Output Modification Modules
Snare Central provides several layers of increasing flexibility. Although a majority of Snare Central customers will be fully comfortable with creating objectives in the user interface, there are also opportunities for advanced users to change the way that Snare reports data.
Snare uses a range of computer languages to accomplish tasks. High-speed languages such as C, C++ or Golang are used in places where speed is critical, such as the front-end collection system, or the code that interrogates the data store. Higher level 'scripting' languages such as Perl or PHP are used for presentation tasks.
Output modification modules can accomplish several tasks:
- Change the colour of an entire row, based on the content of the row.
- Change the colour of a particular field, based on the content of the field, or the content of a row element.
- Change the content of a field, based on the previous content of a field, or the content of a row element.
Example
- For Windows Security logs, use the USERNAME field to scan for the user in question in the corporate personnel directory. If the user exists, append an image link, so that the user's personnel photo is displayed alongside the user name.
- When an account is created on a Windows server, highlight the user name in green. When an account is removed, highlight the user name in red.
- For PIX firewall events that indicate a packet has been blocked, highlight the entire row in red.
Output modification modules must share the name of the field, or Token, that they are designed to modify, written in uppercase characters and with ".php" appended. So, for example, if you wished to create an output modification module for the 'USERNAME' field, you would create a file called 'USERNAME.php'.
If you wished the output modification module to change ANY field called 'USERNAME', regardless of the data source (eg: regardless of whether it was a Windows Security data source, an IP Tables Firewall Log data source, or a Squid Proxy data source), then you would create the file in /data/SnareUI/Global/Modules/USERNAME.php
If you wished the output modification module to be specific to a data source, you would create the file in /data/SnareUI/Global/Modules/DATASOURCENAME/USERNAME.php, where DATASOURCENAME is the name of the data source (eg: CISCORouterLog, WinSecurity, Tru64Audit).
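As an added example (not code from the Snare documentation or product), the module below implements the personnel-photo idea from the Example list above as a data-source-independent module for the 'USERNAME' token, saved as /data/SnareUI/Global/Modules/USERNAME.php. It uses the Colour, PrintData and RowColour method names and signatures of the DESTUSER module shown later on this page. The in-memory directory table, the lookupPhoto() helper and the photo URLs are assumptions standing in for a real directory query. It also assumes that the value PrintData returns is emitted into the page as HTML (which the DESTUSER example relies on for its <strike> tags) and that $text is the raw field value from the log, so it escapes that value with htmlspecialchars() before wrapping it in markup.

```php
<?php
# Added example: global output modification module for the 'USERNAME' token.
# File location (per the naming rules above): /data/SnareUI/Global/Modules/USERNAME.php
# The class name must match the token name. Method names and signatures follow
# the DESTUSER module on this page. The directory table and lookupPhoto() are
# assumptions: a real deployment would query the corporate directory (e.g. LDAP).

class USERNAME {
    # Constructed sample data standing in for the personnel directory.
    # Keys are user names as they appear in the log; values are photo URLs.
    private static $directory = array(
        "jsmith"   => "/personnel/photos/jsmith.jpg",
        "adminbob" => "/personnel/photos/adminbob.jpg",
    );

    # Assumed helper: resolve a user name to a photo URL, or null if unknown.
    private static function lookupPhoto($user) {
        $key = strtolower(trim($user));
        return isset(self::$directory[$key]) ? self::$directory[$key] : null;
    }

    # Colour of the USERNAME field: accounts missing from the directory are
    # highlighted, since they are the ones worth a second look.
    function Colour($text, $row) {
        return (self::lookupPhoto($text) === null) ? "orange" : null;
    }

    # Content of the USERNAME field: the (escaped) name plus a photo link.
    function PrintData($text, $row) {
        # $text comes straight from the log and is rendered as HTML, so escape it:
        # whoever controls a user name must not be able to inject markup into
        # the analyst's browser.
        $safe  = htmlspecialchars($text, ENT_QUOTES, "UTF-8");
        $photo = self::lookupPhoto($text);
        if ($photo === null) {
            return $safe;
        }
        $url = htmlspecialchars($photo, ENT_QUOTES, "UTF-8");
        return $safe . ' <img src="' . $url . '" alt="" height="32">';
    }

    # Row colour is left to the data-source default (or to other modules).
    function RowColour($row) {
        return null;
    }
}
?>
```

Without the htmlspecialchars() calls, a user name that contains markup (log fields are attacker-influenced; the account name in a failed logon event, for example, is whatever the caller supplied) would be rendered verbatim in the report viewer. The same applies to any module that builds HTML around a field value.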
An example follows that:
- Is stored in the WinSecurity directory (/data/SnareUI/Global/Modules/WinSecurity/DESTUSER.php).
- Modifies the 'DESTUSER' field; a Token defined in several Windows Security related objectives.
- Changes the colour of the entire row to RED, if the Windows EventID is '999'.
- Changes the colour of the DESTUSER field to:
  - Green, if the event is related to user creation.
  - Red, if the event is related to user removal.
  - Blue, if the user has been modified or enabled.
  - Orange, if the user account has been disabled.
- Modifies the contents of the DESTUSER field so that the text is surrounded by the HTML "strikeout" elements, if the event is related to user removal.
<?php
# Output modification module for the DESTUSER token, specific to the
# WinSecurity data source. The class name must match the token name.
class DESTUSER {
    # Colour of the DESTUSER field. Old-style (pre-Vista) and new-style
    # Windows event IDs are listed side by side, e.g. 624 and 4720.
    function Colour($text, $row) {
        if (in_array($row["EVENTID"], array(624, 4720))) {
            return("green");   # User created
        }
        if (in_array($row["EVENTID"], array(630, 4726))) {
            return("red");     # User removed
        }
        # Note: 4720 is already matched by the creation branch above, so it
        # never reaches this test.
        if (in_array($row["EVENTID"], array(625, 626, 642, 4720, 4730))) {
            return("blue");    # User modified/enabled
        }
        if (in_array($row["EVENTID"], array(629, 4725))) {
            return("orange");  # User account disabled
        }
        # Fallback: infer the action from the event's message text.
        if (strstr($row["STRINGS"], "Created")) {
            return("green");
        } else if (strstr($row["STRINGS"], "Deleted")) {
            return("red");
        } else if (strstr($row["STRINGS"], "Changed")) {
            return("blue");
        }
        # No match: leave the field at its default colour.
        return(null);
    }

    # Content of the DESTUSER field: strike through removed accounts.
    function PrintData($text, $row) {
        if (in_array($row["EVENTID"], array(630, 4726))) {
            $text = "<strike>$text</strike>";
        }
        return($text);
    }

    # Colour of the whole row.
    function RowColour($row) {
        if ($row["EVENTID"] == 999) {
            return("red");
        }
        return(null);
    }
}
?>