[Network]
| This subkey section stores the general network configurations.
|
CacheSize
| Determines the desired count of events in the memory cache. i.e the number of events that Snare should keep if it can't reach at least one of the hosts.If this is set then CacheSizeM cannot be altered.
|
CacheSizeM
| Determines the size of the in memory cache. The value must be between 1 and 1024.If this is set then CacheSize cannot be altered.
|
CheckTime | Number of seconds the agent will internally reload its settings, drop and reestablish network connection. Minimum set time is 300 seconds (5 minutes), maximum is 3600 seconds (1 hour). |
Destination1Delimiter
| The delimiter to be used in the events written to this network destination, including, tab, comma, vertical bar, space and any custom character. By default the delimiter is a tab character.
|
Destination1Format | The format in which the events are sent to the destination:
Snare (0), SYSLOG RFC3164 (1), SYSLOG Alt (2), CEF (3) , LEEF (4), SYSLOG RFC5424 (5), SNARE V2 (6), SYSLOG JSON (7), DEVO (8), DEVO JSON (9).
|
Destination1Host | The IP or hostname of the destination server/SIEM.
|
Destination1mTLSCertID
| This value is of type REG_SZ and is the The ID of the client's SSL/TLS certificate. Client will present the certificate in mutual TLS communication to prove its identity to the server in communication. |
Destination1Port
| Determines the Destination Port number. This value must be in 1-65535 range. Will default to 514 if a SYSLOG header has been specified.
|
Destination1SocketType | Determines the protocol used (0 for UDP, 1 for TCP, 2 for TLS/SSL, 3 for TLS_AUTH, 4 for mTLS ). |
Destination1TLSAuthKey | This value is used when Destination1SocketType is 3 i.e. TLS_AUTH. |
FileOutput1Delimiter | The delimiter to be used in the events written to this file destination, including, tab, comma, vertical bar, space and any custom character. By default the delimiter is a tab character. |
FileOutput1FileName | The path and location of the file the events are sent to.
|
FileOutput1Format | The format to write to the log file. Available formats are:
Snare (0), SYSLOG RFC3164 (1), SYSLOG Alt (2), CEF (3) , LEEF (4), SYSLOG RFC5424 (5), SNARE V2 (6), SYSLOG JSON (7), DEVO (8), DEVO JSON (9). |
NotifyMsgLimit
| Having a value 0 or 1, and determines whether to send or not the EPS notification to server (1 means send and 0 means not to send) whenever agent reaches EPS RateLimit.
|
NotifyMsgLimitFrequency
| Determines the frequency of events per second notification. The value is treated in minutes and only one EPS notification message is sent to server regardless of how many times agent reaches EPS limit during these minutes.
|
RateLimit
| Determines the upper limit for events per second (EPS) that the agent will send to server.
|
SyslogFacility | Represents the SYSLOG facility for SYSLOG format |
SyslogTAGTerminator
| This value is of type REG_DWORD, having value of Set to either 0 or 1
, and determines to
determine whether to use TAB as SYSLOG (RFC3164) TAG Terminator. SYSLOG (RFC3164) IEFT standard allows all alphanumeric characters considered the part of TAG. It is strongly recommended to keep it as 1, else Destination#Delimiter will be used as TAG terminator.
|
|
|
[Config]
| This subkey section stores the general configuration values.
|
AgentLog
| Sets the level of tracing sent by the agent. Values include [0-5] where Fatal (0), Error (1), Warning (2), Info (3), Debug (8), Trace (9).
|
Audit
| Determines whether Snare is to automatically set the system audit configuration. Set this value to 0 for no, or 1 for Yes. Will default to TRUE (1) if not set. The audit configuration includes selecting the audit categories and the retention policy on ALL event log files.
|
CachePath
| This is the disk cache path where the agent will temporarily save all unsent events if the agent needs to restart. Agent will read and send the events on next start.
|
Checksum
| Determines whether Snare includes an MD5 Checksum of the contents of each audit record, with the record in question. Set this value to 0 for no, or 1 for Yes. Will default to FALSE (0) if not set. Note that the checking application will need to strip the final delimiter, plus the MD5 Checksum, from the record before evaluating the record against the checksum.
|
Clientname
| This is the Hostname of the client and if no value has been set, "hostname" command output will be displayed. Must be no more than 100 chars, otherwise will truncate.
|
EventSourceIdText
| Stores the Event Source Id text/value. If the value in EventSourceIdType is 1 (Free Text), then this text/value is included in each event.
|
EventSourceIdType | Stores the option related to specifying Event Source Id: 0(NONE) and 1(Free Text)
|
FileSize | This is the maximum generated size of an output file receiving events. The file is rotated upon reaching this maximum. |
HeartBeat
| This values is the frequency with which a heartbeat is sent, set in minutes.
|
HeartBeatFileExport | This value determines whether heartbeats are logged to a file. 0 for no, or 1 for Yes.
|
HeartBeatOutputPath
| This is the path where the heartbeat messages are exported to, if selected.
|
HostGUID
| Set to the GUID of the specific network card.
|
HostIP
| Set to the IP address of the specific network card.
|
TLS13Minimum
| When disabled (0), Snare Agent supports TLS 1.2 and TLS 1.3 for web connections. When enabled (1), TLS 1.2 is explicitly disabled; browsers connecting to the agent website must support at least TLS 1.3 for ssl connections.
|
UseHostIP
| ThisSet valueto iseither of0 typeor REG_DWORD1 andto determinesd etermine whether Snare should use IP address (as set in HostIP) instead of the hostname in the events' header when sending events. Set this value to 0 for No, or 1 for Yes. Will default to FALSE (0) if not set.
|
UseUTC
| Determines whether Snare should use UTC timestamps instead of the local system time when sending events. Set this value to 0 for no, or 1 for Yes. Will default to FALSE (0) if not set.
|
|
|
[Remote]
| This subkey section stores all the web user interface/remote control parameterssettings.
|
AccessKeyAuth
| Stores the actual password to be used, in encrypted format.
|
Allow
| Set to either 0 or 1 to allow the web user interface to be available. If not set or out of bounds, will default to 0/NO (i.e. not able to be browsed to).
|
LockTime | This value is of type REG_DWORD and is Numeric value used to determine the lock duration in minutes after maximum failed login attempts. |
MaxFailAttempt | This value is of type REG_DWORD and is used Numeric value used to determine the maximum number of failed login attempts that will be accepted before the agent will be locked for a duration (Duration is defined in LockTime). |
Restrict
| Set to either 0 or 1 to signal whether the remote users should be restricted via IP address or not. 0 = no restrictions.
|
RestrictIP
| The IP address that is used to remotely control the agent.
|
WebPort
| This value is the web server port, if it has been set to something other than port 6161. If not set or out of bounds, it will default to port 6161.
|
|
|
[
| SAM]StoresCertificate]
| This section stores SSL/TLS certificates configuration values.
|
DestinationCertPreference | Set to either "ANY" or "STRICT", this value defines the required level of SSL/TLS certificate verification when connecting to a remote destination server. Note: SSL/TLS certificate verification is not relevant if UDP or TCP protocol is used to connect to the destination.
Accepted values are: ANY - (Default) Require an SSL/TLS certificate to be presented, but accept the certificate even if the chain of trust cannot be authenticated, or the hostname does not match the presented certificate. This is useful for self-signed certificates. STRICT - Require an SSL/TLS certificate to be presented, and have both a valid chain of trust and also a hostname matching the certificate. A hostname must be provided in the associated Destination#Host setting , as an IP address will not work. |
DestinationCertPreferenceSAM | Set to either "ANY" or "STRICT", this value defines the required level of SSL/TLS certificate verification when connecting to a Snare Agent Manager server. Accepted values are: ANY - (Default) Require an SSL/TLS certificate to be presented, but accept the certificate even if the chain of trust cannot be authenticated, or the hostname does not match the presented certificate. This is useful for self-signed certificates. STRICT - Require an SSL/TLS certificate to be presented, and have both a valid chain of trust and also a hostname matching the certificate. A hostname must be provided in the SAM1IP setting, as an IP address will not work. |
WebCertID | The thumbprint of the certificate to be used for HTTPS web user interface interactions. By default, Snare Agent generates a self-signed certificate. Customer is welcome to replace it with a CA-signed certificate for improved security. |
|
|
[SAM]
| This section s tores the Snare Agent Manager connection settings
|
SAM1AuthKey
| Key used by the agent to communicate with the Snare Agent Manager.
|
SAM1IP
| The IP/hostname of where SAM is installed, that will communicate with the agent.
|
SAM1Port
| The port number the agent uses to communicate with SAM, port 6262.
|
|
|
[State]
| This section stores data managed internally by the Agent. |
SAMCToken
| Token provided by SAM to the agent.
|
AgentLocked | This value is of type REG_DWORD and is set Set to either 0 or 1 to indicate whether the agent is locked or not due to reaching maximum failed login attempts. |
AgentLockEndTime | This is of type REG_SZ and is String used to store the time when the agent will be back to normal after it has been locked due to reaching maximum failed login attempts. |
LoginAttempts | This value is of type REG_DWORD and is Numeric value used to determine the number of consecutive failed login attempts. |
|
|
[Linux] | This section stores Linux audit sub-system management settings |
AuditBufferSize
| Adjustment of audit buffers is required to avoid causing a too heavy audit load on your system. If the buffers are full then events will not be queued. Default set to 360.
|
AuditCollect | Determines whether Snare is to automatically set the system auditd configuration. Set this value to 0 for no, or 1 for Yes. Will default to TRUE (1) if not set. The auditd configuration will be modified to have dispatcher set to the agent executable regardless of this setting in order for auditd to still launch the agent. |
|
|
[Objective]
| This subkey section stores all the filtering audit policies.
|
Objective#
(where # is a serial no.) | This section describes the format of the audit policies (formerly known as Objectives).
For example: "Objective1": "criticality=1,1,1,1,1,1,0,0,0,0\tmatch=\"\"\tevent=execve,fork,exit,kill,tkill,tgkill",
|
|
|
[Watch]
| This subkey section stores the file watches.
|
Watch#
(where # is a serial no.)
| This section describes the format of the watches.
For example: "Watch1": "criticality=2,2,2,2,2,2,0,0,0,0\tmatch=\"\"\tpath=\/etc\tperms=wa"
|
|
|
[Filter]
| This subkey section stores the Log Filter.
|
Filter# (where # is a serial number)
| This section describes the format of the Filters applied to Log file monitors.
For example: "Filter1": "criticality=0,5,5,5,0,1,0,0,0,0match=\"*\"regex=0state=1uuid=7e90d723-219c-46a6-943e-55573532e05f"
criticality - ten comma-separated integer values ([0-4],[0-7],[0-7],[0-7],[0-10],[1-10],0,0,0,0) representing event criticality for different event formats. First integer is between 0 and 4 indicating the severity of the event in Snare format: 0 - Clear , 1 - Information, 2 - Warning, 3 - Priority, 4 - Critical. Next 3 values are Syslog for each RFC3164, RFC3164 Alt and RFC5424 formats. Syslog values RFC3164 Alt and RFC5424 are copied from Syslog and not used separately. Values 0-7 denote Emergency, Alert, Critical, Error, Warning, Notice, Info and Debug, respectively. CEF is 0 - 10, 0 is least severe and 10 is most severe. LEEF is 1 - 10, 1 is least severe and 10 is most severe. Last 4 values 0,0,0,0 are reserved and not in use.
match= - a string (if regex = 0) or a regular expression (if regex = 1) to match and INCLUDE. Events matching this filter will be collected. DOS wildcard characters ("*" and "?") can be used when regex = 0, for example: match="*"
or
match!= - a string (if regex = 0) or a regular expression (if regex = 1) to match and EXCLUDE. Events matching this filter will not be collected.
regex - integer indicating whether the match string is a regular expression: 0 - no; 1 - yes
state - an integer representing the state of Filter configuration: 0 - Disabled; 1 - Enabled; 2 - Requiring Service Restart
uuid - a unique 16-byte identifier of this Filter.
See Log Filter Configuration page in this User Guide for more details.
|
|
|
[Log]
| This subkey section stores the Log Monitors.
|
Log# (where # is a serial number)
| This section describes the format of the log file monitors.
For example:
"Log1": "logtype=0logval=\"\"linetype=1lineval=\"1\"watchtype=0watchval=\"1\"dirfilter=\"\/var\/log\"filefilter=\"*.log\"features=0state=1uuid=8b5678d1-abc2-467c-af05-5318b9d1c94d"
Note: ( '\' is an escape character meaning that the next character is interpreted literally, as part of string.
logtype - an integer representing the type of logs being collected: 0 - Generic log format(default); 1 - Apache web logs; 2 - Exchange message tracking logs pre 2007; 3 - Exchange message tracking logs 2007; 4 - Exchange message tracking logs 2010/2013; 5 - Microsoft IIS web server logs; 6 - Microsoft ISA firewall logs; 7 - Microsoft ISA web logs; 8 - Microsoft proxy server logs; 9 - Microsoft SMTP logs; 10 - Squid proxy logs; 11 - VMS Security Logs; 12 - Custom Event log; 13 - Microsoft DNS server logs; 14 - NCR ATM Journal Logs; 15 - DHCP Logs
logval - user-defined string that will be used as a log type in the event header if the logtype = 12 - Custom Event Log.
linetype - an integer defining what comprises a single event: 0 - Single Line (every line in the monitored file is converted to a separate event); 1 - Fixed Number of Lines; 2 - Line separating events (a line specified in lineval acts as event separator)
lineval - if linetype = 1, a string representing the number of lines to be read as one event; if linetype = 2, this is the line that separates events, for example, "<end>".
watchtype - an integer indicating which files should be monitored in the given directory: 0 - All matching files; 1 - Last matching file (alphabetically); 2 - First matching file (alphabetically); 3 - Fixed number of first matching files; 4 - Fixed number of last matching files
watchval - if watchtype = 3 or 4, a string representing the number of first/last matching files, otherwise "1"
dirfilter - a string representing fully qualified path to the desired log file or the directory containing the target log files
filefilter - a string representing the file name or file name pattern to monitor for new logs
features - an integer representing a bitmap of extra features, such as comments inclusion, date-based or regex-based file matching, etc. This value is set programmatically based on other selections.
state - an integer representing the state of Log file monitor configuration. Disabled = 0, Enabled = 1, Requiring Service Restart = 2.
uuid - a unique 16-byte identifier of this Log file monitor.
See Log Configuration page in this User Guide for more details. |
|
|
[FIM]
| This subkey section stores the file integrity monitoring File Integrity Monitoring configuration values.
|
FIM# (where # is a serial no.)
| This section describes the format of FIM configurations. This is composed of the following string:
type=[0|1],alg=[0|1],criticality=[0-4],[0-7],[0-7],
[0-7],[0-10],[1-10],0,0,0,0,
schedule=<CRON_FORMAT>,dirfilter=<DIR_PATH>,filefilter=<INCLUDE_FORMAT>,exclusions=<EXCLUDE_FORMAT>,features=<VALUE>,state=[0|1|2},uuid=<UUID>
type: integer 0 or 1 where 0 indicates File type and 1 indicates Registry type
alg: integer 0 or 1 and indicates the algorithm used to hash the data. SHA256 = 0, SHA512 = 1
criticality: integer between 0 and 4 that indicates the severity of the event. Critical = 4, Priority = 3, Warning = 2, Information = 1, Clear = 0. Next 3 values are Syslog for each RFC3164, RFC3164 Alt and RFC5424. Syslog values RFC3164 Alt and RFC5424 are copied from Syslog and not used separately. Values 0-7 denote Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug. CEF is 0 - 10, 0 is least severe and 10 is most severe. LEEF is 1 - 10, 1 is least severe and 10 is most severe. Last 4 values 0,0,0,0 are reserved are reserved and not in use.
CRON_FORMAT: a string in the CRON format to indicate when the system is to scan. Can be of the form CRON(<min>, <hour>, <day_of_month>, <month>, <day_of_week>) or of one of @hourly or @daily.
DIR_PATH: the full path of the directory from which to start scanning. A terminating path delimiter followed by a * denotes a recursive scan.
INCLUDE_FORMAT: the format of the files to include in the scan. The character * denotes the use of wildcards.
EXCLUDE_FORMAT: the format of the files to exclude from the scan. The * character denotes the use of wildcards.
features: an integer representing a bit-wise set of features.
state: an integer representing the state of FIM configuration. Disabled = 0, Enabled = 1, Requiring Service Restart = 2.
UUID: a string representation of a unique 16-byte value used to identify the configuration.
|