
...

In addition, some functions are available that perform calculations based on field contents.

Code Block
USERNAME='AJSMITH' AND EVENTID LIKE '%login' AND MINUTE(TIME) < 15 AND DATE='today'

...

To search for some IP addresses you will need to use the advanced search and escape each dot in the IP address, as in this example. Make sure there is a space after the IP address to get an exact match, or you may also see other IP addresses whose last octet starts with the same digits.

Code Block
DATE='TODAY' AND ALLFIELDS REGEXI '(10\.1\.1\.1 |10\.1\.1\.2 )'
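The trailing-space trick above, shown as an added Python example (not code from the Snare documentation or product). The event lines are constructed, `regexi_matches` emulates `ALLFIELDS REGEXI` with Python's `re` standing in for RE2, and the two patterns differ only in the space after each address:

```python
import re

# Constructed sample ALLFIELDS strings (not real Snare output); fields are
# joined with single spaces, so an address is followed by a space unless it
# is the last token of the line.
SAMPLE_EVENTS = [
    "2020-02-23 10:01:02 FW01 deny packet 10.1.1.1 443",
    "2020-02-23 10:01:03 FW01 deny packet 10.1.1.10 443",
    "2020-02-23 10:01:04 FW01 accept packet 10.1.1.2 22",
    "2020-02-23 10:01:05 FW01 accept packet 10.1.1.25 22",
]

def regexi_matches(pattern: str, events):
    """Emulate ALLFIELDS REGEXI: case-insensitive, unanchored search over the
    whole event line (Python re used in place of RE2; this syntax is common)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [e for e in events if rx.search(e)]

# Without a trailing space, 10\.1\.1\.1 is only a prefix and also matches
# 10.1.1.10, 10.1.1.11 and so on.
LOOSE = r"(10\.1\.1\.1|10\.1\.1\.2)"
# With the space inside each alternative, only the exact addresses match.
EXACT = r"(10\.1\.1\.1 |10\.1\.1\.2 )"

def matched_ips(pattern: str, events=SAMPLE_EVENTS):
    """Return the IP token of every matching event so the two patterns can be compared."""
    return [e.split()[5] for e in regexi_matches(pattern, events)]
```

If the address can also be the final token of a line, the generalised form `(10\.1\.1\.1|10\.1\.1\.2)( |$)` (an assumption about your data, not something the page states) keeps the exact-match behaviour in both positions. Escaping the dots matters for the same reason: an unescaped `.` matches any character.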

Restricted words and characters

...

Component | Description | Reference

Field

A field in SnareQL is a word that represents a field within a particular log type.

Events within each log type are guaranteed by the Snare Central collection subsystem to include the following fields:

  • DATE

    • In the format YYYY-MM-DD, for example 2020-02-23

  • TIME

    • In the format: HH:MM:SS, for example: 16:23:49

  • SYSTEM

    • Upper case system name or IP Address.

  • TABLE

    • The source log type

Depending on the source log type, events may also include fields such as:

  • EventID (eg: “deny packet”, or “login - ssh”, or “512”)

  • SourceIP (eg: 193.32.113.12)

  • User (eg: AJSmith)

  • URL (eg: https://prophecyinternational.com/)

See Log Types for information on the fields that are available for each log type. Note that new log types are added on a regular basis.

Operator

An operator in SnareQL is one or more symbols or words that compare the value of a field on its left with one or more values on its right. Some operators may use the negate symbol (!) to reverse their meaning, eg: !=, !REGEX

  • =

    • Standard equality. Case insensitive.

  • !=

    • Standard inequality. Case insensitive.

  • <

    • Less than. Case insensitive in strings.

    • Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true, even if the first DATE is in 2019 and the second DATE is in 1979

      • True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y))

  • <=

    • Less than or equal to. Case insensitive in strings.

    • Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true, even if the first DATE is in 2019 and the second DATE is in 1979

      • True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y))

  • >

    • Greater than. Case insensitive in strings.

    • Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true, even if the first DATE is in 2019 and the second DATE is in 1979

      • True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y))

  • >=

    • Greater than or equal to. Case insensitive in strings.

    • Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true, even if the first DATE is in 2019 and the second DATE is in 1979

      • True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y))

  • LIKE

    • SQL-style like criteria. "%" symbols are considered to be wildcards. Case insensitive.

  • !LIKE

    • Negation of LIKE: true when the value does not match the SQL-style pattern. "%" symbols are considered to be wildcards. Case insensitive.

  • CONTAINS

    • The target string, contains the supplied string. Case insensitive.

    • eg: STRINGS CONTAINS "userid" would be true for a STRINGS of "The following userID logged off: Fred"

  • !CONTAINS

    • The target string, does not contain the supplied string. Case insensitive.

    • eg: STRINGS !CONTAINS "userid" would be true for a STRINGS of "This string does not contain the string"

  • INCLUDES

    • The value is one of the supplied comma-separated values. Case insensitive.

    • eg: STRINGS INCLUDES "Fred,Barney,Wilma" would be true for the String "Fred", but not "Frederick"

    • The equivalent of (STRINGS = "FRED" OR STRINGS = "BARNEY" OR STRINGS = "WILMA")

  • !INCLUDES / EXCLUDES

    • The value is NONE of the supplied comma-separated values. Case insensitive.

    • EXCLUDES is an alias for !INCLUDES

    • eg: STRINGS EXCLUDES "Fred,Barney,Wilma" would be true for the String "BamBam", and would also be true for "Frederick", but not "Fred"

    • The equivalent of (STRINGS != "FRED" AND STRINGS != "BARNEY" AND STRINGS != "WILMA")

  • REGEX

    • The value matches the supplied regular expression.

    • Regex is CASE SENSITIVE

    • Regex is assumed to be a valid RE2 expression.

  • !REGEX

    • The value does not match the supplied regular expression.

    • Regex is CASE SENSITIVE

    • Regex is assumed to be a valid RE2 expression (note that Snare Server version 7 uses PCRE).

  • REGEXI

    • The value matches the supplied regular expression.

    • Regex is NOT CASE SENSITIVE

    • Regex is assumed to be a valid RE2 expression.

  • !REGEXI

    • The value does not match the supplied regular expression.

    • Regex is NOT CASE SENSITIVE

    • Regex is assumed to be a valid RE2 expression.

  • HAS

    • Like CONTAINS, but the supplied match string must appear as one or more entire words.

    • Significantly more friendly from an index-perspective; queries that use HAS may return significantly faster than queries that use CONTAINS.

    • Case insensitive.

    • eg: STRINGS HAS "Fred" would match: "The user Fred logged in", but not "The user Frederick logged in".

    • eg: STRINGS CONTAINS "Fred" would match: "The user Fred logged in" and "The user Frederick logged in".
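The operator semantics listed above, implemented as an added Python example (not Snare's own code or query engine). Each operator becomes a small function, `evaluate` applies the `!` negation rule, Python's `re` stands in for RE2, and the assumed `time_before` / `datetime_before` helpers contrast the documented TIME-only comparison with the `(DATE < X OR (DATE = X AND TIME < Y))` form:

```python
import re
from datetime import date, time

# Constructed evaluator for SnareQL operators (added example; not Snare's code).
# Everything is case-insensitive except REGEX, as the documentation states.

def op_equals(value: str, target: str) -> bool:
    """= : case-insensitive equality."""
    return value.lower() == target.lower()

def op_like(value: str, pattern: str) -> bool:
    """LIKE : SQL-style pattern where % is a wildcard; the whole value must match."""
    rx = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(rx, value, re.IGNORECASE) is not None

def op_contains(value: str, needle: str) -> bool:
    """CONTAINS : case-insensitive substring test."""
    return needle.lower() in value.lower()

def op_includes(value: str, csv: str) -> bool:
    """INCLUDES : the value equals one of the comma-separated alternatives."""
    return value.lower() in {item.strip().lower() for item in csv.split(",")}

def op_has(value: str, words: str) -> bool:
    """HAS : like CONTAINS, but the match string must appear as whole word(s)."""
    rx = r"\b" + re.escape(words) + r"\b"
    return re.search(rx, value, re.IGNORECASE) is not None

def op_regex(value: str, pattern: str, ignore_case: bool = False) -> bool:
    """REGEX / REGEXI : RE2 syntax in Snare; Python's re is used as a stand-in."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, value, flags) is not None

OPERATORS = {
    "=": op_equals,
    "LIKE": op_like,
    "CONTAINS": op_contains,
    "INCLUDES": op_includes,
    "EXCLUDES": lambda v, csv: not op_includes(v, csv),  # alias for !INCLUDES
    "HAS": op_has,
    "REGEX": op_regex,
    "REGEXI": lambda v, p: op_regex(v, p, ignore_case=True),
}

def evaluate(value: str, operator: str, rhs: str) -> bool:
    """Apply one operator to a field value; a leading '!' negates (!=, !LIKE, !REGEX ...)."""
    negate = operator.startswith("!")
    base = operator[1:] if negate else operator
    result = OPERATORS[base.upper()](value, rhs)
    return not result if negate else result

def time_before(t1: str, t2: str) -> bool:
    """TIME < TIME as documented: clock times only; DATE is ignored entirely."""
    return time.fromisoformat(t1) < time.fromisoformat(t2)

def datetime_before(d1: str, t1: str, d2: str, t2: str) -> bool:
    """The documented workaround (DATE < X OR (DATE = X AND TIME < Y))."""
    a, b = date.fromisoformat(d1), date.fromisoformat(d2)
    return a < b or (a == b and time_before(t1, t2))
```

Note that `op_like` anchors at both ends, so `'%login'` only matches values that end in "login"; a value such as "login - ssh" needs `'login%'` or `'%login%'`. That is the standard SQL LIKE reading and the one assumed here.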

Logical Element

A logical element in SnareQL is a word that joins two or more clauses together to form a complex SnareQL query

  • AND

  • OR

  • NOT

Value

A string designed to represent the contents of a field in an event within the Snare Central datastore. The value may be a simple string, or a complex regular expression, depending on the operator selected.

Quotations are optional for simple values comprising a single word. Single or double quotes are recommended for more complex values such as regular expressions, and are required for strings that contain whitespace.

  • AJSmith

  • “Tony Smith”

  • “^(AU|US|UK)-[0-9]”

  • “Tony%”

  • yesterday

Function

A function in SnareQL appears as a word followed by parentheses, which may contain a field.

A function performs a calculation on the contents of the field (the value) and returns the results.

  • 15MIN(TIME):

    • Returns the number of the 15 minute segment of the day (0-95) that contains the supplied time.

    • The day is divided into 96 such segments.

      00:12:03 will become 0
      00:15:01 will become 1
      12:01:00 will become 48
      12:14:59 will become 48
      12:15:01 will become 49
      14:45:00 will become 59

  • 15MINFLOOR(TIME)

    • Returns the supplied time rounded down to the start of its 15 minute segment of the day

      12:01:00 will become 12:00:00
      12:14:59 will become 12:00:00
      12:15:01 will become 12:15:00
      14:45:00 will become 14:45:00
      15:59:00 will become 15:45:00

  • HOUR(TIME)

    • Returns just the hour associated with the supplied time

      12:01:12 will return 12

      17:23:34 will return 17

  • HOURMINUTE(TIME)

    • Returns the hour and the minute, with a colon delimiter
      17:23:49 becomes 17:23

  • MINUTE(TIME)

    • Returns just the minute component of the supplied time

      12:01:12 will return 01
      17:23:34 will return 23

  • SECONDS(TIME)

    • Returns just the seconds component of the supplied time

      12:01:12 will return 12
      17:23:34 will return 34

  • DAYOFWEEK(DATE)

    • Returns the number of the day of the week for a particular date.

    • 1: Sunday

    • 2: Monday

    • 3: Tuesday

    • 4: Wednesday

    • 5: Thursday

    • 6: Friday

    • 7: Saturday
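The time and date functions above, implemented as an added Python example (not Snare's own code), with the page's sample values used as checks. HOUR, MINUTE and SECONDS return integers here (Snare displays them zero-padded, as in "01"); `outside_business_hours` and its SnareQL rendering are an assumed policy, included to show how DAYOFWEEK and HOUR combine in an off-hours query:

```python
from datetime import date, time

# Added example of the SnareQL time/date functions (not Snare's own code).

def fifteen_min(t: str) -> int:
    """15MIN(TIME): index 0-95 of the 15-minute segment containing the time."""
    tm = time.fromisoformat(t)
    return tm.hour * 4 + tm.minute // 15

def fifteen_min_floor(t: str) -> str:
    """15MINFLOOR(TIME): the time rounded down to the start of its segment."""
    tm = time.fromisoformat(t)
    return f"{tm.hour:02d}:{(tm.minute // 15) * 15:02d}:00"

def hour(t: str) -> int:
    """HOUR(TIME): hour component as an integer."""
    return time.fromisoformat(t).hour

def minute(t: str) -> int:
    """MINUTE(TIME): minute component as an integer (displayed as 01, 23 ...)."""
    return time.fromisoformat(t).minute

def seconds(t: str) -> int:
    """SECONDS(TIME): seconds component as an integer."""
    return time.fromisoformat(t).second

def hour_minute(t: str) -> str:
    """HOURMINUTE(TIME): HH:MM with the seconds dropped."""
    tm = time.fromisoformat(t)
    return f"{tm.hour:02d}:{tm.minute:02d}"

def day_of_week(d: str) -> int:
    """DAYOFWEEK(DATE): 1 = Sunday ... 7 = Saturday (Python's isoweekday is Monday=1)."""
    return date.fromisoformat(d).isoweekday() % 7 + 1

def outside_business_hours(d: str, t: str) -> bool:
    """Assumed policy: weekends, or before 08:00 / from 18:00 on weekdays.
    Assumed SnareQL equivalent:
      DAYOFWEEK(DATE) = 1 OR DAYOFWEEK(DATE) = 7 OR HOUR(TIME) < 8 OR HOUR(TIME) >= 18
    """
    return day_of_week(d) in (1, 7) or hour(t) < 8 or hour(t) >= 18

# Constructed events (DATE, TIME, SYSTEM, USER); 2020-02-23 is a Sunday.
SAMPLE_EVENTS = [
    ("2020-02-23", "12:01:00", "WS01", "AJSmith"),
    ("2020-02-24", "03:00:00", "WS01", "AJSmith"),
    ("2020-02-24", "12:14:59", "WS02", "TSmith"),
]

def off_hours_logins(events=SAMPLE_EVENTS):
    """Return (DATE, TIME) of the events that fall outside business hours."""
    return [(d, t) for d, t, _, _ in events if outside_business_hours(d, t)]
```

`fifteen_min` and `fifteen_min_floor` are the functions worth reaching for when bucketing events for a rate or burst view: the segment index gives a stable grouping key, and the floored time gives a label for it.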

...