Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Overview

The Snare advanced events search capability allows you to build structured queries using the Snare Query Language (SnareQL) to search for events.

...

Note, SnareQL is not a database query language, even though it uses a subset and superset of SQL syntax.

SnareQL

SnareQL queries consist of query components, joined by logic operators.

...

In addition, some functions are available that can modify perform calculations based on field contents.

Code Block
USERNAME='AJSMITH' AND EVENTID LIKE '%login' AND MINUTE(TIME) < 15 AND DATE='today'

This query will search for logins by AJSmith, in the first 15 minutes of each hour of the current day.

Precedence and Grouping in Queries

Snare query components prioritise ANDs over NOTs, and NOTs over ORs - however precedence can be explicitly specified using brackets.

...

Multiple levels of brackets are supported - in this case, we are looking for login events by AJSmith from systems that start with AU, US or UK, on either the weekend, or out of normal work hours during the week.

Restricted words and characters

The range of characters you can use in your search values depends significantly on the operator you have chosen.

For all operators, the space, single quotes (') and double quotes (“) characters are considered special. If you wish to use these as part of your search, the following rules apply:

  • Content that includes space characters must be surrounded by EITHER single or double quotes.

    • EVENTID=login

    • EVENTID=”login failed”

  • If you wish to use single or double quotes as part of your search criteria, they must be escaped with the backslash character (\)

    • STRINGS CONTAINS “User: \”Fred\””

The INCLUDES operator uses commas to separate potential values. If you wish to use the comma as part of your search criteria, it is recommend that you use regular expressions instead.

The LIKE operator uses the percent sign “%” to represent an To search for some IP addresses you will need to use the advanced search and escape the dot in the IP address as per this example. make sure you have a space at the end of the IP address to get an exact match or you may see other IP addresses that start with the last octet.

Code Block
DATE='TODAY' AND ALLFIELDS REGEXI '(10\.1\.1\.1 |10\.1\.1\.2 ) '

Restricted words and characters

The range of characters you can use in your search values depends significantly on the operator you have chosen.

For all operators, the space, single quotes (') and double quotes (“) characters are considered special. If you wish to use these as part of your search, the following rules apply:

  • Content that includes space characters must be surrounded by EITHER single or double quotes.

    • EVENTID=login

    • EVENTID=”login failed”

  • If you wish to use single or double quotes as part of your search criteria, they must be escaped with the backslash character (\)

    • STRINGS CONTAINS “User: \”Fred\””

The INCLUDES operator uses commas to separate potential values. If you wish to use the comma as part of your search criteria, it is recommend that you use regular expressions instead.

The LIKE operator uses the percent sign “%” to represent an arbitrary number of characters.

The REGEX operators (REGEX, !REGEX, REGEXI, !REGEXI) have a range of reserved characters that represent particular features within a regular expression. These characters must be escaped with the backslash character (\) when used as a literal value, in most instances.

Special Case Values - DATE

Date recognition is flexible in SnareStore. The following date formats are recognised, using the associated operators text in italics is optional

Format

Valid Operators

Details

YYYY-MM-DD

All

eg: DATE = 2017-06-23

TODAY

=,<,<=,>,>=,!=

The date on which the query was run

NOW

=,<,<=,>,>=,!=

The date on which the query was run

YESTERDAY

=,<,<=,>,>=,!=

The day prior

TOMORROW

=,<,<=,>,>=,!=

The day after

N

=,<,<=,>,>=,!=

Translates to "Current date/time minus N days" (for DATE) or  "Current time minus N minutes" (for TIME).
This allows you to rerun a saved query, with an updated range, without changing the query.

THIS TIME LAST WEEK

=,<,<=,>,>=,!=

The week prior

THIS TIME NEXT WEEK

=,<,<=,>,>=,!=

The week after

THIS TIME LAST YEAR

=,<,<=,>,>=,!=

The same date as the current date, one year prior

THIS TIME NEXT YEAR

=,<,<=,>,>=,!=

The same date as the current date, one year after

THE DAY AFTER TOMORROW

=,<,<=,>,>=,!=

Today + 2 days

THE DAY BEFORE YESTERDAY

=,<,<=,>,>=,!=

Today - 2 days

1ST OF THIS MONTH
1ST DAY OF THIS MONTH
FIRST OF THIS MONTH
FIRST DAY OF THIS MONTH

=,<,<=,>,>=,!=

The first day of the month on which the query is run

LAST OF THIS MONTH
LAST DAY OF THIS MONTH

=,<,<=,>,>=,!=

The last day of the month on which the query is run

1ST OF LAST MONTH
1ST DAY OF LAST MONTH
FIRST OF LAST MONTH
FIRST DAY OF LAST MONTH

=,<,<=,>,>=,!=

The first day of the previous month

LAST OF LAST MONTH
LAST DAY OF LAST MONTH

=,<,<=,>,>=,!=

The last day of the previous month

FIRST OF THE MONTH
THE FIRST DAY OF THE MONTH

=,!=

The first day of ANY month

LAST MONDAY
LAST TUESDAY
LAST WEDNESDAY
LAST THURSDAY
LAST FRIDAY
LAST SATURDAY
LAST SUNDAY

=,<,<=,>,>=,!=

The date of the last supplied day
Note that if it is CURRENTLY monday, a request for LAST monday would be the equivalent of "THIS TIME LAST WEEK".

NEXT MONDAY
NEXT TUESDAY
NEXT WEDNESDAY
NEXT THURSDAY
NEXT FRIDAY
NEXT SATURDAY
NEXT SUNDAY

=,<,<=,>,>=,!=

The date of the next supplied day

MONDAY LAST WEEK
TUESDAY LAST WEEK
WEDNESDAY LAST WEEK
THURSDAY LAST WEEK
FRIDAY LAST WEEK
SATURDAY LAST WEEK
SUNDAY LAST WEEK

=,<,<=,>,>=,!=

The date associated with the supplied day.
If the current date is Monday, the statement is equivalent to the "LAST X" statement above.
If the current date is a Tuesday, the statement will return a date of 8 days ago.

MONDAY NEXT WEEK
TUESDAY NEXT WEEK
WEDNESDAY NEXT WEEK
THURSDAY NEXT WEEK
FRIDAY NEXT WEEK
SATURDAY NEXT WEEK
SUNDAY NEXT WEEK

=,<,<=,>,>=,!=

The date associated with the supplied day.

HH:MM:SS

=,<,<=,>,>=,!=

Take the number of hours, minutes and seconds supplied, add it to the local midnight (00:00:00) for the current date, and use the resulting date as a source.

eg: 03:00:00, 17:00:00, and 23:59:59 would all result in the equivalent of NOW or TODAY

eg: 25:00:00 would be the equivalent of TOMORROW

eg: -01:00:00 would be the equivalent of YESTERDAY

eg: 240:00:00 would be the equivalent of 10 days from now.

THIS WEEK

<,<=,>,>=,=,!=

If the date is within the current week.

Monday is assumed to be the first day of the week.

LAST WEEK

<,<=,>,>=,=,!=

If the date is within last weeks range.

Monday is assumed to be the first day of this week.

NEXT WEEK

<,<=,>,>=,=,!=

If the date is within next weeks range.

Monday is assumed to be the first day of next week.

THIS YEAR

<,<=,>,>=,=,!=

If the date is within the current year.

LAST YEAR

<,<=,>,>=,=,!=

If the date is in last years date range.

NEXT YEAR

<,<=,>,>=,=,!=

If the date is within next years date range

MONDAY
TUESDAY
WEDNESDAY
THURSDAY
FRIDAY
SATURDAY
SUNDAY

=,!=

If the date falls on the value supplied

WEEKDAY

=,!=

If the date is a weekday

WEEKEND

=,!=

If the date is a weekend

FIRST OF THE YEAR
FIRST DAY OF THE YEAR
THE FIRST DAY OF THE YEAR

=,!=

If the date is the first day of any year (ie: January 1)

JANUARY
FEBRUARY
MARCH
APRIL
MAY
JUNE
JULY
AUGUST
SEPTEMBER
OCTOBER
NOVEMBER
DECEMBER

=,!=

If the date is found within the specified month


Reference

Component

Description

Reference

Field

A field in SnareQL is a word that represents a field within a particular log type.

Events within each logtype log type are guaranteed by the Snare Central collection subsystem to include the following fields:

  • DATE

    • In the format YYYY-MM-DD, for example 2020-02-23

  • TIME

    • In the format: HH:MM:SS, for example: 16:23:49

  • SYSTEM

    • Upper case system name or IP Address.

  • TABLE

    • The source log type

Depending on the source log type, events may also include fields such as:

  • EventID (eg: “deny packet”, or “login - ssh”, or “512”.

  • SourceIP (eg: 193.32.113.12)

  • User (eg: AJSmith)

  • URL (eg: https://prophecyinternational.com/)

The fields See Log Types for information on fields that are available for each type of log are detailed in a table belowlog type. Note that new log types are added on a regular basis.

Operator

An operator in SnareQL is one or more symbols or words that compare the value of a field on its left with one or more values on its right. Some operators may use the negate symbol (!) to reverse the meaning - eg: !=, !REGEX

  • =

    • Standard equality. Case insensitive.

  • !=

    • Standard inequality. Case insensitive.

  • <

    • Less than. Case insensitive in strings.

    • Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979

      • True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y))

  • <=

    • Less than or equal to. Case insensitive in strings.

    • Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979

      • True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y))

  • >

    • Greater than. Case insensitive in strings.

    • Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979

      • True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y))

  • >=

    • Greater than or equal to. Case insensitive in strings.

    • Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979

      • True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y))

  • LIKE

    • SQL-style like criteria. "%" symbols are considered to be wildcards. Case insensitive.

  • !LIKE

    • SQL-style like criteria. "%" symbols are considered to be wildcards. Case insensitive.

  • CONTAINS

    • The target string, contains the supplied string. Case insensitive.

    • eg: STRINGS CONTAINS "userid" would be true for a STRINGS of "The following userID logged off: Fred"

  • !CONTAINS

    • The target string, does not contain the supplied string. Case insensitive.

    • eg: STRINGS !CONTAINS "userid" would be true for a STRINGS of "This string does not contain the string"

  • INCLUDES

    • The value is one of the supplied comma-separated values. Case insensitive.

    • eg: STRINGS INCLUDES "Fred,Barney,Wilma" would be true for the String "Fred", but not "Frederick"

    • The equivalent of (STRINGS = "FRED" OR STRINGS = "BARNEY" OR STRINGS = "WILMA")

  • !INCLUDES / EXCLUDES

    • That value contains NONE of the supplied comma-separated values. Case insensitive.

    • EXCLUDES is an alias for !INCLUDES

    • eg: STRINGS EXCLUDES "Fred,Barney,Wilma" would be true for the String "BamBam", and would also be true for "Frederick", but not "Fred"

    • The equivalent of (STRINGS != "FRED" AND STRINGS != "BARNEY" AND STRINGS != "WILMA")

  • REGEX

    • The value matches the supplied regular expression.

    • Regex is CASE SENSITIVE

    • Regex is assumed to be a valid RE2 expression.

  • !REGEX

    • The value does not match the supplied regular expression.

    • Regex is CASE SENSITIVE

    • Regex is assumed to be a valid RE2 expression (note that Snare Server version 7 uses PCRE).

  • REGEXI

    • The value matches the supplied regular expression.

    • Regex is NOT CASE SENSITIVE

    • Regex is assumed to be a valid RE2 expression.

  • !REGEXI

    • The value does not match the supplied regular expression.

    • Regex is NOT CASE SENSITIVE

    • Regex is assumed to be a valid RE2 expression.

  • HAS

    • Like CONTAINS, but assumes that the supplied match string, are entire words.

    • Significantly more friendly from an index-perspective; queries that use HAS may return significantly faster than queries that use CONTAINS.

    • Case insensitive.

    • eg: STRINGS HAS "Fred" would match: "The user Fred logged in", but not "The user Frederick logged in".

    • eg: STRINGS CONTAINS "Fred" would match: "The user Fred logged in" and "The user Frederick logged in".

Logical Element

A logical element in SnareQL is a word that joins two or more clauses together to forma form a complex SnareQL query

  • AND

  • OR

  • NOT

Value

A string designed to represent the contents of a field in an event within the Snare Central datastore. The value may be a simple string, or a complex regular expression, depending on the operator selected.

Quotations are optional for simple values comprising a single word. Single or double quotes are recommended for more complex values such as regular expressions, and are required for strings that contain whitespace.

  • AJSmith

  • “Tony Smith”

  • “^(AU|US|UK)-[0-9]”

  • “Tony%”

  • yesterday

Function

A function in SnareQL appears as a word followed by parentheses, which may contain a field.

A function performs a calculation on the contents of the field (the value) and returns the results.

  • 15MIN(TIME):

    • Return the number of 15 minute quadrant associated with the supplied time (0-95).

    • The day will be divided into 96 quadrants.

      00:12:03 will become 0
      00:15:01 will become 1
      12:01:00 will become 48
      12:14:59 will become 48
      12:15:01 will become 49
      14:45:00 will become 59

  • 15MINFLOOR(TIME)

    • Return the time to the nearest low 15 minute segment of the day

      12:01:00 will become 12:00:00
      12:14:59 will become 12:00:00
      12:15:01 will become 12:15:00
      14:45:00 will become 14:45:00
      15:59:00 will become 15:45:00

  • HOUR(TIME)

    • Returns just the hour associated with the supplied time

      12:01:12 will return 12

      17:23:34 will return 17

  • HOURMINUTE(TIME)

    • Returns the hour and the minute, with a colon deliminiter
      17:23:49 becomes 17:23

  • MINUTE(TIME)

    • Returns just the minute component of the supplied time

      12:01:12 will return 01
      17:23:34 will return 23

  • SECONDS(TIME)

    • Returns just the seconds component of the supplied time

      12:01:12 will return 12
      17:23:34 will return 34

  • DAYOFWEEK(DATE)

    • Returns the number of the day of the week for a particular date.

    • 1: Sunday

    • 2: Monday

    • 3: Tuesday

    • 4: Wednesday

    • 5: Thursday

    • 6: Friday

    • 7: Saturday

Field Reference

Each log type supported by the Snare Central collection subsystem has a range of fields available. Intelligent event recognition and segmentation software modules are capable of pulling useful content from a raw incoming event, into key/value pairs.

The Snare Central query language can use these fields and values to hunt for critical security data. See Log Types for information on fields that are available for each log type.

The following logtype/fields are not yet available in the Log Types area of the Snare Central user guide. Basic details are available below:

...

Log Type / Table

...

Fields

...

SnareServerLog

...

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • SOURCE

  • USERNAME

  • RESOURCE

  • ACTION

  • RETURN

  • DETAILS

...

SNMPTrap

...

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • STRINGS

...

Snort

...

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • EVENTID

  • PRIORITY

  • CLASSIFICATION

  • DESCRIPTION

  • SRCADDR

  • SRCPORT

  • DSTADDR

  • DSTPORT

  • PROTO

...

SOCKSLog

...

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • ACTION

  • MESSAGE

...

SolarisBSM

...

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • EVENTCOUNT

  • EVENTID

  • AUID

  • EUID

  • EGID

  • RUID

  • RGID

  • PID

  • RETURNCODE

  • STRINGS

  • TARGET

...

SonicWall

...

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • EVENTID

  • CATEGORY

  • PRIORITY

  • FWADDR

  • PROTO

  • SRCADDR

  • SRCPORT

  • DSTADDR

  • DSTPORT

  • MESSAGE

  • STRINGS

...

SonicWallSSLVPN

...

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • ACTION

  • PRIORITY

  • FWADDR

  • SRCADDR

  • DSTADDR

  • PORTAL

  • DOMAIN

  • USER

  • MESSAGE

  • AGENT

  • STRING

...

SophosDataControlLog

...

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • USERNAME

  • COMPUTER

  • SOURCEPATH

  • DESTINATIONPATH

  • FILENAME

  • DESTTYPE

  • STRINGS

...

SophosWeb

...

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • USERNAME

  • CRITICALITY

  • CATEGORY

  • RULE

  • REASON

  • THREAT

  • DOMAIN

  • METHOD

  • URL

  • PROTOCOL

  • SRCIP

  • DESTIP

  • AGENT

  • OS

  • BYTESIN

  • BYTESOUT

  • REFERRER

  • STRINGS

...

SquidProxyLog

...

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • HOSTNAME

  • USERNAME

  • URL

  • RETURNCODE

  • BYTES

  • REFERRER

  • AGENT

  • PROTOCOL

  • LOGTYPE

  • CATEGORY

  • STRINGS

...

TandemLog

...

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • PSGUSER

  • PSGUSERID

  • PCGUSER

  • POOBJECTTYPE

  • POOPERATION

  • POOWNUSER

  • POOWNUSERID

  • PSTERM

  • PCTERM

  • RETURN

...

TopicLog

...

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • CLIENT

  • USERNAME

  • OPERATION

  • QUERY

  • TITLE

  • COLLECTIONS

  • SERIAL

  • PATH

  • RULE

...

TrendDSM

...

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • CRITICALITY

  • EVENTNUMBER

  • TITLE

  • TARGET

  • ACTIONBY

  • DESCRIPTION

  • TAGS

...

Tru64Audit

...

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • EVENTID

  • USERID

  • AUID

  • RUID

  • EUID

  • PID

  • PPID

  • RETURNCODE

  • STRINGS

  • TARGET

...

VMSLog

...

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • EVENTID

  • EVENTTYPE

  • USERNAME

  • SYSTEMID

  • PID

  • TERMINALNAME

  • PROCESSNAME

  • PROCESSOWNER

  • REMOTEUSERNAME

  • REMOTENODENAME

  • IMAGENAME

  • COMMANDLINE

  • OBJECTCLASSNAME

  • AUDITINGFLAGS

  • ALARMFLAGS

  • STATUS

  • DATA

...

VWActionsLog

...

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • SEQUENCE

  • CLIENTID

  • METHODCODE

  • OFFICERCODE

  • FOLDERCODE

  • CLIENTTYPE

...

WebLog

...

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • HOSTNAME

  • USERNAME

  • URL

  • RETURNCODE

  • BYTES

  • REFERRER

  • AGENT

  • PROTOCOL

  • LOGTYPE

  • CATEGORY

  • STRINGS

...

WinDHCP

...

DATE

...

TIME

...

SYSTEM

...

TABLE

...

EVENTID

...

DESCRIPTION

...

IPADDRESS

...

HOSTNAME

...