Overview
The Snare advanced events search capability allows you to build structured queries using the Snare Query Language (SnareQL) to search for events.
With SnareQL, you can specify advanced criteria using tools such as:
Operators such as =, !=, >, LIKE, CONTAINS or regular expressions,
Specific field comparisons, such as USERNAME=AJSmith
Advanced date limitations such as DATE='last monday'
Precedence using parentheses, such as EVENTID='login' AND (TIME < 08:00:00 OR TIME > 17:00:00)
Note that SnareQL is not a database query language, even though its syntax borrows from SQL and extends it.
SnareQL
SnareQL queries consist of query components, joined by logic operators.
Each query component consists of a field, an operator, and a value. For example:
USERNAME='AJSMITH'
This query will search for events that have a field called “USERNAME” that contains (=) the value “AJSMITH”.
Snare Central is capable of storing massive amounts of forensic data. A simple search like this one, without a date/time range limitation, could take a very long time to run, because it will attempt to search the entire Snare Central data store.
By default, the Snare Central advanced query tool imposes a timeout on queries, to encourage you to narrow your search criteria to something that completes in a reasonable time.
A more complex query may look like this:
USERNAME='AJSMITH' AND EVENTID LIKE '%login' AND SYSTEM REGEX '^(AU|US|UK)-' AND ((DATE='WEEKDAY' AND (TIME < '08:00:00' OR TIME > '17:00:00')) OR DATE='WEEKEND')
This query will search for 'out of hours' logins by AJSmith, from systems with a hostname that identifies them as Australia, US or UK.
Different log types will often contain different fields, and event fields with the same names may be formatted slightly differently. Windows uses numeric identifiers for the field EVENTID (e.g. 512, 4593), whereas Solaris and Linux use more descriptive terms such as "login - ftp".
DATE and TIME fields, though stored in the formats YYYY-MM-DD and HH:MM:SS respectively within the Snare Central data store, also accept relative values such as "this time last week", "the first day of this month", "last saturday", or "5" (which translates to "now minus 5 days" in the case of DATE, or "now minus 5 seconds" in the case of TIME).
In addition, some functions are available that can modify field contents.
USERNAME='AJSMITH' AND EVENTID LIKE '%login' AND MINUTE(TIME) < 15
This query will search for logins by AJSmith, in the first 15 minutes of each hour of the day.
The available functions are:
15MIN(TIME) - quarter of the hour (quadrant)
15MINFLOOR(TIME) - time rounded down to the 15 minute floor (e.g. 17:23:45 becomes 17:15:00)
HOUR(TIME) - hour of the day, 0-24
HOURMINUTE(TIME) - hour and minute only (e.g. 17:23)
MINUTE(TIME) - minute component of the time
SECONDS(TIME) - seconds component of the time
DAYOFWEEK(DATE) - day of the week: 1: Sunday, 2: Monday, ... 7: Saturday
Precedence in Queries
Snare query components are evaluated in the order in which they appear in the query; however, precedence can be specified explicitly using brackets (parentheses).
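To make the query semantics above concrete, the following is a small evaluator added here as an illustration; it is not Snare Central's query engine or any code from Snare. It parses the query shapes shown on this page (field/operator/value components, LIKE, REGEX, CONTAINS, the TIME and DATE functions, and bracketed sub-expressions), runs them over a handful of constructed sample events, and shows how bracketing changes the result of a mixed AND/OR query. Several details are assumptions made for the example rather than documented behaviour: AND and OR are combined strictly left to right unless bracketed, '=' on strings ignores case, LIKE treats % as a wildcard, DATE='WEEKDAY'/'WEEKEND' mean Monday to Friday / Saturday and Sunday, and 15MIN(TIME) returns the quarter of the hour as 0-3.

```python
import re
from datetime import date, time

# Illustrative SnareQL-style evaluator written for this page; not Snare Central's engine.
# Assumptions: AND/OR apply left to right unless bracketed; '=' on strings ignores case;
# LIKE treats % as a wildcard; DATE='WEEKDAY'/'WEEKEND' mean Mon-Fri / Sat-Sun; 15MIN gives 0-3.
TOKEN = re.compile(r"\s*(?:(\()|(\))|('[^']*')|(<=|>=|!=|=|<|>)|([A-Za-z0-9_:%]+))")

def tokenize(query):
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"bad token at {pos}: {query[pos:]!r}")
        pos = m.end()
        tokens.append(next(g for g in m.groups() if g is not None))
    return tokens

class Parser:
    """Builds ("AND"|"OR", left, right) or ("CMP", func, field, op, value) trees."""
    def __init__(self, query):
        self.toks, self.i = tokenize(query), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok
    def expr(self):  # components combine in the order written; only brackets change that
        left = self.factor()
        while self.peek() and self.peek().upper() in ("AND", "OR"):
            left = (self.take().upper(), left, self.factor())
        return left
    def factor(self):
        if self.peek() == "(":
            self.take("("); node = self.expr(); self.take(")")
            return node
        name, func = self.take(), None
        if self.peek() == "(":  # function applied to a field, e.g. MINUTE(TIME)
            self.take("("); func, name = name.upper(), self.take(); self.take(")")
        op, value = self.take().upper(), self.take()
        return ("CMP", func, name.upper(), op, value.strip("'"))

def apply_function(func, raw):
    # Field modifiers from the page: DAYOFWEEK on DATE (1=Sunday .. 7=Saturday), the rest on TIME.
    if func is None:
        return raw
    if func == "DAYOFWEEK":
        return (date.fromisoformat(raw).weekday() + 1) % 7 + 1  # Python's weekday(): Monday=0
    t = time.fromisoformat(raw)
    return {"15MIN": t.minute // 15, "HOUR": t.hour, "MINUTE": t.minute, "SECONDS": t.second,
            "15MINFLOOR": f"{t.hour:02d}:{t.minute - t.minute % 15:02d}:00",
            "HOURMINUTE": f"{t.hour:02d}:{t.minute:02d}"}[func]

def compare(left, op, right):
    if op == "LIKE":  # SQL-style wildcard: % matches any run of characters
        pattern = "^" + ".*".join(re.escape(p) for p in right.split("%")) + "$"
        return re.search(pattern, str(left), re.IGNORECASE) is not None
    if op == "REGEX":
        return re.search(right, str(left)) is not None
    if op == "CONTAINS":
        return right.upper() in str(left).upper()
    try:  # numeric comparison when both sides parse as numbers, otherwise string comparison
        left, right = float(left), float(right)
    except ValueError:
        left, right = str(left).upper(), right.upper()
    return {"=": left == right, "!=": left != right, "<": left < right,
            ">": left > right, "<=": left <= right, ">=": left >= right}[op]

def evaluate(node, event):
    if node[0] in ("AND", "OR"):
        l, r = evaluate(node[1], event), evaluate(node[2], event)
        return (l and r) if node[0] == "AND" else (l or r)
    _, func, field, op, value = node
    if field not in event:  # an event without the field never matches
        return False
    if field == "DATE" and func is None and value.upper() in ("WEEKDAY", "WEEKEND"):
        is_weekend = date.fromisoformat(event["DATE"]).weekday() >= 5
        hit = is_weekend == (value.upper() == "WEEKEND")
        return hit if op == "=" else not hit
    return compare(apply_function(func, event[field]), op, value)

def search(query, events):
    """Return the events matching a SnareQL-style query."""
    parser = Parser(query)
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return [e for e in events if evaluate(tree, e)]

# Constructed sample events (2024-03-04 is a Monday, 2024-03-09 a Saturday).
EVENTS = [
    {"DATE": "2024-03-04", "TIME": "07:30:12", "USERNAME": "AJSmith", "EVENTID": "login", "SYSTEM": "AU-SRV01"},
    {"DATE": "2024-03-04", "TIME": "10:12:00", "USERNAME": "AJSmith", "EVENTID": "login", "SYSTEM": "US-SRV02"},
    {"DATE": "2024-03-09", "TIME": "13:05:00", "USERNAME": "AJSmith", "EVENTID": "ssh login", "SYSTEM": "UK-SRV03"},
    {"DATE": "2024-03-04", "TIME": "18:45:00", "USERNAME": "AJSmith", "EVENTID": "login", "SYSTEM": "DE-SRV04"},
    {"DATE": "2024-03-04", "TIME": "18:45:00", "USERNAME": "bjones", "EVENTID": "login", "SYSTEM": "AU-SRV01"},
]
OUT_OF_HOURS = ("USERNAME='AJSMITH' AND EVENTID LIKE '%login' AND SYSTEM REGEX '^(AU|US|UK)-' AND "
                "((DATE='WEEKDAY' AND (TIME < '08:00:00' OR TIME > '17:00:00')) OR DATE='WEEKEND')")
FIRST_QUARTER = "USERNAME='AJSMITH' AND EVENTID LIKE '%login' AND MINUTE(TIME) < 15"

if __name__ == "__main__":
    for q in (OUT_OF_HOURS, FIRST_QUARTER):
        print(q, "->", [e["SYSTEM"] for e in search(q, EVENTS)])
```

Running the block prints the two AJSmith queries from this page alongside the systems they match in the sample data (the Monday 07:30 login from AU-SRV01 and the Saturday login from UK-SRV03 for the out-of-hours query). The precedence point is visible by comparing search("DATE='WEEKEND' OR USERNAME='bjones' AND SYSTEM='AU-SRV01'", EVENTS), which under left-to-right evaluation matches only the bjones event, with the bracketed form DATE='WEEKEND' OR (USERNAME='bjones' AND SYSTEM='AU-SRV01'), which also matches the weekend login.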