[Certificate]
| This subkey stores SSL/TLS certificates configuration values.
|
DestinationCertPreference | This value is of type REG_SZ, and defines the required level of SSL/TLS certificate verification when connecting to a remote destination server. Note: SSL/TLS certificate verification is not relevant if UDP or TCP protocols are used to connect to the destination. Accepted values are: ANY - (Default) Require an SSL/TLS certificate to be presented, but accept the certificate even if the chain of trust cannot be authenticated, or the hostname does not match the presented certificate. This is useful for self-signed certificates. STRICT - Require an SSL/TLS certificate to be presented, and have both a valid chain of trust and also a hostname matching the certificate. A hostname must be provided in the associated Destination#Host setting , as an IP address will not work. |
DestinationCertPreferenceSAM | This value is of type REG_SZ, and defines the required level of SSL/TLS certificate verification when connecting to a Snare Agent Manager server. Accepted values are: ANY - (Default) Require an SSL/TLS certificate to be presented, but accept the certificate even if the chain of trust cannot be authenticated, or the hostname does not match the presented certificate. This is useful for self-signed certificates. STRICT - Require an SSL/TLS certificate to be presented, and have both a valid chain of trust and also a hostname matching the certificate. A hostname must be provided in the SAM1IP setting, as an IP address will not work. |
WebCertID | The thumbprint of the certificate to be used for HTTPS web user interface interactions. By default, Snare Agent generates a self-signed certificate. Customer is welcome to replace it with a CA-signed certificate for improved security. |
|
|
[Config]
| This subkey stores the general configuration values.
|
AdvancedAudit
| This value is of type REG_DWORD, and determines whether Snare is using advanced audit policy or not. Set this value to 1 for using advanced audit policy, or 0 for using basic audit policy.
|
AgentLog
| This value is of type REG_DWORD and sets the level of tracing sent by the agent. Values include [0-5] where Fatal (0), Error (1), Warning (2), Info (3), Debug (8), Trace (9).
|
Audit
| This value is of type REG_DWORD, and determines whether Snare is to automatically set the system audit configuration. Set this value to 0 for no, or 1 for Yes. Will default to TRUE (1) if not set. The audit configuration includes selecting the audit categories and the retention policy on ALL event log files.
|
AuditAll | This value is of type REG_DWORD, and determines whether Snare is to automatically set the system audit configuration for 'Any Event' audit policy. Set this value to 0 for no, or 1 for Yes. Will default to FALSE (0) if not set. The audit configuration includes selecting the all audit categories i.e. System Audit, Logon Audit, ObjectAccess Audit, PrivilegeUse Audit, DetailedTracking Audit, PolicyChange Audit, AccountManagement Audit, DirectoryServiceAccess Audit and AccountLogon Audit). Enable this option *only* when when you know what you are doing. This registry key is ignored if 'Audit' is not set. |
CachePath
| This is the disk cache path where the agent will temporarily save all unsent events if the agent needs to restart. Agent will read and send the events on next start.
|
Checksum
| This value is of type REG_DWORD, and determines whether Snare includes an MD5 Checksum of the contents of each audit record, with the record in question. Set this value to 0 for no, or 1 for Yes. Will default to FALSE (0) if not set. Note that the checking application will need to strip the final delimiter, plus the MD5 Checksum, from the record before evaluating the record against the checksum.
|
ClearTabs | If set to 1 then all tab characters '\t' in the event string will be removed. |
Clientname
| This is the Hostname of the client and is of type REG_SZ. If no value has been set, "hostname" command output will be displayed. Must be no more than 100 chars, otherwise will truncate.
|
CritAudit
| This value is of type REG_DWORD, and determines whether Snare will only send an event for the highest criticality match
| Delimiter
| This is of type REG_SZ and stores the field delimiting character, ONLY if the destination format SYSLOG has been selected. If more than one char, only first char will be used. If none set, then TAB will be used. This is a HIDDEN field, and only available to those users that wish to set a different delimiter when using the SYSLOG header. This selection option will not be found in the Snare front end or the web pages. event for the highest criticality match
|
EnableUSB
| This value is of type REG_DWORD, and determines whether Snare should actively capture USB auditing events (XP/Vista/Windows7/10/11/2003/2008/2012/2016/2019/2022). Set this value to 0 for no, or 1 for Yes. Will default to FALSE (0) if not set. To collect file based events on removable media it requires that advanced audit policies are set either at the GPO/Local Policy level to audit Object Access\Audit Removable Storage or if Advanced auditing is enabled in the agent as the default objective policy 15 will capture the relevant eventids but will need the additional removable media object access to be added to the list.
|
EpilogImport | This value is of type REG_DWORD, and determines whether Snare should import Logs and Filters settings from the Snare Epilog Agent (if installed in the same machine). Set this value to 0 for No, or 1 for Yes. Will default to False (0) if not set. |
EpilogImportComplete | This value is of type REG_DWORD, and stores the status of whether Snare has imported the Logs and Filters settings from the Snare Epilog agent (if installed in the same machine). This value is set programmatically and should not be edited manually. |
EventSourceId
| This is of type REG_SZ and stores the Windows Registry path from where to read the Event Source Id text/value. If the value in EventSourceIdType is 2 (Registry Path), then the text/value in the registry, specified by the path, is included in each event.
|
EventSourceIdText
| This is of type REG_SZ and directly stores the Event Source Id text/value. If the value in EventSourceIdType is 1 (Free Text), then this text/value is included in each event.
|
EventSourceIdType
| This is of type REG_DWORD and stores the option related to specifying Event Source Id: 0(NONE), 1(Free Text), 2(Registry Path)
|
FileAudit
| This value is of type REG_DWORD, and determines whether Snare is to automatically set the file system audit configuration. Set this value to 0 for no, or 1 for Yes. Will default to FALSE (0) if not set.
|
FileSize | This is the maximum generated size of an output file receiving events. The file is rotated upon reaching this maximum.is the maximum generated size of an output file receiving events. The file is rotated upon reaching this maximum. |
HeartBeat
| This values is the frequency with which a heartbeat is sent, set in minutes. |
HeartBeatFileExport | This value determines whether heartbeats are logged to a file. Set this value to 0 for no, or 1 for Yes. |
HeartBeatOutputPath
| This is the path where the heartbeat messages are exported to, if selected. |
HostGUID
| This value is of type REG_SZ. Set to the GUID of the specific network card.
|
HostIP
| This value is of type REG_SZ . Set to the IP address of the specific network card.
|
IISLogFlush | This value is of type REG_DWORD. Enabling this setting will allow IIS to immediately flush all log messages, allowing Windows Agent to get them. |
LeaveRetention
| This value is of type REG_DWORD and determines whether Snare should leave the existing Log Retention settings as they are on each event log. Set this value to 0 for no, or 1 for Yes. Will default to FALSE (0) if not set.
|
TLS13Minimum
| This value is of type REG_DWORD. When disabled (0), Snare Agent supports TLS 1.2 and TLS 1.3 for web connections. When enabled (1), TLS 1.2 is explicitly disabled; browsers connecting to the agent website must support at least TLS 1.3 for ssl connections. |
UpgradePath
| This value is of type REG_SZ. The automatically generated path in which temporary upgrade files are stored.
|
UseHostIP
| If checkbox set it resolves the machinesThis value is of type REG_DWORD and determines whether Snare should use IP address from(as theset firstin wiredHostIP) adapter.instead Itof willthe nothostname resolvein wirelessthe IP's at presentevents' header when sending events. Set this value to 0 for noNo, or 1 for Yes. Will default to FALSE (0) if not set.
|
UseUTC
| This value is of type REG_DWORD and determines whether Snare should use UTC timestamps instead of the local system time when sending events. Set this value to 0 for no, or 1 for Yes. Will default to FALSE (0) if not set.
|
|
|
[FIM]
| This subkey stores the file integrity monitoring configuration values.
|
FIM# (where # is a serial number)
| This section describes the format of FIM configurations. This value is of type REG_SZ , of no greater than 1060 chars and is composed of the following string:
type=[0|1],alg=[0|1],criticality=[0-4],[0-7],[0-7],
[0-7],[0-10],[1-10],0,0,0,0
,schedule=<CRON_FORMAT>,dirfilter=<DIR_PATH>,filefilter=<INCLUDE_FORMAT>,exclusions=<EXCLUDE_FORMAT>,features=DWORD,state=[0|1|2},uuid=<UUID>
type: integer 0 or 1 where 0 indicates File type and 1 indicates Registry type
alg: integer 0 or 1 and indicates the algorithm used to hash the data. SHA256 = 0, SHA512 = 1
criticality: integer between 0 and 4 that indicates the severity of the event. Critical = 4, Priority = 3, Warning = 2, Information = 1, Clear = 0. Next Next 3 values are Syslog for each RFC3164, RFC3164 Alt and RFC5424. Syslog values RFC3164 Alt and RFC5424 are copied from Syslog and not used separately. Values 0-7 denote Emergencydenote Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug. CEF is 0 is 0 - 10, 0 is least severe and 10 is most severe. LEEF is 1 is 1 - 10, 1 is least severe and 10 is most severe. Last 4 values 0,0,0,0 are reserved and not in use
CRON_FORMAT: a string in the CRON format to indicate when the system is to scan.
Can be of the form CRON(<min>, <hour>, <day_of_month>, <month>, <day_of_week>) or of one of @hourly or @daily.
DIR_PATH: the full path of the directory from which to start scanning. A terminating path delimiter followed by a * denotes a recursive scan.
INCLUDE_FORMAT: the format of the files to include in the scan. The character * denotes the use of wildcards.
EXCLUDE_FORMAT: the format of the files to exclude from the scan. The * character denotes the use of wildcards.
features: an integer representing a bit-wise set of features.
state: an integer representing the state of FIM configuration. Disabled = 0, Enabled = 1, Requiring Service Restart = 2.
UUID: a string representation of a unique 16-byte value used to identify the configuration.
|
|
|
[FAM] | This subkey stores the file/folder activity monitoring configuration values. |
FAM# (where # is a serial number)
| This section describes the format of FAM configurations. This value is of type REG_SZ, of no greater than 1060 chars and is composed of the following string:
Folder c:\test Success FAM_CONTAINER_INHERIT_ACE|FAM_OBJECT_INHERIT_ACE FAM_GENERIC_ALL=1 Include * Include * 0 Include * 4,4,4,4,0,1,0,0,0,0
<AUDIT POLICY/OBJECT TYPE>: FILE | FOLDER
<AUDIT POLICY OBJECT>: File/Folder path
<EVENT TYPE>: SUCCESS | FAIL | BOTH
<AUDIT POLICY INHERIT SCOPE>: One or more of inherit values i.e. CONTAINER_INHERIT_ACE,INHERIT_ONLY_ACE,INHERITED_ACE,NO_PROPAGATE_INHERIT_ACE,OBJECT_INHERIT_ACE
<AUDIT POLICY PERMISSIONS>: Selected policy permissions i.e. ACCESS_SYSTEM_SECURITY={1,0},MAXIMUM_ALLOWED={1,0},GENERIC_ALL={1,0},GENERIC_EXECUTE={1,0},GENERIC_WRITE={1,0},GENERIC_READ={1,0},DELETE_ACCESS={1,0},READ_CONTROL={1,0},WRITE_DAC={1,0},WRITE_OWNER={1,0},SYNCHRONIZE_ACCESS={1,0}
<EVENT ID SEARCH TYPE>: INCLUDE | EXCLUDE
<EVENT ID SEARCH VALUES>: Comma separated numeric values
<GENERAL SEARCH TERM TYPE>: INCLUDE | EXCLUDE
<GENERAL SEARCH VALUES>: TEXT | WILDCARD FORMAT | REGEX FORMAT
<IS REGEX SEARCH>: 1 | 0
<USER SEARCH TYPE>: INCLUDE | EXCLUDE
<USER SEARCH VALUES>: Comma separated wildcard valuesseparated string values. MS-DOS wildcard characters ("*" and "?") are allowed.
<CRITICALITIES>: Comma separated criticalities values
|
|
|
[RIM] | This subkey stores the registry integrity monitoring configuration values. |
RIM# (where # is a serial number)
| This section describes the format of RIM configurations. This value is of type REG_SZ, of no greater than 1060 chars and is composed of the following string:
type=[0|1],alg=[0|1],criticality=[0-4],[0-7],[0-7],[0-7],[0-10],[1-10],0,0,0,0,schedule=<CRON_FORMAT>,regrootkey=<ROOT_KEY>,pathfilter=<REG_PATH>,inclusions=<INCLUDE_FORMAT>,exclusions=<EXCLUDE_FORMAT>,features=DWORD,state=[0|1|2},uuid=<UUID>
type: integer 0 or 1 where 0 indicates File type and 1 indicates Registry type
alg: integer 0 or 1 and indicates the algorithm used to hash the data. SHA256 = 0, SHA512 = 1
criticality: First integer is between 0 and 4 that indicates the severity of the event in Snare format as Critical = 4, Priority = 3, Warning = 2, Information = 1, Clear = 0. Next Next 3 values are Syslog for each RFC3164, RFC3164 Alt and RFC5424. Syslog values RFC3164 Alt and RFC5424 are copied from Syslog and not used separately. Values 0-7 denote Emergencydenote Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug. CEF is 0 is 0 - 10, 0 is least severe and 10 is most severe. LEEF is 1 is 1 - 10, 1 is least severe and 10 is most severe. Last 4 values 0,0,0,0 are reserved and not in use
CRON_FORMAT: a string in the CRON format to indicate when the system is to scan.
Can be of the form CRON(<min>, <hour>, <day_of_month>, <month>, <day_of_week>) or of one of @hourly or @daily.
ROOT_KEY: a string representation of the windows registry root key from which to start scanning.
REG_PATH: a registry path to the key or value to scan. The character * denotes the use of wildcards.
INCLUDE_FORMAT: the format of the registry values to include in the scan. The character * denotes the use of wildcards.
EXCLUDE_FORMAT: the format of the registry to exclude from the scan. The * character denotes the use of wildcards.
features: an integer representing a bit-wise set of features.
state: an integer representing the state of RIM configuration. Disabled = 0, Enabled = 1, Requiring Service Restart = 2.
UUID: a string representation of a unique 16-byte value used to identify the configuration. |
|
|
[RAM] | This subkey stores the registry activity monitoring configuration values. |
RAM# (where # is a serial number)
| This section describes the format of RAM configurations. This value is of type REG_SZ , of no greater than 1060 chars and is composed of the following string:
Registry MACHINE\SOFTWARE\InterSect Alliance\Epilog Both RAM_CONTAINER_INHERIT_ACE RAM_GENERIC_ALL=1 Include * Include * 0 Include * 2,4,4,4,0,1,0,0,0,0 <AUDIT POLICY/OBJECT TYPE>: REGISTRY
<AUDIT POLICY OBJECT>: Registry path
<EVENT TYPE>: SUCCESS | FAIL | BOTH
<AUDIT POLICY INHERIT SCOPE>: Always CONTAINER_INHERIT_ACE
<AUDIT POLICY PERMISSIONS>: Selected policy permissions i.e. ACCESS_SYSTEM_SECURITY={1,0},MAXIMUM_ALLOWED={1,0},GENERIC_ALL={1,0},GENERIC_EXECUTE={1,0},GENERIC_WRITE={1,0},GENERIC_READ={1,0},DELETE_ACCESS={1,0},READ_CONTROL={1,0},WRITE_DAC={1,0},WRITE_OWNER={1,0},SYNCHRONIZE_ACCESS={1,0} <EVENT ID SEARCH TYPE>: INCLUDE | EXCLUDE <EVENT ID SEARCH VALUES>: Comma separated numeric values <GENERAL SEARCH TERM TYPE>: INCLUDE | EXCLUDE <GENERAL SEARCH VALUES>: TEXT | WILDCARD FORMAT | REGEX FORMAT <IS REGEX SEARCH>: 1 | 0 <USER SEARCH TYPE>: INCLUDE | EXCLUDE <USER SEARCH VALUES>: Comma separated wildcard values <CRITICALITIES>: Comma separated criticalities values |
[AdvObjective]
| This subkey stores all the filtering advanced audit policies.
|
AdvObjective#
(where # is a serial number)
| This section describes the format of the advanced audit policies (formerly
known as Objectives). Audit Policies are of type REG_SZ and composed of the following JSON format.
Registry Value:
{
"events": [],1,0}
<EVENT ID SEARCH TYPE>: INCLUDE | EXCLUDE
<EVENT ID SEARCH VALUES>: Comma separated numeric values
<GENERAL SEARCH TERM TYPE>: INCLUDE | EXCLUDE
<GENERAL SEARCH VALUES>: TEXT | WILDCARD FORMAT | REGEX FORMAT
<IS REGEX SEARCH>: 1 | 0
<USER SEARCH TYPE>: INCLUDE | EXCLUDE
<USER SEARCH VALUES>: Comma separated wildcard values
<CRITICALITIES>: Comma separated criticalities values |
|
|
[AdvObjective]
| This subkey stores all the filtering advanced audit policies.
|
AdvObjective#
(where # is a serial number)
| This section describes the format of the advanced audit policies (formerly known as Objectives). Audit Policies are of type REG_SZ and composed of the following JSON format.
Registry Value:
{
"events": [], // all selected high level events / sub-categories in audit policy
"event_id_match": {
"exclude": "0", // 0 for include
"data": [] //all given event ids
},
"general_match": {
"exclude": "0", // 0 for include
"data": "***" // (*) at start and end of the string
},
"general_match_regex": "0/1",
"user_match": {
"exclude": "0-1", // 0 for include
"data": [] // all selected high level events / sub-categories in audit policy"event_id_all given user
},
"source_match": {
"exclude": "0-1", // 0 for include
"data": [] //all given event idssources
},
" generalevent_ matchtype": {
" excludeActivityTracing": "0/1", // 0 for include "data": "***" // (*) at start and end of the string },"general_match_regex
"Critical": "0/1",
"Error": "0/1",
"FailureAudit": "0/1",
"Information": "0/1",
"SuccessAudit": "0/1",
"Verbose": "0/1",
"Warning": "0/1"
},
" userlog_ matchtype": {
" excludeApplication": "0 -/1", // 0 for include
" dataCustomEventLog": [] //all given user }"0/1",
" source_matchDFSReplication": {
" exclude": "0 -/1", // 0 for include
" dataDNSServer": [] //all given sources }"0/1",
" event_typeDirectoryService": {"0/1",
" ActivityTracingLegacyFRS": "0/1",
" CriticalSecurity": "0/1",
" ErrorSystem": "0/1"
},
" FailureAuditcriticality": {
"snare_alert_level": "0-4",
"syslog3164_alert_level": "0 /1-7",
" InformationsyslogAlt_alert_level": "0 /1-7",
" SuccessAuditsyslog5424_alert_level": "0 /1-7",
" Verbosecef_alert_level": "0 /1-10",
" Warningleef_alert_level": "0 /1-10" },
" log_typereserve1": {"0",
" Applicationreserve2": "0 /1",
" CustomEventLogreserve3": "0 /1",
" DFSReplicationreserve4": "0 /1", "DNSServer": "0/1", "DirectoryService": "0/1", "LegacyFRS": "0/1", "Security": "0/1", "System": "0/1" },"criticality": { "snare_alert_level": "0-4", "syslog3164_alert_level": "0-7", "syslogAlt_alert_level": "0-7", "syslog5424_alert_level": "0-7", "cef_alert_level": "0-10", "leef_alert_level": "0-10", "reserve1": "0", "reserve2": "0", "reserve3": "0", "reserve4": "0" } }
Criticality- Critical = 4, Priority = 3, Warning = 2, Information = 1, Clear = 0. Next 3 values are Syslog for each RFC3164, RFC3164 Alt and RFC5424. Syslog values RFC3164 Alt and RFC5424 are copied from Syslog and not used separately. Values 0-7 denote Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug. CEF is 0 - 10, 0 is least severe and 10 is most severe. LEEF is 1 - 10, 1 is least severe and 10 is most severe. Last 4 values 0,0,0,0 are reserved and not in use.
EventID Match Type (event_id_match.exclude): = 0 (Include events that match the event id; = 1 for Exclude)
General Match Type (general_match.exclude): = 0 (Include events that match general search term in the event; = 1 for Exclude)
User Match Type (user_match.exclude): = 0 (Include events that match user search term; = 1 for Exclude)
Source Match Type (source_match.exclude): = 0 (Include events that match source search term; = 1 for Exclude)
Event Type: The different event types are mentioned and those values are checkboxes where checked = 1.
Event Log Type: The different log types are mentioned and those values are checkboxes where checked = 1.
The match terms (event_id_match.data, general_match.data, user_match.data and source_match.data) are the filter expressions and are defined to be any value (except TAB) which includes DOS wildcard characters. Note that these are NOT regular expressions with the exception of the General Match term. This has the option of interpreting the search string as a Perl Compatible Regular Expression by selecting the checkbox (Regular expression) next to it. If it is not selected, the default simple search is used. NOTE: Semicolons are actually "TAB" characters.
|
[Objective]
| This subkey stores all the filtering audit policies.
|
Objective#
(where # is a serial number)
| This section describes the format of the audit policies (formerly
known as Objectives). Audit Policies are of type REG_SZ, of no greater than 1060 chars, and is composed of the following string (the figures in the brackets represent the maximum size of the strings that can be entered):
Criticality(DWORD);Event Type(DWORD);Event Log Type(DWORD);EventID Match[256];General Match[512];UserMatchType(DWORD);User Match[256];EventIDMatchType(DWORD);GeneralMatchType(DWORD); SourceName Match[256];SourceNameMatchType(DWORD);TruncateList[2048];
Criticality- It consists of a string with 10 values [0-4],[0-7],[0-7],
[0-7],[0-10],[1-10],0,0,0,0. First i
nteger between 0 and 4 that indicates the severity of the event. Critical = 4, Priority = 3, Warning = 2, Information = 1, Clear = 0. Next 3 values are Syslog for each RFC3164, RFC3164 Alt and RFC5424. Syslog values RFC3164 Alt and RFC5424 are copied from Syslog and not used separately. Values 0-7 denote Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug. CEF is 0 - 10, 0 is least severe and 10 is most severe. LEEF is 1 - 10, 1 is least severe and 10 is most severe. Last 4 values 0,0,0,0 are reserved and not in use
User Match Type: =0 (Include users that match user search term type; =1 for Exclude)
EventID Match Type: =0 (Include events that match the entire audit policy; =1 for Exclude)
Event Type: Success=16, Failure=8, Error=4, Information=2, Warning=1. (These values are checkboxes, hence the sum of the selected values is recorded).
Event Log Type: Custom=64, Security=32, System=16, Application=8, Directory Service=4, DNS Server=2, File Replication=1. (These values are checkboxes, hence the sum of the selected values is recorded).
The match terms (EventID Match, General Match and User Match) are the filter expressions and are defined to be any value (except TAB) which includes DOS wildcard characters. Note that these are NOT regular expressions with the exception of the General Match term. This has the option of interpreting the search string as a Perl Compatible Regular Expression by selecting the checkbox next to it. If it is not selected, the default simple search is used.
NOTE: Semicolons are actually "TAB" characters.
|
|
[Network]
| This subkey stores the general network configurations.
|
CacheSize
| This value is of type REG_DWORD, and determines the desired count of events in the memory cache. If this is set then CacheSizeM cannot be altered.
|
CacheSizeEventLog
| This value is of type REG_DWORD, and displays the maximum log size as displayed in Windows Event Viewer.
|
CacheSizeM "
}
}
Criticality- Critical = 4, Priority = 3, Warning = 2, Information = 1, Clear = 0. Next 3 values are Syslog for each RFC3164, RFC3164 Alt and RFC5424. Syslog values RFC3164 Alt and RFC5424 are copied from Syslog and not used separately. Values 0-7 denote Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug. CEF is 0 - 10, 0 is least severe and 10 is most severe. LEEF is 1 - 10, 1 is least severe and 10 is most severe. Last 4 values 0,0,0,0 are reserved and not in use.
EventID Match Type (event_id_match.exclude): = 0 (Include events that match the event id; = 1 for Exclude)
General Match Type (general_match.exclude): = 0 (Include events that match general search term in the event; = 1 for Exclude)
User Match Type (user_match.exclude): = 0 (Include events that match user search term; = 1 for Exclude)
Source Match Type (source_match.exclude): = 0 (Include events that match source search term; = 1 for Exclude)
Event Type: The different event types are mentioned and those values are checkboxes where checked = 1.
Event Log Type: The different log types are mentioned and those values are checkboxes where checked = 1.
The match terms (event_id_match.data, general_match.data, user_match.data and source_match.data) are the filter expressions and are defined to be any value (except TAB) which includes DOS wildcard characters. Note that these are NOT regular expressions with the exception of the General Match term. This has the option of interpreting the search string as a Perl Compatible Regular Expression if general_match_regex is set to TRUE (1). Otherwise the default simple text matching with wildcards ("*" or "?") is used.
|
|
|
[Objective]
| This subkey stores all the filtering audit policies.
|
Objective#
(where # is a serial number)
| This section describes the format of the audit policies (formerly known as Objectives). Audit Policies are of type REG_SZ, of no greater than 1060 chars, and is composed of the following string (the figures in the brackets represent the maximum size of the strings that can be entered):
Criticality(DWORD);Event Type(DWORD);Event Log Type(DWORD);EventID Match[256];General Match[512];UserMatchType(DWORD);User Match[256];EventIDMatchType(DWORD);GeneralMatchType(DWORD); SourceName Match[256];SourceNameMatchType(DWORD);
Criticality- It consists of a string with 10 values [0-4],[0-7],[0-7],[0-7],[0-10],[1-10],0,0,0,0. First integer between 0 and 4 that indicates the severity of the event. Critical = 4, Priority = 3, Warning = 2, Information = 1, Clear = 0. Next 3 values are Syslog for each RFC3164, RFC3164 Alt and RFC5424. Syslog values RFC3164 Alt and RFC5424 are copied from Syslog and not used separately. Values 0-7 denote Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug. CEF is 0 - 10, 0 is least severe and 10 is most severe. LEEF is 1 - 10, 1 is least severe and 10 is most severe. Last 4 values 0,0,0,0 are reserved and not in use
User Match Type: =0 Include users that match user search term; =1 for Exclude
EventID Match: a pre-defined string representing a group of EventIDs to be matched, for example: Logon_Logoff, Process_Events, Reboot_Events, User_Group_Management_Events, Security_Policy_Events, User_Right_Events, Other_Object_Access_Events. The list of all EventIDs included in each pre-defined group, see Appendix C in this User Guide. Alternatively, EventID Match can contain a comma-separated list of eventIDs, or a "*" wildcard, meaning any event.
EventID Match Type: =0 Include events that match the entire audit policy; =1 for Exclude
Event Type: Success=16, Failure=8, Error=4, Information=2, Warning=1. (These values are checkboxes, hence the sum of the selected values is recorded).
Event Log Type: Custom=64, Security=32, System=16, Application=8, Directory Service=4, DNS Server=2, File Replication=1. (These values are checkboxes, hence the sum of the selected values is recorded).
The match terms (General Match and User Match) are the filter expressions and are defined to be any value (except TAB) which includes DOS wildcard characters. Note that these are NOT regular expressions with the exception of the General Match term. This has the option of interpreting the search string as a Perl Compatible Regular Expression by selecting the checkbox next to it. If it is not selected, the default simple search is used.
NOTE: Semicolons are actually "TAB" characters.
|
|
|
[Network]
| This subkey stores the general network configurations.
|
CacheSize
| This value is of type REG_DWORD, and determines the desired count of events in the memory cache. If this is set then CacheSizeM cannot be altered.
|
CacheSizeEventLog
| This value is of type REG_DWORD, and displays the maximum log size as displayed in Windows Event Viewer.
|
CacheSizeM
| This value is of type REG_DWORD, and determines the size of the in memory cache. The value must be between 1 and 1024.If this is set then CacheSize cannot be altered.
|
CacheSizeSet
| This value is of type REG_DWORD, and determines if the agent should set the Windows Event Log size (0 for No, 1 for Yes).
|
CheckTime | Number of seconds the agent will internally reload its settings, drop and reestablish network connection. Minimum set time is 300 seconds (5 minutes), maximum is 3600 seconds (1 hour). |
Destination1Delimiter
| The delimiter to be used in the events written to this network destination, including, tab, comma, vertical bar, space and any custom character. By default the delimiter is a tab character.
|
Destination1Format | This value is of type REG_DWORD and is the format in which the events are sent to the destination: Snare (0), SYSLOG RFC3164 (1), SYSLOG Alt (2), CEF (3) , LEEF (4), SYSLOG RFC5424 (5), SNARE V2 (6), SYSLOG JSON (7), DEVO (8), DEVO JSON (9).
|
Destination1Host | This value is of type REG_SZ and is the IP or hostname of the destination server/SIEM.
|
Destination1mTLSCertID
| This value is of type REG_SZ and is the ID of the client's certificate. Client will present the certificate in mutual TLS communication to prove its identity to the server in communication.
|
Destination1Port
| This value is of type REG_DWORD, and determines the size of the in memory cache. The Destination Port number. This value must be between 1 and 1024.If this is set then CacheSize cannot be altered.
CacheSizeSet in 1-65535 range. Will default to 514 if a SYSLOG header has been specified.
|
Destination1SocketType | This value is of type REG_DWORD, and determines | if the agent should set the Windows Event Log size the protocol used (0 for | NoUDP, 1 for | Yes).
CheckTime | Number of seconds the agent will internally reload its settings, drop and reestablish network connection. Minimum set time is 300 seconds (5 minutes), maximum is 3600 seconds (1 hour). |
Destination1Delimiter
| This sub key TCP, 2 for TLS/SSL, 3 for TLS_AUTH, 4 for mTLS). This feature only appears in supported agents. |
Destination1TLSAuthKey | This value is of type REG_SZ and | is a comma separated list of destinations, which should be a maximum of 100 characters each. It details the IP address or hostname which the event records will be sent (NB: multiple hosts only available in supported agent). See Appendix - Delimiters.
Destination1Format | This value is of type REG_DWORD and is the format in which the events are sent to the destination:is used when Destination1SocketType is 3 i.e. TLS_AUTH. |
FileOutput1Delimiter | The delimiter to be used in the events written to this file destination, including, tab, comma, vertical bar, space and any custom character. By default the delimiter is a tab character.
|
FileOutput1FileName | The path and location of the file the events are sent to.
|
FileOutput1Format | The format to write to the log file. Available formats are:
Snare (0), SYSLOG RFC3164 (1), SYSLOG Alt (2), CEF (3) , LEEF (4), SYSLOG RFC5424 (5), SNARE V2 (6), SYSLOG JSON (7), DEVO (8), DEVO JSON (9). |
Destination1Host NotifyMsgLimit
| This value is of type REG_ SZ and is the IP or hostname of the destination server/SIEM.
| Destination1mTLSCertID
DWORD having value 0 or 1, and determines whether to send or not the EPS notification to server (1 means send and 0 means not to send) whenever agent reaches EPS RateLimit. This feature only appears in supported agents.
|
NotifyMsgLimitFrequency
| This value is of type REG_
| SZ DWORD, and
| is determines the
| ID of the client's certificate. Client will present the certificate in mutual TLS communication to prove its identify to the server in communication.
Destination1Port frequency of events per second notification. The value is treated in minutes and only one EPS notification message is sent to server regardless of how many times agent reaches EPS limit during these minutes. This feature only appears in supported agents.
|
RateLimit
| This value is of type REG_DWORD, and determines the Destination Port number. This value must be in 1-65535 range. Will default to 514 if a SYSLOG header has been specified.
| Destination1SocketType
upper limit for events per second (EPS) that the agent will send to server. This feature only appears in supported agents.
|
SyslogFacility | This value represents the SYSLOG facility for SYSLOG format |
SyslogTAGTerminator
| This value is of type REG_DWORD, having value of 0 or 1, and determines
| the protocol used (0 for UDP, 1 for TCP, 2 for TLS/SSL, 3 for TLS_AUTH, 4 for mTLS). This feature only appears in supported agents.
Destination1TLSAuthKey | This value is of type REG_SZ and is used when Destination1SocketType is 3 i.e. TLS_AUTH. |
FileOutput1Delimiter | This value ranges from 1 to 255. It includes the path of the files where the events will be stored per format (e.g. Snare, SYSLOG) |
FileOutput1FileName | The path and location of the file the events are sent to. Multiple files may be set.
|
FileOutput1Format | The format to write to the log file. Available formats are:
Snare (0), SYSLOG RFC3164 (1), SYSLOG Alt (2), CEF (3) , LEEF (4), SYSLOG RFC5424 (5), SNARE V2 (6), SYSLOG JSON (7), DEVO (8), DEVO JSON (9). |
NotifyMsgLimit
| This value is of type REG_DWORD having value 0 or 1, and determines whether to send or not the EPS notification to server (1 means send and 0 means not to send) whenever agent reaches EPS RateLimit. This feature only appears in supported agents.
|
NotifyMsgLimitFrequency
| This value is of type REG_DWORD, and determines the frequency of events per second notification. The value is treated in minutes and only one EPS notification message is sent to server regardless of how many times agent reaches EPS limit during these minutes. This feature only appears in supported agents.
|
RateLimit
| This value is of type REG_DWORD, and determines the upper limit for events per second (EPS) that the agent will send to server. This feature only appears in supported agents.
|
SyslogDynamicCritic
| This value is of type REG_DWORD, and represents the entry DYNAMIC for SYSLOG Priority, for SYSLOG format.
|
SyslogFacility | This value represents the SYSLOG facility for SYSLOG format |
SyslogPriority | This value represents the SYSLOG priority for SYSLOG format |
TruncateList
| This is a CRLF separated list of strings which result in event truncation if matched in the event text.
|
|
|
[Log]
| This subkey stores the log monitors. |
Log# (where # is a serial number) | This section describes the format of the log monitors. Log monitors are of type REG_SZ, of no greater than 512 chars, and is composed of the following string:
Logtype | LogPath
LogType is optional and is used to inform the Snare server how to process the data stream.
The LogPath is the fully qualified path to the log file that needs to be monitored or the fully qualified path to the directory containing date stamped log files of the form "YYMMDD" (in this case a trailing backslash ('\') is required). Spaces are valid, except at the start of the term.
whether to use TAB as SYSLOG (RFC3164) TAG Terminator. SYSLOG (RFC3164) IEFT standard allows all alphanumeric characters considered the part of TAG. It is strongly recommended to keep it as 1, else Destination#Delimiter will be used as TAG terminator.
|
TruncateList
| This is a CRLF separated list of strings which result in event truncation if matched in the event text.
|
|
|
[Log]
| This subkey stores the log monitors. |
Log# (where # is a serial number) | This section describes the format of the log file monitors. Log monitors are of type REG_SZ (string), and the stored value looks similar to this:
logtype=0logval=""linetype=0lineval="1"watchtype=0watchval="1"dirfilter="C:\temp\LogFilterTest\*"filefilter="*.txt"features=16state=1uuid=3a53e96d-bf10-4d2d-b5da-455ca8d34ec5
logtype - an integer representing the type of logs being collected: 0 - Generic log format(default); 1 - Apache web logs; 2 - Exchange message tracking logs pre 2007; 3 - Exchange message tracking logs 2007; 4 - Exchange message tracking logs 2010/2013; 5 - Microsoft IIS web server logs; 6 - Microsoft ISA firewall logs; 7 - Microsoft ISA web logs; 8 - Microsoft proxy server logs; 9 - Microsoft SMTP logs; 10 - Squid proxy logs; 11 - VMS Security Logs; 12 - Custom Event log; 13 - Microsoft DNS server logs; 14 - NCR ATM Journal Logs; 15 - DHCP Logs
logval - user-defined string that will be used as a log type in the event header if the logtype = 12 - Custom Event Log.
linetype - an integer defining what comprises a single event: 0 - Single Line (every line in the monitored file is converted to a separate event); 1 - Fixed Number of Lines; 2 - Line separating events (a line specified in lineval acts as event separator)
lineval - if linetype = 1, a string representing the number of lines to be read as one event; if linetype = 2, this is the line that separates events, for example, "<end>".
watchtype - an integer indicating which files should be monitored in the given directory: 0 - All matching files; 1 - Last matching file (alphabetically); 2 - First matching file (alphabetically); 3 - Fixed number of first matching files; 4 - Fixed number of last matching files
watchval - if watchtype = 3 or 4, a string representing the number of first/last matching files, otherwise "1"
dirfilter - a string representing fully qualified path to the desired log file or the directory containing the target log files
filefilter - a string representing the file name or file name pattern to monitor for new logs
features - an integer representing a bitmap of extra features, such as comments inclusion, date-based or regex-based file matching, etc. This value is set programmatically based on other selections
state - an integer representing the state of Log file monitor configuration: 0 - Disabled; 1 - Enabled; 2 - Requiring Service Restart
uuid - a unique 16-byte identifier of this Log file monitor.
See Log Configuration page in this User Guide for more details.
|
|
|
[Filter] | This subkey stores the log filters. |
Filter#
(where # is a serial number)
| AccessKeySetSnare3
This section describes the format of the filtersFilters applied to Log file monitors. Filters are of type REG_SZ , of no greater than 1060 chars(string), and is composed of the following string (the figures in the brackets represent the maximum size of the strings that can be entered):
Criticality(DWORD) General Match[512]GeneralMatchType(DWORD)
Criticality- Format for this string is the stored value looks similar to this:
criticality=1,6,6,6,3,3,0,0,0,0match="*"regex=0state=1uuid=ec27404d-1843-4d58-9617-d25c09f3040c
criticality - ten comma-separated integer values ([0-4],[0-7],[0-7],[0-7],[0-10],[1-10],0,0,0,0 . ) representing event criticality for different event formats. First integer is between 0 and 4 that indicates indicating the severity of the event . Critical = 4, Priority = 3, Warning = 2, Information = 1, Clear = 0. in Snare format: 0 - Clear , 1 - Information, 2 - Warning, 3 - Priority, 4 - Critical. Next 3 values are Syslog for each RFC3164, RFC3164 Alt and RFC5424 formats. Syslog values RFC3164 Alt and RFC5424 are copied from Syslog and not used separately. Values 0-7 denote denote Emergency, Alert, Critical, Error, Warning, Notice, Info and Debug, Debugrespectively. CEF is 0 is 0 - 10, 0 is least severe and 10 is most severe. LEEF is 1 is 1 - 10, 1 is least severe and 10 is most severe. Last 4 values 0,0,0,0 are reserved and not in use.
eg. criticality=2,5,5,5,7,9,0,0,0,0 match (General Match) - The General match term is the filter expression, and is defined to be any value which includes DOS wildcard characters. It can also include regular expressions if 'regex' box is checked.
eg match="*"
General Match Type - Include/Exclude. If checked Include then match or general match term is equated as [ = ] if checked exclude then it is [ != ].
Regex: =0 (Include general string term to match); =1 (Include regex string term to match)
eg. regex=0
|
[Remote]
| This subkey stores all the remote control parameters.
|
AccessKey
| This value is of type REG_DWORD and is used to determine whether a password is required to access the remote control functions. It is set to either 0 or 1, with 0 signifying no password is required.
|
AccessKeySet
| This is of type REG_SZ, and stores the actual password to be used, in encrypted format.
|
AccessKeySetSnare1
| This is of type REG_SZ, and stores the DIGEST password to be used (username "snare"), in encrypted format.
|
AccessKeySetSnare2
| This is of type REG_SZ, and stores the DIGEST password to be used (username "Snare"), in encrypted format.
|
match= - a string (if regex = 0) or a regular expression (if regex = 1) to match and INCLUDE. Events matching this filter will be collected. DOS wildcard characters ("*" and "?") can be used when regex = 0, for example: match="*"
or
match!= - a string (if regex = 0) or a regular expression (if regex = 1) to match and EXCLUDE. Events matching this filter will not be collected.
regex - integer indicating whether the match string is a regular expression: 0 - no; 1 - yes
state - an integer representing the state of Filter configuration: 0 - Disabled; 1 - Enabled; 2 - Requiring Service Restart
uuid - a unique 16-byte identifier of this Filter.
See Log Filter Configuration page in this User Guide for more details.
|
|
|
[Remote]
| This subkey stores all the remote control parameters.
|
AccessKeyAuth
| This is of type REG_SZ, and stores the DIGEST actual password to be used (username "SNARE"), in encrypted format.
|
Allow
| "Allow" is of type REG_DWORD, and set to either 0 or 1 to allow remote control. If not set or out of bounds, will default to 0/NO (ie; i.e. not able to be remote controlled).
| AllowBasicAuth |
Only available via the registry. Set to 0 by default. Enable if agent should support basic http authentication in the web UI. | LockTime
| This value is of type REG_DWORD and is used to determine the lock duration in minutes after maximum failed login attempts. |
MaxFailAttempt
| This value is of type REG_DWORD and is used to determine the maximum number of failed login attempts that will be accepted before the agent will be locked for a duration (Duration is defined in LockTime). |
Restrict
| This value is of type REG_DWORD, and set to either 0 or 1 to signal whether the remote users should be restricted via IP address or not. 0 = no restrictions.
|
RestrictIP
| This is of type REG_SZ and is the IP address set from above.
|
WebPort
| This value is the web server port, if it has been set to something other than port 6161. It is of type REG_DWORD. If not set or out of bounds, it will default to port 6161.
|
|
|
[SAM]
| Stores the Snare Agent Manager settings
|
SAM1AuthKey
| Key used by the agent to communicate with the Snare Agent Manager.
|
SAM1IP
| The IP/hostname of where SAM is installed, that will communicate with the agent.
|
SAM1Port
| The port number the agent uses to communicate with SAM, port 6262.
|
|
|
[State]
| This section stores data managed internally by the Agent. |
SAMCToken
| Token provided by SAM to the agent.
|
AgentLocked
| This value is of type REG_DWORD and is set to either 0 or 1 to indicate whether the agent is locked or not due to reaching maximum failed login attempts.
|
AgentLockEndTime | This is of type REG_SZ and is used to store the time when the agent will be back to normal after it has been locked due to reaching maximum failed login attempts.
|
LoginAttempts | This value is of type REG_DWORD and is used to determine the number of consecutive failed login attempts.
|