The Snare dispatcher receives data from the native Linux audit subsystem. The native audit daemon reports data in such a way that:
- It is difficult to determine programmatically how many 'lines' make up an audit event. Some lines can be repeated, with slightly different values.
- You can have multiple, identical tokens for an event (e.g. two "path=" tokens).
- Event lines may be interleaved (i.e. you might get two lines from event # 1000, then one line from event # 1001, then another line from event # 1000).
- Some filename characters are translated into their HEX equivalents, which makes matching filenames difficult.
Snare for Linux uses an internal cache to amalgamate all lines relating to an individual event into "one line per event" format, once appropriate filtering/event selection has taken place. An event will look like this once processed by Snare:
127.0.0.1 LinuxKAudit 0 event,fchmod,2018-05-15 00:00:01 sequence,1219936 uid,4294967295,unknown euid,0,root gid,0,root egid,0,root process,,/usr/lib/systemd/systemd-logind return,0,yes name,null exe,/usr/lib/systemd/systemd-logind success,yes return,0 syscall,91,fchmod uid,unknown euid,root gid,root egid,root arch, name,null a0,17 a1,1a4 a2,fbad2484 a3,24 items,1 ppid,1 pid,742 uid,0 suid,0 fsuid,0 sgid,0 fsgid,0 tty,none ses,4294967295 comm,systemd-logind key,obj-3-1 item,0 inode,17098379 dev,00:13 mode,0100600 ouid,0 ogid,0 rdev,00:00 objtype,NORMAL proctitle,/usr/lib/systemd/systemd-logind snareseq,33945
Snare for Linux presents the information in a series of token/data groups. Three different field separators are used in order to facilitate follow-on processing: TABS (by default) separate 'tokens', and COMMAS separate the data within each token. A 'token' is a group of related data, comprising a 'header' and a series of comma-separated fields which make up the data that relates to that header. Depending on the log format selected to be sent to the destination SIEM, a different delimiter may be selected to separate the 'tokens'.
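As an added example (not Snare's own code), a small parser for the one-line-per-event format described above: it splits the TAB-separated tokens, splits each token's comma-separated fields, keeps repeated headers (several uid or name tokens in the same event) in order rather than overwriting them, and decodes a name field the audit daemon hex-encoded. The sample record is constructed from the event line quoted above with an extra hex-encoded name appended; the assumption that the three leading fields are host, source and criticality, and that Snare forwards the audit daemon's hex encoding unchanged, are mine.

```python
import re

# Constructed sample, modelled on the event line shown above. Tokens are
# TAB-separated by default; note the date token itself contains a space.
SAMPLE_EVENT = "\t".join([
    "127.0.0.1", "LinuxKAudit", "0",
    "event,fchmod,2018-05-15 00:00:01", "sequence,1219936",
    "uid,4294967295,unknown", "euid,0,root",
    "process,,/usr/lib/systemd/systemd-logind", "return,0,yes",
    "name,null", "exe,/usr/lib/systemd/systemd-logind",
    "syscall,91,fchmod", "uid,unknown", "arch,", "uid,0",
    "comm,systemd-logind", "key,obj-3-1", "pid,742",
    "name,2F746D702F6D792066696C65",  # constructed: "/tmp/my file" hex-encoded
    "snareseq,33945",
])

# The audit daemon emits an even-length, uppercase hex string for names that
# contain characters it cannot print literally (spaces, quotes, control chars).
HEX_VALUE = re.compile(r"(?:[0-9A-F]{2})+")


def decode_audit_hex(value):
    """Decode a hex-encoded audit field; anything else is returned unchanged.
    Heuristic: a real name made only of hex digit pairs would be mis-decoded."""
    if HEX_VALUE.fullmatch(value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_snare_event(line, sep="\t"):
    """Split one Snare 'one line per event' record into header fields and tokens.
    Repeated headers are kept as a list of field lists, in arrival order.
    Assumption: the three leading fields are host, source and criticality."""
    parts = line.rstrip("\n").split(sep)
    if len(parts) < 4:
        raise ValueError("not a Snare event line: %r" % line)
    host, source, criticality = parts[:3]
    tokens = {}
    for tok in parts[3:]:
        header, _, data = tok.partition(",")   # 'arch,' -> header 'arch', data ''
        fields = data.split(",")               # keeps empty fields, e.g. 'process,,'
        if header == "name":
            fields = [decode_audit_hex(f) for f in fields]
        tokens.setdefault(header, []).append(fields)
    return {"host": host, "source": source, "criticality": criticality,
            "tokens": tokens}


if __name__ == "__main__":
    for header, values in parse_snare_event(SAMPLE_EVENT)["tokens"].items():
        print(header, values)
```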