Snare Central can process a reasonably wide range of source data types. The Snare Central data acquisition software is generally tuned for particular versions of operating system or device logs, so if you encounter problems importing particular types of data, please contact your Snare Central support team, and be prepared to supply (sanitised if required) log samples.

Snort Sensor

Organisations that use the Snort network intrusion detection system can send data to Snare Central via the syslog protocol; Snare collects, interprets and reports on the events. The following information outlines the steps required to configure the Snort sensor to send its event log data to Snare Central. No configuration is required on Snare Central.

...

Tip: How to

On the host that is acting as a Snort collection sensor:

  • In the file /etc/syslog.conf, add the following two lines (the selector and the action must be separated by whitespace; classic syslogd requires a tab):

# Send all SYSLOG events to Snare Central
*.*	@12.23.34.45

  • Substitute the IP address, or the DNS name, of Snare Central for the string "12.23.34.45". A single "@" forwards over UDP port 514 in clear text; on hosts running rsyslog the file is /etc/rsyslog.conf (or a file under /etc/rsyslog.d/) and "@@" selects TCP instead.
  • Modify the file /etc/snort/snort.conf to include the following line:

output alert_syslog: LOG_AUTH LOG_ALERT

  • One or more 'output' lines may already exist in the file; that is acceptable, as Snort can send output to several targets at once.
  • Restart your Snort network intrusion detection system and syslog daemon. Depending on your distribution this may be one of:
    • /etc/init.d/snortd restart; /etc/init.d/syslog restart
    • service snortd restart; service syslog restart
    • systemctl restart snortd; systemctl restart rsyslog (unit names vary by distribution)

Troubleshooting Snort

Checking for Snort Sensor errors:

  • Look in /var/log/messages for errors.
  • Run Snort manually, substituting the interface it should monitor for "ppp0":
    • /usr/sbin/snort -D -i "ppp0" -c /etc/snort/snort.conf
  • then look in /var/log/messages for errors. Running with -T instead of -D (snort -T -c /etc/snort/snort.conf) parses and validates the configuration, reports any problems on the console and exits without starting the sensor.
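What arrives on the Snare Central side of the configuration above is a BSD syslog message whose PRI byte encodes LOG_AUTH/LOG_ALERT and whose body is Snort's alert_syslog line. The following is an added example, not Snort or Snare Central code: it computes the PRI value that "output alert_syslog: LOG_AUTH LOG_ALERT" produces, parses the alert line into its rule, classification, priority and endpoint fields, and handles the ICMP case in which no ports are present. The sample messages, sensor name, PIDs, rule IDs and addresses are constructed for the example.

```python
"""Snort alerts arriving over syslog, as configured above.

Added example, not Snort or Snare Central code. The sample messages below are
constructed; the sensor name, PIDs, rule IDs and addresses are invented.
"""
import re
from typing import Dict, Optional

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITY = {
    "LOG_KERN": 0, "LOG_USER": 1, "LOG_MAIL": 2, "LOG_DAEMON": 3, "LOG_AUTH": 4,
    "LOG_SYSLOG": 5, "LOG_LPR": 6, "LOG_NEWS": 7, "LOG_UUCP": 8, "LOG_CRON": 9,
    "LOG_AUTHPRIV": 10, "LOG_FTP": 11, "LOG_LOCAL0": 16, "LOG_LOCAL1": 17,
    "LOG_LOCAL2": 18, "LOG_LOCAL3": 19, "LOG_LOCAL4": 20, "LOG_LOCAL5": 21,
    "LOG_LOCAL6": 22, "LOG_LOCAL7": 23,
}
SEVERITY = {
    "LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
    "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7,
}
_FACILITY_NAME = {v: k for k, v in FACILITY.items()}
_SEVERITY_NAME = {v: k for k, v in SEVERITY.items()}

# <PRI>Mmm dd hh:mm:ss host snort[pid]: message   (BSD syslog wire format)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) snort(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# [gid:sid:rev] text [Classification: ...] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def syslog_pri(facility: str, severity: str) -> int:
    """PRI value a message logged with the given facility/severity carries."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def decode_pri(pri: int) -> tuple:
    """Inverse of syslog_pri: (facility name, severity name)."""
    return _FACILITY_NAME.get(pri // 8, f"facility{pri // 8}"), _SEVERITY_NAME[pri % 8]


def _endpoint(text: str) -> tuple:
    # "10.0.0.5:49152" -> ("10.0.0.5", 49152); ICMP alerts carry no port.
    # IPv4 only: an IPv6 literal would need bracket handling not done here.
    host, sep, port = text.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return text, None


def parse_snort_syslog(line: str) -> Optional[Dict]:
    """Parse one syslog line from Snort; return None for anything else."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    a = ALERT_RE.match(m.group("msg"))
    if not a:
        return None  # a snort message that is not an alert (e.g. startup noise)
    facility, severity = decode_pri(int(m.group("pri")))
    src_ip, src_port = _endpoint(a.group("src"))
    dst_ip, dst_port = _endpoint(a.group("dst"))
    return {
        "facility": facility, "severity": severity,
        "timestamp": m.group("ts"), "host": m.group("host"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "gid": int(a.group("gid")), "sid": int(a.group("sid")), "rev": int(a.group("rev")),
        "message": a.group("msg"), "classification": a.group("cls"),
        "priority": int(a.group("prio")), "proto": a.group("proto"),
        "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port,
    }


# Constructed sample traffic as it would arrive on the Snare Central syslog port.
SAMPLE_MESSAGES = [
    "<33>Mar  4 08:15:02 sensor1 snort[1234]: [1:1000001:2] LOCAL Outbound reverse shell "
    "[Classification: A Network Trojan was detected] [Priority: 1] "
    "{TCP} 10.0.0.5:49152 -> 203.0.113.9:4444",
    "<33>Mar  4 08:15:03 sensor1 snort[1234]: [1:1000002:1] LOCAL ICMP sweep "
    "[Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.9",
    "<38>Mar  4 08:15:04 sensor1 sshd[999]: Accepted publickey for ops from 10.0.0.2",
]


def high_priority_alerts(lines, max_priority: int = 1):
    """Alerts at or above the given Snort priority (1 is the most severe)."""
    alerts = [a for a in map(parse_snort_syslog, lines) if a]
    return [a for a in alerts if a["priority"] <= max_priority]


if __name__ == "__main__":
    for alert in high_priority_alerts(SAMPLE_MESSAGES):
        print(f'{alert["host"]} sid={alert["sid"]} {alert["src_ip"]} -> '
              f'{alert["dst_ip"]}:{alert["dst_port"]} {alert["message"]}')
```

A quick way to confirm the sensor is forwarding is to watch the Snare Central syslog port for messages whose PRI is 33: anything else from the sensor is not coming through the alert_syslog output plugin with the facility and level configured above.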

Collecting ACF2 Data

Snare Central can collect processed ACF2 reports via FTP. The reports must be transferred to a specific directory on Snare Central, from which Snare Central processes import them once a day. FTP carries both the credentials and the report contents in clear text, so restrict the transfer to a trusted network path.

...

Code Block: CSCSNR01

//CSCSNR01 JOB (P,SCF81),ACT.SECURITY,CLASS=C,MSGCLASS=J
/*JOBPARM SYSAFF=PROD
//*-----------------------------------------------------------------
//*
//* JOB TO PRODUCE ACF2 LIDMOD REPORT FOR XFER TO SNARE SERVER
//*
//*---------- DELETE TEMP XFER LIB ---------------------------------
//*
//STEP1    EXEC PGM=IKJEFT01,REGION=8192K
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTERM  DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSIN  DD *
DELETE 'CSC.SNARE01.LIDMODS.XFER'
//*
//*---------- ACF2 LID DB MODIFICATION LOG REPORT ------------------
//*
//STEP2    EXEC PGM=ACFRPTLL
//SYSPRINT DD DSN=CSC.SNARE01.LIDMODS.REPORT(+1),
//            DISP=(,CATLG),
//            VOL=SER=BTCH52,
//            UNIT=SYSDA,
//            SPACE=(TRK,(60,5),RLSE),
//            DCB=(GDGMODEL,RECFM=FB,LRECL=142,BLKSIZE=27974)
//SYSUDUMP DD SYSOUT=*
//REC01    DD DSN=CTF.SMFJR,DISP=SHR
//SYSIN    DD *
MASK(********)
DETAIL
NOUPDATE
SYSID(****)
//*
//*---------- COPY REPORT FROM GDG TO XFER LIB ---------------------
//*
//COPY     EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSUT1   DD DSN=CSC.SNARE01.LIDMODS.REPORT(+1),
//            DISP=SHR
//SYSUT2   DD DSN=CSC.SNARE01.LIDMODS.XFER,
//            DISP=(NEW,CATLG,DELETE),
//            VOL=SER=BTCH52,
//            UNIT=SYSDA,
//            SPACE=(TRK,(60,5),RLSE),
//            DCB=*.SYSUT1
//*           DCB=(RECFM=FB,LRECL=142,BLKSIZE=27974)
//SYSIN    DD DUMMY
//*
//*---------- FTP XFER FILE TO SNARE SERVER ------------------------
//*
//STEP4    EXEC FTP,
//            SERVER='CSCSNARE',
//            FTPUSER='SNAREXFER',
//            FTPCMDS='CSCSNR01',
//            ENV='PROD',
//            SOUT='*'
//*
//*---------- Notify Security Monitoring Team if job fails ---------
//*
//JOBFAIL  IF ((RC > 4) | (ABEND)) THEN
//*
//SENDMEMO EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSUT1   DD *
HELO NCC
MAIL FROM:<PSC0SCHD@AGENCY.COM>
RCPT TO:<ITSECMON@AGENCY.COM>
DATA
TO:ITSECMON<ITSECMON@AGENCY.COM>
SUBJECT:SNARE REPORT FTP JOB FAILURE: JOB CSCSNR01
PLEASE CHECK SDSF OUTPUT FOR THIS JOB ASAP AND DETERMINE WHY.
>> THIS E-MAIL IS GENERATED BY A BATCH JOB RUNNING ON THE
>> AGENCY'S MAINFRAME ENVIRONMENT.
.
QUIT
/*
//SYSUT2   DD SYSOUT=(B,SMTP)
//SYSIN    DD DUMMY
//*
//JOBFAIL  ENDIF
//*===================================================================

STEP4 invokes a site-specific cataloged procedure named FTP (EXEC without PGM=), and the JOBFAIL IF/ENDIF pair must both be active for the failure notification to run. The job card, dataset names, volume serial, SMTP host and mail addresses shown are the originating site's values and must be changed to suit your installation.

RACF Violation Logs

RACF resource violation logs can be batch-imported into Snare Central. In particular, ACCESS, DELRES, and JOBINIT logs are supported directly.

...

Info: Log format

RACF logs are fixed-column logs. Snare Central assumes the following layout (character positions are 1-based and inclusive):

  • EVENT TYPE: Characters 1-8
  • EVENT QUALIFIER: Characters 10-17 (e.g. SUCCESS, INVPSWD, RACINITD)
  • TIME: Characters 19-26
  • DATE: Characters 28-37
  • SYSTEM: Characters 39-42 (SYSTEM ID)
  • USER ID: Characters 59-66
  • GROUP ID: Characters 68-75
  • TERMINAL (HOSTNAME): Characters 171-178
  • JOB NAME: Characters 180-187
  • USER NAME: Characters 556-575
  • ATTRIBUTES (True/False):
    • VIOLATION: Characters 44-47
    • BYPASS: Characters 107-110
    • SPECIAL USER: Characters 602-605
    • PRIV: Characters 646-649
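The column layout above is all that is needed to read these records outside Snare Central, for instance to check a file before transfer or to triage it locally. The following is an added example, not Snare Central code: a parser that slices each record at the documented 1-based column ranges, tolerates short records by padding them, and applies a simple triage rule. The sample records are constructed, the spelling of the True/False attribute columns (YES/NO or TRUE/T) is an assumption, and the triage rule is this example's own.

```python
"""Parser for the fixed-column RACF violation records laid out above.

Added example, not Snare Central code. The column ranges (1-based, inclusive)
are the ones documented above; the sample records, the spelling of the
True/False attribute columns and the triage rule are assumptions.
"""
from typing import Dict, List

# (field, first column, last column), 1-based inclusive, as listed above.
TEXT_FIELDS = [
    ("event_type", 1, 8), ("event_qualifier", 10, 17), ("time", 19, 26),
    ("date", 28, 37), ("system", 39, 42), ("user_id", 59, 66),
    ("group_id", 68, 75), ("terminal", 171, 178), ("job_name", 180, 187),
    ("user_name", 556, 575),
]
FLAG_FIELDS = [
    ("violation", 44, 47), ("bypass", 107, 110),
    ("special_user", 602, 605), ("priv", 646, 649),
]
RECORD_WIDTH = 649  # last documented column; shorter records are space-padded


def _column(line: str, first: int, last: int) -> str:
    # 1-based inclusive columns -> 0-based half-open slice.
    return line[first - 1:last]


def _flag(text: str) -> bool:
    # Assumption: a True/False attribute column reads T/TRUE/Y/YES when set.
    return text.strip().upper() in {"T", "TRUE", "Y", "YES"}


def parse_record(line: str) -> Dict:
    """Split one RACF record into trimmed text fields and boolean attributes."""
    line = line.rstrip("\r\n").ljust(RECORD_WIDTH)
    rec = {name: _column(line, a, b).strip() for name, a, b in TEXT_FIELDS}
    rec.update({name: _flag(_column(line, a, b)) for name, a, b in FLAG_FIELDS})
    return rec


def build_record(**fields) -> str:
    """Place values into the documented columns; used only to construct samples."""
    buf = [" "] * RECORD_WIDTH
    for name, a, b in TEXT_FIELDS + FLAG_FIELDS:
        if name not in fields:
            continue
        value = fields[name]
        if isinstance(value, bool):
            value = "YES" if value else "NO"
        width = b - a + 1
        buf[a - 1:b] = list(str(value)[:width].ljust(width))
    return "".join(buf)


def suspicious(rec: Dict) -> bool:
    """Assumed triage rule: a violation, a bad password, or a bypass of checking."""
    return rec["violation"] or rec["bypass"] or rec["event_qualifier"] == "INVPSWD"


def triage(lines) -> List[Dict]:
    """Records worth a look, in file order."""
    return [r for r in map(parse_record, lines) if suspicious(r)]


# Constructed sample records, not real RACF output.
SAMPLE_RECORDS = [
    build_record(event_type="ACCESS", event_qualifier="SUCCESS", time="08:15:02",
                 date="2021-03-04", system="SYSA", user_id="OPER01", group_id="SYS1",
                 terminal="TSO00012", job_name="OPER01", user_name="OPERATOR ONE",
                 violation=False, bypass=False, special_user=False, priv=False),
    build_record(event_type="JOBINIT", event_qualifier="INVPSWD", time="08:15:07",
                 date="2021-03-04", system="SYSA", user_id="OPER01", group_id="SYS1",
                 terminal="TSO00012", job_name="OPER01", user_name="OPERATOR ONE",
                 violation=True, bypass=False, special_user=False, priv=False),
    build_record(event_type="ACCESS", event_qualifier="INSAUTH", time="08:16:30",
                 date="2021-03-04", system="SYSA", user_id="BATCH07", group_id="PROD",
                 terminal="", job_name="PAYRUN", user_name="PAYROLL BATCH",
                 violation=True, bypass=False, special_user=True, priv=False),
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_RECORDS):
        print(rec["date"], rec["time"], rec["event_type"], rec["event_qualifier"],
              rec["user_id"], "special" if rec["special_user"] else "")
```

Because the attribute columns sit far beyond the first 200 characters, a record that has been wrapped or truncated by an intermediate transfer will silently lose them; the padding in parse_record makes such records parse, so check the record length before trusting the flags.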

Tandem Logs

Tandem systems supply logs with the following fields:

...

Logs should be transferred to the directory /data/SnareCollect/TandemLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Sidewinder Firewall Logs

Sidewinder firewall logs can be exported to CSV, and transferred to Snare Central for processing.

...

Logs should be transferred to the directory /data/SnareCollect/SidewinderLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Content Keeper Logs

Content Keeper logs can be transferred to the directory /data/SnareCollect/CKeeperLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

...

  • Date/Time
  • Ignored field
  • Source IP Address
  • User Name
  • Bytes
  • Status Code
  • Content
  • URL
  • Policy
  • Category

Checkpoint Firewall1 Logs

Checkpoint Firewall 1 firewalls can export log data to a CSV file. Snare can cope with a range of column layouts, provided the header line that names the columns is the first line of each exported file.

...

Checkpoint Firewall logs can be transferred to the directory /data/SnareCollect/Firewall1Log via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Gauntlet Firewall Logs

Gauntlet Firewall logs can be transferred to the directory /data/SnareCollect/GauntletFirewallLog/ via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Content is assumed to be in ASCII format, and values are space separated.

OS400 Logs

OS400 logs can be transferred to the directory /data/SnareCollect/OS400Log via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

...

  • Journal Code (JournalCode)
  • Journal Entry Code (JournalEntryCode)
  • Journal Entry Date (Date)
  • Journal Entry Time (Time)
  • System name (System)
  • Job Name (JobName)
  • User Name (JobUser)
  • Job Number (JobNumber)
  • Program Accessing Object (Program)
  • Object Failure Object Name (OFName)
  • Object Failure Library Name (OFLibrary)
  • Object Failure Object Type (OFType)
  • Failed Login User (Strings)
  • Failed Login Job (Strings)
  • System Value name (Strings)
  • Changed Value (Strings)

Squid Proxy Logs

Squid proxy logs (in the default squid log format) can be transferred to the directory /data/SnareCollect/SquidProxyLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Apache Logs

Apache web server logs (in the default apache 'combined' format) can be transferred to the directory /data/SnareCollect/ApacheLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Internet Information Server (IIS) Logs

IIS web server logs can be transferred to the directory /data/SnareCollect/IISWebLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

...

  • date
  • time
  • s-ip
  • cs-method
  • cs-uri-stem
  • cs-uri-query
  • s-port
  • cs-username
  • c-ip
  • cs(User-Agent)
  • sc-status
  • sc-substatus
  • sc-win32-status
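IIS writes W3C extended log files whose column set is configurable, so a file dropped into /data/SnareCollect/IISWebLog may not carry the fields listed above, or may carry them in a different order. The following is an added example, not Snare Central code: a pre-transfer check that reads the #Fields directive, compares it with the expected list, parses the data lines against the header actually present, and counts 401/403 responses per client as a quick illustration of what the parsed fields are good for. The sample log text is constructed, and treating a missing, reordered or truncated #Fields line as a failure is this example's own rule.

```python
"""Pre-transfer check for IIS W3C extended log files destined for
/data/SnareCollect/IISWebLog.

Added example, not Snare Central code. The expected field order is the list
given above; the sample log text is constructed; the failure rules are this
example's own, not a documented Snare Central behaviour.
"""
from collections import Counter
from typing import Dict, List, Tuple

EXPECTED_FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
    "sc-substatus", "sc-win32-status",
]


def check_w3c_log(text: str) -> Tuple[List[str], List[Dict[str, str]]]:
    """Return (problems, records). An empty problems list means the file matches."""
    problems: List[str] = []
    records: List[Dict[str, str]] = []
    fields = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # W3C directives: #Software, #Version, #Date, #Fields
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
                if fields != EXPECTED_FIELDS:
                    problems.append(f"line {lineno}: #Fields order is {' '.join(fields)}")
            continue
        if fields is None:
            problems.append(f"line {lineno}: data before any #Fields directive")
            continue
        values = line.split(" ")  # W3C fields are single-space separated; '-' means empty
        if len(values) != len(fields):
            problems.append(f"line {lineno}: {len(values)} values for {len(fields)} fields")
            continue
        records.append(dict(zip(fields, values)))
    if fields is None:
        problems.append("no #Fields directive found")
    return problems, records


def failed_auth_by_ip(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count 401/403 responses per client address, a quick brute-force indicator."""
    return dict(Counter(r["c-ip"] for r in records if r.get("sc-status") in ("401", "403")))


# Constructed sample files, not real IIS output.
GOOD_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2021-03-04 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2021-03-04 08:15:02 10.0.0.10 GET /index.htm - 80 - 10.0.0.5 Mozilla/5.0+(Windows+NT+10.0) 200 0 0
2021-03-04 08:15:03 10.0.0.10 GET /admin/ - 80 - 198.51.100.7 curl/7.64.1 401 2 5
2021-03-04 08:15:04 10.0.0.10 GET /admin/ - 80 - 198.51.100.7 curl/7.64.1 401 2 5
"""
BAD_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2021-03-04 08:15:02 10.0.0.5 GET /index.htm 200
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        problems, records = check_w3c_log(text)
        print(name, "OK" if not problems else problems, failed_auth_by_ip(records))
```

Note that IIS replaces spaces inside a value (the user agent in particular) with "+", which is why a plain split on single spaces is safe for these files; a file that has been re-exported through a tool that restores the spaces will fail the value-count check above.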

Windows Event Logs (Exported from Snare Agents)

Snare for Windows agents are capable of exporting log data to a file on disk, rather than pushing the events back to a central server.

...

Logs should be in standard Snare Agent tab-delimited text format, and can be transferred to the directory /data/SnareCollect/MSWinEventLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Windows Event Logs (EVTX files)

Note: Only available in Snare Central version 7.1 or newer

...

Info: Time Zones

The following Time Zones are supported:

Africa:Abidjan, Africa:Accra, Africa:Addis_Ababa, Africa:Algiers, Africa:Asmara
Africa:Asmera, Africa:Bamako, Africa:Bangui, Africa:Banjul, Africa:Bissau
Africa:Blantyre, Africa:Brazzaville, Africa:Bujumbura, Africa:Cairo, Africa:Casablanca
Africa:Ceuta, Africa:Conakry, Africa:Dakar, Africa:Dar_es_Salaam, Africa:Djibouti
Africa:Douala, Africa:El_Aaiun, Africa:Freetown, Africa:Gaborone, Africa:Harare
Africa:Johannesburg, Africa:Juba, Africa:Kampala, Africa:Khartoum, Africa:Kigali
Africa:Kinshasa, Africa:Lagos, Africa:Libreville, Africa:Lome, Africa:Luanda
Africa:Lubumbashi, Africa:Lusaka, Africa:Malabo, Africa:Maputo, Africa:Maseru
Africa:Mbabane, Africa:Mogadishu, Africa:Monrovia, Africa:Nairobi, Africa:Ndjamena
Africa:Niamey, Africa:Nouakchott, Africa:Ouagadougou, Africa:Porto-Novo, Africa:Sao_Tome
Africa:Timbuktu, Africa:Tripoli, Africa:Tunis, Africa:Windhoek

America:Adak, America:Anchorage, America:Anguilla, America:Antigua, America:Araguaina
America:Argentina:Buenos_Aires, America:Argentina:Catamarca, America:Argentina:ComodRivadavia, America:Argentina:Cordoba, America:Argentina:Jujuy
America:Argentina:La_Rioja, America:Argentina:Mendoza, America:Argentina:Rio_Gallegos, America:Argentina:Salta, America:Argentina:San_Juan
America:Argentina:San_Luis, America:Argentina:Tucuman, America:Argentina:Ushuaia, America:Aruba, America:Asuncion
America:Atikokan, America:Atka, America:Bahia, America:Bahia_Banderas, America:Barbados
America:Belem, America:Belize, America:Blanc-Sablon, America:Boa_Vista, America:Bogota
America:Boise, America:Buenos_Aires, America:Cambridge_Bay, America:Campo_Grande, America:Cancun
America:Caracas, America:Catamarca, America:Cayenne, America:Cayman, America:Chicago
America:Chihuahua, America:Coral_Harbour, America:Cordoba, America:Costa_Rica, America:Creston
America:Cuiaba, America:Curacao, America:Danmarkshavn, America:Dawson, America:Dawson_Creek
America:Denver, America:Detroit, America:Dominica, America:Edmonton, America:Eirunepe
America:El_Salvador, America:Ensenada, America:Fort_Wayne, America:Fortaleza, America:Glace_Bay
America:Godthab, America:Goose_Bay, America:Grand_Turk, America:Grenada, America:Guadeloupe
America:Guatemala, America:Guayaquil, America:Guyana, America:Halifax, America:Havana
America:Hermosillo, America:Indiana:Indianapolis, America:Indiana:Knox, America:Indiana:Marengo, America:Indiana:Petersburg
America:Indiana:Tell_City, America:Indiana:Vevay, America:Indiana:Vincennes, America:Indiana:Winamac, America:Indianapolis
America:Inuvik, America:Iqaluit, America:Jamaica, America:Jujuy, America:Juneau
America:Kentucky:Louisville, America:Kentucky:Monticello, America:Knox_IN, America:Kralendijk, America:La_Paz
America:Lima, America:Los_Angeles, America:Louisville, America:Lower_Princes, America:Maceio
America:Managua, America:Manaus, America:Marigot, America:Martinique, America:Matamoros
America:Mazatlan, America:Mendoza, America:Menominee, America:Merida, America:Metlakatla
America:Mexico_City, America:Miquelon, America:Moncton, America:Monterrey, America:Montevideo
America:Montreal, America:Montserrat, America:Nassau, America:New_York, America:Nipigon
America:Nome, America:Noronha, America:North_Dakota:Beulah, America:North_Dakota:Center, America:North_Dakota:New_Salem
America:Ojinaga, America:Panama, America:Pangnirtung, America:Paramaribo, America:Phoenix
America:Port-au-Prince, America:Port_of_Spain, America:Porto_Acre, America:Porto_Velho, America:Puerto_Rico
America:Rainy_River, America:Rankin_Inlet, America:Recife, America:Regina, America:Resolute
America:Rio_Branco, America:Rosario, America:Santa_Isabel, America:Santarem, America:Santiago
America:Santo_Domingo, America:Sao_Paulo, America:Scoresbysund, America:Shiprock, America:Sitka
America:St_Barthelemy, America:St_Johns, America:St_Kitts, America:St_Lucia, America:St_Thomas
America:St_Vincent, America:Swift_Current, America:Tegucigalpa, America:Thule, America:Thunder_Bay
America:Tijuana, America:Toronto, America:Tortola, America:Vancouver, America:Virgin
America:Whitehorse, America:Winnipeg, America:Yakutat, America:Yellowknife

Antarctica:Casey, Antarctica:Davis, Antarctica:DumontDUrville, Antarctica:Macquarie, Antarctica:Mawson
Antarctica:McMurdo, Antarctica:Palmer, Antarctica:Rothera, Antarctica:South_Pole, Antarctica:Syowa
Antarctica:Troll, Antarctica:Vostok

Arctic:Longyearbyen

Asia:Aden, Asia:Almaty, Asia:Amman, Asia:Anadyr, Asia:Aqtau
Asia:Aqtobe, Asia:Ashgabat, Asia:Ashkhabad, Asia:Baghdad, Asia:Bahrain
Asia:Baku, Asia:Bangkok, Asia:Beirut, Asia:Bishkek, Asia:Brunei
Asia:Calcutta, Asia:Chita, Asia:Choibalsan, Asia:Chongqing, Asia:Chungking
Asia:Colombo, Asia:Dacca, Asia:Damascus, Asia:Dhaka, Asia:Dili
Asia:Dubai, Asia:Dushanbe, Asia:Gaza, Asia:Harbin, Asia:Hebron
Asia:Ho_Chi_Minh, Asia:Hong_Kong, Asia:Hovd, Asia:Irkutsk, Asia:Istanbul
Asia:Jakarta, Asia:Jayapura, Asia:Jerusalem, Asia:Kabul, Asia:Kamchatka
Asia:Karachi, Asia:Kashgar, Asia:Kathmandu, Asia:Katmandu, Asia:Khandyga
Asia:Kolkata, Asia:Krasnoyarsk, Asia:Kuala_Lumpur, Asia:Kuching, Asia:Kuwait
Asia:Macao, Asia:Macau, Asia:Magadan, Asia:Makassar, Asia:Manila
Asia:Muscat, Asia:Nicosia, Asia:Novokuznetsk, Asia:Novosibirsk, Asia:Omsk
Asia:Oral, Asia:Phnom_Penh, Asia:Pontianak, Asia:Pyongyang, Asia:Qatar
Asia:Qyzylorda, Asia:Rangoon, Asia:Riyadh, Asia:Saigon, Asia:Sakhalin
Asia:Samarkand, Asia:Seoul, Asia:Shanghai, Asia:Singapore, Asia:Srednekolymsk
Asia:Taipei, Asia:Tashkent, Asia:Tbilisi, Asia:Tehran, Asia:Tel_Aviv
Asia:Thimbu, Asia:Thimphu, Asia:Tokyo, Asia:Ujung_Pandang, Asia:Ulaanbaatar
Asia:Ulan_Bator, Asia:Urumqi, Asia:Ust-Nera, Asia:Vientiane, Asia:Vladivostok
Asia:Yakutsk, Asia:Yekaterinburg, Asia:Yerevan

Atlantic:Azores, Atlantic:Bermuda, Atlantic:Canary, Atlantic:Cape_Verde, Atlantic:Faeroe
Atlantic:Faroe, Atlantic:Jan_Mayen, Atlantic:Madeira, Atlantic:Reykjavik, Atlantic:South_Georgia
Atlantic:St_Helena, Atlantic:Stanley

Australia:ACT, Australia:Adelaide, Australia:Brisbane, Australia:Broken_Hill, Australia:Canberra
Australia:Currie, Australia:Darwin, Australia:Eucla, Australia:Hobart, Australia:LHI
Australia:Lindeman, Australia:Lord_Howe, Australia:Melbourne, Australia:North, Australia:NSW
Australia:Perth, Australia:Queensland, Australia:South, Australia:Sydney, Australia:Tasmania
Australia:Victoria, Australia:West, Australia:Yancowinna

Europe:Amsterdam, Europe:Andorra, Europe:Athens, Europe:Belfast, Europe:Belgrade
Europe:Berlin, Europe:Bratislava, Europe:Brussels, Europe:Bucharest, Europe:Budapest
Europe:Busingen, Europe:Chisinau, Europe:Copenhagen, Europe:Dublin, Europe:Gibraltar
Europe:Guernsey, Europe:Helsinki, Europe:Isle_of_Man, Europe:Istanbul, Europe:Jersey
Europe:Kaliningrad, Europe:Kiev, Europe:Lisbon, Europe:Ljubljana, Europe:London
Europe:Luxembourg, Europe:Madrid, Europe:Malta, Europe:Mariehamn, Europe:Minsk
Europe:Monaco, Europe:Moscow, Europe:Nicosia, Europe:Oslo, Europe:Paris
Europe:Podgorica, Europe:Prague, Europe:Riga, Europe:Rome, Europe:Samara
Europe:San_Marino, Europe:Sarajevo, Europe:Simferopol, Europe:Skopje, Europe:Sofia
Europe:Stockholm, Europe:Tallinn, Europe:Tirane, Europe:Tiraspol, Europe:Uzhgorod
Europe:Vaduz, Europe:Vatican, Europe:Vienna, Europe:Vilnius, Europe:Volgograd
Europe:Warsaw, Europe:Zagreb, Europe:Zaporozhye, Europe:Zurich

Indian:Antananarivo, Indian:Chagos, Indian:Christmas, Indian:Cocos, Indian:Comoro
Indian:Kerguelen, Indian:Mahe, Indian:Maldives, Indian:Mauritius, Indian:Mayotte
Indian:Reunion

Pacific:Apia, Pacific:Auckland, Pacific:Bougainville, Pacific:Chatham, Pacific:Chuuk
Pacific:Easter, Pacific:Efate, Pacific:Enderbury, Pacific:Fakaofo, Pacific:Fiji
Pacific:Funafuti, Pacific:Galapagos, Pacific:Gambier, Pacific:Guadalcanal, Pacific:Guam
Pacific:Honolulu, Pacific:Johnston, Pacific:Kiritimati, Pacific:Kosrae, Pacific:Kwajalein
Pacific:Majuro, Pacific:Marquesas, Pacific:Midway, Pacific:Nauru, Pacific:Niue
Pacific:Norfolk, Pacific:Noumea, Pacific:Pago_Pago, Pacific:Palau, Pacific:Pitcairn
Pacific:Pohnpei, Pacific:Ponape, Pacific:Port_Moresby, Pacific:Rarotonga, Pacific:Saipan
Pacific:Samoa, Pacific:Tahiti, Pacific:Tarawa, Pacific:Tongatapu, Pacific:Truk
Pacific:Wake, Pacific:Wallis, Pacific:Yap

Lotus Notes / Domino

Snare Central can connect to a Domino server to retrieve event log data from log.nsf, along with user and group information and access controls. Some of the default settings in Lotus Domino can cause problems for the Snare Agent, so modify the server as follows: from the Domino Administrator page, click the Configuration tab, expand the Web section and click Internet Sites.

...