Intersect Alliance, part of the Prophecy International Holdings Group, is a team of leading information technology security specialists. In particular, Intersect Alliance is a noted leader in key aspects of IT security, including host intrusion detection. Our solutions have been, and continue to be, used in the most sensitive areas of the government and business sectors.
Intersect Alliance intends to continue releasing tools that enable users, administrators and clients worldwide to achieve a greater level of productivity and effectiveness in IT security, by simplifying, abstracting and/or solving complex security problems.
Intersect Alliance welcomes and values your support, comments, and contributions.
For more information on the Enterprise Agents, Snare Server and other Snare products and licensing options, please contact us as follows:
The Americas +1 (800) 834 1060 Toll Free | +1 (303) 771 2666 Denver
Asia Pacific +61 8 8211 6188 Adelaide Australia
Europe and the UK +44 (797) 090 5011
Email intersect@intersectalliance.com
Visit www.intersectalliance.com
Event output format
The Epilog service collects data from the identified log files and passes it unaltered to the identified network destination. Whitespace is the primary delimiter used to separate fields within the data. An audit event may look something like this:
Example:
flash ApacheLog 0 10.0.3.2 - - [16/Jun/2008:10:10:00 +1000] "GET / HTTP/1.1" 200 44
The first three fields of the record above (flash ApacheLog 0) are added by the Epilog service; everything after them is the original log line, passed through unaltered. The format of the record is as follows:
<hostname> <log_type> <unused> <log_event>
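A small parser for the record layout shown above, added here as an illustration; it is not part of Epilog or any Snare product. It assumes the default whitespace-separated output, splitting at most three times so that whitespace inside the original log line is preserved. The optional delimiter argument is an assumption for agents that set the Delimiter value together with a SYSLOG header; the sample records are constructed (only the first is the manual's own example).

```python
"""Parse Snare Epilog event records.  Added example, not Epilog/Snare code.

Layout (default, whitespace-separated output, per the manual):
    <hostname> <log_type> <unused> <log_event>
Only the first three fields are added by Epilog; <log_event> is the original
log line and may itself contain any amount of whitespace, so the record is
split at most three times.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class EpilogEvent:
    hostname: str   # Clientname value, or the machine's hostname if unset
    log_type: str   # log type name of the matching log monitor
    unused: str     # reserved field, "0" in the documented example
    log_event: str  # the original log line, passed through unaltered


def parse_epilog_event(record: str, delimiter: Optional[str] = None) -> EpilogEvent:
    """Split off Epilog's three prefix fields and return the rest untouched.

    delimiter=None splits on runs of whitespace (the documented format).
    Passing a single character (e.g. "\t") is an assumption for agents that
    set the Delimiter value together with a SYSLOG header.
    """
    parts = record.rstrip("\r\n").split(delimiter, 3)
    if len(parts) != 4 or not all(parts[:3]):
        raise ValueError(f"malformed Epilog record: {record!r}")
    return EpilogEvent(*parts)


def parse_epilog_records(records: Iterable[str],
                         delimiter: Optional[str] = None) -> Tuple[List[EpilogEvent], List[str]]:
    """Parse a batch, returning (events, rejected_raw_lines) so that one bad
    line does not stop the rest of the feed from being processed."""
    good: List[EpilogEvent] = []
    bad: List[str] = []
    for raw in records:
        if not raw.strip():
            continue  # ignore blank lines
        try:
            good.append(parse_epilog_event(raw, delimiter))
        except ValueError:
            bad.append(raw)
    return good, bad


# Constructed sample feed: the manual's example record, two made-up lines in
# the same layout, and one deliberately truncated record.
SAMPLE_RECORDS = [
    'flash ApacheLog 0 10.0.3.2 - - [16/Jun/2008:10:10:00 +1000] "GET / HTTP/1.1" 200 44',
    'flash ApacheLog 0 10.0.3.9 - - [16/Jun/2008:10:10:05 +1000] "GET /admin HTTP/1.1" 403 199',
    'flash AppLog 0 2008-06-16 10:11:02 WARN  config reloaded from C:\\app\\app.conf',
    'flash ApacheLog',   # truncated: no <unused> or <log_event> field
]

if __name__ == "__main__":
    events, rejected = parse_epilog_records(SAMPLE_RECORDS)
    for ev in events:
        print(f"{ev.hostname:8} {ev.log_type:10} {ev.log_event}")
    print(f"{len(rejected)} rejected record(s): {rejected}")
```

Because the log line is passed through unaltered, anything after the third field must be treated as opaque data: a downstream parser should dispatch on log_type and only then apply a format-specific parser to log_event.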
Epilog Windows registry configuration description
Details of the audit configuration are discussed in the Audit Configuration section. The purpose of this section is to describe the makeup of the configuration items in the registry. The Epilog configuration registry key is located at HKEY_LOCAL_MACHINE\SOFTWARE\Intersect Alliance\Epilog, and this location cannot be changed. If the configuration key does not exist, the Epilog service will create it during installation, but will not actively audit events until at least one correctly formatted log monitor is present.
Epilog can be configured in several different ways, namely:
Via the remote control interface (Recommended).
By manually editing the registry (NOT Recommended).
The format of the audit configuration registry subkeys is discussed below.
[Config]
This subkey stores the Delimiter, Clientname and UseUTC values.

Delimiter
Type REG_SZ. Stores the field-delimiting character, and is used ONLY when a SYSLOG header has been selected. If more than one character is given, only the first is used; if none is set, TAB is used. This is a HIDDEN value, intended only for users who need a different delimiter with the SYSLOG header; it is not exposed in the Remote Control Interface.

Clientname
Type REG_SZ. The hostname of the client, sent as the first field of every event. If no value is set, the output of the "hostname" command is used. Must be no more than 100 characters; longer values are truncated.

UseUTC
Type REG_DWORD. Determines whether Snare uses UTC timestamps instead of the local system time when sending events: 0 for no, 1 for yes. Defaults to FALSE (0) if not set.

[Objective]
This subkey stores all the filtering objectives.

Objective# (where # is a serial number)
Each objective is of type REG_SZ, no greater than 1060 characters, and is composed of the following string (the figures in brackets give the maximum size of each field that can be entered):
[Network]
This subkey stores the general network configuration.

Destination
Type REG_SZ. A comma-separated list of destinations, each a maximum of 100 characters, giving the IP address or hostname to which event records are sent (NB: multiple hosts are only available in supported agents).

DestPort
Type REG_DWORD. The destination port number, which must be in the range 1-65535. Defaults to 514 if a SYSLOG header has been specified.

Syslog
Type REG_DWORD. Determines whether a SYSLOG header is added to the event record: 0 for no header, 1 for a header. Defaults to TRUE (1) if not set.

SyslogDest
Type REG_DWORD. Determines the SYSLOG facility and severity (class and criticality) placed in the header; the value is the syslog PRI number, facility x 8 + severity. Defaults to 13 (facility 1 "user", severity 5 "notice") if not set or out of bounds.

SocketType
Type REG_DWORD. Determines the transport protocol used: 0 for UDP, 1 for TCP, 2 for TLS/SSL. This feature only appears in supported agents.

EncryptMsg
Type REG_DWORD. Determines whether encryption should be used: 0 for no, 1 for yes. This feature only appears in supported agents.

CacheSizeM
Type REG_DWORD. The size of the event cache, which must be between 1 and 1024. This feature only appears in supported agents.

RateLimit
Type REG_DWORD. The upper limit, in events per second (EPS), that the agent will send to the server. This feature only appears in supported agents.

NotifyMsgLimit
Type REG_DWORD, value 0 or 1. Determines whether an EPS notification is sent to the server whenever the agent reaches the EPS RateLimit: 1 means send, 0 means do not send. This feature only appears in supported agents.

NotifyMsgLimitFrequency
Type REG_DWORD. The frequency, in minutes, of the EPS notification: only one EPS notification message is sent to the server within that many minutes, regardless of how many times the agent reaches the EPS limit. This feature only appears in supported agents.
[Remote]
This subkey stores all the remote control parameters.

Allow
Type REG_DWORD, set to either 0 or 1 to disallow or allow remote control. If not set or out of bounds, defaults to 0/NO (i.e. the agent cannot be remote controlled).

WebPort
Type REG_DWORD. The web server port, if it has been set to something other than 6162. If not set or out of bounds, defaults to port 6162.

WebPortChange
Type REG_DWORD, set to either 0 or 1 to signal whether the web port should be changed or not. 0 = no change.

Restrict
Type REG_DWORD, set to either 0 or 1 to signal whether remote users should be restricted by IP address or not. 0 = no restriction.

RestrictIP
Type REG_SZ. The IP address to which remote control access is restricted when Restrict is set to 1.

AccessKey
Type REG_DWORD, set to either 0 or 1 to determine whether a password is required to access the remote control functions; 0 signifies that no password is required.

AccessKeySet
Type REG_SZ. Stores the actual password to be used, in encrypted format.
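The [Remote] and [Network] values above are the ones that decide whether the agent can be reconfigured over the network and whether events leave the host in cleartext, so they are worth checking on every deployed agent. The following read-only checker is an added example and not Intersect Alliance code. It takes the configuration as a plain dict mirroring the documented subkeys, so the logic runs anywhere; load_from_registry() fills such a dict from the live key on Windows using the standard winreg module. Treating a missing SocketType as UDP, and treating SocketType=2 and EncryptMsg=1 as two independent ways of protecting the stream, are assumptions the manual does not state; the sample configurations and the port 6514 in the hardened one are constructed.

```python
"""Audit a Snare Epilog registry configuration for weak settings.

Added example, not Intersect Alliance code.  The configuration is handled as
a plain dict mirroring the documented subkeys, e.g.
    {"Remote": {"Allow": 1, ...}, "Network": {"SocketType": 2, ...}}
so the checks run anywhere; load_from_registry() fills such a dict from the
live key on Windows (read-only, it never writes to the registry).
"""
import sys
from typing import Dict, List

# Fixed location per the manual; it cannot be changed.
EPILOG_KEY = r"SOFTWARE\Intersect Alliance\Epilog"


def load_from_registry(subkeys=("Remote", "Network")) -> Dict[str, Dict[str, object]]:
    """Read the named subkeys under HKLM\\SOFTWARE\\Intersect Alliance\\Epilog (Windows only)."""
    import winreg  # standard library, Windows only
    cfg: Dict[str, Dict[str, object]] = {}
    for sub in subkeys:
        values: Dict[str, object] = {}
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EPILOG_KEY + "\\" + sub) as key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under this subkey
                values[name] = data
                index += 1
        cfg[sub] = values
    return cfg


def _flag(values: Dict[str, object], name: str, default: int) -> int:
    """Read a REG_DWORD-style 0/1 value, applying the manual's default when missing or junk."""
    try:
        return int(values.get(name, default))
    except (TypeError, ValueError):
        return default


def audit_epilog_config(cfg: Dict[str, Dict[str, object]]) -> List[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    findings: List[str] = []
    remote = cfg.get("Remote", {})
    net = cfg.get("Network", {})

    # [Remote]: Allow defaults to 0; AccessKey 0 = no password; Restrict 0 = no
    # source-IP restriction (all per the manual).
    if _flag(remote, "Allow", 0) == 1:
        if _flag(remote, "AccessKey", 0) != 1:
            findings.append("Remote\\Allow=1 with AccessKey=0: remote control needs no password")
        if _flag(remote, "Restrict", 0) != 1:
            findings.append("Remote\\Allow=1 with Restrict=0: any source IP may reach the remote control port")
        elif not str(remote.get("RestrictIP", "")).strip():
            findings.append("Remote\\Restrict=1 but RestrictIP is empty")

    # [Network]: SocketType 0=UDP, 1=TCP, 2=TLS/SSL; EncryptMsg 1 = encrypted.
    # Assumption: a missing SocketType is treated as UDP (the manual gives no default).
    sock = _flag(net, "SocketType", 0)
    if sock == 0:
        findings.append("Network\\SocketType=0: UDP transport, events can be lost without notice")
    if sock != 2 and _flag(net, "EncryptMsg", 0) != 1:
        findings.append("Network: neither TLS/SSL (SocketType=2) nor EncryptMsg=1, events are sent in cleartext")
    if not str(net.get("Destination", "")).strip():
        findings.append("Network\\Destination is empty: no collector configured")
    return findings


# Constructed sample configurations (not taken from any real host).
SAMPLE_WEAK = {
    "Remote": {"Allow": 1, "AccessKey": 0, "Restrict": 0, "WebPort": 6162},
    "Network": {"Destination": "10.0.0.5", "DestPort": 514, "Syslog": 1, "SocketType": 0},
}
SAMPLE_HARDENED = {
    "Remote": {"Allow": 1, "AccessKey": 1, "AccessKeySet": "<encrypted>",
               "Restrict": 1, "RestrictIP": "10.0.0.10", "WebPort": 6162},
    # DestPort 6514 is an assumption for a TLS collector; use the site's own port.
    "Network": {"Destination": "10.0.0.5", "DestPort": 6514, "Syslog": 1,
                "SocketType": 2, "EncryptMsg": 1},
}

if __name__ == "__main__":
    cfg = load_from_registry() if sys.platform == "win32" else SAMPLE_WEAK
    for finding in audit_epilog_config(cfg) or ["no findings"]:
        print(finding)
```

The checker only reads values; since the manual recommends the remote control interface over manual registry edits, any remediation should be made through that interface rather than by writing to the key.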

[Log]
This subkey stores all the log monitors.

Log# (where # is a serial number)
Each log monitor is of type REG_SZ, no greater than 512 characters, and is composed of the following string:
LogPath