Regular Expression Filters


Each destination can be configured to forward only particular events. The default behavior for each destination depends on the first filter.

If the first filter is set to INCLUDE, then only events that match the filters will be sent to the destination.

If the first filter is set to EXCLUDE, then all events will be sent to the destination, except for those that are specifically excluded by the subsequent filters.

Starting from Snare Central 8.4.0, destination regular expressions use RE2 syntax.
Earlier versions used PCRE syntax.

Examples of matches are listed below:

Example: Match a particular hostname in an event sent by a Snare Agent

Snare agents transmit the hostname as the first element of the event, followed by a tab. Some options for capturing 'myhostname' are shown below. Which option you use will depend on the format your log source uses to send events.

^myhostname\t

^myhostname(\.mydomain)\t

^([Mm]y[Hh]ostname|MYHOSTNAME)

Match syslog events

How specific your regular expression matches are will depend on your requirements.

^<[0-9]+>
^<[0-9]{1,3}>

^<[0-9]+>(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [1-9 ][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] 


Search for events that contain a particular word (e.g. a username)

Search for a 'whitespace' character, followed by the text 'myword' followed by another whitespace character, or an end-of-line marker.


\smyword(\s|$)

Note

It is important to note that any matches are performed on the string in the format in which it arrives at the Reflector, not on the format it will be translated to when sent to the remote destination. All matches are case sensitive and use RE2-based regular expression syntax (8.4.0 or newer) or PCRE (prior to 8.4.0).
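The following Go program is an added example, not Snare Central's own code, that models the INCLUDE/EXCLUDE filter behaviour described above using the patterns from this page. Go's regexp package uses RE2 syntax, so the patterns work unchanged; the rule that the first matching filter decides, with an unmatched event falling back to the first filter's mode, is an assumption drawn from the text, and the sample events are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Mode mirrors the INCLUDE / EXCLUDE setting on a destination filter.
type Mode int

const (
	Include Mode = iota
	Exclude
)

// Filter is one entry in a destination's ordered filter list.
type Filter struct {
	Mode    Mode
	Pattern *regexp.Regexp // Go's regexp package implements RE2 syntax
}

// Forward reports whether a raw event is sent to the destination.
// Assumed semantics: the first matching filter decides; with no match,
// an INCLUDE-first list drops the event and an EXCLUDE-first list sends it.
// No filters at all means every event is forwarded. Matching is case
// sensitive and runs on the event exactly as it arrived.
func Forward(filters []Filter, event string) bool {
	if len(filters) == 0 {
		return true
	}
	for _, f := range filters {
		if f.Pattern.MatchString(event) {
			return f.Mode == Include
		}
	}
	return filters[0].Mode == Exclude
}

// HostOnly forwards only events whose first tab-delimited field is 'myhostname'.
func HostOnly() []Filter {
	return []Filter{{Include, regexp.MustCompile(`^myhostname\t`)}}
}

// AllButWord forwards everything except events containing the word 'myword'.
func AllButWord() []Filter {
	return []Filter{{Exclude, regexp.MustCompile(`\smyword(\s|$)`)}}
}

func main() {
	// Constructed sample events: a Snare agent record and a syslog line.
	agent := "myhostname\tMSWinEventLog\t1\tSecurity\t4624"
	syslogEv := "<34>Oct 11 22:14:15 mymachine su: session opened for myword"
	fmt.Println(Forward(HostOnly(), agent), Forward(HostOnly(), syslogEv))     // true false
	fmt.Println(Forward(AllButWord(), agent), Forward(AllButWord(), syslogEv)) // true false
	fmt.Println(Forward(HostOnly(), "MYHOSTNAME\tMSWinEventLog"))             // false: case sensitive
}
```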