The purpose of this section is to discuss the parameter settings of the configuration file. The Snare configuration file is located at /etc/security/snare.conf, and this location may not be changed. If the configuration file does not exist, the audit daemon will not actively audit events until a correctly formatted configuration file is present.
Snare can be configured in several different ways, namely:
a. Via the Web UI (recommended for novice users), or
b. By manually editing the configuration file (recommended for advanced users only). Note care should be taken to ensure that it conforms to the required Snare format. Failure to specify a correct configuration may result in selected events not being able to be read and the agent not working as specified.
The format of the audit configuration file is discussed below.
...
[Network]
...
This section stores the general network configurations.
...
CacheSize
...
CacheSizeM
...
Determines the size of the in memory cache in MB. The value must be between 1 and 1024.
If this is set then
CacheSize
cannot be altered.
...
The purpose of this section is to discuss the parameter settings of the configuration file. The Snare configuration file is located at /etc/security/snare.conf, and this location may not be changed. If the configuration file does not exist, the audit daemon will not actively audit events until a correctly formatted configuration file is present.
Snare can be configured in several different ways, namely:
a. Via the Web UI (recommended for novice users), or
b. By manually editing the configuration file (recommended for advanced users only). Note care should be taken to ensure that it conforms to the required Snare format. Failure to specify a correct configuration may result in selected events not being able to be read and the agent not working as specified.
The format of the audit configuration file is discussed below.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Note: To use multiple destinations, duplicate this and the next 5 settings, and increment their index, i.e.
Destination2Delimiter,
Destination2Format, Destination2Host,
etc.
Destination1Format
Snare
|
|
|
|
|
|
|
|
|
|
|
|
DEVO (8), DEVO JSON (9).
Destination1Host
The IP or hostname of the destination server/SIEM.
Destination1mTLSCertID
This value is of type REG_SZ and is the ID of the client's certificate. Client will present the certificate in mutual TLS communication to prove its identity to the server in communication.
Destination1Port
Determines the Destination Port number. This value must be in 1-65535 range. Will default to 514 if a SYSLOG header has been specified.
Destination1SocketType
Determines the protocol used (0 for UDP, 1 for TCP, 2 for TLS/SSL, 3 for TLS_AUTH, 4 for mTLS
).
Destination1TLSAuthKey
This value is used when Destination1SocketType is 3 i.e. TLS_AUTH.
FileOutput1Delimiter
The delimiter to be used in the events written to this file destination, including, tab, comma, vertical bar and space. By default the delimiter is a tab character.
FileOutput1FileName
The path and location of the file the events are written to.
Note: only events that were sent to at least one network destination will be written to the file destination.
FileOutput1Format
The format to write to the log file. Available formats are:
Snare (0), SYSLOG
RFC3164 (1), SYSLOG Alt (2), CEF (3)
, LEEF (4),
SYSLOG RFC5424 (5), SNARE V2 (6), SYSLOG JSON (7), DEVO (8), DEVO JSON (9).
NotifyMsgLimit
Having a value 0 or 1, and determines whether to send or not the EPS notification to server (1 means send and 0 means not to send) whenever agent reaches EPS RateLimit.
NotifyMsgLimitFrequency
Determines the frequency of events per second notification. The value is treated in minutes and only one EPS notification message is sent to server regardless of how many times agent reaches EPS limit during these minutes.
RateLimit
Determines the upper limit for events per second (EPS) that the agent will send to server.
SyslogFacility
Represents the SYSLOG facility for SYSLOG format
[Config]
This section stores the general configuration values.
AgentLog
S
ets the level of tracing sent by the agent. Values include [0-5] where Fatal (0), Error (1), Warning (2), Info (3), Debug (8), Trace (9).
Audit
Determines whether Snare is to automatically set the system audit configuration. Set this value to 0 for no, or 1 for Yes. Will default to TRUE (1) if not set.
CachePath
This is the disk backup path where the agent will temporarily save all unsent events from its memory cache if the
agent needs to restart. Agent will read and send the events on next start.
Checksum
Determines whether Snare includes an MD5 Checksum of the contents of each audit record, with the record in question. Set this value to 0 for no, or 1 for Yes. Will default to FALSE (0) if not set. Note that the checking application will need to strip the final delimiter, plus the MD5 Checksum, from the record before evaluating the record against the checksum.
Clientname
This is the Hostname of the client and if no value has been set, "hostname" command output will be displayed. Must be no more than 100 characters, otherwise will be truncated.
Delimiter
Stores the field delimiting character, ONLY if the destination format SYSLOG has been selected. If more than one char, only first char will be used. If none set, then TAB will be used. This is a HIDDEN field, and only available to those users that wish to set a different delimiter when using the SYSLOG header. This selection option will not be found in the Snare web pages.
EventSourceIdText
Stores the Event Source Id text/value. If the value in EventSourceIdType is 1 (Free Text), then this text/value is included in each event.
EventSourceIdType
Stores the option related to specifying Event Source Id: 0(NONE) and 1(Free Text)
FileSize
This is the maximum generated size of an output file receiving events. The file is rotated upon reaching this maximum.
HeartBeat
This value is the frequency with which a heartbeat is sent, set in minutes.
HeartBeatFileExport
This value determines whether heartbeats are logged to a file. 0 for no, or 1 for Yes.
HeartBeatOutputPath
This is the path where the heartbeat messages are exported to, if selected.
HostGUID
Set to the GUID of the specific network card.
HostIP
Set to the IP address of the specific network card.
TLS13Minimum
When disabled (0), Snare Agent supports TLS 1.2 and TLS 1.3 for web connections. When enabled (1), TLS 1.2 is explicitly disabled; browsers connecting to the agent website must support at least TLS 1.3 for ssl connections.
UpgradePath
The automatically generated path in which temporary upgrade files are stored.
UseHostIP
If checkbox is set it resolves the machine's IP address from the first wired adapter. It will not
resolve wireless IPs at present. Set this value to 0 for no, or 1 for Yes.
UseUTC
Determines whether Snare should use UTC timestamps instead of the local system time when sending events. Set this value to 0 for no, or 1 for Yes. Will default to FALSE (0) if not set.
[Remote]
This section stores all the web user interface/remote control parameters.
AccessKeyAuth
Stores the actual password to be used, in encrypted format.
Allow
Set to either 0 or 1 to allow the web user interface to be available. If not set or out of bounds, will default to 0/NO (ie; not able to be browsed to).
LockTime
This value is of type REG_DWORD and is used to determine the lock duration in minutes after maximum failed login attempts.
MaxFailAttempt
This value is of type REG_DWORD and is used to determine the maximum number of failed login attempts that will be accepted before the agent will be locked for a duration (Duration is defined in LockTime).
Restrict
Set to either 0 or 1 to signal whether the remote users should be restricted via IP address or not. 0 = no restrictions.
RestrictIP
The IP address that is used to remotely control the agent.
WebPort
This value is the web server port, if it has been set to something other than port 6161. If not set or out of bounds, it will default to port 6161.
[SAM]
This section stores the Snare Agent Manager settings.
SAM1AuthKey
Key used by the agent to communicate with the Snare Agent Manager.
SAM1IP
The IP/hostname of where SAM is installed, that will communicate with the agent.
SAM1Port
The port number the agent uses to communicate with SAM, port 6262.
[State]
This section stores data managed internally by the Agent.
SAMCToken
Token provided by SAM to the agent.
AgentLocked
This value is of type REG_DWORD and is set to either 0 or 1 to indicate whether the agent is locked or not due to reaching maximum failed login attempts.
AgentLockEndTime
This is of type REG_SZ and is used to store the time when the agent will be back to normal after it has been locked due to reaching maximum failed login attempts.
LoginAttempts
This value is of type REG_DWORD and is used to determine the number of consecutive failed login attempts.
[Objective]
This section stores all the filtering audit policies (formerly known as objectives) for filtering macOS audit events.
Objective#
(where # is a serial no.
starting with 1)
This section describes the format of the audit policies. For example:
criticality: Format for this string is [0-4],[0-7],[0-7],
[0-7],[0-10],[1-10],0,0,0,0
. First integer is between 0 and 4 that indicates the severity of the Snare format event. Critical = 4, Priority = 3, Warning = 2, Information = 1, Clear = 0. Next 3 values are Syslog for each RFC3164, RFC3164 Alt and RFC5424. Syslog values RFC3164 Alt and RFC5424 are copied from Syslog and not used separately. Values 0-7 denote Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug. CEF is 0 - 10, 0 is least severe and 10 is most severe. LEEF is 1 - 10, 1 is least severe and 10 is most severe. Last 4 values 0,0,0,0 are reserved and not in useevent: comma-separated list of macOS audit events to collect, or * for all
return: filter by event return value: success, failure, or * for any
user: regular expression for filtering by user. Use = to include matching event, or != to exclude it.
match: regular expression to search for in the content of an event. Use = to include matching event, or != to exclude it.
[Filter
]
This subkey stores the Log Filter.
This section describes the format of the log filters. Filters are of type REG_SZ, of no greater than 1060 chars, and is composed of the following string (the figures in the brackets represent the maximum size of the strings that can be entered):
eg. criticality=2,5,5,5,7,9,0,0,0,0
match (General Match) - The General match term is the filter expression, and is defined to be any value which includes DOS wildcard characters. It can also include regular expressions if 'regex' box is checked.
eg match="*"
General Match Type - Include/Exclude. If checked Include then match or general match term is equated as [ = ] if checked exclude then it is [ != ].
Regex: =0 (Include general string term to match); =1 (Include regex string term to match)
eg. regex=0
[Log]
This section stores the Log Monitors.
Log# (where # is a serial number)
This section describes the format of the log monitors. Log monitors are of type REG_SZ, of no greater than 512 chars, and is composed of the following string:
Logtype | LogPath
LogType is optional and is used to inform the Snare server how to process the data stream.
The LogPath is the fully qualified path to the log file that needs to be monitored or the fully qualified path to the directory containing date stamped log files of the form "YYMMDD" (in this case a trailing backslash ('\') is required). Spaces are valid, except at the start of the term.
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Objective# (where # is a serial no. starting with 1) |
|
[Filter] |
|
Filter# (where # is a serial number) |
For example: "Filter1": "criticality=0,5,5,5,0,1,0,0,0,0match=\"*\"regex=0state=1uuid=7e90d723-219c-46a6-943e-55573532e05f" |
|
|
|
|
|
|
FIM#
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |