
The purpose of this section is to discuss the parameter settings of the configuration file. The Snare configuration file is located at /etc/security/snare.conf, and this location may not be changed. If the configuration file does not exist, the audit daemon will not actively audit events until a correctly formatted configuration file is present.

...

The format of the audit configuration file is discussed below.

[Network]

This section stores the general network configurations.

CacheSize

Determines the desired count of events in the memory cache, i.e. the number of events that Snare should keep if it cannot reach at least one of the network destinations. The value must be between 1 and 65536 events. If this is set then CacheSizeM cannot be altered.
Default value is 3200.

CacheSizeM

Determines the size of the in-memory cache in MB. The value must be between 1 and 1024. If this is set then CacheSize cannot be altered.

CheckTime

Number of seconds after which the agent internally reloads its settings and drops and re-establishes its network connections. The minimum is 300 seconds (5 minutes), the maximum is 3600 seconds (1 hour).

Destination1Delimiter

The delimiter to be used in the events written to this network destination: tab, comma, vertical bar, space or any custom character. By default the delimiter is a tab character.

Destination1Format

The format in which the events are sent to the destination: Snare (0), SYSLOG RFC3164 (1), SYSLOG Alt (2), CEF (3), LEEF (4), SYSLOG RFC5424 (5), SNARE V2 (6), SYSLOG JSON (7), DEVO (8), DEVO JSON (9).

Destination1Host

The IP or hostname of the destination server/SIEM.

Destination1mTLSCertID

The ID of the client's certificate. The agent presents this certificate during mutual TLS (mTLS) communication to prove its identity to the server.

Destination1Port

Determines the destination port number. This value must be in the range 1-65535. It defaults to 514 if a SYSLOG header has been specified.

Destination1SocketType

Determines the protocol used (0 for UDP, 1 for TCP, 2 for TLS/SSL, 3 for TLS_AUTH, 4 for mTLS).

Destination1TLSAuthKey

This value is used when Destination1SocketType is 3 (TLS_AUTH).

FileOutput1Delimiter

The delimiter to be used in the events written to this file destination: tab, comma, vertical bar, space or any custom character. By default the delimiter is a tab character.

FileOutput1FileName

The path and location of the file the events are written to. 

Note: only events that were sent to at least one network destination will be written to the file destination.

FileOutput1Format

The format to write to the log file. Available formats are:
Snare (0), SYSLOG RFC3164 (1), SYSLOG Alt (2), CEF (3), LEEF (4), SYSLOG RFC5424 (5), SNARE V2 (6), SYSLOG JSON (7), DEVO (8), DEVO JSON (9).

NotifyMsgLimit

Set to either 0 or 1 to determine whether an EPS notification is sent to the server whenever the agent reaches the EPS RateLimit (1 means send, 0 means do not send).

NotifyMsgLimitFrequency

Determines how often the events-per-second notification is sent. The value is in minutes, and only one EPS notification message is sent to the server during that interval regardless of how many times the agent reaches the EPS limit.

RateLimit

Determines the upper limit for events per second (EPS) that the agent will send to server.

SyslogFacility

Represents the SYSLOG facility used for the SYSLOG formats.

SyslogTAGTerminator

Set to either 0 or 1 to determine whether a TAB is used as the SYSLOG (RFC3164) TAG terminator. The SYSLOG (RFC3164) IETF standard treats all alphanumeric characters as part of the TAG. It is strongly recommended to keep this set to 1; otherwise Destination#Delimiter is used as the TAG terminator.



[Config]

This section stores the general configuration values.

AgentLog

Sets the level of tracing sent by the agent. Values include [0-5], where Fatal (0), Error (1), Warning (2), Info (3), Debug (8), Trace (9).

Audit

Determines whether Snare is to automatically set the system audit configuration. Set this value to 0 for no, or 1 for Yes. Will default to TRUE (1) if not set. 

CachePath

This is the disk backup path where the agent will temporarily save all unsent events from its memory cache if the agent needs to restart. The agent will read and send the events on next start.

Checksum

Determines whether Snare includes an MD5 Checksum of the contents of each audit record, with the record in question. Set this value to 0 for no, or 1 for Yes. Will default to FALSE (0) if not set. Note that the checking application will need to strip the final delimiter, plus the MD5 Checksum, from the record before evaluating the record against the checksum.

Clientname

This is the hostname of the client; if no value has been set, the output of the "hostname" command is used. It must be no more than 100 characters, otherwise it will be truncated.

EventSourceIdText

Stores the Event Source Id text/value. If the value in EventSourceIdType is 1 (Free Text), then this text/value is included in each event.

EventSourceIdType

Stores the option for specifying the Event Source Id: 0 (NONE) or 1 (Free Text).

FileSize 

This is the maximum generated size of an output file receiving events. The file is rotated upon reaching this maximum.

HeartBeat

This value is the frequency with which a heartbeat is sent, set in minutes.

HeartBeatFileExport

This value determines whether heartbeats are logged to a file. 0 for no, or 1 for Yes.

HeartBeatOutputPath

This is the path where the heartbeat messages are exported to, if selected.

HostGUID

Set to the GUID of the specific network card.

HostIP

Set to the IP address of the specific network card.

TLS13Minimum

When disabled (0), Snare Agent supports TLS 1.2 and TLS 1.3 for web connections. When enabled (1), TLS 1.2 is explicitly disabled; browsers connecting to the agent website must support at least TLS 1.3 for SSL connections.

UpgradePath

The automatically generated path in which temporary upgrade files are stored.

UseHostIP

Set to either 0 or 1 to determine whether Snare should use the IP address (as set in HostIP) instead of the hostname in the events' header when sending events. Set this value to 0 for No, or 1 for Yes. Will default to FALSE (0) if not set.

UseUTC

Determines whether Snare should use UTC timestamps instead of the local system time when sending events. Set this value to 0 for no, or 1 for Yes. Will default to FALSE (0) if not set.



[Remote]

This section stores all the web user interface/remote control parameters.

AccessKeyAuth

Stores the actual password to be used, in encrypted format.

Allow

Set to either 0 or 1 to allow the web user interface to be available. If not set or out of bounds, it will default to 0/NO (i.e. the interface cannot be browsed to).

LockTime

Numeric value that determines the lock duration, in minutes, after the maximum number of failed login attempts has been reached.

MaxFailAttempt

Numeric value that determines the maximum number of failed login attempts accepted before the agent is locked for a duration (the duration is defined in LockTime).

Restrict

Set to either 0 or 1 to signal whether the remote users should be restricted via IP address or not. 0 = no restrictions.

RestrictIP

The IP address that is permitted to remotely control the agent.

WebPort

This value is the web server port, if it has been set to something other than port 6161. If not set or out of bounds, it will default to port 6161.





[Certificate]

This section stores the SSL/TLS certificate configuration values.

DestinationCertPreference

Set to either "ANY" or "STRICT", this value defines the required level of SSL/TLS certificate verification when connecting to a remote destination server. Note: SSL/TLS certificate verification is not relevant if UDP or TCP protocol is used to connect to the destination.

Accepted values are:
ANY - (Default) Require an SSL/TLS certificate to be presented, but accept the certificate even if the chain of trust cannot be authenticated, or the hostname does not match the presented certificate. This is useful for self-signed certificates.
STRICT - Require an SSL/TLS certificate to be presented, and have both a valid chain of trust and also a hostname matching the certificate. A hostname must be provided in the associated Destination#Host setting, as an IP address will not work.


DestinationCertPreferenceSAM

Set to either "ANY" or "STRICT", this value defines the required level of SSL/TLS certificate verification when connecting to a Snare Agent Manager server.

Accepted values are:
ANY - (Default) Require an SSL/TLS certificate to be presented, but accept the certificate even if the chain of trust cannot be authenticated, or the hostname does not match the presented certificate. This is useful for self-signed certificates.
STRICT - Require an SSL/TLS certificate to be presented, and have both a valid chain of trust and also a hostname matching the certificate. A hostname must be provided in the SAM1IP setting, as an IP address will not work.

WebCertID

The thumbprint of the certificate to be used for HTTPS web user interface interactions. 

By default, Snare Agent generates a self-signed certificate. Customers may replace it with a CA-signed certificate for improved security.



[SAM]

This section stores the Snare Agent Manager settings.

SAM1AuthKey

Key used by the agent to communicate with the Snare Agent Manager.

SAM1IP

The IP/hostname of where SAM is installed, that will communicate with the agent.

SAM1Port

The port number the agent uses to communicate with SAM (port 6262).



[State]

This section stores data managed internally by the Agent.

SAMCToken

Token provided by SAM to the agent.

AgentLocked

Set to either 0 or 1 to indicate whether the agent is locked due to reaching the maximum number of failed login attempts.

AgentLockEndTime

String used to store the time when the agent will return to normal after being locked due to reaching the maximum number of failed login attempts.

LoginAttempts

Numeric value used to track the number of consecutive failed login attempts.


[Objective]

This section stores all the filtering audit policies (formerly known as objectives) for filtering macOS audit events.

Objective# (where # is a serial no. starting with 1)

This section describes the format of the audit policies. For example:

"Objective1": "criticality=1,1,1,1,1,1,0,0,0,0\tevent=exec,execve\treturn=*\tuser=.*\tmatch=.*",

criticality: Format for this string is [0-4],[0-7],[0-7],[0-7],[0-10],[1-10],0,0,0,0. The first integer is between 0 and 4 and indicates the severity of the Snare format event: Critical = 4, Priority = 3, Warning = 2, Information = 1, Clear = 0. The next 3 values are the Syslog severities for RFC3164, RFC3164 Alt and RFC5424 respectively; the RFC3164 Alt and RFC5424 values are copied from the Syslog value and not used separately. Values 0-7 denote Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug. CEF is 0 - 10, where 0 is least severe and 10 is most severe. LEEF is 1 - 10, where 1 is least severe and 10 is most severe. The last 4 values 0,0,0,0 are reserved and not in use.

event: comma-separated list of macOS audit events to collect, or * for all
return: filter by event return value: success, failure, or * for any
user: regular expression for filtering by user. Use = to include matching event, or != to exclude it.
match: regular expression to search for in the content of an event. Use = to include matching event, or != to exclude it.
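As an added worked example (not code from this guide or the Snare agent), the following Python parses an objective in the format above, validates the ten criticality values against the ranges just given, and evaluates constructed audit records against it. It assumes the tab separators shown in the example and that the user and match expressions are searched for anywhere in their field.

```python
import re

# Ranges the guide gives for the ten criticality integers: Snare [0-4],
# three Syslog values [0-7], CEF [0-10], LEEF [1-10], four reserved zeros.
CRITICALITY_RANGES = [(0, 4), (0, 7), (0, 7), (0, 7), (0, 10), (1, 10),
                      (0, 0), (0, 0), (0, 0), (0, 0)]

# The objective string shown in the guide, plus one constructed here:
# failed execve calls by anyone except root, touching /usr/local/bin.
PAGE_OBJECTIVE = ("criticality=1,1,1,1,1,1,0,0,0,0\tevent=exec,execve"
                  "\treturn=*\tuser=.*\tmatch=.*")
CONSTRUCTED_OBJECTIVE = ("criticality=4,2,2,2,8,9,0,0,0,0\tevent=execve"
                         "\treturn=failure\tuser!=^root$\tmatch=/usr/local/bin")


def parse_objective(raw):
    """Split a tab-separated objective into fields and validate criticality.
    'user' and 'match' keep a negate flag so 'key!=' excludes matching events."""
    fields = {}
    for part in raw.split("\t"):
        key, _, value = part.partition("=")
        fields[key.rstrip("!")] = (key.endswith("!"), value)
    crit = [int(x) for x in fields["criticality"][1].split(",")]
    if len(crit) != 10:
        raise ValueError("criticality must have exactly ten integers")
    for value, (lo, hi) in zip(crit, CRITICALITY_RANGES):
        if not lo <= value <= hi:
            raise ValueError(f"criticality value {value} outside {lo}-{hi}")
    return {
        "criticality": crit,
        "event": fields["event"][1].split(","),   # '*' means every event
        "return": fields["return"][1],            # success, failure or *
        "user": fields["user"],                   # (negate, regex)
        "match": fields["match"],                 # (negate, regex)
    }


def _regex_field(negate_and_pattern, text):
    """'=' includes the event on a hit, '!=' excludes it on a hit.
    Assumption: the expression is searched for anywhere in the text."""
    negate, pattern = negate_and_pattern
    return (re.search(pattern, text) is not None) != negate


def objective_matches(obj, event):
    """event: dict with 'event', 'return', 'user' and 'content' keys
    (a constructed stand-in for one macOS audit record)."""
    if obj["event"] != ["*"] and event["event"] not in obj["event"]:
        return False
    if obj["return"] != "*" and obj["return"] != event["return"]:
        return False
    return (_regex_field(obj["user"], event["user"])
            and _regex_field(obj["match"], event["content"]))
```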



[Filter]

This section stores the Log Filter.

Filter# (where # is a serial number)

This section describes the format of the Filters applied to Log file monitors. For example:

"Filter1": "criticality=0,5,5,5,0,1,0,0,0,0match=\"*\"regex=0state=1uuid=7e90d723-219c-46a6-943e-55573532e05f"

criticality - ten comma-separated integer values ([0-4],[0-7],[0-7],[0-7],[0-10],[1-10],0,0,0,0) representing event criticality for different event formats. First integer is between 0 and 4 indicating the severity of the event in Snare format: 0 - Clear, 1 - Information, 2 - Warning, 3 - Priority, 4 - Critical. Next 3 values are Syslog for each of the RFC3164, RFC3164 Alt and RFC5424 formats. Syslog values RFC3164 Alt and RFC5424 are copied from Syslog and not used separately. Values 0-7 denote Emergency, Alert, Critical, Error, Warning, Notice, Info and Debug, respectively. CEF is 0 - 10, 0 is least severe and 10 is most severe. LEEF is 1 - 10, 1 is least severe and 10 is most severe. Last 4 values 0,0,0,0 are reserved and not in use.

match= - a string (if regex = 0) or a regular expression (if regex = 1) to match and INCLUDE. Events matching this filter will be collected. DOS wildcard characters ("*" and "?") can be used when regex = 0, for example: match="*"

match!= - a string (if regex = 0) or a regular expression (if regex = 1) to match and EXCLUDE. Events matching this filter will not be collected.

regex - integer indicating whether the match string is a regular expression: 0 - no; 1 - yes

state - an integer representing the state of the Filter configuration: 0 - Disabled; 1 - Enabled; 2 - Requiring Service Restart

uuid - a unique 16-byte identifier of this Filter. See the Log Filter Configuration page in this User Guide for more details.
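An added example, not from this guide or the agent, showing how a Filter entry's match=/match!= value is applied with regex=0 (DOS wildcards translated to an anchored expression) versus regex=1, run over a few constructed log lines. It assumes tab-separated fields, as in the Objective example, and that only an Enabled (state 1) filter is applied.

```python
import re

# The Filter string from the guide, with tab separators assumed between
# fields (the guide's Objective example uses tabs; the Filter example shows none).
PAGE_FILTER = ('criticality=0,5,5,5,0,1,0,0,0,0\tmatch="*"\tregex=0\tstate=1'
               '\tuuid=7e90d723-219c-46a6-943e-55573532e05f')

# Constructed sample log lines to run filters over.
SAMPLE_LINES = [
    "Mar  3 10:01:02 host sshd[412]: Accepted publickey for alice from 10.0.0.5",
    "Mar  3 10:01:09 host sshd[413]: Failed password for invalid user admin",
    "Mar  3 10:05:00 host CRON[500]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  3 10:06:11 host kernel: usb 1-1: new high-speed USB device",
]


def dos_wildcard_to_regex(pattern):
    """Translate a DOS-style pattern (* = any run, ? = one character) into an
    anchored regular expression; every other character is matched literally."""
    out = []
    for ch in pattern:
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return "^" + "".join(out) + "$"


def parse_filter(raw):
    """Parse the fields of one Filter entry. 'match!=' marks an EXCLUDE filter."""
    fields = {}
    for part in raw.split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value.strip('"')
    exclude = "match!" in fields
    return {
        "criticality": [int(x) for x in fields["criticality"].split(",")],
        "match": fields["match!" if exclude else "match"],
        "exclude": exclude,
        "regex": fields.get("regex", "0") == "1",
        "state": int(fields.get("state", "1")),
        "uuid": fields.get("uuid", ""),
    }


def filter_collects(flt, line):
    """True when this filter lets the line through. Assumption: only an
    Enabled filter (state 1) is applied; a Disabled one, or one still
    Requiring Service Restart, collects nothing."""
    if flt["state"] != 1:
        return False
    pattern = flt["match"] if flt["regex"] else dos_wildcard_to_regex(flt["match"])
    hit = re.search(pattern, line) is not None
    return hit != flt["exclude"]       # INCLUDE keeps hits, EXCLUDE drops them


def collected_lines(raw_filter, lines=SAMPLE_LINES):
    """Apply one Filter entry to a list of lines and return those collected."""
    flt = parse_filter(raw_filter)
    return [ln for ln in lines if filter_collects(flt, ln)]
```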



[Log]

This section stores the Log Monitors.

Log# (where # is a serial number)

This section describes the format of the log file monitors. For example:

"Log1": "logtype=0logval=\"\"linetype=1lineval=\"1\"watchtype=0watchval=\"1\"dirfilter=\"\/var\/log\"filefilter=\"syslog\"features=0state=1uuid=8b5678d1-abc2-467c-af05-5318b9d1c94d"

logtype - an integer representing the type of logs being collected: 0 - Generic log format (default); 1 - Apache web logs; 2 - Exchange message tracking logs pre 2007; 3 - Exchange message tracking logs 2007; 4 - Exchange message tracking logs 2010/2013; 5 - Microsoft IIS web server logs; 6 - Microsoft ISA firewall logs; 7 - Microsoft ISA web logs; 8 - Microsoft proxy server logs; 9 - Microsoft SMTP logs; 10 - Squid proxy logs; 11 - VMS Security Logs; 12 - Custom Event log; 13 - Microsoft DNS server logs; 14 - NCR ATM Journal Logs; 15 - DHCP Logs

logval - user-defined string that will be used as the log type in the event header if logtype = 12 - Custom Event Log.

linetype - an integer defining what comprises a single event: 0 - Single Line (every line in the monitored file is converted to a separate event); 1 - Fixed Number of Lines; 2 - Line separating events (a line specified in lineval acts as event separator)

lineval - if linetype = 1, a string representing the number of lines to be read as one event; if linetype = 2, this is the line that separates events, for example, "<end>".

watchtype - an integer indicating which files should be monitored in the given directory: 0 - All matching files; 1 - Last matching file (alphabetically); 2 - First matching file (alphabetically); 3 - Fixed number of first matching files; 4 - Fixed number of last matching files

watchval - if watchtype = 3 or 4, a string representing the number of first/last matching files, otherwise "1"

dirfilter - a string representing the fully qualified path to the desired log file or the directory containing the target log files

filefilter - a string representing the file name or file name pattern to monitor for new logs

features - an integer representing a bitmap of extra features, such as comments inclusion, date-based or regex-based file matching, etc. This value is set programmatically based on other selections.

state - an integer representing the state of the Log file monitor configuration. Disabled = 0, Enabled = 1, Requiring Service Restart = 2.

uuid - a unique 16-byte identifier of this Log file monitor. See the Log Configuration page in this User Guide for more details.
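An added example (not the guide's own code) of the linetype/lineval and watchtype/watchval semantics above: grouping raw lines into events, and choosing which files matching filefilter a monitor follows. The "pending" lines it returns are an assumption about how a trailing partial event is held back until more lines arrive.

```python
import fnmatch


def chunk_events(lines, linetype, lineval):
    """Group raw lines per the monitor's linetype. Returns (events, pending):
    events are complete; pending holds lines not yet forming an event (the
    file may still be growing), which this example holds back.
    0 - every line is an event; 1 - lineval is a fixed line count per event;
    2 - a line equal to lineval separates events."""
    if linetype == 0:
        return [[ln] for ln in lines], []
    events, current = [], []
    if linetype == 1:
        per_event = int(lineval)
        for ln in lines:
            current.append(ln)
            if len(current) == per_event:
                events.append(current)
                current = []
    elif linetype == 2:
        for ln in lines:
            if ln == lineval:
                if current:
                    events.append(current)
                current = []
            else:
                current.append(ln)
    else:
        raise ValueError(f"unknown linetype {linetype}")
    return events, current


def select_files(names, filefilter, watchtype, watchval):
    """Pick which files in a directory a monitor follows: filefilter is the
    file name pattern, watchtype/watchval follow the table above."""
    ordered = sorted(n for n in names if fnmatch.fnmatch(n, filefilter))
    if watchtype == 0:
        return ordered
    if watchtype == 1:
        return ordered[-1:]
    if watchtype == 2:
        return ordered[:1]
    count = int(watchval)
    if watchtype == 3:
        return ordered[:count]
    if watchtype == 4:
        return ordered[-count:] if count else []
    raise ValueError(f"unknown watchtype {watchtype}")
```

With the guide's Log1 settings (linetype=1, lineval="1", watchtype=0, filefilter "syslog") every line becomes one event and every file named syslog in /var/log is followed.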



[FIM]

This section stores the File Integrity Monitoring configuration values.

FIM#


(where # is a serial no. starting with 1)

This section describes the format of FIM configurations. This is composed of the following string:

type=[0|1],alg=[0|1],criticality=[0-4],[0-7],[0-7],[0-7],[0-10],[1-10],0,0,0,0,schedule=<CRON_FORMAT>,dirfilter=<DIR_PATH>,filefilter=<INCLUDE_FORMAT>,exclusions=<EXCLUDE_FORMAT>,features=<VALUE>,state=[0|1|2],uuid=<UUID>

type: integer 0 or 1, where 0 indicates File type and 1 indicates Registry type

alg: integer 0 or 1 indicating the algorithm used to hash the data. SHA256 = 0, SHA512 = 1

criticality: The first integer is between 0 and 4 and indicates the severity of the Snare format event: Critical = 4, Priority = 3, Warning = 2, Information = 1, Clear = 0. The next 3 values are the Syslog severities for RFC3164, RFC3164 Alt and RFC5424 respectively; the RFC3164 Alt and RFC5424 values are copied from the Syslog value and not used separately. Values 0-7 denote Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug. CEF is 0 - 10, where 0 is least severe and 10 is most severe. LEEF is 1 - 10, where 1 is least severe and 10 is most severe. The last 4 values 0,0,0,0 are reserved and not in use.

CRON_FORMAT: a string in CRON format indicating when the system is to scan. It can be of the form CRON(<min>, <hour>, <day_of_month>, <month>, <day_of_week>) or one of @hourly or @daily.

DIR_PATH: the full path of the directory from which to start scanning. A terminating path delimiter followed by a * denotes a recursive scan.

INCLUDE_FORMAT: the format of the files to include in the scan. The character * denotes the use of wildcards.

EXCLUDE_FORMAT: the format of the files to exclude from the scan. The * character denotes the use of wildcards.

features: an integer representing a bit-wise set of features.

state: an integer representing the state of FIM configuration. Disabled = 0, Enabled = 1, Requiring Service Restart = 2.

UUID: a string representation of a unique 16-byte value used to identify the configuration.
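As an added example, not code from this guide or the agent, this Python parses a FIM configuration string laid out as above (splitting only at commas that begin a new key, since the criticality value itself contains commas), hashes the covered files with the selected algorithm, and reports what changed between two scans of a constructed temporary directory. The uuid in the constructed string is a placeholder.

```python
import fnmatch, hashlib, os, re, tempfile

def parse_fim(raw):
    """Split 'key=value,...' where criticality itself holds commas: only a
    comma directly followed by 'key=' separates fields."""
    f = dict(p.split("=", 1) for p in re.split(r",(?=[A-Za-z_]+=)", raw))
    recursive = f["dirfilter"].endswith("/*")      # trailing "/*" = recurse
    return {"alg": "sha512" if f["alg"] == "1" else "sha256",
            "criticality": [int(x) for x in f["criticality"].split(",")],
            "dir": f["dirfilter"][:-2] if recursive else f["dirfilter"],
            "recursive": recursive, "include": f["filefilter"],
            "exclude": f.get("exclusions", ""), "state": int(f["state"])}

def scan(cfg):
    """Hash every file the entry covers; returns {relative path: hex digest}."""
    digests = {}
    for root, _dirs, files in os.walk(cfg["dir"]):
        for name in files:
            if fnmatch.fnmatch(name, cfg["include"]) and not (
                    cfg["exclude"] and fnmatch.fnmatch(name, cfg["exclude"])):
                path = os.path.join(root, name)
                with open(path, "rb") as fh:
                    digests[os.path.relpath(path, cfg["dir"])] = \
                        hashlib.new(cfg["alg"], fh.read()).hexdigest()
        if not cfg["recursive"]:
            break                                   # top directory only
    return digests

def diff_scans(baseline, current):
    """(added, removed, modified) relative paths between two scans."""
    return (sorted(set(current) - set(baseline)),
            sorted(set(baseline) - set(current)),
            sorted(p for p in baseline if p in current and baseline[p] != current[p]))

def demo():
    """Constructed scenario: baseline a temp directory, change it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "sub"))
        for rel, data in (("sshd_config", b"PermitRootLogin no\n"),
                          ("sub/pam.conf", b"auth required\n"),
                          ("notes.txt", b"excluded by *.txt\n")):
            with open(os.path.join(tmp, rel), "wb") as fh:
                fh.write(data)
        cfg = parse_fim("type=0,alg=0,criticality=4,2,2,2,8,9,0,0,0,0,"
                        "schedule=@hourly,dirfilter=" + tmp + "/*,filefilter=*,"
                        "exclusions=*.txt,features=0,state=1,"
                        "uuid=00000000-0000-0000-0000-000000000000")  # placeholder
        baseline = scan(cfg)
        with open(os.path.join(tmp, "sshd_config"), "ab") as fh:
            fh.write(b"PermitRootLogin yes\n")               # modified
        os.remove(os.path.join(tmp, "sub", "pam.conf"))      # removed
        with open(os.path.join(tmp, "sub", "dropped.so"), "wb") as fh:
            fh.write(b"\x7fELF")                              # added
        return diff_scans(baseline, scan(cfg))

if __name__ == "__main__":
    print(demo())
```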



[License]

This section stores the agent licenses.

License# (where # is a serial no. starting with 1)

This section stores the agent's licenses text, if the agent licenses are managed locally rather than via Snare Agent Manager (SAM).

"License1": "Product-Name=...",