Versions Compared

Version Old Version 2 New Version Current
Changes made by

maria ieropoulos

Leigh Purdie (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The Snare Central can process a reasonably wide range of source data types. The Snare Central data acquisition software is generally tuned for particular versions of operating system or device logs, so if you encounter problems importing particular types of data, please contact your Snare Central support team, and be prepared to supply (sanitised if required) log samples.

...

Organisations that use the Snort network intrusion detection system can send data to the Snare Central via the syslog protocol. Snare will be able to collect, interpret, and report on the events. The following information provides an overview of the steps required to configure the Snort sensor to send eventlog data back to the Snare Central. Note that there is no configuration required on the Snare Central.

Note
titleWhat you need
The IP address or DNS name of the Snare Central server


Tip
titleHow to..

On the host that is acting as a Snort collection sensor:

  • In the file /etc/syslog.conf, add the following two lines:

# Send all SYSLOG events to the Snare Central
*.*@12.23.34.45

  • Please substitute the IP address, or the DNS name, of the Snare Central for the string "12.23.34.45"
  • Modify the file /etc/snort/snort.conf to include the following line:

output alert_syslog: LOG_AUTH LOG_ALERT

  • An existing (or possibly, multiple) 'output' line may already exist in the file - that is acceptable. Snort will be able to send output to both targets.
  • Restart your snort network intrusion detection system and syslog daemon. Depending on your distribution this may be one of:
    • /etc/init.d/snortd; /etc/init.d/syslog restart
    • service snortd restart; service syslog restart

...

  • Look in /var/log/messages for errors.
  • Run manually:
    • /usr/sbin/snort -D -i "ppp0" -c /etc/snort/snort.conf
  • ..then look in /var/log/messages for errors

Collecting ACF2 Data

The Snare Central is able to collect ACF2 processed reports, via FTP transfer. The processed reports need to be transferred to a particular directory on the Snare Central, which will then be uploaded by Snare Central processes, on a daily basis.

The ACF2 processed reports are based on specific utilities, provided with the ACF2. The utilities produce formatted reports on the following activity on a mainframe, which can then be collected by the Snare Central, and used for reporting:

...

The end of this chapter contains a listing of an example JCL which could be used to run, extract and send the ACF2 processed reports to the Snare Central. This sample job has been set up for the Logonid Modification Log report, but could easily be configured for all the reports listed above. Each step in the sample job below performs the following steps. Note that a fixed transfer library name is used because a reference to this library is stored in an FTP parm library which cannot be changed with each run. Some of the programs used in this job are defined below.

  • Deletes previous day's FTP transfer library.
  • Runs ACF2 report, placing output in a GDG (7 generations kept).
  • Allocate new FTP transfer library and copy report from GDG created in previous step.
  • FTP the transfer library to Snare Central. The 'snarexfer' FTP user must be used. This user defaults to the "/data/SnareCollect" directory on the Snare Central. The ACF2 processed reports must be placed in the "ACF2Log" sub-directory. So the full path becomes: "/data/SnareCollect/ACF2Log". Member level security is used to protect the FTP lid password.

The IEBGENER program used in the sample job is an IBM-supplied utility program designed to generate copies of data sets when disk storage or tape is involved. The IKJEFT01 program is the TSO/E program, and is used to perform a TSO function within a batch job.

 


Code Block
titleCSCSNR01
linenumberstrue
********************************** Top of Data **********************************
//CSCSNR01 JOB (P,SCF81),ACT.SECURITY,CLASS=C,MSGCLASS=J
/*JOBPARM SYSAFF=PROD
//-----------------------------------------------------------------
//*
//* JOB TO PRODUCE ACF2 LIDMOD REPORT FOR XFER TO SNARE SERVER
//*
//*---------- DELETE TEMP XFER LIB ---------------------------------
//*
//STEP1 EXEC PGM=IKJEFT01,REGION=8192K
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTERM DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSIN DD *
DELETE 'CSC.SNARE01.LIDMODS.XFER'
//*
//*---------- ACF2 LID DB MODIFICATION LOG REPORT ------------------
//*
//STEP2 EXEC PGM=ACFRPTLL
//SYSPRINT DD DSN=CSC.SNARE01.LIDMODS.REPORT(+1),
//
DISP=(,CATLG),
//
VOL=SER=BTCH52,
//
UNIT=SYSDA,
//
SPACE=(TRK,(60,5),RLSE),
//
DCB=(GDGMODEL,RECFM=FB,LRECL=142,BLKSIZE=27974)
//SYSUDUMP DD SYSOUT=*
//REC01 DD DSN=CTF.SMFJR,DISP=SHR
//SYSIN DD *
MASK(********)
DETAIL
NOUPDATE
SYSID(****)
//*
//*---------- COPY REPORT FROM GDG TO XFER LIB ---------------------
//*
//COPY
EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSUT1
DD DSN=CSC.SNARE01.LIDMODS.REPORT(+1),
DISP=SHR
//SYSUT2
DD DSN=CSC.SNARE01.LIDMODS.XFER,
//
DISP=(NEW,CATLG,DELETE),
//
VOL=SER=BTCH52,
//
UNIT=SYSDA,
//
SPACE=(TRK,(60,5),RLSE),
//
DCB=*.SYSUT1
//*
DCB=(RECFM=FB,LRECL=142,BLKSIZE=27974)
//SYSIN
DD DUMMY
//*
//*---------- FTP XFER FILE TO SNARE SERVER ------------------------
//*
//STEP4 EXEC FTP,
//
SERVER='CSCSNARE',
//
FTPUSER='SNAREXFER',
//
FTPCMDS='CSCSNR01',
//
ENV='PROD',
//
SOUT='*'
//*
//*---------- Notify Security Monitoring Team if job fails ---------
//*
//*JOBFAIL IF ((RC > 4) | (ABEND)) THEN
//*
//SENDMEMO EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSUT1 DD *
HELO NCC
MAIL FROM:<PSC0SCHD@AGENCY.COM>
RCPT TO:<ITSECMON@AGENCY.COM>
DATA
TO:ITSECMON<ITSECMON@AGENCY.COM>
SUBJECT:SNARE REPORT FTP JOB FAILURE: JOB CSCSNR01
PLEASE CHECK SDSF OUTPUT FOR THIS JOB ASAP AND DETERMINE WHY.
>> THIS E-MAIL IS GENERATED BY A BATCH JOB RUNNING ON THE
>> AGENCY'S MAINFRAME ENVIRONMENT.
.
QUIT
/*
//SYSUT2 DD SYSOUT=(B,SMTP)
//SYSIN DD DUMMY
//*
//JOBFAIL ENDIF
//*===================================================================

...

RACF resource violation logs can be batch-imported to the Snare Central. In particular, ACCESS, DELRES, and JOBINIT logs are supported directly, .

...

Info
titleLog format

RACF logs are fixed-column logs. The Snare Central assumes the following format:

  • EVENT TYPE: Characters 1-8
  • EVENT QUALIFIER: Characters 10-17 (Eg; SUCCESS, INVPSWD, RACINITD)
  • TIME: Characters 19-26
  • DATE: Characters 28-37
  • SYSTEM: Characters 39-42 (SYSTEM ID)
  • USER ID: Characters 59-66
  • GROUP ID: Characters 68-75
  • TERMINAL (HOSTNAME): Characters 171-178
  • JOB NAME: Characters 180-187
  • USER NAME: Characters 556-575
  • ATTRIBUTES: (True/False)
    • VIOLATION: 44-47
    • BYPASS: 107-110
    • SPECIAL USER: 602-605
    • PRIV: 646-649 

...

Sidewinder firewall logs can be exported to CSV, and transferred to the Snare Central for processing.

The Snare Central, will utilise the following fields:

...

IIS logs should retain the header information, that includes the 'Fields' definition line.

The Snare Central requires the following fields to be included:

...

In situations where systems are air-gapped, or have sporadic internet connectivity, directly transferring the archived log data to the Snare Central via FTP is possible.

...

  • String order may not match the order found in normal Snare agent logs.
    • Some existing Snare Central objectives may require strings to be in a particular order, to pull out information of particular interest, from the 'Strings' section of events, such as as user name.
  • String names may not match those found in normal Snare agent logs.
    • The string "SubjectUserSid" in the EVTX file, is actually translated to "Subject: Security ID:" in many events.
    • The string "SubjectUserName" in the EVTX file may be "User Name" in some circumstances, or "Account Name" in others. There is no obvious consistency , and there does not seem to be a generally available lookup-table to hint at what translations are appropriate.
    • The Snare Central will attempt to convert the 'CamelCase' string headers to space-included versions, which are more likely to match those displayed by the Windows event viewer (and therefore transmitted by Snare), however, case may be incorrect in some circumstances:
      • SubjectUserId may be translated as "Subject User Id", whereas the Windows event view will display it as "Subject User ID".
      • There are a few 'special cases' defined in the EVTX converter, that may fix the more obvious examples.
  • The contents of the 'Data' field is not currently supported for conversion.
  • Content that is usually interpreted at display-time in the Windows event viewer, or at transmission time in the Snare agents, will not be interpreted.
    • At event display-time, the Windows event viewer interrogates the registry, and sometimes native or third party DLL's, to try and resolve event template components to human readable text. The Snare for Windows agent does the same, when it converts the events to text-format prior to transmission.
    • These DLL's/registry entries are not guaranteed to be installed on all windows machines - for example, Internet Information Server template conversion DLL's will not be installed on a server that is not running IIS.
    • As such, information that is available to a Snare Agent on the source system, is NOT available to the Snare Central when it attempts to convert the binary EVTX log data to text format.
    • Human-readable event descriptions that are often included within the strings section, will not be available.
  • Date/Time values within the EVTX files are in UTC format, and the EVTX files do not contain UTC offset information for the source server.
  • In general, the conversion tool may require assistance in determining the source of the source EVTX file (eg: Security, Application, System, etc).
    • The two points above, can be addressed with the assistance of file path hints.
    • Logs should be included in one of the following file paths, depending on the log type/source:
      • /data/SnareCollect/MSWinEVTX/Security
      • /data/SnareCollect/MSWinEVTX/Application
      • /data/SnareCollect/MSWinEVTX/System
    • Under these directories, if time zone conversion is required (highly recommended), a directory should be created with the textual representation of the time-zone (but with the forward-slash character switched out for a COLON)
      • For example:
        • /data/SnareCollect/MSWinEVTX/Security/America:New_York
        • /data/SnareCollect/MSWinEVTX/Security/Australia:Adelaide

 


Note
titleExample

A Sample log line, as received by the Snare Central from a Snare Agent, and after conversion from an EVTX file. Key differences are highlighted.

Snare AgentEVTX Converter
2015-02-052015-02-05
14:23:2714:23:27
WIN08R264DC2WIN08R264DC2
WinSecurityWinSecurity

47

47

47194719
Microsoft-Windows-Security-AuditingMicrosoft-Windows-Security-Auditing
TEST\WIN08R264DC2$TEST\WIN08R264DC2$
N/AN/A
Success AuditSuccess Audit
System audit policy was changed.
 

Subject:   Security ID:  S-1-5-18Subject User Sid:  S-1-5-18
Account Name:  WIN08R264DC2$Subject Account Name:  WIN08R264DC2$
Account Domain:  TESTSubject Account Domain:  TEST
Logon ID:  0x3e7Logon Id:  0x3e7

Audit Policy Change:    Category:  System

Category Id: %%8272

Subcategory:  Security State ChangeSubcategory Id: %%12288
Subcategory GUID: {0CCE9210-69AE-11D9-BED3-505054503030}Subcategory Guid: {0CCE9210-69AE-11D9-BED3-505054503030}
Changes:  Success removed, Failure removedAudit Policy Changes: %%8448, %%8450



Info
titleCaveats

It should be noted however, that the EVTX import tool, will 'cheat' in some circumstances, and performs some transformations on events that are considered high priority by Snare Central customers, in order to make them appear very similar to the events generated by Snare Agents. These transformations may include:

  • Reordering fields
  • Relabelling some strings (eg: SubjectUserSid becomes "Subject:    Security ID")
  • Inserting human readable event descriptions.

...

Info
titleTime Zones

The following Time Zones are supported:

Africa:Abidjan

Africa:AccraAfrica:Addis_AbabaAfrica:AlgiersAfrica:Asmara
Africa:AsmeraAfrica:BamakoAfrica:BanguiAfrica:BanjulAfrica:Bissau
Africa:BlantyreAfrica:BrazzavilleAfrica:BujumburaAfrica:CairoAfrica:Casablanca
Africa:CeutaAfrica:ConakryAfrica:DakarAfrica:Dar_es_SalaamAfrica:Djibouti
Africa:DoualaAfrica:El_AaiunAfrica:FreetownAfrica:GaboroneAfrica:Harare
Africa:JohannesburgAfrica:JubaAfrica:KampalaAfrica:KhartoumAfrica:Kigali
Africa:KinshasaAfrica:LagosAfrica:LibrevilleAfrica:LomeAfrica:Luanda
Africa:LubumbashiAfrica:LusakaAfrica:MalaboAfrica:MaputoAfrica:Maseru
Africa:MbabaneAfrica:MogadishuAfrica:MonroviaAfrica:NairobiAfrica:Ndjamena
Africa:NiameyAfrica:NouakchottAfrica:OuagadougouAfrica:Porto-NovoAfrica:Sao_Tome
Africa:TimbuktuAfrica:TripoliAfrica:TunisAfrica:Windhoek
 

America:AdakAmerica:AnchorageAmerica:AnguillaAmerica:AntiguaAmerica:Araguaina
America:Argentina:Buenos_AiresAmerica:Argentina:CatamarcaAmerica:Argentina:ComodRivadaviaAmerica:Argentina:CordobaAmerica:Argentina:Jujuy
America:Argentina:La_RiojaAmerica:Argentina:MendozaAmerica:Argentina:Rio_GallegosAmerica:Argentina:SaltaAmerica:Argentina:San_Juan
America:Argentina:San_LuisAmerica:Argentina:TucumanAmerica:Argentina:UshuaiaAmerica:ArubaAmerica:Asuncion
America:AtikokanAmerica:AtkaAmerica:BahiaAmerica:Bahia_BanderasAmerica:Barbados
America:BelemAmerica:BelizeAmerica:Blanc-SablonAmerica:Boa_VistaAmerica:Bogota
America:BoiseAmerica:Buenos_AiresAmerica:Cambridge_BayAmerica:Campo_GrandeAmerica:Cancun
America:CaracasAmerica:CatamarcaAmerica:CayenneAmerica:CaymanAmerica:Chicago
America:ChihuahuaAmerica:Coral_HarbourAmerica:CordobaAmerica:Costa_RicaAmerica:Creston
America:CuiabaAmerica:CuracaoAmerica:DanmarkshavnAmerica:DawsonAmerica:Dawson_Creek
America:DenverAmerica:DetroitAmerica:DominicaAmerica:EdmontonAmerica:Eirunepe
America:El_SalvadorAmerica:EnsenadaAmerica:Fort_WayneAmerica:FortalezaAmerica:Glace_Bay
America:GodthabAmerica:Goose_BayAmerica:Grand_TurkAmerica:GrenadaAmerica:Guadeloupe
America:GuatemalaAmerica:GuayaquilAmerica:GuyanaAmerica:HalifaxAmerica:Havana
America:HermosilloAmerica:Indiana:IndianapolisAmerica:Indiana:KnoxAmerica:Indiana:MarengoAmerica:Indiana:Petersburg
America:Indiana:Tell_CityAmerica:Indiana:VevayAmerica:Indiana:VincennesAmerica:Indiana:WinamacAmerica:Indianapolis
America:InuvikAmerica:IqaluitAmerica:JamaicaAmerica:JujuyAmerica:Juneau
America:Kentucky:LouisvilleAmerica:Kentucky:MonticelloAmerica:Knox_INAmerica:KralendijkAmerica:La_Paz
America:LimaAmerica:Los_AngelesAmerica:LouisvilleAmerica:Lower_PrincesAmerica:Maceio
America:ManaguaAmerica:ManausAmerica:MarigotAmerica:MartiniqueAmerica:Matamoros
America:MazatlanAmerica:MendozaAmerica:MenomineeAmerica:MeridaAmerica:Metlakatla
America:Mexico_CityAmerica:MiquelonAmerica:MonctonAmerica:MonterreyAmerica:Montevideo
America:MontrealAmerica:MontserratAmerica:NassauAmerica:New_YorkAmerica:Nipigon
America:NomeAmerica:NoronhaAmerica:North_Dakota:BeulahAmerica:North_Dakota:CenterAmerica:North_Dakota:New_Salem
America:OjinagaAmerica:PanamaAmerica:PangnirtungAmerica:ParamariboAmerica:Phoenix
America:Port-au-PrinceAmerica:Port_of_SpainAmerica:Porto_AcreAmerica:Porto_VelhoAmerica:Puerto_Rico
America:Rainy_RiverAmerica:Rankin_InletAmerica:RecifeAmerica:ReginaAmerica:Resolute
America:Rio_BrancoAmerica:RosarioAmerica:Santa_IsabelAmerica:SantaremAmerica:Santiago
America:Santo_DomingoAmerica:Sao_PauloAmerica:ScoresbysundAmerica:ShiprockAmerica:Sitka
America:St_BarthelemyAmerica:St_JohnsAmerica:St_KittsAmerica:St_LuciaAmerica:St_Thomas
America:St_VincentAmerica:Swift_CurrentAmerica:TegucigalpaAmerica:ThuleAmerica:Thunder_Bay
America:TijuanaAmerica:TorontoAmerica:TortolaAmerica:VancouverAmerica:Virgin
America:WhitehorseAmerica:WinnipegAmerica:YakutatAmerica:Yellowknife
 

Antarctica:CaseyAntarctica:DavisAntarctica:DumontDUrvilleAntarctica:MacquarieAntarctica:Mawson
Antarctica:McMurdoAntarctica:PalmerAntarctica:RotheraAntarctica:South_PoleAntarctica:Syowa
Antarctica:TrollAntarctica:Vostok
   



Arctic:Longyearbyen
   
 




Asia:AdenAsia:AlmatyAsia:AmmanAsia:AnadyrAsia:Aqtau
Asia:AqtobeAsia:AshgabatAsia:AshkhabadAsia:BaghdadAsia:Bahrain
Asia:BakuAsia:BangkokAsia:BeirutAsia:BishkekAsia:Brunei
Asia:CalcuttaAsia:ChitaAsia:ChoibalsanAsia:ChongqingAsia:Chungking
Asia:ColomboAsia:DaccaAsia:DamascusAsia:DhakaAsia:Dili
Asia:DubaiAsia:DushanbeAsia:GazaAsia:HarbinAsia:Hebron
Asia:Ho_Chi_MinhAsia:Hong_KongAsia:HovdAsia:IrkutskAsia:Istanbul
Asia:JakartaAsia:JayapuraAsia:JerusalemAsia:KabulAsia:Kamchatka
Asia:KarachiAsia:KashgarAsia:KathmanduAsia:KatmanduAsia:Khandyga
Asia:KolkataAsia:KrasnoyarskAsia:Kuala_LumpurAsia:KuchingAsia:Kuwait
Asia:MacaoAsia:MacauAsia:MagadanAsia:MakassarAsia:Manila
Asia:MuscatAsia:NicosiaAsia:NovokuznetskAsia:NovosibirskAsia:Omsk
Asia:OralAsia:Phnom_PenhAsia:PontianakAsia:PyongyangAsia:Qatar
Asia:QyzylordaAsia:RangoonAsia:RiyadhAsia:SaigonAsia:Sakhalin
Asia:SamarkandAsia:SeoulAsia:ShanghaiAsia:SingaporeAsia:Srednekolymsk
Asia:TaipeiAsia:TashkentAsia:TbilisiAsia:TehranAsia:Tel_Aviv
Asia:ThimbuAsia:ThimphuAsia:TokyoAsia:Ujung_PandangAsia:Ulaanbaatar
Asia:Ulan_BatorAsia:UrumqiAsia:Ust-NeraAsia:VientianeAsia:Vladivostok
Asia:YakutskAsia:YekaterinburgAsia:Yerevan
  


Atlantic:AzoresAtlantic:BermudaAtlantic:CanaryAtlantic:Cape_VerdeAtlantic:Faeroe
Atlantic:FaroeAtlantic:Jan_MayenAtlantic:MadeiraAtlantic:ReykjavikAtlantic:South_Georgia
Atlantic:St_HelenaAtlantic:Stanley
   



Australia:ACTAustralia:AdelaideAustralia:BrisbaneAustralia:Broken_HillAustralia:Canberra
Australia:CurrieAustralia:DarwinAustralia:EuclaAustralia:HobartAustralia:LHI
Australia:LindemanAustralia:Lord_HoweAustralia:MelbourneAustralia:NorthAustralia:NSW
Australia:PerthAustralia:QueenslandAustralia:SouthAustralia:SydneyAustralia:Tasmania
Australia:VictoriaAustralia:WestAustralia:Yancowinna
  


Europe:AmsterdamEurope:AndorraEurope:AthensEurope:BelfastEurope:Belgrade
Europe:BerlinEurope:BratislavaEurope:BrusselsEurope:BucharestEurope:Budapest
Europe:BusingenEurope:ChisinauEurope:CopenhagenEurope:DublinEurope:Gibraltar
Europe:GuernseyEurope:HelsinkiEurope:Isle_of_ManEurope:IstanbulEurope:Jersey
Europe:KaliningradEurope:KievEurope:LisbonEurope:LjubljanaEurope:London
Europe:LuxembourgEurope:MadridEurope:MaltaEurope:MariehamnEurope:Minsk
Europe:MonacoEurope:MoscowEurope:NicosiaEurope:OsloEurope:Paris
Europe:PodgoricaEurope:PragueEurope:RigaEurope:RomeEurope:Samara
Europe:San_MarinoEurope:SarajevoEurope:SimferopolEurope:SkopjeEurope:Sofia
Europe:StockholmEurope:TallinnEurope:TiraneEurope:TiraspolEurope:Uzhgorod
Europe:VaduzEurope:VaticanEurope:ViennaEurope:VilniusEurope:Volgograd
Europe:WarsawEurope:ZagrebEurope:ZaporozhyeEurope:Zurich
 

Indian:AntananarivoIndian:ChagosIndian:ChristmasIndian:CocosIndian:Comoro
Indian:KerguelenIndian:MaheIndian:MaldivesIndian:MauritiusIndian:Mayotte
Indian:Reunion
   
 




Pacific:ApiaPacific:AucklandPacific:BougainvillePacific:ChathamPacific:Chuuk
Pacific:EasterPacific:EfatePacific:EnderburyPacific:FakaofoPacific:Fiji
Pacific:FunafutiPacific:GalapagosPacific:GambierPacific:GuadalcanalPacific:Guam
Pacific:HonoluluPacific:JohnstonPacific:KiritimatiPacific:KosraePacific:Kwajalein
Pacific:MajuroPacific:MarquesasPacific:MidwayPacific:NauruPacific:Niue
Pacific:NorfolkPacific:NoumeaPacific:Pago_PagoPacific:PalauPacific:Pitcairn
Pacific:PohnpeiPacific:PonapePacific:Port_MoresbyPacific:RarotongaPacific:Saipan
Pacific:SamoaPacific:TahitiPacific:TarawaPacific:TongatapuPacific:Truk
Pacific:WakePacific:WallisPacific:Yap
  



Lotus Notes / Domino

The Snare Central is able to connect to a Domino server to retrieve eventlog data from log.nsf. It can also retrieve user and group information, plus access controls. However, some of the default settings in Lotus Domino can cause problems with the Snare Agent; please modify the server as follows: From the Domino Administrator page, click the Configuration tab, expand the Web section and click Internet Sites.

...