Page Comparison

...

DATE

TIME

SYSTEM

TABLE

CRITICALITY

EVENTID

ACTION

PROTO

SRCADDR

SRCPORT

DSTADDR

DSTPORT

STRING

Component	Description	Reference
Field	A field in SnareQL is a word that represents a field within a particular log type.	Events within each logtype are guaranteed by the Snare Central collection subsystem to include the following fields: DATE In the format YYYY-MM-DD, for example 2020-02-23 TIME In the format: HH:MM:SS, for example: 16:23:49 SYSTEM Upper case system name or IP Address. TABLE The source log type Depending on the source log type, events may also include fields such as: EventID (eg: “deny packet”, or “login - ssh”, or “512”. SourceIP (eg: 193.32.113.12) User (eg: AJSmith) URL (eg: https://prophecyinternational.com/) The fields available for each type of log are detailed in a table below. Note that new log types are added on a regular basis.
Operator	An operator in SnareQL is one or more symbols or words that compare the value of a field on its left with one or more values on its right. Some operators may use the negate symbol (!) to reverse the meaning - eg: !=, !REGEX	= Standard equality. Case insensitive. != Standard inequality. Case insensitive. < Less than. Case insensitive in strings. Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979 True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y)) <= Less than or equal to. Case insensitive in strings. Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979 True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y)) > Greater than. Case insensitive in strings. Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979 True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y)) >= Greater than or equal to. Case insensitive in strings. Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979 True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y)) LIKE SQL-style like criteria. "%" symbols are considered to be wildcards. Case insensitive. !LIKE SQL-style like criteria. "%" symbols are considered to be wildcards. Case insensitive. CONTAINS The target string, contains the supplied string. Case insensitive. eg: STRINGS CONTAINS "userid" would be true for a STRINGS of "The following userID logged off: Fred" !CONTAINS The target string, does not contain the supplied string. Case insensitive. eg: STRINGS !CONTAINS "userid" would be true for a STRINGS of "This string does not contain the string" INCLUDES The value is one of the supplied comma-separated values. Case insensitive. eg: STRINGS INCLUDES "Fred,Barney,Wilma" would be true for the String "Fred", but not "Frederick" The equivalent of (STRINGS = "FRED" OR STRINGS = "BARNEY" OR STRINGS = "WILMA") !INCLUDES / EXCLUDES That value contains NONE of the supplied comma-separated values. Case insensitive. EXCLUDES is an alias for !INCLUDES eg: STRINGS EXCLUDES "Fred,Barney,Wilma" would be true for the String "BamBam", and would also be true for "Frederick", but not "Fred" The equivalent of (STRINGS != "FRED" AND STRINGS != "BARNEY" AND STRINGS != "WILMA") REGEX The value matches the supplied regular expression. Regex is CASE SENSITIVE Regex is assumed to be a valid RE2 expression. !REGEX The value does not match the supplied regular expression. Regex is CASE SENSITIVE Regex is assumed to be a valid RE2 expression (note that Snare Server version 7 uses PCRE). REGEXI The value matches the supplied regular expression. Regex is NOT CASE SENSITIVE Regex is assumed to be a valid RE2 expression. !REGEXI The value does not match the supplied regular expression. Regex is NOT CASE SENSITIVE Regex is assumed to be a valid RE2 expression. HAS Like CONTAINS, but assumes that the supplied match string, are entire words. Significantly more friendly from an index-perspective; queries that use HAS may return significantly faster than queries that use CONTAINS. Case insensitive. eg: STRINGS HAS "Fred" would match: "The user Fred logged in", but not "The user Frederick logged in". eg: STRINGS CONTAINS "Fred" would match: "The user Fred logged in" and "The user Frederick logged in".
Logical Element	A logical element in SnareQL is a word that joins two or more clauses together to forma a complex SnareQL query	AND OR NOT
Value	A string designed to represent the contents of a field in an event within the Snare Central datastore. The value may be a simple string, or a complex regular expression, depending on the operator selected. Quotations are optional for simple values comprising a single word. Single or double quotes are recommended for more complex values such as regular expressions, and are required for strings that contain whitespace.	AJSmith “Tony Smith” “^(AU\|US\|UK)-[0-9]” “Tony%” yesterday
Function	A function in SnareQL appears as a word followed by parentheses, which may contain a field. A function performs a calculation on the contents of the field (the value) and returns the results.	15MIN(TIME): Return the number of 15 minute quadrant associated with the supplied time (0-95). The day will be divided into 96 quadrants. 00:12:03 will become 0 00:15:01 will become 1 12:01:00 will become 48 12:14:59 will become 48 12:15:01 will become 49 14:45:00 will become 59 15MINFLOOR(TIME) Return the time to the nearest low 15 minute segment of the day 12:01:00 will become 12:00:00 12:14:59 will become 12:00:00 12:15:01 will become 12:15:00 14:45:00 will become 14:45:00 15:59:00 will become 15:45:00 HOUR(TIME) Returns just the hour associated with the supplied time 12:01:12 will return 12 17:23:34 will return 17 HOURMINUTE(TIME) Returns the hour and the minute, with a colon deliminiter 17:23:49 becomes 17:23 MINUTE(TIME) Returns just the minute component of the supplied time 12:01:12 will return 01 17:23:34 will return 23 SECONDS(TIME) Returns just the seconds component of the supplied time 12:01:12 will return 12 17:23:34 will return 34 DAYOFWEEK(DATE) Returns the number of the day of the week for a particular date. 1: Sunday 2: Monday 3: Tuesday 4: Wednesday 5: Thursday 6: Friday 7: Saturday
Log Type / Table	Fields
ACF2Log	DATE TIME SYSTEM TABLE USERNAME RESOURCE LOGTYPE EVENTID RETURN DATA
AgentHeartBeat	DATE TIME SYSTEM TABLE AGENTTYPE VERSION ACTION STRINGS
AIXAudit	DATE TIME SYSTEM TABLE EVENTID EVENTCOUNT RUID EUID PROCESS PID PPID RETURNCODE STRINGS TARGET
ApacheLog	DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
AppleBSM	DATE TIME SYSTEM TABLE EVENTCOUNT EVENTID AUID EUID EGID RUID RGID PID RETURNCODE STRINGS TARGET
Browser	DATE TIME SYSTEM TABLE SOURCE USERNAME EVENT MESSAGE REFERRER LENGTH RESPONSE
CarbonBlack	DATE TIME SYSTEM TABLE TYPE STRINGS
CISCORouterLog	DATE TIME SYSTEM TABLE CRITICALITY ACTION PROTO SRCADDR SRCPORT DSTADDR DSTPORT STRING
CuramAuthenticationLog	DATE TIME SYSTEM TABLE USERNAME LOGINFAILURES LASTLOGIN LOGINSTATUS LOGID VERSIONNO LASTWRITTEN
CuramAuthorisationLog	DATE TIME SYSTEM TABLE USERNAME LOGID IDENTIFIERNAME LASTWRITTEN
CuramOpAuditLog	DATE TIME SYSTEM TABLE USERID PROGRAMNAME TRANTYPE LASTWRITTEN
CyberGuardFirewallLog	DATE TIME SYSTEM TABLE ACTION PROTO SRCINT SRCADDR SRCPORT DSTINT DSTADDR DSTPORT
DhcpSrvLog	DATE TIME SYSTEM TABLE TYPE ID MACADDR IPADDR HOSTNAME DESCRIPTION
Exch2008MTLog	DATE TIME SYSTEM TABLE SOURCE EVENTID USER SOURCEADDR DESTADDR SOURCESYSTEM DESTSYSTEM MESSAGEID BYTES STATUS STRING
ExchMTLog	DATE TIME SYSTEM TABLE SOURCE EVENTID USER SOURCEADDR DESTADDR SOURCESYSTEM DESTSYSTEM MESSAGEID BYTES STATUS STRING
F5Violations	DATE TIME SYSTEM TABLE MANAGEMENTIPADDRESS HTTPCLASSNAME WEBAPPLICATIONNAME POLICYNAME POLICYAPPLYDATE VIOLATIONS SUPPORTID REQUESTSTATUS RESPONSECODE ROUTEDOMAIN METHOD HTTPPROTOCOL QUERYSTRING XFORWARDEDFORHEADERVALUE SIGIDS SIGNAMES SEVERITY ATTACKTYPE GEOLOCATION IPADDRESSINTELLIGENCE USERNAME SESSIONID SRCADDR SRCPORT DSTADDR DSTPORT PROTO SUBVIOLATIONS VIRUSNAME URI REQUEST STRINGS
Firewall1Log	DATE TIME SYSTEM TABLE ACTION INTERFACE SRCADDR SRCPORT DSTADDR DSTPORT PROTO RULE MESSAGE
Fortigate	DATE TIME SYSTEM TABLE VERSION ACTION CATEGORY TYPE SUBTYPE RULENAME PROTO USRNAME SERIALNUMBER NATSRCIP NATDSTIP SOURCEUSER DESTINATIONUSER APPLICATION VIRTUALSYSTEM SRCADDR SRCPORT DSTADDR DSTPORT SOURCEZONE DESTINATIONZONE INGRESSINTERFACE EGRESSINTERFACE LOGFORWARDINGPROFILE SESSIONID REPEATCOUNT NATSOURCEPORT NATDESTPORT FLAGS BYTES PACKETS ELAPSEDTIME URLCATEGORY BYTESIN BYTESOUT SEVERITY STRING
FWOBJActionsLog	DATE TIME SYSTEM TABLE APPLICATION TRANSID RECTYPE FOLDERCODE USER COMMENT ACTION
FWOBJActionsRawLog	DATE TIME SYSTEM TABLE SEQUENCE FILENUMBER CLIENTID CLIENTTYPE ACTIONMETHOD OFFICER OBJNAME OBJMETHOD COMMENTS OBJNAMEMETHOD
GauntletFirewallLog	DATE TIME SYSTEM TABLE CRITICALITY PROXY ACTION SRCADDR SRCPORT DSTADDR DSTPORT PROTO STRING
GenericLog	DATE TIME SYSTEM TABLE CRITICALITY SOURCE DETAILS
IISWebLog	DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
IPTablesFirewall	DATE TIME SYSTEM TABLE ACTION INTERFACE SRCADDR SRCPORT DSTADDR DSTPORT PROTO STRINGS
IrixSAT	DATE TIME SYSTEM TABLE EVENTID EVENTTYPE COMMAND AUID EUID EGID TARGET RETURNCODE EVENTCOUNT STRINGS
ISAFWSLog	DATE TIME SYSTEM TABLE PROTO ACTION SRCADDR SRCPORT DSTADDR DSTPORT STATUS RULE APPLICATION STRINGS
ISAWebLogDVA	DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
ISAWebLog	DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
ISAWebLogImport	DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
LinuxAudit	DATE TIME SYSTEM TABLE EVENTCOUNT EVENTID RUID RGID EUID EGID PROCESS RETURNCODE SUCCESS TARGET STRINGS
LinuxKAudit	DATE TIME SYSTEM TABLE EVENTCOUNT EVENTID RUID RGID EUID EGID PROCESS RETURNCODE SUCCESS TARGET STRINGS
LotusNotesLog	DATE TIME SYSTEM TABLE SOURCE EVENT
MailLog	DATE TIME SYSTEM TABLE SOURCE EVENTID USER SOURCEADDR DESTADDR SOURCESYSTEM DESTSYSTEM MESSAGEID BYTES STATUS STRING
MSDNSServer	DATE TIME SYSTEM TABLE STRING DNSNAME
MSProxySvr	DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
MSSQLLog	DATE TIME SYSTEM TABLE EVENTID CLASS SPID DBNAME USERNAME OBJECTNAME ROLENAME TARGETUSERNAME DBUSERNAME TARGETLOGINNAME STRINGS
MSWinEventLog	DATE TIME DATETIME SYSTEM TABLE EVENTCOUNT EVENTID SOURCE USER SOURCETYPE RETURN DATA STRINGS
MSWinEventLog	DATE TIME SYSTEM TABLE EVENTCOUNT EVENTID SOURCE USER SOURCETYPE RETURN DATA STRINGS
NCRATMLog	DATE TIME SYSTEM TABLE CRITICALITY EVENTID UID SEQNUM STRINGS
NetgearFirewallLog	DATE TIME SYSTEM TABLE ACTION MODULE SRCADDR SRCPORT DSTADDR DSTPORT PROTO MESSAGE
NetgearRouterLog	DATE TIME SYSTEM TABLE ACTION SRCADDR SRCPORT DSTADDR DSTPORT PROTO MESSAGE
NetscalerLog	DATE TIME SYSTEM TABLE CRITICALITY SOURCE EVENTID USER CLIENTIP EVENTCOUNT EVENT
NetScreenFirewall	DATE TIME SYSTEM TABLE ACTION PROTO SRCADDR SRCPORT DSTADDR DSTPORT DURATION SENT RECEIVED DIRECTION DETAILS
NortelVPNRouter	DATE TIME SYSTEM TABLE CRITICALITY LOGSOURCE USERID CPU LOGTYPE DETAILS
ObjectAccess	DATE TIME SYSTEM TABLE OBJECT OWNER OWNERTYPE ACCESS CAPABILITIES SOURCE
ObjectStarLog	DATE TIME SYSTEM TABLE IDGEN_KEY USER USER_CLEARANCE OBJECT OBJECT_CLASSFCTN ACCESS_ALLOWED MESSAGE_NO PARAM1 PARAM2 ACTIVITY OBJECT_TYPE
OracleLog	DATE TIME SYSTEM TABLE NODE INSTANCE SESSIONID ENTRYID STATEMENT USERID USERHOST TERMINAL ACTION RETURNCODE COMMENTS OSUSERID PRIV STRINGS
OS400Log	DATE TIME SYSTEM TABLE JOURNALCODE JOURNALENTRYCODE JOBNAME JOBUSER JOBNUMBER PROGRAM OFNAME OFLIBRARY OFTYPE STRINGS
PIXLog

Field Reference

Each log type supported by the Snare Central collection subsystem has a range of fields available. Intelligent event recognition and segmentation software modules are capable of pulling useful content from a raw incoming event, into key/value pairs.

The Snare Central query language can use these fields and values to hunt for critical security data. See Log Types for information on fields that are available for each log type.

The following logtype/fields are not yet available in the Log Types area of the Snare Central user guide. Basic details are available below:

Log Type / Table	Fields
QUASARSAudit	DATE TIME SYSTEM TABLE IDENTITY ACTION IDTYPE IDVALUE AUDITTABLE FIELD OLDVALUE NEWVALUE
RACFLog	DATE TIME SYSTEM TABLE EVENTID JOBNAME SOURCE RESOURCE ACTION USERID USERNAME USERFLAGS GROUPID RETURN RESULT DATA
SidewinderFirewallLog	DATE TIME SYSTEM TABLE ACTION PROTO SRCINT SRCADDR SRCPORT DSTINT DSTADDR DSTPORT FAC AREA TYPE PRIORITY PID RUID EUID PGID LOGID COMMAND DOMAIN EDOMAIN CATEGORY ATTACKADDR ATTACKINT SERVICENAME USERNAME AUTHMETHOD ACLID CACHEHIT REASON
SidewinderLog	DATE TIME SYSTEM TABLE USERNAME AUTHMETHOD SRCADDR SRCPORT DSTADDR DSTPORT PROTO EVENT TYPE REASON STRINGS
SMTPSvcLog	DATE TIME SYSTEM TABLE SOURCE EVENTID USER SOURCEADDR DESTADDR SOURCESYSTEM DESTSYSTEM MESSAGEID BYTES STATUS STRING
SnareServerLog	DATE TIME SYSTEM TABLE SOURCE USERNAME RESOURCE ACTION RETURN DETAILS
SNMPTrap	DATE TIME SYSTEM TABLE STRINGS
Snort	DATE TIME SYSTEM TABLE EVENTID PRIORITY CLASSIFICATION DESCRIPTION SRCADDR SRCPORT DSTADDR DSTPORT PROTO
SOCKSLog	DATE TIME SYSTEM TABLE ACTION MESSAGE
SolarisBSM	DATE TIME SYSTEM TABLE EVENTCOUNT EVENTID AUID EUID EGID RUID RGID PID RETURNCODE STRINGS TARGET
SonicWall	DATE TIME SYSTEM TABLE EVENTID CATEGORY PRIORITY FWADDR PROTO SRCADDR SRCPORT DSTADDR DSTPORT MESSAGE STRINGS
SonicWallSSLVPN	DATE TIME SYSTEM TABLE ACTION PRIORITY FWADDR SRCADDR DSTADDR PORTAL DOMAIN USER MESSAGE AGENT STRING
SophosDataControlLog	DATE TIME SYSTEM TABLE USERNAME COMPUTER SOURCEPATH DESTINATIONPATH FILENAME DESTTYPE STRINGS
SophosWeb	DATE TIME SYSTEM TABLE USERNAME CRITICALITY CATEGORY RULE REASON THREAT DOMAIN METHOD URL PROTOCOL SRCIP DESTIP AGENT OS BYTESIN BYTESOUT REFERRER STRINGS
SquidProxyLog	DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
TandemLog	DATE TIME SYSTEM TABLE PSGUSER PSGUSERID PCGUSER POOBJECTTYPE POOPERATION POOWNUSER POOWNUSERID PSTERM PCTERM RETURN
TopicLog	DATE TIME SYSTEM TABLE CLIENT USERNAME OPERATION QUERY TITLE COLLECTIONS SERIAL PATH RULE
TrendDSM	DATE TIME SYSTEM TABLE CRITICALITY EVENTNUMBER TITLE TARGET ACTIONBY DESCRIPTION TAGS
Tru64Audit	DATE TIME SYSTEM TABLE EVENTID USERID AUID RUID EUID PID PPID RETURNCODE STRINGS TARGET
VMSLog	DATE TIME SYSTEM TABLE EVENTID EVENTTYPE USERNAME SYSTEMID PID TERMINALNAME PROCESSNAME PROCESSOWNER REMOTEUSERNAME REMOTENODENAME IMAGENAME COMMANDLINE OBJECTCLASSNAME AUDITINGFLAGS ALARMFLAGS STATUS DATA
VWActionsLog	DATE TIME SYSTEM TABLE SEQUENCE CLIENTID METHODCODE OFFICERCODE FOLDERCODE CLIENTTYPE
WebLog	DATE TIME SYSTEM TABLE HOSTNAME USERNAME URL RETURNCODE BYTES REFERRER AGENT PROTOCOL LOGTYPE CATEGORY STRINGS
WinDHCP	DATE TIME SYSTEM TABLE EVENTID DESCRIPTION IPADDRESS HOSTNAME MACADDRESS

Version	Old Version 14	New Version 15
Changes made by	Leigh Purdie (Unlicensed)	Leigh Purdie (Unlicensed)
Saved on	Sept 15, 2020	Sept 16, 2020

Versions Compared

Key

Field Reference