Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The Snare Central collection subsystem is a robust group of services that are capable of retrieving data from a variety of different sources, and a range of protocols.

Info

Image RemovedImage Added


The following services listen on Snare Central network interfaces, and receive audit and event log data.

Snare Agent Logs: Port 6161, TCP & UDP

This is the default reception port for all Snare Agent log data.
Log data that is sent to this port, is generally assumed to be formatted in a certain way, in particular:

...

Tip
Although Snare Central operates a syslog collection capability, log data from Snare and Epilog agents should always be sent to this port. Sending the data to the Syslog port, will result in significant EPS rate drops, and may also result in logs that are not filed correctly in Snare's data store; leading to Windows event log data that are filed in the "Generic Log" group, and therefore cannot be used with Windows-related report templates.

Syslog: Port 514, TCP & UDP

Snare Central operates a syslog receiver on both TCP and UDP protocols. Many devices use syslog to distribute log data to a central collection point. Network devices such as routers and firewalls often choose this log distribution method.

It is rare that data arriving via syslog provides consistent information that identifies the log source. Usually, Snare will have to scan each incoming event, line-by-line, and pattern match against a series of potential log format templates in order to match a particular event to a log format such as PIX or perhaps Unix SUDO log data. As such, the speed of collection through syslog, is approximately 20% lower than that of the primary collection port.

TLS Syslog: Port 6514, TLS

A dedicated port for receiving syslog events over TLS protocol. 

SNMPTrap: Port 162, UDP

SNMP traps are used for logging in a number of older network-related appliances. Snare Central can receive snmptrap data, and make it available for analysis from within the Snare Central interface.

Tip
MIB (management information base) files are not supported by Snare Central. SNMPTrap messages that rely on MIB files for decoding content, will still be processed - but may be presented with the original numeric content included, rather than the translated/enhanced text-based content. FTOKENs, as described in the documentation above, can be implemented to provide translations for often-monitored events.

TLS Server: Port 6163

Several newer Snare agents Agents are capable of sending data over a TLS encrypted connection. The Snare Central TLS Server port can receive such data, and integrate the data into the normal Snare Central collection framework.

TLS_AUTH Server: Port 6164

Several newer Snare agents are capable of sending data over a TLS_AUTH encrypted connection. This TLS_AUTH is an extension of TLS protocol where an agent is authenticated before any log data is received from it. For authentication purposes, a same TLS Authentication Key must be configured in Snare Central and Snare agents. A default TLS Authentication Key is set to during installation and it is strongly recommended to update it. A valid TLS Authentication Key must be between 8-4096 characters and allowed characters include A-Za-z0-9~!@$%^*\()_+=`-

Performance

The EPS collection rates of Snare Central is significantly dependent on the underlying hardware. In particular, single-core CPU speed is a reliable indicator of the system's ability to collect data.

...