[Network] | This subkey stores the general network configurations. |
CacheSize | Determines the desired count of events in the memory cache, i.e. the number of events that Snare should keep if it cannot reach at least one of the hosts. If this is set then CacheSizeM cannot be altered. |
CacheSizeM | Determines the size of the in-memory cache. The value must be between 1 and 1024. If this is set then CacheSize cannot be altered. |
CheckTime | Number of seconds after which the agent internally reloads its settings and drops and re-establishes its network connection. Minimum is 300 seconds (5 minutes), maximum is 3600 seconds (1 hour). |
Destination1Delimiter | Details the IP address or hostname to which the event records will be sent. |
Destination1Format | The format in which the events are sent to the destination: Snare (0), SYSLOG RFC3164 (1), SYSLOG Alt (2), CEF (3), LEEF (4), SYSLOG RFC5424 (5), SNARE V2 (6), SYSLOG JSON (7). |
Destination1Host | The IP or hostname of the destination server/SIEM. |
Destination1Port | Determines the destination port number. This value must be in the 1-65535 range. Defaults to 514 if a SYSLOG header has been specified. |
Destination1SocketType | Determines the protocol used (0 for UDP, 1 for TCP, 2 for TLS/SSL, 3 for TLS_AUTH). |
Destination1TLSAuthKey | This value is used when Destination1SocketType is 3, i.e. TLS_AUTH. |
FileOutput1Delimiter | This value ranges from 1 to 255. It includes the path of the files where the events will be stored per format (e.g. Snare, SYSLOG). |
FileOutput1FileName | The path and location of the file the events are sent to. Multiple files may be set. |
FileOutput1Format | The format to write to the log file. Available formats are: Snare (0), SYSLOG RFC3164 (1), SYSLOG Alt (2), CEF (3), LEEF (4), SYSLOG RFC5424 (5), SNARE V2 (6), SYSLOG JSON (7). |
NotifyMsgLimit | Set to 0 or 1; determines whether to send the EPS notification to the server (1 means send, 0 means do not send) whenever the agent reaches the EPS RateLimit. |
NotifyMsgLimitFrequency | Determines the frequency of the events-per-second notification. The value is treated in minutes, and only one EPS notification message is sent to the server regardless of how many times the agent reaches the EPS limit during these minutes. |
RateLimit | Determines the upper limit for events per second (EPS) that the agent will send to the server. |
SyslogFacility | Represents the SYSLOG facility for the SYSLOG format. |

[Config] | This subkey stores the general configuration values. |
AgentLog | Sets the level of tracing sent by the agent. Values include [0-5]: Fatal (0), Error (1), Warning (2), Info (3), Debug (8), Trace (9). |
Audit | Determines whether Snare is to automatically set the system audit configuration. Set this value to 0 for no, or 1 for yes. Will default to TRUE (1) if not set. The audit configuration includes selecting the audit categories and the retention policy on ALL event log files. |
CachePath | The disk cache path where the agent temporarily saves all unsent events if the agent needs to restart. The agent reads and sends the events on next start. |
Checksum | Determines whether Snare includes an MD5 checksum of the contents of each audit record with the record in question. Set this value to 0 for no, or 1 for yes. Will default to FALSE (0) if not set. Note that the checking application will need to strip the final delimiter, plus the MD5 checksum, from the record before evaluating the record against the checksum. |
Clientname | The hostname of the client. If no value has been set, the "hostname" command output will be displayed. Must be no more than 100 chars, otherwise it will be truncated. |
Delimiter | Stores the field delimiting character, ONLY if the destination format SYSLOG has been selected. If more than one char is given, only the first char will be used. If none is set, then TAB will be used. This is a HIDDEN field, only available to those users that wish to set a different delimiter when using the SYSLOG header. This selection option will not be found in the Snare web pages. |
EventSourceIdText | Stores the Event Source Id text/value. If the value in EventSourceIdType is 1 (Free Text), then this text/value is included in each event. |
EventSourceIdType | Stores the option related to specifying the Event Source Id: 0 (NONE) and 1 (Free Text). |
FileSize | The maximum generated size of an output file receiving events. The file is rotated upon reaching this maximum. |
HeartBeat | The frequency with which a heartbeat is sent, set in minutes. |
HeartBeatFileExport | Determines whether heartbeats are logged to a file. 0 for no, or 1 for yes. |
HeartBeatOutputPath | The path where the heartbeat messages are exported to, if selected. |
HostGUID | Set to the GUID of the specific network card. |
HostIP | Set to the IP address of the specific network card. |
TLS13Minimum | When disabled (0), the Snare Agent supports TLS 1.2 and TLS 1.3 for web connections. When enabled (1), TLS 1.2 is explicitly disabled; browsers connecting to the agent website must support at least TLS 1.3 for SSL connections. |
UpgradePath | The automatically generated path in which temporary upgrade files are stored. |
UseHostIP | If set, the agent resolves the machine's IP address from the first wired adapter. It will not resolve wireless IPs at present. Set this value to 0 for no, or 1 for yes. |
UseUTC | Determines whether Snare should use UTC timestamps instead of the local system time when sending events. Set this value to 0 for no, or 1 for yes. Will default to FALSE (0) if not set. |

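As an added illustration of the Checksum setting described above (example code, not from the Snare agent or its documentation): a check that strips the final delimiter plus the MD5 field from a record and recomputes the digest. It assumes a TAB delimiter (the documented default) and a lowercase hex MD5 over the record text before the final delimiter; the sample record is constructed.

```python
import hashlib
import hmac

# Assumptions not stated on the page: the delimiter is TAB (the documented
# default), and the checksum is the 32-char hex MD5 of the record text up to
# but not including the final delimiter. Confirm both against your agent's output.
DELIM = "\t"

def append_checksum(record: str, delim: str = DELIM) -> str:
    """Emit record + delim + hex MD5, as a Checksum=1 agent would."""
    return f"{record}{delim}{hashlib.md5(record.encode('utf-8')).hexdigest()}"

def verify_checksum(line: str, delim: str = DELIM) -> tuple:
    """Strip the final delimiter plus MD5 field, recompute, and compare.
    Returns (ok, record_without_checksum). Lines with no 32-hex final field fail.
    Note: an unkeyed MD5 detects truncation or corruption in transit, not
    deliberate alteration by anyone who can rewrite the whole line."""
    head, sep, tail = line.rpartition(delim)
    tail = tail.lower()
    if not sep or len(tail) != 32 or any(c not in "0123456789abcdef" for c in tail):
        return False, line
    expected = hashlib.md5(head.encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, tail), head

# Constructed sample record in the TAB-delimited Snare style (not real agent output).
SAMPLE = "webhost01\tLinuxKAudit\t1\tevent=execve\tuid=0\tcomm=/bin/ls"

if __name__ == "__main__":
    signed = append_checksum(SAMPLE)
    print(verify_checksum(signed))                               # (True, SAMPLE)
    print(verify_checksum(signed.replace("uid=0", "uid=1000")))  # (False, ...)
```
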
[Remote] | This subkey stores all the web user interface/remote control parameters. |
AccessKey | Used to determine whether a password is required to access the remote control functions. It is set to either 0 or 1, with 0 signifying no password is required. |
AccessKeySet | Stores the actual password to be used, in encrypted format. |
AccessKeySetSnare1 | Stores the DIGEST password to be used (username "snare"), in encrypted format. |
AccessKeySetSnare2 | Stores the DIGEST password to be used (username "Snare"), in encrypted format. |
AccessKeySetSnare3 | Stores the DIGEST password to be used (username "SNARE"), in encrypted format. |
Allow | Set to either 0 or 1 to allow the web user interface to be available. If not set or out of bounds, will default to 0/NO (i.e. not able to be browsed to). |
AllowBasicAuth | Only available via snare.conf and set to 0 by default. Enable if the agent should support basic HTTP authentication in the web UI. |
LockTime | This value is of type REG_DWORD and determines the lock duration in minutes after the maximum number of failed login attempts. |
MaxFailAttempt | This value is of type REG_DWORD and determines the maximum number of failed login attempts that will be accepted before the agent is locked for a duration (defined in LockTime). |
Restrict | Set to either 0 or 1 to signal whether the remote users should be restricted via IP address or not. 0 = no restrictions. |
RestrictIP | The IP address that is used to remotely control the agent. |
WebPort | The web server port, if it has been set to something other than port 6161. If not set or out of bounds, it will default to port 6161. |

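An added example, not part of this page or the Snare agent: an audit that reads an INI-style configuration using the section and key names above and flags the settings a reviewer would want surfaced (cleartext transport, no checksum, local time, web UI without a password, basic auth, no IP restriction, no lockout). That snare.conf is laid out as [Section]/Key=Value lines is an assumption; the sample is constructed.

```python
import configparser

# Constructed sample using the section and key names documented above. That
# snare.conf is laid out as [Section]/Key=Value lines is an assumption.
WEAK_CONF = """
[Network]
Destination1SocketType=0
[Config]
Checksum=0
[Remote]
Allow=1
AccessKey=0
AllowBasicAuth=1
Restrict=0
"""

UNSET = "<unset>"
# (section, key, weak-if predicate on the raw string, finding). A missing key is
# read as UNSET; the page documents 0 as the default for Checksum, UseUTC and Allow.
RULES = [
    ("Network", "Destination1SocketType", lambda v: v in ("0", "1"),
     "UDP/TCP transport, events cross the network in cleartext; use 2 (TLS/SSL) or 3 (TLS_AUTH)"),
    ("Config", "Checksum", lambda v: v in ("0", UNSET),
     "no per-record MD5, so a truncated or corrupted record is not detectable downstream"),
    ("Config", "UseUTC", lambda v: v in ("0", UNSET),
     "local-time stamps hinder cross-host correlation"),
    ("Remote", "AccessKey", lambda v: v != "1",
     "password requirement for the web UI not confirmed (AccessKey should be 1)"),
    ("Remote", "AllowBasicAuth", lambda v: v == "1",
     "basic HTTP authentication enabled on the web UI"),
    ("Remote", "Restrict", lambda v: v != "1",
     "remote control not limited to RestrictIP"),
    ("Remote", "MaxFailAttempt", lambda v: v in ("0", UNSET),
     "no failed-login lockout configured (pairs with LockTime)"),
]

def audit(text: str) -> list:
    """Return 'Section.Key=value: finding' per weak setting; Remote rules apply only when Allow=1."""
    cp = configparser.ConfigParser(interpolation=None)   # option names are case-insensitive
    cp.read_string(text)
    web_ui_on = cp.get("Remote", "Allow", fallback="0") == "1"
    findings = []
    for section, key, is_weak, why in RULES:
        if section == "Remote" and not web_ui_on:
            continue
        value = cp.get(section, key, fallback=UNSET)
        if is_weak(value):
            findings.append(f"{section}.{key}={value}: {why}")
    return findings
```
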
[SAM] | Stores the Snare Agent Manager settings. |
SAM1AuthKey | Key used by the agent to communicate with the Snare Agent Manager. |
SAM1IP | The IP/hostname of where SAM is installed, that will communicate with the agent. |
SAM1Port | The port number the agent uses to communicate with SAM, port 6262. |

[State] |
SAMCToken | Token provided by SAM to the agent. |
AgentLocked | This value is of type REG_DWORD and is set to either 0 or 1 to indicate whether the agent is locked due to reaching the maximum number of failed login attempts. |
AgentLockEndTime | This value is of type REG_SZ and stores the time when the agent will return to normal after it has been locked due to reaching the maximum number of failed login attempts. |
LoginAttempts | This value is of type REG_DWORD and holds the number of consecutive failed login attempts. |

[Linux] |
AuditBufferSize | Adjustment of the audit buffers is required to avoid placing too heavy an audit load on your system. If the buffers are full then events will not be queued. Default is 360. |
AuditCollect | Determines whether Snare is to automatically set the system auditd configuration. Set this value to 0 for no, or 1 for yes. Will default to TRUE (1) if not set. The auditd configuration will be modified to set the dispatcher to the agent executable regardless of this setting, so that auditd still launches the agent. |

[Objective] | This subkey stores all the filtering audit policies. |
Objective# (where # is a serial no.) | This section describes the format of the audit policies (formerly known as Objectives). For example:
"Objective1": "criticality=1,1,1,1,1,1,0,0,0,0\tmatch=\"\"\tevent=execve,fork,exit,kill,tkill,tgkill", |

[Watch] | This subkey stores the file watches. |
Watch# (where # is a serial no.) | This section describes the format of the watches. For example:
"Watch1": "criticality=2,2,2,2,2,2,0,0,0,0\tmatch=\"\"\tpath=\/etc\tperms=wa" |

[Filter] | This subkey stores the Log Filter. |
Filter# | This section describes the format of the audit policy filters. Filters are of type REG_SZ, of no greater than 1060 chars, and are composed of the following string (the figures in brackets represent the maximum size of the strings that can be entered):
Criticality (DWORD), General Match [512], General Match Type (DWORD)
Criticality - The format for this string is [0-4],[0-7],[0-7],[0-7],[0-10],[1-10],0,0,0,0. The first integer, between 0 and 4, indicates the severity of the event: Critical = 4, Priority = 3, Warning = 2, Information = 1, Clear = 0. The next 3 values are Syslog for each of RFC3164, RFC3164 Alt and RFC5424; the RFC3164 Alt and RFC5424 values are copied from Syslog and not used separately. Values 0-7 denote Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug. CEF is 0-10, 0 is least severe and 10 is most severe. LEEF is 1-10, 1 is least severe and 10 is most severe. The last 4 values 0,0,0,0 are reserved and not in use.
e.g. criticality=2,5,5,5,7,9,0,0,0,0
match (General Match) - The General Match term is the filter expression, and is defined to be any value which includes DOS wildcard characters. It can also include regular expressions if the 'regex' box is checked.
e.g. match="*"
General Match Type - Include/Exclude. If Include is checked then the match or General Match term is equated as [ = ]; if Exclude is checked then it is [ != ].
Regex: =0 (Include general string term to match); =1 (Include regex string term to match)
e.g. regex=0 |

[Log] | This subsection stores the log monitors. |
Log# (where # is a serial number) | This section describes the format of the log monitors. Log monitors are of type REG_SZ, of no greater than 512 chars, and are composed of the following string:
LogType | LogPath
LogType is optional and is used to inform the Snare server how to process the data stream.
LogPath is the fully qualified path to the log file that needs to be monitored, or the fully qualified path to the directory containing date-stamped log files of the form "YYMMDD" (in this case a trailing backslash ('\') is required). Spaces are valid, except at the start of the term. |

[FIM] | This subkey stores the file integrity monitoring configuration values. |
FIM# (where # is a serial no.) | This section describes the format of FIM configurations, which are composed of the following string:
type=[0|1],alg=[0|1],criticality=[0-4],[0-7],[0-7],[0-7],[0-10],[1-10],0,0,0,0,schedule=<CRON_FORMAT>,dirfilter=<DIR_PATH>,filefilter=<INCLUDE_FORMAT>,exclusions=<EXCLUDE_FORMAT>,features=<VALUE>,state=[0|1|2],uuid=<UUID>
type: integer 0 or 1, where 0 indicates File type and 1 indicates Registry type.
alg: integer 0 or 1 indicating the algorithm used to hash the data. SHA256 = 0, SHA512 = 1.
criticality: integer between 0 and 4 that indicates the severity of the event. Critical = 4, Priority = 3, Warning = 2, Information = 1, Clear = 0. The next 3 values are Syslog for each of RFC3164, RFC3164 Alt and RFC5424; the RFC3164 Alt and RFC5424 values are copied from Syslog and not used separately. Values 0-7 denote Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug. CEF is 0-10, 0 is least severe and 10 is most severe. LEEF is 1-10, 1 is least severe and 10 is most severe. The last 4 values 0,0,0,0 are reserved and not in use.
CRON_FORMAT: a string in CRON format indicating when the system is to scan. Can be of the form CRON(<min>, <hour>, <day_of_month>, <month>, <day_of_week>) or one of @hourly or @daily.
DIR_PATH: the full path of the directory from which to start scanning. A terminating path delimiter followed by a * denotes a recursive scan.
INCLUDE_FORMAT: the format of the files to include in the scan. The * character denotes the use of wildcards.
EXCLUDE_FORMAT: the format of the files to exclude from the scan. The * character denotes the use of wildcards.
features: an integer representing a bit-wise set of features.
state: an integer representing the state of the FIM configuration. Disabled = 0, Enabled = 1, Requiring Service Restart = 2.
UUID: a string representation of a unique 16-byte value used to identify the configuration. |
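An added example (not from this page or the agent's code) serving the Objective, Watch, Filter and FIM rows above: a parser for the TAB-separated Objective#/Watch# strings and the comma-separated FIM# string that range-checks the 10-position criticality field shared by Filter and FIM. The JSON escapes in the page's two samples are decoded to literal TAB, quote and slash characters; the FIM1 string is constructed.

```python
import re

# Criticality layout from the Filter and FIM rows above:
# [0-4],[0-7],[0-7],[0-7],[0-10],[1-10],0,0,0,0 (the last four are reserved, always 0).
CRIT_FIELDS = [("snare", 0, 4), ("syslog_rfc3164", 0, 7), ("syslog_rfc3164_alt", 0, 7),
               ("syslog_rfc5424", 0, 7), ("cef", 0, 10), ("leef", 1, 10)] + [(f"reserved{i}", 0, 0) for i in range(1, 5)]

def parse_criticality(value: str) -> dict:
    """Split the 10-value criticality string and range-check each position."""
    parts = value.split(",")
    if len(parts) != len(CRIT_FIELDS):
        raise ValueError(f"criticality needs 10 values, got {len(parts)}")
    out = {}
    for (name, lo, hi), part in zip(CRIT_FIELDS, parts):
        n = int(part)
        if not lo <= n <= hi:
            raise ValueError(f"criticality {name}={n} is outside {lo}-{hi}")
        out[name] = n
    return out

def is_valid_criticality(value: str) -> bool:
    """True if every position of a criticality string is within its documented range."""
    try:
        parse_criticality(value)
        return True
    except ValueError:
        return False

def parse_policy(value: str, kind: str = "objective") -> dict:
    """Parse an Objective#/Watch# value (TAB-separated key=value pairs) or, with kind="fim",
    a FIM# value (split only on commas that precede a key=, so criticality's commas survive)."""
    items = re.split(r",(?=[A-Za-z_]+=)", value) if kind == "fim" else value.split("\t")
    fields = {}
    for item in items:
        key, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"field without '=': {item!r}")
        if key == "criticality":
            fields[key] = parse_criticality(val)
        elif key == "event":
            fields[key] = val.split(",")
        elif key == "match":
            fields[key] = val.strip('"')
        else:
            fields[key] = val  # path=, perms=, schedule=, uuid= and any other key kept verbatim
    return fields

# The page's two sample values with JSON escapes decoded, plus a constructed FIM string.
OBJECTIVE1 = 'criticality=1,1,1,1,1,1,0,0,0,0\tmatch=""\tevent=execve,fork,exit,kill,tkill,tgkill'
WATCH1 = 'criticality=2,2,2,2,2,2,0,0,0,0\tmatch=""\tpath=/etc\tperms=wa'
FIM1 = ("type=0,alg=1,criticality=3,2,2,2,8,8,0,0,0,0,schedule=@daily,dirfilter=/etc/*,"
        "filefilter=*.conf,exclusions=*.bak,features=0,state=1,uuid=<placeholder-uuid>")
```
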