Reports - Configuration & Output

Snare reports begin life extremely simply. As you add more components, and more complex match settings, Snare exposes greater flexibility and more configuration options.

Example

The simple configuration dialog shown below scans the "Snare Central / Server Logs" data source, for any events produced over the course of the last 30 days, and displays a 15 minute 'Pattern Map' of the resulting data. A PDF has also been added to the output component list.

Email Header

When scheduling a report with email distribution enabled, the email header at the top of the email body can be customised if needed. The "Email header" section at the bottom of the configuration dialog allows the user to define their own header message for the objective.

The "Email Header" supports a number of macros, separated by spaces, that can be used as part of the header:

MACRO           Description
_ORGANISATION_  Organisation Name (as specified in the "Configuration Wizard" in the "Organisation" section).
_TITLE_         Objective Title ("Server Logs" in this example).
_IP_            IP Address.
_SERVER_        Server Name.
_DATE_          Current Date (YYYY-MM-DD).
_TIME_          Current Time (HH:MM:SS).
_ISODATE_       Current Time and Date in ISO format.
_SPACE_         A space.


Please note that this header is only visible in email messages and is not part of the report.

Please note that if the subject of the email needs to be customised, this is configured in the "Email Setup" section of the "Configuration Wizard", in the "Classification Header" subsection.

Example

A more complex objective is introduced below, as an indication of how flexible and comprehensive the Snare Modular objective query and output builder can be. The objective:

  • Defines search criteria that looks for any events that match:
    • Dates between this time last month, and yesterday, non-inclusive.
    • Events related to login failures.
    • For EITHER the users (DJSMITH, PTTHOMP, SJCOOK, KPWEIP, or LTROMA) OR from any source system starting with the word 'WORKSTATION', followed by a number that starts with 10,11,12,13 or 14.
  • Defines two additional 'tokens':
    • 'DESTUSER' scans the 'STRINGS' field of Windows Security logs, for a target account name, which is pulled out of the event using the following regular expression search:
      • (?:logon to account:| User Name:| Target Account Name:|Account For Which Logon Failed: Security ID: ....... Account Name:) *(.*?)(?: *by:| *Domain:| *Target Account ID:| *Account Domain:)
    • 'FAILREASON' also scans the 'STRINGS' field of Windows Security logs, for information on why a login failure occurred, using the following regular expression match:
      • (?:Reason:|User Account ) *(.*?) *(?:Status:|User Name:|Domain:|: *Target Account Name:)
  • Outputs a standard 15 minute pattern map, using yellow and red to show parts of the day where low or high volumes (respectively) of event data have been discovered.
  • Outputs a pattern map highlighting occurrences of each destination user account name.
  • Sets the objective up as a real-time objective, sending the output to the email list defined in the 'Objective Schedule' area of the objective. The title of the email has been configured to be "Failed login on sensitive workstations, or by monitored users".
  • Outputs a Table of the first 500 results that match the criteria outlined above, 50 results per page, displaying only the fields Date, Time, System, EventID, DestUser, and FailReason. A CSV dump of the table will also be produced.
  • Outputs a horizontal graph of the top 20 systems that match the search criteria for the objective.
  • Outputs a line graph of events-per-day that match the search criteria for an objective.

Although the information above, and the image below, are likely to be quite overwhelming when first encountered, this document will explain each section in more detail.

A more complex modular objective configuration dialog

 

Objective Header

The objective header displays:


  • The icon that is currently associated with the objective.
  • The objective title (Failed User Logins), the data source it currently interrogates (Windows Security), and the documentation assigned to the objective.
  • A modular objective configuration management panel, described below.

Criticality

An objective can be assigned a criticality level by clicking on the green, yellow, orange or red radio buttons.

The initial Snare Central dashboard will highlight generated objectives that fall into each criticality category.

Objective Type

Snare includes a range of 'templates' (often referred to as an 'Objective Type' in the Snare Central user interface) to make the job of a Snare administrator easier when crafting a new objective. These templates are hard-coded in Snare Central, may pre-define custom search criteria for you, will sometimes include custom code to perform tasks, and may be updated and expanded on each release of Snare Central.

A list of the templates included in Snare Central is available in the 'Modular Objective Templates' chapter, but here are some representative samples:

  • Report whenever a user attempts to access a sensitive file on a Windows file server.
  • Notify administrators when a particular Solaris user attempts to run a command.
  • Show modifications to permission flags, for ACF2 accounts.
  • Show all attempts to gain access to the root account on AIX systems.
  • Compare the current CISCO PIX or Router configuration to an authorised version.
  • Display events related to electronic mail delivery, for Gauntlet firewalls.
  • Search syslog data for attempts to use the 'sudo' or 'su' commands to escalate privileges.
  • Search IPTables firewall logs for dropped packets that have a source address of a non-routable IP block.
  • Highlight attempts to port-scan a NetScreen firewall.
  • Show attempts to change the configuration of a Nortel VPN Router.
  • Monitor attempts to access RACF resources.
  • Highlight failed authentication attempts on a SOCKS server.
  • Display results from the Snort network intrusion detection system.
  • Report on inappropriate material accessed through the corporate proxy server.
  • Show out-of-hours login access for Windows systems.


Example

A Windows failed login template will pre-define a match setting that looks for events that contain an EventID of 529, 530, 531, 532, 533, 534, 535, 536, 537, 539, 644, 681 or 4625, all of which indicate a failed login event. If Microsoft adds a new failed login event to Windows, a future version of Snare Central will update the Windows failed login template so that existing objectives also pick up the new information.

Example

A Windows successful login template, also defines two new modular features: "User Flags", and "Event Threshold". When the "User Flags" module is added to the objective, it allows users to be included or excluded from the final report, based on whether the account is disabled, locked, or has the "Don't expire password" or "Password cannot change" flags set. The objective will derive this information from scans performed by appropriate Snare Agents.

Once the "Objective Type" button is selected, a new dialog will appear in the objective window.


Objective Type - available templates

General objective template categories are displayed in the tree-menu to the left. Once an objective category is selected, a list of available objective types will be displayed in the right-hand section of the dialog. Click on the appropriate 'Select' button to choose a template.

A checkbox is available at the bottom left hand side of the dialog window, which will hide categories for which there is no event data on your Snare Central.

Unlock Objective

Objectives that are based on a pre-defined objective template can be 'unlocked' in order to change the pre-defined match settings. Once unlocked, however, they may no longer include the custom tokens or custom modular components, and will not have their components upgraded by the InterSect Alliance team with new releases.

Objectives that are 'locked' can still have additional match settings and tokens, added to the mix. Match settings and tokens are explored further below.

Field Settings

The field settings section displays a list of the 'fields' that are available to use in your search criteria, and also as input fields for modular output components.

Snare also allows you to 'break apart' an existing field, and place the resulting sub-string into a field with a new name; this is known as a 'Token'.

Tokens

If a small part of an existing field needs to be captured for further analysis, or reporting reasons, a new token can be defined by clicking on the green 'Add New' button.
A new dialog window will appear, which will allow you to configure your new token.

Defining a new Token


"Field Name" defines the name that you wish to assign to the new field.

"Configure the Field" asks you to select the source field that contains the information you are looking for.

"Search Criteria" asks you to define the regular expression that will be used to pull the substring out of the field content.

A regular expression is a complex, but extremely powerful tool, that will facilitate flexible matching, and extraction of substrings. We will cover regular expressions in more detail below, but in Snare, they take the general form:

  • Text to match before substring (Substring match) Text to match after substring


So, for example, assume the DETAILS field of an event includes the following string:


Safend Protector File Logging Alter Details: User: george Computer: Machine1234 Client GMT: 8/10/2011 4:13:23 AM Client Local Time: 8/10/2011 3:13:23 PM Server Time: 8/10/2011 4:13:30 AM Group: Policy: policy Device Description: Disk drive Device Info: Kingston DataTraveler 2.0 USB Device Port: USB Device Type: Removable Storage Devices Vendor: 13FE Model: 1D00 Distinct ID: ID001 Details: File Name: file.pdf File Type: pdf File Size: 50945 Created: 8/10/2011 3:13:23 PM Modified: 8/10/2011 2:23:44 PM Action: Write

In order to capture the user (george) from the above string, the regular expression needs to look for the word that follows the "User: " sub-string and is composed of alphanumeric characters (with the addition of the '@' symbol).

The token required to achieve this looks like:

Field Name: USER
Source Field: STRINGS
Search Criteria: User:\s*([A-Za-z0-9@]+)

This translates as: look for a "User:" sub-string, then zero or more white-space characters, then capture the run of one or more letters, numbers or '@' symbols that follows. The captured run becomes the value of the token.

Tokens, once created, are then treated as if they were a normal field, and can be filtered, grouped, sorted, or used as a target field in any modular output component that uses fields (eg: Graphs or Tables). This creates a powerful mechanism to effectively query sub-strings which are contained within a much larger string. Any number of tokens can be created which allows for a variety of choices when querying strings within strings.

A regular expression tester is also available, which can assist you with the process of creating a token; it can be accessed by clicking the 'Regular expression tester' link near the base of the token definition dialog.

Testing a regular expression match

If the expression you are using has a match somewhere in the sample log entry, it will be highlighted in yellow. Red text indicates the area of the sample that exactly matches your token expression, and a section highlighted in green shows the actual substring that will be pulled out by the token. 

Once you are happy that the regular expression meets your requirements, you can copy the expression back to your token with a click of a button, rather than copying/pasting the information from the dialog.


Example

Regular expression samples:

  • from=<([^>]+)
    • search for the word 'from' followed by an equal sign, and a less than symbol. Retrieve any characters after that, until you encounter a greater-than symbol (>)
    • from=<john@somewhere.com>
  • Account Name: (.*?)(?:New Account|New Domain|Target Domain|Account|Domain|Caller)
    • Retrieve any text between the strings "Account Name: " and one of either " New Account", " New Domain", " Target Domain", " Account", " Domain" or " Caller"
    • Account Name: DNI\UserLP Target Domain: DNI
  • open\(([^)]+)\)
    • Search for the string "open(", and retrieve any characters after that until you encounter a close bracket. The brackets that are part of the text to match must be escaped with a backslash; unescaped, they are read as group delimiters.
    • open(O_RDONLY|O_RDWR)
  • ^.............(..........)
    • Ignore the first 13 characters of this field, and retrieve the next 10.
    • INFORMATION: SUCCESS USER: JABLOGGS
  • ^.{13}(.{10})
    • Same as the above example, but using the regular expression 'repeat' quantifier: ignore the first 13 characters of this field, and retrieve the next 10.
    • INFORMATION: SUCCESS USER: JABLOGGS
  • ^.{13}([a-zA-Z0-9]{1,10})
    • Same as the above example, but cuts out the extra spaces after "SUCCESS", by limiting the retrieved characters to alphanumerics only (up to 10 of them).
    • INFORMATION: SUCCESS USER: JABLOGGS

Tokens that you have created, or can modify, are highlighted in green. Tokens that are part of an underlying objective template, and are therefore locked, will be highlighted in red.
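The token mechanism described above, as an added example that is not part of the Snare Central documentation: it applies the USER, DESTUSER and FAILREASON token definitions and the regular expression samples to constructed field values. The Windows 4625 'STRINGS' value and the space-padded 'INFORMATION: SUCCESS' line are made up for the example, and Python's re module stands in for Snare's RE2 engine.

```python
import re

# Constructed sample field values (not taken from the page's screenshots).
# The first is the Safend line quoted above; the second is a made-up Windows
# 4625 'STRINGS' value laid out like a real failed-logon event.
SAFEND_STRINGS = (
    "Safend Protector File Logging Alter Details: User: george Computer: Machine1234 "
    "Client GMT: 8/10/2011 4:13:23 AM Client Local Time: 8/10/2011 3:13:23 PM "
    "Details: File Name: file.pdf File Type: pdf File Size: 50945 Action: Write"
)
WIN_4625_STRINGS = (
    "An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: DC01$ "
    "Account Domain: CORP Logon ID: 0x3E7 Logon Type: 3 "
    "Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: jsmith "
    "Account Domain: CORP Failure Information: Failure Reason: Unknown user name or bad password. "
    "Status: 0xC000006D Sub Status: 0xC000006A"
)

# Token definitions as (field name, source field, search criteria), using the
# expressions discussed above. None of them use features on which Python's re
# and RE2 disagree.
TOKEN_DEFS = [
    ("USER", "STRINGS", r"User:\s*([A-Za-z0-9@]+)"),
    ("DESTUSER", "STRINGS",
     r"(?:logon to account:| User Name:| Target Account Name:|Account For Which Logon Failed: "
     r"Security ID: ....... Account Name:) *(.*?)"
     r"(?: *by:| *Domain:| *Target Account ID:| *Account Domain:)"),
    ("FAILREASON", "STRINGS",
     r"(?:Reason:|User Account ) *(.*?) *(?:Status:|User Name:|Domain:|: *Target Account Name:)"),
]


def extract_token(event, source_field, pattern):
    """Apply one token definition to one event.

    Returns the first capture group of the leftmost match, or None when the
    source field is missing or the expression does not match. Snare applies
    ^ and $ to the field contents, which is also how re.search treats a
    string holding a single field.
    """
    text = event.get(source_field)
    if text is None:
        return None
    m = re.search(pattern, text)
    if m is None:
        return None
    return m.group(1) if m.lastindex else m.group(0)


def add_tokens(event, token_defs=TOKEN_DEFS):
    """Return a copy of the event with every token added as a new field,
    so it can then be filtered, grouped or graphed like any other field."""
    out = dict(event)
    for name, source, pattern in token_defs:
        out[name] = extract_token(event, source, pattern)
    return out


def tokens_for_safend():
    # USER -> "george"; the Windows-only tokens stay None on this event
    return add_tokens({"SYSTEM": "Machine1234", "STRINGS": SAFEND_STRINGS})


def tokens_for_windows_4625():
    # DESTUSER -> "jsmith", FAILREASON -> "Unknown user name or bad password."
    return add_tokens({"EVENTID": 4625, "STRINGS": WIN_4625_STRINGS})


# The regular expression samples listed above, each paired with its sample input.
# The SUCCESS line is padded with extra spaces, as the last sample's description implies.
REGEX_SAMPLES = [
    (r"from=<([^>]+)", "from=<john@somewhere.com>"),
    (r"Account Name: (.*?)(?:New Account|New Domain|Target Domain|Account|Domain|Caller)",
     r"Account Name: DNI\UserLP Target Domain: DNI"),
    (r"open\(([^)]+)\)", "open(O_RDONLY|O_RDWR)"),
    (r"^.{13}(.{10})", "INFORMATION: SUCCESS   USER: JABLOGGS"),
    (r"^.{13}([a-zA-Z0-9]{1,10})", "INFORMATION: SUCCESS   USER: JABLOGGS"),
]


def run_regex_samples():
    """Extract each sample's substring; returns the list of captured values."""
    return [extract_token({"F": text}, "F", pat) for pat, text in REGEX_SAMPLES]
```

Note that the second sample keeps the trailing space before "Target Domain", because the lazy group stops only where one of the alternatives begins.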

Configure Match Settings


Snare's query builder is a flexible tool that allows you to create very complex search criteria, incorporating precedence, logical operations, and advanced matching capabilities.

Show Current Query

Although Snare does not utilise a database back-end for data storage, queries created with the Snare query builder are translated into SQL syntax, and passed through a translation layer.

Selecting the '[Show Current Query]' link in the title panel, will pop up a new dialog that displays the SQL query that would be run against the Snare datastore, based on your current match settings.

Adding a New Match

Selecting the 'Add New Match' button will append a new row to your existing match settings. By default, the new row will use 'Date' as the target field, ">" as the comparison operator, and the input field will be initially blank.

Match Row Components


Drag and Drop grab bar 

Each match row can be moved up or down, and positioned before or after other match criteria. Click and hold the grab bar, and drag the match row, to rearrange. Snare evaluates matches from top to bottom.

Field to use

Select the field to use for your search criteria, by clicking on this button. A drop-down menu will appear, that will detail the fields that you can choose from.

Snare breaks up event logs into a series of fields for you, when the event arrives at Snare Central. As described in the section on 'Tokens' above, you can also choose to create meta-fields that represent a predictable portion of a larger field. These tokens will appear in the drop-down menu after you create them.

Comparison operator

The comparison operators available for selection depend on the field you have chosen. Numeric, date, and time values will have the following comparison operators available:

  • Equals (=)
  • Greater than (>)
  • Less than (<)
  • Greater than or equal to (>=)
  • Less than or equal to (<=)
  • Not equal to (!=)
  • Includes
    • You may include several comma-separated values in the input field - eg: 1,2,3,7,9
  • Excludes
    • You may include several comma-separated values in the input field - eg: 1,2,3,7,9

String values will have the following comparison operators available:

  • Equals (=)
  • Not equal to (!=)
  • Contains
    • This will search for a simple case insensitive substring
  • Like
    • Implements a SQL LIKE operator. LIKE uses the 'percent' sign for wildcards - so for example, a search for "%login%failed%" will match the string "attempted login for user 'fred' failed at 17:23:01"
  • Regexp
    • Implements a RE2-compatible regular expression search. As highlighted above, regular expressions are complex, but extremely powerful and flexible string search functions.
      • Tip: Snare co-opts the "start of string" and "end of string" characters ("^" and "$" respectively) to refer to the start of the contents of the field you are currently operating on, and the end of the field, rather than referencing the entire line.
  • Not Regexp
    • Excludes all fields that match the supplied regular expression.
  • Includes
    • You may include several comma-separated values in the input field - eg: fred,jim,tony
  • Excludes
    • You may include several comma-separated values in the input field - eg: fred,jim,tony

Input field

A flexible input field that allows you to specify search criteria based on your field and comparison operator.

Note that Snare also allows you to compare two fields, rather than entering an actual value here. If, for example, you had two username fields (USERNAME, and TARGETUSER) in your data source, and you wished to return events in the query where the two were not equal, you could:

  • Set USERNAME as your 'Field to Use'
  • Set != as your 'Comparison Operator'
  • Enter TARGETUSER in the Input field, surrounded by two '@' characters:
    • @TARGETUSER@

These two '@' symbols indicate to Snare that the contents of the input field refer to a "Field to use" (as highlighted above), rather than a static comparison value. Snare strips the '@' symbols and compares the two fields. Tokens are supported, and the following comparison operations are valid:

  • =
  • !=
  • >
  • <
  • >=
  • <=

 

Some fields allow you to specify indirect values. The 'Date' field, for example, generally takes arguments of the format "YYYY-MM-DD", but values such as the following are also valid, and will be reinterpreted each time the objective runs:

  • last week
  • next thursday
  • -7 weeks
  • first day of next month
  • last day of april 2012
  • first day of last month
  • 3rd april this year + 20 days


The 'Time' field generally prefers times in the format "HH:MM:SS", however it also accepts standard integer values. A number in the 'Time' field will be interpreted as "Now minus 'x' minutes", where 'x' is the value you entered, and 'Now' is the time at which the objective runs. For example:

  • TIME >= 120
    • This will be interpreted by Snare as: "TIME is greater or equal to NOW minus 120 minutes".
    • If the objective runs at 10:05am, Snare will calculate the value to be 08:05:00
    • The match term will then be extrapolated to "TIME IS greater or equal to 08:05:00"

  • Note that TIME >= 120, does NOT NECESSARILY equate to "in the last two hours". Since Snare extrapolates the value to TIME >= 08:05:00, then if you have set your objective to report on data from the last 30 days, it will mean your objective will display data from ANY DAY that matches your other match terms, between 08:05:00 and 23:59:59. Data between 00:00:00 and 08:04:59 will not be displayed by the objective. If you specifically need to ONLY show data within the last two hours, you would need to add a second match term: DATE = today, or alternatively, set your "Maximum Days to Search" slider to "1 day".
  • Note also that the logical sign direction is somewhat counter-intuitive if you do not understand how Snare Central extrapolates the time value. It could be argued that "<= 120 (minutes)" would be better syntax for "in the last two hours"; however, that would assume that a value in the time field also automatically controls the date field; this is not the case. Please be cautious with your logical sign direction.
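The expansion of an integer TIME value, and the 30-day pitfall described in the two notes above, as an added example that is not part of the Snare documentation. The event records, the 10:05 run time and the run_matches evaluator are constructed for illustration and do not reproduce Snare's own query engine.

```python
from datetime import datetime, timedelta

# Comparison operators available for date and time fields. DATE and TIME are
# kept as "YYYY-MM-DD" / "HH:MM:SS" strings, which order correctly as text.
OPS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
}


def resolve_time_value(value, now):
    """Literal that a TIME match row is expanded to before it is evaluated.

    A bare integer means "now minus that many minutes"; only the clock time
    survives the expansion, the date part is discarded. Anything else is
    taken to be an HH:MM:SS string already.
    """
    if isinstance(value, int):
        return (now - timedelta(minutes=value)).strftime("%H:%M:%S")
    return value


def resolve_date_value(value, now):
    """Expand the one indirect DATE value this example supports ('today')."""
    return now.strftime("%Y-%m-%d") if value == "today" else value


def run_matches(events, matches, now, max_days=30):
    """Evaluate match rows (field, operator, value), ANDed, over the events.

    max_days plays the role of the 'Maximum Days to Search' slider: events
    older than that are never considered. Returns the matching event IDs.
    """
    oldest = (now - timedelta(days=max_days)).strftime("%Y-%m-%d")
    hits = []
    for ev in events:
        if ev["DATE"] < oldest:
            continue
        for field, op, value in matches:
            if field == "TIME":
                literal = resolve_time_value(value, now)
            elif field == "DATE":
                literal = resolve_date_value(value, now)
            else:
                literal = value
            if not OPS[op](ev[field], literal):
                break
        else:  # every match row held
            hits.append(ev["ID"])
    return hits


# Constructed sample data: the objective runs at 10:05 on 10 April 2012.
NOW = datetime(2012, 4, 10, 10, 5, 0)
EVENTS = [
    {"ID": 1, "DATE": "2012-04-10", "TIME": "09:30:00"},  # today, within the last two hours
    {"ID": 2, "DATE": "2012-04-10", "TIME": "07:30:00"},  # today, earlier than 08:05:00
    {"ID": 3, "DATE": "2012-03-31", "TIME": "09:30:00"},  # ten days ago, but after 08:05:00
    {"ID": 4, "DATE": "2012-03-31", "TIME": "07:30:00"},  # ten days ago, before 08:05:00
    {"ID": 5, "DATE": "2012-03-01", "TIME": "09:30:00"},  # older than the 30-day window
]


def time_only():
    """TIME >= 120 alone: 120 expands to 08:05:00, so event 3 is included too."""
    return run_matches(EVENTS, [("TIME", ">=", 120)], NOW)  # returns [1, 3]


def time_and_today():
    """Adding DATE = today restricts the result to the last two hours."""
    return run_matches(EVENTS, [("TIME", ">=", 120), ("DATE", "=", "today")], NOW)  # returns [1]


def wrong_sign():
    """TIME <= 120 selects the events before 08:05:00, not the last two hours."""
    return run_matches(EVENTS, [("TIME", "<=", 120)], NOW)  # returns [2, 4]
```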

Contextual selection button

This button appears for some fields, and provides you with the ability to quickly select either:

  • A range of values that have been captured from the last 30 days' worth of log data, or
  • A range of common, or recommended, values.

Selecting multiple values will generally turn on the 'INCLUDES' comparison operator, if you have not already selected 'INCLUDES' or 'EXCLUDES'.

Examples of dialogs generated as a result of selecting the contextual selection button

Match row indentation

The Snare Central query builder is able to implement explicit operation precedence for your match terms, by using indentation of match and logic rows. In this way, groups of match terms can be joined using a variety of logical operations such as AND and OR.

If you are familiar with the use of brackets in mathematical operations, an increase in indentation is analogous to opening a bracket. A decrease of indentation is analogous to closing a bracket.

Many queries do not require row indentation. For example, if we were trying to implement a simple 'outside of work hours' query, we would want to look for events that occur outside of 9am to 5pm (for example), or that occur on a weekend.

If we were writing this in mathematical, or SQL-like notation, we would use the following:

IF TIME < '09:00:00' OR TIME > '17:00:00' OR DATE = 'saturday' OR DATE = 'sunday'

In the Snare Central query builder, it would look like this:



However, if we wanted to ONLY report on out-of-hours events that are tagged with the username "Fred", then we would need to do something a little more complex, and add in operational precedence / brackets. Our new string would look like this:

IF USERNAME = "Fred" AND (TIME < '09:00:00' OR TIME > '17:00:00' OR DATE = 'saturday' OR DATE = 'sunday')

Note the addition of the AND, and the brackets. This would mean that both the date/time component AND the UserName component had to be matched, for an event to be reported. If an event occurred on a weekend, but it was not for the user Fred, it would not meet the criteria we specified.

Recall that increasing our indentation factor for a particular row, is equivalent to opening a bracket. In this case, we would need to add the 'UserName = Fred' match row at the top of the match rows, and then increase the indentation of every row after the logic element associated with the UserName match:



In effect, because all of the rows with the same indentation (as indicated by the number of exposed arrows to the left of the row) are 'grouped', they are enclosed within the same bracket group, as illustrated by the following image.



By utilising the indentation of match and logic rows, complex logical precedence operations can be designed.

It is sometimes easy to overlook an un-indented logic row. Remember that an increase, or decrease in indentation for both match AND logic rows, will affect your bracket placement.

The 'decrease row indentation' arrow will be enabled (green) or disabled (grey) depending on the current row indentation, and whether it is possible to decrease the indentation of the row any more.
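The indentation-to-bracket translation described above, together with the @FIELD@ field comparison and the Includes/Excludes operators from the match row section, as an added example that is not part of the Snare documentation. The row model, the rendering of NOT as AND NOT, and the SQL-style output are assumptions about the translation layer, which the page does not specify.

```python
LOGIC_SQL = {"AND": "AND", "OR": "OR", "NOT": "AND NOT"}


def match(indent, field, op, value):
    """A match row; indent is the number of exposed arrows (bracket depth)."""
    return {"indent": indent, "field": field, "op": op, "value": value}


def logic(indent, op):
    """The logic row that joins a match row to the one after it."""
    return {"indent": indent, "logic": op}


def render_value(value):
    """Quote a literal; leave integers and @FIELD@ column references bare."""
    if isinstance(value, str) and len(value) > 2 and value[0] == value[-1] == "@":
        return value[1:-1]  # field-to-field comparison, e.g. @TARGETUSER@
    if isinstance(value, int) or (isinstance(value, str) and value.isdigit()):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"


def render_match(row):
    field, op, value = row["field"], row["op"], row["value"]
    if op in ("Includes", "Excludes"):  # comma-separated value list
        items = ", ".join(render_value(v.strip()) for v in str(value).split(","))
        return f"{field} {'IN' if op == 'Includes' else 'NOT IN'} ({items})"
    return f"{field} {op} {render_value(value)}"


def build_where(rows):
    """Translate alternating match/logic rows into a bracketed WHERE clause.

    An increase in indentation opens a bracket before the row, a decrease
    closes one, and brackets still open at the end are closed. Raises
    ValueError on structures the indentation cannot express (a bracket
    opened by a logic row, rows that do not alternate, a trailing logic row).
    """
    out, depth, expect_match = [], 0, True
    for row in rows:
        is_logic = "logic" in row
        if is_logic == expect_match:
            raise ValueError("match rows and logic rows must alternate")
        if is_logic and row["indent"] > depth:
            raise ValueError("a logic row cannot open a bracket")
        while row["indent"] > depth:
            out.append("(")
            depth += 1
        while row["indent"] < depth:
            out.append(")")
            depth -= 1
        out.append(LOGIC_SQL[row["logic"]] if is_logic else render_match(row))
        expect_match = is_logic
    if expect_match and rows:
        raise ValueError("the query ends with a dangling logic row")
    out.extend(")" * depth)
    return " ".join(out).replace("( ", "(").replace(" )", ")")


def out_of_hours(indent):
    """The four out-of-hours rows from the text, all at one indentation."""
    return [
        match(indent, "TIME", "<", "09:00:00"), logic(indent, "OR"),
        match(indent, "TIME", ">", "17:00:00"), logic(indent, "OR"),
        match(indent, "DATE", "=", "saturday"), logic(indent, "OR"),
        match(indent, "DATE", "=", "sunday"),
    ]


def fred_query():
    """USERNAME = Fred at depth 0, the out-of-hours group indented one level."""
    return build_where([match(0, "USERNAME", "=", "Fred"), logic(0, "AND")] + out_of_hours(1))


def fred_query_misindented():
    """Same rows, but the first OR row was left un-indented: the group splits."""
    rows = [match(0, "USERNAME", "=", "Fred"), logic(0, "AND")] + out_of_hours(1)
    rows[3] = logic(0, "OR")
    return build_where(rows)
```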

Remove match and logic row

Removes the current match row, and the associated logic row, from the Snare query builder. Snare will ask you for confirmation that you wish to remove the row, and then remove the appropriate match from the configuration settings.

Logical operators

Choose from "AND", "OR", or "NOT" (which translates to "AND NOT").

Output and Configuration Component


Output and configuration components can be dragged from the top half of this section, into the bottom half, titled "Drop Components Here to add them to the objective output". This will result in either:

  • A new output component being added to the report (for example, a line graph, or a table of log data), or
  • Additional configuration settings displayed, that can be applied to the objective (for example, adding the option to only display users who have an expired account, on the Windows domain).

The number, and type of output components, depends significantly on the data source that is being interrogated.

Example

  • Objectives that scan firewall or router related event log data may include a 'geolocation map' that attempts to draw a line from the approximate geographic location of a source IP address, to destination IP addresses, on a map of the world.
  • Objectives that scan proxy log data may include special output components that measure bandwidth by target site or user.
  • UNIX systems that use the concept of a 'home directory' may make a special output component available that highlights attempts by users other than the owner, to access a home directory.
  • Objectives focused on network intrusion detection system log data may introduce a 'target port map' output component, that can visually map attempts to port scan a corporate network.

Most components, when added to the objective, will also create a 'configuration panel' that allows you to control the output of each component. A '15 minute pattern map', for example, will provide the option of using a standard linear colour scale for the output, an exponential colour scale that highlights different ranges of data, or even a visual map of a particular target output field. Some of the more common output components are highlighted below.

 

Some components, when dragged to the drop area, will reveal a second version of the same component in the drag section (eg: Pattern Map, and Pattern Map 2). As such, an objective can have two copies of many components, with slightly different configuration settings applied to each.

Pattern Map

The 15 minute pattern map provides a visual overview of event log data, displaying an indication of the volume, or contents of each separate 15 minute segment within the reporting period, as a colour selected from an appropriate area of graduated scale.

The pattern map can be configured to use a standard scale, an exponential scale, or to map the contents of a particular field. Exponential mode can highlight particular patterns that are difficult to see in the standard colour mode.

15 minute pattern map - standard configuration

15 minute pattern map - showing the contents of the 'Username' field


Each element of the pattern map can be clicked on, with your left mouse button, to search for the data that comprises that particular 15 minute segment. A new dialog will appear in the objective panel that shows the underlying data. The data can be sorted by clicking on a column header.


Sorting on 'Date' will sort on both Date and Time. Selecting 'Time' will only sort on the Time column.

Selecting a 15 minute segment - firewall log data


Clicking on a date, to the left of the pattern map, will attempt to generate a table listing all events for that particular day, that match the objective search criteria.

For high volume sites, this process may take a long time to complete.

Table

To include a dump of event data that matches the search criteria specified for an objective, the 'Tabular Details' modular component can be dragged into the inclusion list.

Fields that should be included within the table output can be dragged from the top half of this section, into the panel titled "Include these fields in the table output".

When a field is dragged into the inclusion list, ascending and descending sort buttons will appear next to the field. Sort criteria are evaluated left to right. Fields can be reordered within the inclusion list in order to modify the sort output. The order of the fields in the inclusion list will also define the order in which they appear in the tabular output component.

Table output for a firewall-related objective



By default, the table will display a subset of the data that matches the objective search criteria. The default settings are 500 rows, at 50 rows per page.


The table width will be set to the size of your browser window, minus a small space around the border of the table. For small screens, this can mean that long lines 'squash up' into very narrow columns, and you see very few lines per page.

You can make your entire table bigger by scrolling up to the top-right corner of the table, grabbing the very top-right edge (click and hold your left mouse button), and dragging your mouse off to the right hand side, beyond the boundaries of your page (ie: to the right hand limit of your browser window, or beyond). This will increase the size of the table beyond the visible area of your browser window, and a new scroll-bar will appear at the bottom of your browser window. You can then rearrange the width of each column as appropriate, and each line will take up less vertical screen real-estate.

Results can be 'grouped' to produce a tally of events that contain common field values. In order to activate this, choose the fields that should participate in the 'group', and add them to the table field inclusion list. Select the checkbox next to "Produce a total of the unique values for the included fields", in the "Summary Information" section of the table configuration component. You may also choose to sort by the total unique values column, and potentially rename the column from the default "TOTAL" to something that better represents your data.

For example, based on the table output screenshot above, if you wanted to analyse the most common destination ports by date, you could add fields 'Date', 'Proto', 'Action' and 'DstPort' to the field inclusion list.

Grouping Table data



After the objective regenerates, your table displays a new column, which shows how many events share the same Date, Protocol, Action and Destination port, out of all events that match the search criteria specified in the objective.

Grouping values in the table output component

Fields that are numeric, or tokens that are derived from a numeric field, will also be included as an option under the 'Produce a SUM of the values of the following integer field'. This feature is useful in situations where you wish to know information like:

  • Who are the top 10 users of bandwidth, through our corporate proxy server or firewall? (ie: Produce a sum of 'Bytes' per-user or per-IP)

SUMMED column values will respect the sort criteria you have attached to the original field. If you ask Snare to produce a SUM of the 'Bytes' field, for example, and have chosen to sort Bytes in descending order, the SUMMED values will be sorted in descending order.


CSV (Tab delimited) and text dumps of the table data can also be produced. These will be available as an attachment to the objective.

Horizontal Graph

Horizontal graphs can be created by adding this element to your modular inclusion list. Select a field to use as a basis for the graph by choosing an option under "Produce a horizontal graph of the total event count for this element".


The number of graph 'rows' to be included can be defined, and you can also sort the graph by either the total count (descending), or by the actual field value (alphanumerically).


Pie Graph

Pie graphs can be created by adding this element to your modular inclusion list. Select a field to use as a basis for the graph by choosing an option under "Produce a pie graph of the total event count for this element".

You can specify the preferred number of segments to be shown in the pie graph. If these segments do not represent 100% of the returned results, an additional 'Other' segment will be displayed on the pie graph.


Line Graph

A line graph of total events can be created by adding this element to your modular inclusion list. You may specify that events should be graphed by Day, Week, Month or Year.


PDF Output

To include a PDF of the objective output, add this component to the modular objective inclusion list. The PDF will be available from the 'Attachments' button in the top panel, and will be included with any electronic mail messages that are sent as a result of this objective being regenerated.

Annotations 

To add annotations to an objective, add this component to the modular objective inclusion list. Once the objective is regenerated, the annotations form is available for editing. By default this content does not go out to end-users in email or when a PDF report is generated; however, this can be changed by ticking the associated checkbox in the Annotations configuration.

 

Real-time Alert

Activating real-time alerts for any objective activates a module in the collection subsystem, that scans incoming data for events that match your query terms. Real-time alerts can be sent out via email.


Activating real-time alerts will significantly reduce your maximum potential event collection speeds. Each additional real-time alert that is activated, will also increase the amount of processing that your server needs to do, per-event, and will slightly decrease your maximum potential event collection speed.

Destination Port Map

This output component appears for data sources that include a destination IP address, and destination port - such as firewalls, or network intrusion detection systems.
The destination port map shows destination ports hit during the period specified in the objective match settings, as a clickable exponentially-scaled dot-map. Areas of higher activity are represented as colours towards the top end of the colour spectrum.


Geolocation Map

This output component draws lines that represent the country of origin for source and destination IP addresses, for firewall/NIDS related data sources.


Random Image Selection

For proxy-server related objectives, a random selection of images can be displayed to provide a general overview of image-related browsing habits.



Bandwidth by User / Site

For proxy-server related objectives, the top sites by bandwidth, and/or top authenticated users by bandwidth utilisation can be displayed.