Overview
Snare Central provides close to 150 pre-configured reports to meet common security and compliance needs of our customers.
On top of these, custom reports can be created.
The reports are organised in containers that can be nested. The reports and containers are ordered alphabetically, with containers on top.
By default, the reports will contain objectives relating to:
Active Scanning
- Example: Scan the local network, and report on hosts and open ports that are found.
- Example: Connect to the organisational border router and download the current configuration settings. Compare these settings to an authorised baseline configuration, and highlight any changes that have been made.
...
- Example: Display a list of inappropriate material that has been accessed through the organisational proxy server.
- Example: List users who have utilised the UNIX 'SUDO' command.
...
- Example: Display a geographic map of IP addresses that have been denied access by the organisational Checkpoint Firewall.
- Example: Report on the top ten hosts that have initiated a port scan against the organisation, as reported by the gateway network intrusion detection system.
...
- Example: Generate a real-time alert when a user outside an authorised list attempts to access a sensitive file on a Windows file server.
- Example: Send a daily email to security administrators if the list of users in the Domain Administrators group changes.
...
- Example: Display a report that shows users who have modified the configuration of any Snare Central objectives.
...
- Example: Based on the information provided by the Snare Agent for Solaris, produce a report showing any unauthorised members of the 'sensitivedata' UNIX group.
The reports page offers the ability to:
...
...
Search reports and containers by their name
Use the Back to Search Results link in the Reports breadcrumb area to return to your search results.
...
...
Add new container
Containers can only be created at the root level of the Reports page, and can then be dragged and dropped to another location.
Tip: A new container is a temporary item that only exists for the duration of the session of the currently logged-in user (ie: two hours by default), and will not be visible to other users of Snare Central. It will not become permanent, or visible to other users, until you add an objective to the container.
...
...
By default, the new objective will be configured with very simple settings. You can then select the objective and proceed with changing the configuration, access controls, or schedule settings to your requirements.
Drag and drop containers and reports
Info: Rearranging the location of an objective, or container, will change the location for all users of Snare, not just your account.
...
...
Clone, rename or delete a report (objective) by clicking the ellipsis (...) in the report line and selecting from the actions list.
Tip: Snare Central does not enforce uniqueness of objective names; you can have two objectives with exactly the same name but different configurations, access controls and scheduling. To limit confusion, it is advisable to give each objective a unique and descriptive name.
When you choose the Delete option, a dialog will appear, notifying you that the objective will be removed for ALL USERS of Snare Central. You will be asked for confirmation before proceeding.
Selecting the Delete button from the dialog will remove the objective and its associated configuration settings.
...
...
Search for events using a search-engine style interface across multiple log sources, with 'Dynamic Search'.
Tip: Dynamic Search may be used to quickly sift through information across multiple log sources, at the expense of completeness. The following filters are available for this tool:
Note that data that arrives at the Snare Server may take up to fifteen minutes to process and become available for this objective.
Custom reports can be generated using the Modular objectives mechanism (also known as 'Dynamic Query objectives').
They will generally include the following components:
- A query builder that allows you to create very complex search criteria, incorporating precedence, logical operations, and advanced matching capabilities.
- A 'Token' definition system that can pull fields matching particular consistent patterns out of an event of interest.
- A range of potential output modules, such as 15-minute pattern maps, tabular event data, graphs, and so on.
- The ability to be scheduled to run on a regular, defined basis, and the potential to send output via electronic mail to data owners, system administrators, network administrators, and security administrators.
- Real-time reporting capabilities for events that match the search criteria.
Objective Templates
Snare includes a range of 'templates' (often referred to as an 'Objective Type' in the Snare Central user interface) to make the job of a security administrator easier when crafting a new objective.
...
Overview
The Snare advanced events search capability allows you to build structured queries using the Snare Query Language (SnareQL) to search for events.
With SnareQL, you can specify advanced criteria using:
- Operators such as =, !=, >, LIKE, CONTAINS or regular expressions
- Specific field comparisons, such as USERNAME=AJSmith
- Advanced date limitations, such as DATE='last monday'
- Precedence using parentheses, such as EVENTID='login' AND (TIME < 08:00:00 OR TIME > 17:00:00)
- Advanced regular expressions using RE2 syntax: https://github.com/google/re2/wiki/Syntax
Note that SnareQL is not a database query language, even though its syntax partly overlaps with SQL and partly extends it.
SnareQL
SnareQL queries consist of query components, joined by logic operators.
Each query component consists of a field, an operator, and a value. For example:
```
USERNAME='AJSMITH'
```
This query will search for events that have a field called "USERNAME" that contains (=) the value "AJSMITH".
Info: Snare Central is capable of storing massive amounts of forensic data. A simple search like this one, without date/time range limitations, could take a very long time to run, since it will attempt to search the entire Snare Central data store. By default, the Snare Central advanced query tool imposes a timeout on queries, to encourage you to narrow your search criteria to a reasonable timeframe.
A more complex query may look like this:
```
USERNAME='AJSMITH' AND EVENTID LIKE '%login' AND SYSTEM REGEX '^(AU|US|UK)-' AND ((DATE='WEEKDAY' AND (TIME < '08:00:00' OR TIME > '17:00:00')) OR DATE='WEEKEND')
```
This query will search for 'out of hours' logins by AJSmith, from systems with a hostname that identifies them as Australia, US or UK.
Info: Different log types will often contain different fields, and event fields with the same names may be formatted slightly differently. Windows uses numeric identifiers for the field EVENTID (eg: 512, 4593), whereas Solaris and Linux use more descriptive terms such as "login - ftp". DATE and TIME fields, though stored in the formats YYYY-MM-DD and HH:MM:SS respectively within the Snare Central data store, support indirect values such as "this time last week", "the first day of this month", "last saturday", or "5" (which translates to 'now minus 5 days' in the case of DATE, or 'now minus 5 minutes' in the case of TIME).
In addition, some functions are available that can perform calculations based on field contents.
```
USERNAME='AJSMITH' AND EVENTID LIKE '%login' AND MINUTE(TIME) < 15 AND DATE='today'
```
This query will search for logins by AJSmith, in the first 15 minutes of each hour of the current day.
Precedence and Grouping in Queries
Snare query components prioritise ANDs over NOTs, and NOTs over ORs; however, precedence can be specified explicitly using brackets.
```
SYSTEM=EMU OR SYSTEM=MAGPIE AND SYSTEM=FROGMOUTH
```
In this case, the following query components will be evaluated first: SYSTEM=MAGPIE AND SYSTEM=FROGMOUTH
This will return no data (no systems can be both MAGPIE and FROGMOUTH), and the final query element (OR SYSTEM=EMU) will be evaluated, resulting in events that have a system name of EMU being returned.
```
(SYSTEM=EMU OR SYSTEM=MAGPIE) AND SYSTEM=FROGMOUTH
```
This will select any events that have a SYSTEM name of either EMU or MAGPIE, and then attempt to find events in that group that ALSO have a system name of FROGMOUTH.
Since events cannot have a system name that is both FROGMOUTH and something else, no data will be returned.
```
SYSTEM=EMU OR SYSTEM=MAGPIE AND TABLE=WinSecurity
```
Since our AND will be evaluated first, this will look for Windows Security events for MAGPIE, and then ALSO introduce all events for EMU, regardless of whether the table was Windows, Solaris or Firewall logs.
```
(SYSTEM=EMU OR SYSTEM=MAGPIE) AND TABLE=WinSecurity
```
This will ONLY look for Windows security logs, from either EMU or MAGPIE.
```
USERNAME='AJSMITH' AND EVENTID LIKE '%login' AND SYSTEM REGEX '^(AU|US|UK)-' AND ((DATE='WEEKDAY' AND (TIME < '08:00:00' OR TIME > '17:00:00')) OR DATE='WEEKEND')
```
Multiple levels of brackets are supported - in this case, we are looking for login events by AJSmith from systems that start with AU, US or UK, on either the weekend, or out of normal work hours during the week.
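The precedence rules above, as an added example that is not part of the Snare documentation: a small Python evaluator for a SnareQL-like subset (=, !=, LIKE, REGEX, REGEXI, AND, OR and brackets; NOT is left out) run over constructed sample events, so the bracketed and unbracketed forms of the EMU/MAGPIE queries can be compared directly. The event records and the `run` function are assumptions of this example, not Snare's API.

```python
import re

# Added example (not Snare's own code): evaluator for a SnareQL-like subset
# showing that AND binds tighter than OR and that brackets override that.
TOKEN = re.compile(r"\(|\)|!=|=|'[^']*'|\"[^\"]*\"|[^\s()=!]+")

def tokenize(query):  # quoted values lose their quotes
    return [t[1:-1] if t[0] in "'\"" else t for t in TOKEN.findall(query)]

def compare(actual, op, value):
    if op in ("=", "!="):
        return (actual == value) == (op == "=")
    if op == "LIKE":  # % stands for any run of characters
        return re.fullmatch(".*".join(map(re.escape, value.split("%"))), actual) is not None
    if op in ("REGEX", "REGEXI"):
        return re.search(value, actual, re.I if op == "REGEXI" else 0) is not None
    raise ValueError("unsupported operator: " + op)

def parse_atom(toks, i):  # either a bracketed sub-query or FIELD OP VALUE
    if toks[i] == "(":
        pred, i = parse_or(toks, i + 1)
        if toks[i] != ")":
            raise ValueError("missing closing bracket")
        return pred, i + 1
    field, op, value = toks[i], toks[i + 1].upper(), toks[i + 2]
    return (lambda e: compare(e.get(field, ""), op, value)), i + 3

def parse_and(toks, i):  # AND binds tighter, so it sits below OR in the grammar
    left, i = parse_atom(toks, i)
    while i < len(toks) and toks[i].upper() == "AND":
        right, i = parse_atom(toks, i + 1)
        left = (lambda l, r: lambda e: l(e) and r(e))(left, right)
    return left, i

def parse_or(toks, i):  # OR has the lowest precedence, so it is the entry point
    left, i = parse_and(toks, i)
    while i < len(toks) and toks[i].upper() == "OR":
        right, i = parse_and(toks, i + 1)
        left = (lambda l, r: lambda e: l(e) or r(e))(left, right)
    return left, i

def run(query, events):  # returns the ids of the matching events
    toks = tokenize(query)
    pred, i = parse_or(toks, 0)
    if i != len(toks):
        raise ValueError("unexpected token: " + toks[i])
    return [e["id"] for e in events if pred(e)]

EVENTS = [{"id": n, "SYSTEM": s, "TABLE": t} for n, (s, t) in enumerate(  # constructed data
    [("EMU", "WinSecurity"), ("EMU", "Firewall"), ("MAGPIE", "WinSecurity"),
     ("MAGPIE", "Solaris"), ("FROGMOUTH", "WinSecurity")], 1)]
```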
To search for some IP addresses you will need to use the advanced search and escape the dots in the IP address, as in this example. Make sure you have a space at the end of the IP address to get an exact match; otherwise you may also match longer IP addresses that begin with the same digits in the last octet.
```
DATE='TODAY' AND ALLFIELDS REGEXI '(10\.1\.1\.1 |10\.1\.1\.2 ) '
```
Restricted words and characters
The range of characters you can use in your search values depends significantly on the operator you have chosen.
For all operators, the space, single quote (') and double quote (") characters are considered special. If you wish to use these as part of your search, the following rules apply:
Content that includes space characters must be surrounded by EITHER single or double quotes:
```
EVENTID=login
EVENTID="login failed"
```
If you wish to use single or double quotes as part of your search criteria, they must be escaped with the backslash character (\):
```
STRINGS CONTAINS "User: \"Fred\""
```
The INCLUDES operator uses commas to separate potential values. If you wish to use the comma as part of your search criteria, it is recommended that you use regular expressions instead.
The LIKE operator uses the percent sign “%” to represent an arbitrary number of characters.
The REGEX operators (REGEX, !REGEX, REGEXI, !REGEXI) have a range of reserved characters that represent particular features within a regular expression. These characters must be escaped with the backslash character (\) when used as a literal value, in most instances.
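The quoting rules above, as an added Python illustration that is not Snare's own code: `parse_value` reads the raw text of a search value, `includes_values` splits an INCLUDES value on commas, and `like_pattern` turns a LIKE value into a regular expression. The behaviour for unquoted values (no whitespace or quotes allowed) and for escapes inside quotes (\' and \" become literal quotes) is an assumption of this example.

```python
import re

# Added example (not Snare's own code): applies the quoting rules to the raw
# text of a search value. Assumed behaviour: an unquoted value may not contain
# whitespace or quotes; inside a quoted value \' and \" stand for literal quotes.
def parse_value(raw):
    raw = raw.strip()
    if raw and raw[0] in "'\"":
        quote, out, i = raw[0], [], 1
        while i < len(raw):
            if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] in "'\"":
                out.append(raw[i + 1])  # escaped quote becomes a literal character
                i += 2
                continue
            if raw[i] == quote:
                if i != len(raw) - 1:
                    raise ValueError("text after closing quote: " + raw)
                return "".join(out)
            out.append(raw[i])
            i += 1
        raise ValueError("unterminated quote: " + raw)
    if any(c.isspace() or c in "'\"" for c in raw):
        raise ValueError("values with spaces or quotes must be quoted: " + raw)
    return raw

def includes_values(raw):  # INCLUDES separates alternatives with commas
    return [part.strip() for part in parse_value(raw).split(",")]

def like_pattern(raw):  # LIKE: % matches any run of characters, the rest is literal
    return ".*".join(re.escape(part) for part in parse_value(raw).split("%"))
```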
Special Case Values - DATE
Date recognition is flexible in SnareStore. The following date formats are recognised, together with the operators that accept each of them (in the original formatting of this table, optional words were shown in italics).
Format | Valid Operators | Details |
---|---|---|
YYYY-MM-DD | All | eg: DATE = 2017-06-23 |
TODAY | =,<,<=,>,>=,!= | The date on which the query was run |
NOW | =,<,<=,>,>=,!= | The date on which the query was run |
YESTERDAY | =,<,<=,>,>=,!= | The day prior |
TOMORROW | =,<,<=,>,>=,!= | The day after |
N | =,<,<=,>,>=,!= | Translates to "Current date/time minus N days" (for DATE) or "Current time minus N minutes" (for TIME). |
THIS TIME LAST WEEK | =,<,<=,>,>=,!= | The week prior |
THIS TIME NEXT WEEK | =,<,<=,>,>=,!= | The week after |
THIS TIME LAST YEAR | =,<,<=,>,>=,!= | The same date as the current date, one year prior |
THIS TIME NEXT YEAR | =,<,<=,>,>=,!= | The same date as the current date, one year after |
THE DAY AFTER TOMORROW | =,<,<=,>,>=,!= | Today + 2 days |
THE DAY BEFORE YESTERDAY | =,<,<=,>,>=,!= | Today - 2 days |
1ST OF THIS MONTH | =,<,<=,>,>=,!= | The first day of the month on which the query is run |
LAST OF THIS MONTH | =,<,<=,>,>=,!= | The last day of the month on which the query is run |
1ST OF LAST MONTH | =,<,<=,>,>=,!= | The first day of the previous month |
LAST OF LAST MONTH | =,<,<=,>,>=,!= | The last day of the previous month |
FIRST OF THE MONTH | =,!= | The first day of ANY month |
LAST MONDAY | =,<,<=,>,>=,!= | The date of the last supplied day |
NEXT MONDAY | =,<,<=,>,>=,!= | The date of the next supplied day |
MONDAY LAST WEEK | =,<,<=,>,>=,!= | The date associated with the supplied day. |
MONDAY NEXT WEEK | =,<,<=,>,>=,!= | The date associated with the supplied day. |
HH:MM:SS | =,<,<=,>,>=,!= | Take the number of hours, minutes and seconds supplied, add it to the local midnight (00:00:00) for the current date, and use the resulting date. eg: 03:00:00, 17:00:00 and 23:59:59 all result in the equivalent of NOW or TODAY; 25:00:00 is the equivalent of TOMORROW; -01:00:00 is the equivalent of YESTERDAY; 240:00:00 is the equivalent of 10 days from now. |
THIS WEEK | <,<=,>,>=,=,!= | If the date is within the current week. Monday is assumed to be the first day of the week. |
LAST WEEK | <,<=,>,>=,=,!= | If the date is within last week's range. Monday is assumed to be the first day of the week. |
NEXT WEEK | <,<=,>,>=,=,!= | If the date is within next week's range. Monday is assumed to be the first day of the week. |
THIS YEAR | <,<=,>,>=,=,!= | If the date is within the current year. |
LAST YEAR | <,<=,>,>=,=,!= | If the date is within last year's range. |
NEXT YEAR | <,<=,>,>=,=,!= | If the date is within next year's range. |
MONDAY | =,!= | If the date falls on the value supplied |
WEEKDAY | =,!= | If the date is a weekday |
WEEKEND | =,!= | If the date is a weekend |
FIRST OF THE YEAR | =,!= | If the date is the first day of any year (ie: January 1) |
JANUARY | =,!= | If the date is found within the specified month |
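As an added illustration (not Snare's own code) of how the point-in-time values in the table resolve, this Python function maps each of them to a concrete date relative to a supplied "today", following the meanings the table gives. The interpretation of LAST/NEXT followed by a day name (the nearest such day strictly before or after today), the clamping of 29 February for the year forms, and the rejection of range values such as THIS WEEK or WEEKDAY are assumptions of this example.

```python
import re
from datetime import date, timedelta

# Added example (not Snare's own code): resolves the point-in-time DATE values
# from the table to a concrete date relative to "today". Assumptions: LAST <day>
# and NEXT <day> mean the nearest such day strictly before / after today; range
# values (THIS WEEK, WEEKDAY, JANUARY, ...) are predicates, not dates, and are
# rejected here.
DAYS = ["MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY", "SATURDAY", "SUNDAY"]

def resolve_date(value, today):
    v = value.strip().strip("'\"").upper()
    if re.fullmatch(r"\d{4}-\d{2}-\d{2}", v):
        return date.fromisoformat(v)
    if re.fullmatch(r"-?\d+:\d{2}:\d{2}", v):  # HH:MM:SS added to local midnight
        return today + timedelta(days=int(v.split(":")[0]) // 24)
    if re.fullmatch(r"\d+", v):  # bare N means "now minus N days" for DATE
        return today - timedelta(days=int(v))
    offsets = {"TODAY": 0, "NOW": 0, "YESTERDAY": -1, "TOMORROW": 1,
               "THE DAY AFTER TOMORROW": 2, "THE DAY BEFORE YESTERDAY": -2,
               "THIS TIME LAST WEEK": -7, "THIS TIME NEXT WEEK": 7}
    if v in offsets:
        return today + timedelta(days=offsets[v])
    if v in ("THIS TIME LAST YEAR", "THIS TIME NEXT YEAR"):
        year = today.year + (1 if "NEXT" in v else -1)  # clamp 29 Feb to 28 Feb
        return today.replace(year=year, day=min(today.day, 28) if today.month == 2 else today.day)
    if v in ("1ST OF THIS MONTH", "FIRST OF THIS MONTH"):
        return today.replace(day=1)
    if v == "LAST OF THIS MONTH":  # step into next month, then back one day
        return (today.replace(day=28) + timedelta(days=4)).replace(day=1) - timedelta(days=1)
    last_month = today.replace(day=1) - timedelta(days=1)
    if v in ("1ST OF LAST MONTH", "FIRST OF LAST MONTH"):
        return last_month.replace(day=1)
    if v == "LAST OF LAST MONTH":
        return last_month
    m = re.fullmatch(r"(LAST|NEXT) (\w+)", v)  # LAST MONDAY, NEXT FRIDAY, ...
    if m and m.group(2) in DAYS:
        gap = (DAYS.index(m.group(2)) - today.weekday()) % 7
        if m.group(1) == "LAST":
            return today - timedelta(days=(7 - gap) % 7 or 7)
        return today + timedelta(days=gap or 7)
    m = re.fullmatch(r"(\w+) (LAST|NEXT) WEEK", v)  # MONDAY LAST WEEK, ...
    if m and m.group(1) in DAYS:
        monday = today - timedelta(days=today.weekday())  # Monday starts the week
        return monday + timedelta(days=DAYS.index(m.group(1)) + (7 if m.group(2) == "NEXT" else -7))
    raise ValueError("not a point-in-time DATE value: " + value)
```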
Reference
Component | Description | Reference |
---|---|---|
Field | A field in SnareQL is a word that represents a field within a particular log type. | Events within each log type are guaranteed by the Snare Central collection subsystem to include the following fields:
Depending on the source log type, events may also include fields such as:
See Log Types for information on fields that are available for each log type. Note that new log types are added on a regular basis. |
Operator | An operator in SnareQL is one or more symbols or words that compare the value of a field on its left with one or more values on its right. Some operators may use the negate symbol (!) to reverse the meaning, eg: !=, !REGEX. | |
Logical Element | A logical element in SnareQL is a word that joins two or more clauses together to form a complex SnareQL query. | |
Value | A string designed to represent the contents of a field in an event within the Snare Central datastore. The value may be a simple string, or a complex regular expression, depending on the operator selected. Quotations are optional for simple values comprising a single word. Single or double quotes are recommended for more complex values such as regular expressions, and are required for strings that contain whitespace. | |
Function | A function in SnareQL appears as a word followed by parentheses, which may contain a field. A function performs a calculation on the contents of the field (the value) and returns the results. | |
Field Reference
Each log type supported by the Snare Central collection subsystem has a range of fields available. Intelligent event recognition and segmentation software modules pull useful content from a raw incoming event into key/value pairs.
The Snare Central query language can use these fields and values to hunt for critical security data. See Log Types for information on fields that are available for each log type.