you do not understand how the Snare Central extrapolates the time value. It could be argued that "<= 120 (minutes)" would be better syntax for "in the last two hours"; however, that would assume that a value in the time field also automatically controls the date field; this is not the case. Please be cautious with your logical sign direction.

Contextual selection button

...

The number, and type of output components, depends significantly on the data source that is being interrogated.
 

 

Info
titleExample
  • Objectives that scan firewall or router related event log data may include a 'geolocation map' that attempts to draw a line from the approximate geographic location of a source IP address, to destination IP addresses, on a map of the world.
  • Objectives that scan proxy log data may include special output components that measure bandwidth by target site or user.
  • UNIX systems that use the concept of a 'home directory' may make a special output component available that highlights attempts by users other than the owner, to access a home directory.
  • Objectives focused on network intrusion detection system log data may introduce a 'target port map' output component, that can visually map attempts to port scan a corporate network.

Most components, when added to the objective, will also create a 'configuration panel' that allows you to control the output of each component. A '15 minute pattern map', for example, will provide the option of using a standard linear colour scale for the output, an exponential colour scale that highlights different ranges of data, or even a visual map of a particular target output field. Some of the more common output components are highlighted below.

 

Tip
Some components, when dragged to the drop area, will reveal a second version of the same component in the drag section (eg: Pattern Map, and Pattern Map 2). As such, an objective can have two copies of many components, with slightly different configuration settings applied to each.

Pattern Map

The 15 minute pattern map provides a visual overview of event log data, displaying an indication of the volume, or contents of each separate 15 minute segment within the reporting period, as a colour selected from an appropriate area of graduated scale.

...

Each element of the pattern map can be clicked on, with your left mouse button, to search for the data that comprises that particular 15 minute segment. A new dialog will appear in the objective panel that shows the underlying data. The data can be sorted by clicking on a column header.


Tip
Sorting on 'Date' will sort on both Date and Time. Selecting 'Time' will only sort on the Time column.


Info

Selecting a 15 minute segment - firewall log data


Clicking on a date, to the left of the pattern map, will attempt to generate a table listing all events for that particular day, that match the objective search criteria.

Tip
For high volume sites, this process may take a long time to complete.

Table

Info

To include a dump of event data that matches the search criteria specified for an objective, the 'Tabular Details' modular component can be dragged into the inclusion list.

...



By default, the table will display a subset of the data that matches the objective search criteria. The default settings are 500 rows, at 50 rows per page.


Tip

The table width will be set to the size of your browser window, minus a small space around the border of the table. For small screens, this can mean that long lines 'squash up' into very narrow columns, and you see very few lines per page.

You can make your entire table bigger by scrolling up to the top-right corner of the table, grabbing the very top-right edge (click and hold your left mouse button), and dragging your mouse off to the right hand side, beyond the boundaries of your page (ie: to the right hand limit of your browser window, or beyond). This will increase the size of the table beyond the visible area of your browser window, and a new scroll-bar will appear at the bottom of your browser window. You can then rearrange the width of each column as appropriate, and each line will take up less vertical screen real-estate.

Results can be 'grouped' to produce a tally of events that contain common field values. In order to activate this, choose the fields that should participate in the 'group', and add them to the table field inclusion list. Select the checkbox next to "Produce a total of the unique values for the included fields", in the "Summary Information" section of the table configuration component. You may also choose to sort by the total unique values column, and potentially rename the column from the default "TOTAL" to something that better represents your data.

...

  • Who are the top 10 users of bandwidth, through our corporate proxy server or firewall? (ie: Produce a sum of 'Bytes' per-user or per-IP)

Tip
SUMMED column values will respect the sort criteria you have attached to the original field. If you ask Snare to produce a SUM of the 'Bytes' field, for example, and have chosen to sort Bytes in descending order, the SUMMED values will be sorted in descending order.


CSV (Tab delimited) and text dumps of the table data can also be produced. These will be available as an attachment to the objective.

...

Activating real-time alerts for any objective activates a module in the collection subsystem, that scans incoming data for events that match your query terms. Real-time alerts can be sent out via email.


Tip
Activating real-time alerts will reduce your maximum potential event collection speeds. Each additional real-time alert that is activated, will also increase the amount of processing that your server needs to do, per-event, and will slightly decrease your maximum potential event collection speed.

Destination Port Map

This output component appears for data sources that include a destination IP address, and destination port - such as firewalls, or network intrusion detection systems.
The destination port map shows destination ports hit during the period specified in the objective match settings, as a clickable exponentially-scaled dot-map. Areas of higher activity are represented as colours towards the top end of the colour spectrum.

...