Snare modular objectives begin life extremely simply. As you add more components and more complex match settings, Snare exposes greater flexibility and more configuration options.
Info: The simple configuration dialog shown below scans the "Snare Central Log" data source for any events produced over the course of the last 30 days, and displays a 15 minute 'Pattern Map' of the resulting data. A PDF has also been added to the output component list.
Info: A more complex objective is introduced below, as an indication of how flexible and comprehensive the Snare modular objective query and output builder can be. The objective:
Although the information above, and the image below, are likely to be quite overwhelming when first encountered, this document will explain each section in more detail.
Objective Header
The objective header displays:
...
An objective can be assigned a criticality level by clicking on the green, yellow, orange or red radio buttons.
If the objective has any information to report in any of the modular output components, the objective will be tagged with the appropriate colour in the objective navigation panel.
Tip: An objective tagged with a 'green' criticality will retain the default 'black' writing when it is displayed in the objective navigation panel.
Tip: The navigation panel will not refresh immediately in response to the change in criticality status for an objective. Generally, the updated status can be seen on next login, but it may be sooner if you, or another Snare Central user, modifies an objective or container name, or position, in the objective navigation panel.
...
Snare includes a range of 'templates' (often referred to as an 'Objective Type' in the Snare Central user interface) to make the job of a Snare administrator easier when crafting a new objective. These templates are hard-coded into Snare Central, may pre-define custom search criteria for you, sometimes include custom code to perform tasks, and may be updated and expanded with each release of Snare Central.
A list of the templates included in the Snare Central is available in the 'Modular Objective Templates' chapter, but here are some representative samples:
...
Info: A Windows failed login template pre-defines a match setting that looks for events containing an EventID of 529, 530, 531, 532, 533, 534, 535, 536, 537, 539, 644, 681 or 4625, all of which indicate a failed login event. If Microsoft adds a new failed login event to Windows, a future version of Snare Central will update the Windows failed login template so that existing objectives also pick up the new information.
...
Once the "Objective Type" button is selected, a new dialog will appear in the objective window.
General objective template categories are displayed in the tree-menu to the left. Once an objective category is selected, a list of available objective types will be displayed in the right-hand section of the dialog. Click on the appropriate 'Select' button to choose a template.
...
Objectives that are 'locked' can still have additional match settings and tokens added to the mix. Match settings and tokens are explored further below.
Field Settings
The field settings section displays a list of the 'fields' that are available to use in your search criteria, and also as input fields for modular output components.
...
If a small part of an existing field needs to be captured for further analysis, or reporting reasons, a new token can be defined by clicking on the green 'Add New' button.
A new dialog window will appear, which will allow you to configure your new token.
Info: "Field Name" defines the name that you wish to assign to the new field. "Configure the Field" asks you to select the source field that contains the information you are looking for. "Search Criteria" asks you to define the regular expression that will be used to pull the substring out of the field content.
Tip: A regular expression is a complex but extremely powerful tool that facilitates flexible matching and extraction of substrings. We will cover regular expressions in more detail below, but in Snare they take the general form:

In order to capture the user (highlighted in bold and red) from the above string, the regular expression would need to look for the word after the "User: " sub-string that is composed of alphanumeric characters (with the addition of the '@' symbol). The token required to achieve this looks like:

Field Name: USER

This translates as: look for a "User:" sub-string, then 0 or more white spaces, then anything after that which contains 1 or more letters, numbers, or '@' symbols. This is then a valid token according to our search criteria.

Tokens, once created, are treated as if they were a normal field, and can be filtered, grouped, sorted, or used as a target field in any modular output component that uses fields (eg: graphs or tables). This creates a powerful mechanism to query sub-strings that are contained within a much larger string. Any number of tokens can be created, which allows for a variety of choices when querying strings within strings.

A regular expression tester is also available, which can assist you with the process of creating a token; it can be accessed by clicking the 'Regular expression tester' link near the base of the token definition dialog. If the expression you are using has a match somewhere in the sample log entry, it will be highlighted in yellow. Red text indicates the area of the sample that exactly matches your token expression, and a section highlighted in green shows the actual substring that will be pulled out by the token. Once you are happy that the regular expression meets your requirements, you can copy the expression back to your token with a click of a button, rather than copying/pasting the information from the dialog.
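As an added illustration of the USER token described above (example code written for this page, not code from the Snare Central product or its documentation), the following Python reconstructs the token as a regular expression and applies it the way the regular expression tester does, returning both the full match (the red area) and the captured substring (the green area), then shows the captured value being added to an event as if it were a normal field. The exact pattern, the sample event text and the source field name "Strings" are assumptions: the page describes the expression in words but the expression itself is not reproduced here, and Python's re module stands in for Snare's regular expression engine.

```python
import re

# Constructed sample event text (not taken from the page).
SAMPLE_EVENT = "Successful Logon: User: jsmith@CORP Domain: CORP Logon ID: 0x1F4"

# Token definition modelled on the USER token described in the text: the word
# after "User:" and any whitespace, made up of one or more letters, digits or
# '@'. The pattern and the source field name are assumptions.
USER_TOKEN = {
    "field_name": "USER",
    "source_field": "Strings",
    "search_criteria": r"User:\s*([A-Za-z0-9@]+)",
}


def extract_token(token, field_value):
    """Apply a token to one field value.

    Returns (full_match, captured) like the regular expression tester: the
    full match is the text the whole expression matched, the captured part is
    the substring the token will pull out (the first capture group, or the
    whole match when the expression has no group). Returns None on no match.
    """
    m = re.search(token["search_criteria"], field_value)
    if m is None:
        return None
    captured = m.group(1) if m.lastindex else m.group(0)
    return m.group(0), captured


def tokens_as_fields(event, tokens):
    """Return a copy of the event with each token added as a new field.

    A token that does not match yields an empty string, so downstream
    filtering, grouping and sorting can treat it like any other field.
    """
    enriched = dict(event)
    for tok in tokens:
        result = extract_token(tok, event.get(tok["source_field"], ""))
        enriched[tok["field_name"]] = result[1] if result else ""
    return enriched


if __name__ == "__main__":
    print(extract_token(USER_TOKEN, SAMPLE_EVENT))
    print(tokens_as_fields({"Strings": SAMPLE_EVENT}, [USER_TOKEN])["USER"])
```

Note that `\s*` between "User:" and the capture group is what makes the token tolerant of the variable whitespace seen in real event strings; without it the expression would only match when exactly one space follows the colon.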
Info: Regular expression samples:
Tip: Tokens that you have created, or can modify, are highlighted in green. Tokens that are part of an underlying objective template, and are therefore locked, will be highlighted in red.
Configure Match Settings
Snare's query builder is a flexible tool that allows you to create very complex search criteria, incorporating precedence, logical operations, and advanced matching capabilities.
...
Selecting the '[Show Current Query]' link in the title panel, will pop up a new dialog that displays the SQL query that would be run against the Snare datastore, based on your current match settings.
Adding a New Match
Selecting the 'Add New Match' button will append a new row to your existing match settings. By default, the new row will use 'Date' as the target field, ">" as the comparison operator, and the input field will be initially blank.
Match Row Components
Drag and Drop grab bar
Each match row can be moved up or down, and positioned before or after other match criteria. Click and hold the grab bar, and drag the match row, to rearrange. Snare evaluates matches from top to bottom.
Field to use
Select the field to use for your search criteria, by clicking on this button. A drop-down menu will appear, that will detail the fields that you can choose from.
Snare breaks up event logs into a series of fields for you, when the event arrives at the Snare Central. As described in the section on 'Tokens' above, you can also choose to create meta-fields that represent a predictable portion of a larger field. These tokens will appear in the drop-down menu after you create them.
Comparison operator
The comparison operators available for selection depend on the field you have chosen. Numeric, date, and time values will have the following comparison operators available:
...
String values will have the following comparison operators available:
- Equals (=)
- Not equal to (!=)
- Contains
  - Searches for a simple case-insensitive substring.
- Like
  - Implements the SQL LIKE operator. LIKE uses the percent sign as a wildcard, so for example a search for "%login%failed%" will match the string "attempted login for user 'fred' failed at 17:23:01".
- Regexp
  - Implements an RE2-compatible regular expression search. As highlighted above, regular expressions are complex, but extremely powerful and flexible string search functions.
  - Tip: Snare co-opts the "start of string" and "end of string" characters ("^" and "$" respectively) to refer to the start and end of the contents of the field you are currently operating on, rather than the entire line.
- Not Regexp
  - Excludes all fields that match the supplied regular expression.
- Includes
  - You may include several comma-separated values in the input field, eg: fred,jim,tony
- Excludes
  - You may include several comma-separated values in the input field, eg: fred,jim,tony
...
These two '@' symbols indicate to Snare that the contents of the input field refer to a "Field to use" as highlighted above, rather than a static comparison value. Snare strips the '@' symbols and compares against the named field. Tokens are supported, and the following comparison operations are valid:
- =
- !=
- >
- <
- >=
- <=
Tip: Some fields allow you to specify indirect values. The 'Date' field, for example, generally takes arguments of the format "YYYY-MM-DD", but values such as the following are also valid, and will be reinterpreted each time the objective runs:
Contextual selection button
...
Tip: Selecting multiple values will generally turn on the 'INCLUDES' comparison operator, if you have not already selected 'INCLUDES' or 'EXCLUDES'.
Decrease match row indentation
...
In the Snare Central query builder, it would look like this:
However, if we wanted to ONLY report on out-of-hours events that are tagged with the username "Fred", then we would need to do something a little more complex, and add in operational precedence / brackets. Our new string would look like this:
...
Recall that increasing our indentation factor for a particular row, is equivalent to opening a bracket. In this case, we would need to add the 'UserName = Fred' match row at the top of the match rows, and then increase the indentation of every row after the logic element associated with the UserName match:
In effect, because all of the rows with the same indentation (as indicated by the number of exposed arrows to the left of the row) are 'grouped', they are enclosed within the same bracket group, as illustrated by the following image.
By utilising the indentation of match and logic rows, complex logical precedence operations can be designed.
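The following Python is an added example (written for this page, not code from Snare Central) that ties together the string comparison operators and '@Field@' indirection listed above with the indentation-equals-brackets rule just described. Match rows and logic rows are modelled as a list; `to_where` renders them as a bracketed clause in the spirit of what '[Show Current Query]' displays, and `rows_match` evaluates them against an event. The out-of-hours rule is built twice, once flat and once with the rows after `UserName = Fred` indented, so the difference in results is visible. The field names, the 08:00/18:00 boundaries and the sample events are constructed; it is also an assumption that, within one bracket group, AND binds tighter than OR exactly as it would in the generated SQL, and Python's re module stands in for the RE2 engine.

```python
import re


def match(indent, field, op, value):
    """One match row: indentation level, field to use, operator, input value."""
    return {"indent": indent, "field": field, "op": op, "value": value}


def logic(indent, op):
    """One logic row ('AND' or 'OR') joining the match rows around it."""
    return {"indent": indent, "logic": op}


# Constructed out-of-hours rule. Flat: reads as (Fred AND before 08:00) OR after 18:00.
ROWS_FLAT = [
    match(0, "UserName", "=", "Fred"), logic(0, "AND"),
    match(0, "Time", "<", "08:00:00"), logic(0, "OR"),
    match(0, "Time", ">", "18:00:00"),
]
# Bracketed: UserName row at the top, every row after its AND indented one level.
ROWS_BRACKETED = [
    match(0, "UserName", "=", "Fred"), logic(0, "AND"),
    match(1, "Time", "<", "08:00:00"), logic(1, "OR"),
    match(1, "Time", ">", "18:00:00"),
]


def _like_to_regex(pattern):
    # SQL LIKE: '%' is the wildcard, everything else is literal text.
    return "^" + ".*".join(re.escape(p) for p in pattern.split("%")) + "$"


def _key(v):
    # Compare numerically when the value parses as a number, else as text.
    try:
        return float(v)
    except ValueError:
        return v


def term_matches(row, event):
    """Evaluate one match row against an event (dict of field name -> string)."""
    left, value = event.get(row["field"], ""), row["value"]
    if len(value) > 2 and value[0] == value[-1] == "@":  # '@Field@': compare with another field
        value = event.get(value[1:-1], "")
    op = row["op"].lower()
    if op in ("=", "!=", "<", ">", "<=", ">="):
        a, b = _key(left), _key(value)
        if type(a) is not type(b):  # mixed number/text: fall back to text comparison
            a, b = left, value
        return {"=": a == b, "!=": a != b, "<": a < b, ">": a > b, "<=": a <= b, ">=": a >= b}[op]
    if op == "contains":
        return value.lower() in left.lower()
    if op == "like":
        return re.search(_like_to_regex(value), left, re.S) is not None
    if op == "regexp":  # '^' and '$' anchor to the field content, as the text notes
        return re.search(value, left) is not None
    if op == "not regexp":
        return re.search(value, left) is None
    items = [v.strip() for v in value.split(",")]
    if op == "includes":
        return left in items
    if op == "excludes":
        return left not in items
    raise ValueError("unsupported operator: " + row["op"])


def to_where(rows):
    """Render rows as a bracketed clause: each extra indent level opens a bracket."""
    parts, depth = [], 0
    for row in rows:
        while depth < row["indent"]:
            parts.append("(")
            depth += 1
        while depth > row["indent"]:
            parts.append(")")
            depth -= 1
        parts.append(row["logic"] if "logic" in row else f"{row['field']} {row['op']} '{row['value']}'")
    parts.extend(")" * depth)
    return " ".join(parts).replace("( ", "(").replace(" )", ")")


def _group(rows, i, depth):
    """Gather rows at `depth`; a run of deeper rows becomes a nested list (bracket group)."""
    items = []
    while i < len(rows) and rows[i]["indent"] >= depth:
        if rows[i]["indent"] > depth:
            sub, i = _group(rows, i, rows[i]["indent"])
            items.append(sub)
        else:
            items.append(rows[i])
            i += 1
    return items, i


def _eval(items, event):
    # Within a group, AND binds tighter than OR: split on OR, AND inside each chunk.
    chunks = [[]]
    for item in items:
        if isinstance(item, dict) and "logic" in item:
            if item["logic"].upper() == "OR":
                chunks.append([])
        elif isinstance(item, list):
            chunks[-1].append(_eval(item, event))
        else:
            chunks[-1].append(term_matches(item, event))
    return any(all(chunk) for chunk in chunks)


def rows_match(rows, event):
    """True when the event satisfies the whole block of match settings."""
    return _eval(_group(rows, 0, 0)[0], event)


if __name__ == "__main__":
    jim_evening = {"UserName": "Jim", "Time": "19:30:00"}
    print(to_where(ROWS_FLAT), "->", rows_match(ROWS_FLAT, jim_evening))
    print(to_where(ROWS_BRACKETED), "->", rows_match(ROWS_BRACKETED, jim_evening))
```

Run as-is, the flat rule reports Jim's evening event while the bracketed rule does not, which is the precedence problem the indentation feature exists to solve.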
...
Output and Configuration Component
Output and configuration components can be dragged from the top half of this section, into the bottom half, titled "Drop Components Here to add them to the objective output". This will result in either:
...
The number, and type of output components, depends significantly on the data source that is being interrogated.
Most components, when added to the objective, will also create a 'configuration panel' that allows you to control the output of each component. A '15 minute pattern map', for example, will provide the option of using a standard linear colour scale for the output, an exponential colour scale that highlights different ranges of data, or even a visual map of a particular target output field. Some of the more common output components are highlighted below.
Tip: Some components, when dragged to the drop area, will reveal a second version of the same component in the drag section (eg: Pattern Map, and Pattern Map 2). As such, an objective can have two copies of many components, with slightly different configuration settings applied to each.
Pattern Map
The 15 minute pattern map provides a visual overview of event log data, displaying an indication of the volume, or contents of each separate 15 minute segment within the reporting period, as a colour selected from an appropriate area of graduated scale.
The pattern map can be configured to use a standard scale, an exponential scale, or to map the contents of a particular field. Exponential mode can highlight particular patterns that are difficult to see in the standard colour mode.
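To make the pattern map mechanics concrete, here is an added Python example (written for this page, not code from Snare Central) that buckets event timestamps into the 96 fifteen-minute segments of each day and maps each segment's count onto a small set of colour bands, once linearly and once on a doubling scale. The timestamps are constructed, and the "exponential" mapping is this example's own interpretation of a scale whose bands cover exponentially wider count ranges, so that low-volume segments remain distinguishable; it is not Snare's actual colour algorithm.

```python
import math
from datetime import datetime

SLOTS_PER_DAY = 24 * 4  # 96 fifteen-minute segments per day

# Constructed event timestamps (not from the page), "YYYY-MM-DD HH:MM:SS".
SAMPLE_TIMES = [
    "2024-03-01 09:07:12", "2024-03-01 09:14:59", "2024-03-01 09:20:00",
    "2024-03-01 23:59:59", "2024-03-02 00:00:00",
]


def segment_of(timestamp):
    """Return (date, slot) where slot numbers the 15 minute segment 0..95."""
    dt = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S")
    return dt.strftime("%Y-%m-%d"), (dt.hour * 60 + dt.minute) // 15


def bucket_events(timestamps):
    """Count events per (date, slot); segments with no events are absent."""
    counts = {}
    for ts in timestamps:
        key = segment_of(ts)
        counts[key] = counts.get(key, 0) + 1
    return counts


def colour_index(count, max_count, bands=8, mode="standard"):
    """Map a segment count to a colour band 0..bands-1 (0 = no events).

    standard:    proportional to count / max_count.
    exponential: band n covers counts in [2**(n-1), 2**n), so 1, 2-3, 4-7, ...
                 (this example's interpretation, see lead-in).
    """
    if count <= 0 or max_count <= 0:
        return 0
    if mode == "standard":
        return min(bands - 1, count * (bands - 1) // max_count)
    if mode == "exponential":
        return min(bands - 1, int(math.log2(count)) + 1)
    raise ValueError("unknown mode: " + mode)


def render_day(counts, date, max_count, mode="standard", bands=8):
    """One row of the map: a colour band for each of the day's 96 segments."""
    return [colour_index(counts.get((date, slot), 0), max_count, bands, mode)
            for slot in range(SLOTS_PER_DAY)]


if __name__ == "__main__":
    counts = bucket_events(SAMPLE_TIMES)
    peak = max(counts.values())
    for date in sorted({d for d, _ in counts}):
        print(date, "".join(str(b) for b in render_day(counts, date, peak)))
    # With a busy peak, small counts vanish on the standard scale but not the other:
    print(colour_index(3, 100, mode="standard"), colour_index(3, 100, mode="exponential"))
```

The last line is the point of the exponential mode: against a peak of 100 events a segment with 3 events lands in band 0 on the linear scale (indistinguishable from an empty segment) but in band 2 on the doubling scale.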
Each element of the pattern map can be clicked on, with your left mouse button, to search for the data that comprises that particular 15 minute segment. A new dialog will appear in the objective panel that shows the underlying data. The data can be sorted by clicking on a column header.
Tip: Sorting on 'Date' will sort on both Date and Time. Selecting 'Time' will only sort on the Time column.
Clicking on a date, to the left of the pattern map, will attempt to generate a table listing all events for that particular day, that match the objective search criteria.
Tip: For high volume sites, this process may take a long time to complete.
Table
To include a dump of event data that matches the search criteria specified for an objective, the 'Tabular Details' modular component can be dragged into the inclusion list.
...
When a field is dragged into the inclusion list, ascending and descending sort buttons will appear next to the field. Sort criteria are evaluated left to right. Fields can be reordered within the inclusion list in order to modify the sort output. The order of the fields in the inclusion list will also define the order in which they appear in the tabular output component.
By default, the table will display a subset of the data that matches the objective search criteria. The default settings are 500 rows, at 50 rows per page.
Tip: The table width will be set to the size of your browser window, minus a small space around the border of the table. For small screens, this can mean that long lines 'squash up' into very narrow columns, and you see very few lines per page. You can make your entire table bigger by scrolling up to the top-right corner of the table, grabbing the very top-right edge (click and hold your left mouse button), and dragging your mouse off to the right hand side, beyond the boundaries of your page (ie: to the right hand limit of your browser window, or beyond). This will increase the size of the table beyond the visible area of your browser window, and a new scroll-bar will appear at the bottom of your browser window. You can then rearrange the width of each column as appropriate, and each line will take up less vertical screen real-estate.
Results can be 'grouped' to produce a tally of events that contain common field values. In order to activate this, choose the fields that should participate in the 'group', and add them to the table field inclusion list. Select the checkbox next to "Produce a total of the unique values for the included fields", in the "Summary Information" section of the table configuration component. You may also choose to sort by the total unique values column, and potentially rename the column from the default "TOTAL" to something that better represents your data.
For example, based on the table output screenshot above, if you wanted to analyse the most common destination ports by date, you could add fields 'Date', 'Proto', 'Action' and 'DstPort' to the field inclusion list.
After the objective regenerates, your table displays a new column, which shows how many events share the same Date, Protocol, Action and Destination port, out of all events that match the search criteria specified in the objective.
Fields that are numeric, or tokens that are derived from a numeric field, will also be included as an option under the 'Produce a SUM of the values of the following integer field'. This feature is useful in situations where you wish to know information like:
- Who are the top 10 users of bandwidth, through our corporate proxy server or firewall? (ie: Produce a sum of 'Bytes' per-user or per-IP)
Tip: SUMMED column values will respect the sort criteria you have attached to the original field. If you ask Snare to produce a SUM of the 'Bytes' field, for example, and have chosen to sort Bytes in descending order, the SUMMED values will be sorted in descending order.
CSV (Tab delimited) and text dumps of the table data can also be produced. These will be available as an attachment to the objective.
...
The number of graph 'rows' to be included can be defined, and you can also sort the graph by either the total count (descending), or by the actual field value (alphanumerically).
Pie Graph
Pie graphs can be created by adding this element to your modular inclusion list. Select a field to use as a basis for the graph by choosing an option under "Produce a pie graph of the total event count for this element".
You can specify the preferred number of segments to be shown in the pie graph. If these segments do not represent 100% of the returned results, an additional 'Other' segment will be displayed on the pie graph.
Line Graph
A line graph of total events can be created by adding this element to your modular inclusion list. You may specify that events should be graphed by Day, Week, Month or Year.
PDF Output
To include a PDF of the objective output, add this component to the modular objective inclusion list. The PDF will be available from the 'Attachments' button in the top panel, and will be included with any electronic mail messages that are sent as a result of this objective being regenerated.
...
To make objective annotations, add this component to the modular objective inclusion list. Once the objective is regenerated, the annotations form is available for editing. By default this content does not go out to end-users in email or when a PDF report is generated; however, this can be changed by ticking the associated checkbox in the Annotations configuration.
Real-time Alert
Activating real-time alerts for any objective activates a module in the collection subsystem, that scans incoming data for events that match your query terms. Real-time alerts can be sent out via email.
Tip: Activating real-time alerts will significantly reduce your maximum potential event collection speeds. Each additional real-time alert that is activated will also increase the amount of processing that your server needs to do per event, and will slightly decrease your maximum potential event collection speed.
Destination Port Map
This output component appears for data sources that include a destination IP address, and destination port - such as firewalls, or network intrusion detection systems.
The destination port map shows destination ports hit during the period specified in the objective match settings, as a clickable exponentially-scaled dot-map. Areas of higher activity are represented as colours towards the top end of the colour spectrum.
Geolocation Map
This output component draws lines that represent the country of origin for source and destination IP addresses, for firewall/NIDS related data sources.
Random Image Selection
For proxy-server related objectives, a random selection of images can be displayed to provide a general overview of image-related browsing habits.
Bandwidth by User / Site
For proxy-server related objectives, the top sites by bandwidth, and/or top authenticated users by bandwidth utilisation can be displayed.