Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Version History

« Previous Version 4 Next »

The purpose of this section is to discuss the makeup of the configuration items in the registry. The Snare configuration registry key is located at HKEY_LOCAL_MACHINE\SOFTWARE\Intersect Alliance\SnareMSSQL, and this location may not be changed. If the configuration key does not exist, the SnareMSSQL service will create it during installation, but will not actively audit events until a correctly formatted audit policy is present.

SNARE can be configured in several different ways, namely:

  • Via the remote control interface (Recommended).
  • By manually editing the registry (NOT Recommended).

The format of the audit configuration registry subkeys is discussed below.

[Config]

This subkey stores the general agent configuration data.

AgentLog
This value is of type REG_DWORD and sets the level of tracing sent by the agent.  Values include [0-5] where Fatal (0), Error (1), Warning (2), Info (3), Debug (8), Trace (9).
CachePath
This is the disk cache path where the agent will temporarily save all unsent events if the agent needs to restart. Agent will read and send the events on next start.

Checksum

This value is of type REG_DWORD, and determines whether the agent includes an MD5 Checksum of the contents of each audit record, with the record in question. Set this value to 0 for no, or 1 for Yes. Will default to FALSE (0) if not set. Note that the checking application will need to strip the final delimiter, plus the MD5 Checksum, from the record before evaluating the record against the checksum.

Clientname

REG_SZ If no value has been set, "hostname" command output will be displayed. Must be no more than 100 chars, otherwise will truncate.

Delimiter

REG_SZ Stores the field delimiting character, ONLY if syslog header has been selected. If more than one char, only first char will be used. If none set, then TAB will be used. This is a HIDDEN field, and only available to those users that wish to set a different delimiter when using the SYSLOG header. This selection option will not be found in the SNARE front end or the web pages.

EventSourceId

This is of type REG_SZ and stores the Windows Registry path from where to read the Event Source Id text/value. If the value in EventSourceIdType is 2 (Registry Path), then the text/value in the registry, specified by the path, is included in each event.

EventSourceIdText

This is of type REG_SZ and directly stores the Event Source Id text/value. If the value in EventSourceIdType is 1 (Free Text), then this text/value is included in each event.

EventSourceIdType

This is of type REG_DWORD and stores the option related to specifying Event Source Id: 0(NONE), 1(Free Text), 2(Registry Path).

FileSizeThis is the maximum generated size of an output file receiving events. The file is rotated upon reaching this maximum.
HeartBeatREG_DWORD The frequency, in minutes, with which the agent will send out a heartbeat message. A value of zero (0) will disable this feature.
HeartBeatFileExport
This value determines whether heartbeats are logged to a file. Set this value to 0 for no, or 1 for Yes.
HeartBeatOutputPath
This is the path where the heartbeat messages are exported to, if selected.
HostGUID
This value is of type REG_SZ. Set to the GUID of the specific network card.
HostIP
This value is of type REG_SZ. Set to the IP address of the specific network card.
LookupTimeout

REG_DWORD The frequency, in minutes, with which the SnareMSSQL agent will recheck the members of any groups specified in the User Search Filter.

MemCheckLimit
REG_DWORD The frequency, in minutes, when the memory usage limit of the MSSQL agent will be checked.
MemCheckTimeout
REG_DWORD This is the maximum memory the MSSQL agent can utilize during any stage of execution (2-200 minutes)
MSSQLPortNumbers
REG_SZ This is a comma-delimited list of MSSQL listening ports to support MSSQL configurations with specific listening port(s). Each port numer is of REG_DWORD. Port 1433 specifies a dynamic port.
TLS13Minimum
REG_DWORD When disabled (0), Snare Agent supports TLS 1.2 and TLS 1.3 for web connections. When enabled (1), TLS 1.2 is explicitly disabled; browsers connecting to the agent website must support at least TLS 1.3 for ssl connections.

TraceCount

REG_DWORD The number of trace files maintained by Microsoft SQL Server.

TracePath

REG_SZ The location where SNARE will store its trace files.

TraceSize

REG_DWORD The size of any trace files written by MS SQL Server

UnencryptedObjREG_DWORD If set to one it will store the audit policy in plain text in the registry, otherwise if set to zero, the audit policy will be encrypted in the registry. This setting may be used for standalone or cluster mode.
UpgradePath
This value is of type REG_SZ.  The automatically generated path in which temporary upgrade files are stored.
UseHostIP
If set it resolves the machines IP address from the first wired adapter. It will not resolve wireless IP's at present. Set this value to 0 for no, or 1 for Yes.  If set, ClientName will be ignored.

UseUTC

REG_DWORD Timestamp logs using Coordinated Universal Time instead of local time if set to 1.



[Objective]

This subkey stores all the filtering audit policies (formerly known as objectives).

Objective# (where # is an integer number)

Audit Policies are of type REG_BINARY and contain an encrypted copy of the individual settings comprising an audit policy.
Manual configuration of an audit policies is unsupported.



[Network]

This subkey stores the general network configurations.

CacheSize

This value is of type REG_DWORD, and determines the desired count of events in the memory cache. If this is set then CacheSizeM cannot be altered.

CacheSizeM

This value is of type REG_DWORD, and determines the size of the in memory cache. The value must be between 1 and 1024.If this is set then CacheSize cannot be altered.

CheckTimeNumber of seconds the agent will internally reload its settings, drop and reestablish network connection. Minimum set time is 300 seconds (5 minutes), maximum is 3600 seconds (1 hour).

Destination1Delimiter

This sub key is of type REG_SZ and is a comma separated list of destinations, which should be a maximum of 100 characters each. It details the IP address or hostname which the event records will be sent (NB: multiple hosts only available in supported agent). See Appendix - Delimiters.

Destination1FormatThis value is of type REG_DWORD and is the format in which the events are sent to the destination:
Snare (0), SYSLOG RFC3164 (1), SYSLOG Alt (2), CEF (3), LEEF (4), SYSLOG RFC5424 (5), SNARE V2 (6), SYSLOG JSON (7). DEVO (8), DEVO JSON (9).
Destination1HostThis value is of type REG_SZ and is the IP or hostname of the destination server/SIEM.

Destination1mTLSCertID

This value is of type REG_SZ and is the ID of the client's certificate. Client will present the certificate in mutual TLS communication to prove its identify to the server in communication.

Destination1Port

This value is of type REG_DWORD, and determines the Destination Port number. This value must be in 1-65535 range. Will default to 514 if a SYSLOG header has been specified.

Destination1SocketTypeThis value is of type REG_DWORD, and determines the protocol used (0 for UDP, 1 for TCP, 2 for TLS/SSL, 3 for TLS_AUTH, 4 for mTLS). This feature only appears in supported agents.
Destination1TLSAuthKeyThis value is of type REG_SZ and is used when Destination1SocketType is 3 i.e. TLS_AUTH. 
FileOutput1DelimiterThis value ranges from 1 to 255. It includes the path of the files where the events will be stored per format (e.g. Snare, SYSLOG)
FileOutput1FileNameThe path and location of the file the events are sent to.  Multiple files may be set.
FileOutput1FormatThe format to write to the log file. Available formats are: 
Snare (0), SYSLOG RFC3164 (1), SYSLOG Alt (2), CEF (3), LEEF (4), SYSLOG RFC5424 (5), SNARE V2 (6), SYSLOG JSON (7), DEVO (8), DEVO JSON (9).

NotifyMsgLimit

This value is of type REG_DWORD having value 0 or 1, and determines whether to send or not the EPS notification to server (1 means send and 0 means not to send) whenever agent reaches EPS RateLimit. This feature only appears in supported agents.

NotifyMsgLimitFrequency

This value is of type REG_DWORD, and determines the frequency of events per second notification. The value is treated in minutes and only one EPS notification message is sent to server regardless of how many times agent reaches EPS limit during these minutes. This feature only appears in supported agents.

RateLimit

This value is of type REG_DWORD, and determines the upper limit for events per second (EPS) that the agent will send to server. This feature only appears in supported agents.
SyslogFacilityThis value represents the SYSLOG facility for SYSLOG format



[Remote]

This subkey stores all the remote control parameters.

AccessKeyAuth

REG_SZ Stores a hash of the password.

Allow

REG_DWORD Determines the availability of the remote control feature. If not set or out of bounds, will default to 0/NO (ie; not able to be remote controlled).
LockTimeThis value is of type REG_DWORD and is used to determine the lock duration in minutes after maximum failed login attempts.
MaxFailAttemptThis value is of type REG_DWORD and is used to determine the maximum number of failed login attempts that will be accepted before the agent will be locked for a duration (Duration is defined in LockTime).

Restrict

REG_DWORD Determines whether the remote users should be restricted via IP address or not. 0 = no restrictions.

RestrictIP

This is of type REG_SZ and is the IP address set from above.

WebPort

REG_DWORD The web server port, if it has been set to something other than port 6161. It is of type REG_DWORD. If not set or out of bounds, it will default to port 6161.



[SAM]
Stores the Snare Agent Manager settings
SAM1AuthKey
Key used by the agent to communicate with the Snare Agent Manager.
SAM1IP
The IP/hostname of where SAM is installed, that will communicate with the agent.
SAM1Port
The port number the agent uses to communicate with SAM, port 6262.
SAM1Token
Token provided by SAM to the agent.


[State]


SAMCToken

Token provided by SAM to the agent.

AgentLockedThis value is of type REG_DWORD and is set to either 0 or 1 to indicate whether the agent is locked or not due to reaching maximum failed login attempts.
AgentLockEndTimeThis is of type REG_SZ and is used to store the time when the agent will be back to normal after it has been locked due to reaching maximum failed login attempts.
LoginAttemptsThis value is of type REG_DWORD and is used to determine the number of consecutive failed login attempts.   
  • No labels