Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

Overview

The Snare advanced events search capability allows you to build structured queries using the Snare Query Language (SnareQL) to search for events.

With SnareQL, you can specify advanced criteria using tools such as:

  • Operators such as =, !=, >, LIKE, CONTAINS or regular expressions,

  • Specific field comparisons, such as USERNAME=AJSmith

  • Advanced date limitations such as DATE='last monday'

  • Precedence using parentheses, such as EVENTID='login' AND (TIME < 08:00:00 OR TIME > 17:00:00)

Note, SnareQL is not a database query language, even though it uses a subset and superset of SQL syntax.

SnareQL

SnareQL queries consist of query components, joined by logic operators.

Each query component consists of a field, an operator, and a value. For example:

USERNAME='AJSMITH'

This query will search for events that have a field called “USERNAME” that contains (=) the value “AJSMITH”.

Snare Central is capable of storing massive amounts of forensic data. A simple search like this one, without date/time range limitations could potentially take a very long time to run, since it will attempt to search the entire Snare Central data store.

The Snare Central advanced query tool will impose a query timeout on queries by default, to help you narrow down your search criteria in a reasonable timeframe.

A more complex query may look like this:

USERNAME='AJSMITH' AND EVENTID LIKE '%login' AND SYSTEM REGEX '^(AU|US|UK)-' AND ((DATE='WEEKDAY' AND (TIME < '08:00:00' OR TIME > '17:00:00')) OR DATE='WEEKEND')

This query will search for 'out of hours' logins by AJSmith, from systems with a hostname that identifies them as Australia, US or UK.

Different log types will often contain different fields, and event fields with the same names may be formatted slightly differently. Windows uses numeric identifiers for the field EVENTID (eg: 512, 4593), whereas Solaris and Linux will use more descriptive terms such as “login - ftp”.

DATE and TIME fields, though stored in the format YYYY-MM-DD and HH:MM:SS respectively within the Snare Central data store, can support indirect values such as “this time last week” or “the first day of this month”, or “last saturday”, or “5” (which translates to ‘now minus 5 days’, in the case of DATE, or ‘now minus 5 seconds’ in the case of TIME) .

In addition, some functions are available that can modify field contents.

USERNAME='AJSMITH' AND EVENTID LIKE '%login' AND MINUTE(TIME) < 15 AND DATE='today'

This query will search for logins by AJSmith, in the first 15 minutes of each hour of the current day.

Precedence in Queries

Snare query components are evaluated in the order specified in the query; however precedence can be explicitly specified using brackets……



Note: See Atlassian doco for sample..

Reference


Description

Reference

Field

A field in SnareQL is a word that represents a field within a particular log type.

Operator

An operator in SnareQL is one or more symbols or words that compare the value of a field on its left with one or more values on its right. Some operators may use the NOT keyword.

Logical Element

A logical element in SnareQL is a word that joins two or more clauses together to forma a complex SnareQL query

  • AND

  • OR

  • NOT

Value

A string designed to represent the contents of a field in an event within the Snare Central datastore.

Function

A function in SnareQL appears as a word followed by parentheses, which may contain a field.

A function performs a calculation on the contents of the field (the value) and returns the results.

  • 15MIN(TIME) - quadrant

  • 15MINFLOOR(TIME) - time to the 15 minute floor (eg: 17:23:45 will be 17:15:00)

  • HOUR(TIME) - 0-24

  • HOURMINUTE(TIME) - 17:23

  • MINUTE(TIME)

  • SECONDS(TIME)

  • DAYOFWEEK(DATE) - 1: Sunday, 2: Monday, .. 7: Saturday

  • No labels