Configure Destination
Navigate to Reflector UI and open Configure Destination page.
This page lists all the destinations, both internal and external, that the events are sent to.
Note: the first three destinations in the configuration interface are reserved for use by Snare Central internally and cannot be modified. These internal destinations are marked with a padlock icon.
View Destinations List
The Destinations tab contains two panels:
Left panel - List of all the destinations and their status indicators
Right panel - Details of the destination selected from the list on the left
The Destinations List shows each destination's user-defined name (or "Destination #" if no name was provided) together with the following status indicators.
Status Indicators in Destinations List
Each destination is shown with the following color-coded status indicators:
Destination Status
- status is Connected or Sending
- status is Connecting
- status is Disconnected
No heart icon is displayed for Disabled destinations.
Destination Enabled
- destination is Enabled
- destination is Disabled. No events will be sent to this destination.
Destination is a Priority
- destination is a Priority. See Destination Details section below for more info.
- destination is Not a Priority
Destination is Locked
- destination is reserved for use by Snare Central internally, and cannot be modified.
Add Destination
Select + Add Destination tab on the Reflector > Configure Destination page.
The following form will be displayed:
Destination details
Define the following Destination details:
Name - User-friendly name of the destination, used for display purposes. The name can contain alphanumeric characters (a-z, A-Z, 0-9), underscores (_) and hyphens (-). No spaces are allowed.
Enable - Indicates whether sending events to this destination is currently enabled
Priority - Indicates whether this destination is considered a Priority destination
IP/Hostname - An IP address or a hostname to which the Snare Reflector should direct log data
Port - The target port on the destination server to send log data to.
Enter port 6161 if sending data to a Snare Server, unless sending encrypted data.
Enter port 514 to send data to a syslog server, unless the syslog server on the destination listens on a non-standard TCP/UDP port.
Destination Format - Events will be converted to the selected format before being sent to this destination
Snare Server 7.1+ - Logs will be sent using a Snare Central internal format
Syslog RFC 5424 - Logs will be sent using the latest generation of the syslog protocol, with fields parsed from the source log included within the RFC5424 structuredData element.
Syslog RFC 3164 - Logs will be sent using the older generation of the syslog protocol. Note that some information (such as the 'year' in which the log was generated) will be lost, when using this format
QRadar - Syslog RFC 3164 format, but the Reflector will attempt to remove the first tab-delimited field supplied with the incoming event, as long as it does not include internal spaces, in order to work around a QRadar processing issue
RSA Envision - Syslog RFC 3164 format, but the Reflector will prefix a header to the syslog message, which includes the originating IP address, and the date/time in seconds-since-epoch format that the event arrived at the server
RAW - no conversion - No format conversion will be performed
Generic JSON - Both header and event content information is represented in a single-line JSON format
Elasticsearch bulk delivery - Snare internal format for SATI. Events will be batched up and delivered in groups via an HTTP POST upload to Elasticsearch. Logs can also be sent to multiple external Elasticsearch installs and Amazon OpenSearch (a fork of Elasticsearch) installs with different ports, addresses and filtering.
Syslog 5424 JSON - Syslog RFC 5424 header, with JSON payload. In the event that a Snare V2 format log is received, it will be forwarded in the original format, with any extra enhancements inserted as key/value pairs into the Event/Data/SnareDataMap key.
Syslog RFC5424 - no structuredData - Logs will be sent using the latest generation of the syslog protocol, but will explicitly avoid injecting field data into the structuredData component of RFC5424, if the source event does not already include structuredData.
CEF - The event will be converted to CEF format, where each event field will either be implemented as a vendor CEF field in the CEF Extension area or be mapped to baseline CEF fields. As at the date of this document, the logs from Snare for Windows agents will include the advanced CEF field mapping.
CEF Syslog RFC3164 - CEF format as discussed above, with a Syslog RFC3164 header
Splunk HEC - Format for delivery to Splunk HTTP Event Collector (HEC) over HTTP/HTTPS protocol
Snare Legacy Realtime Delivery - Snare internal legacy format
Snare v8 Data Exchange (JSON) - Snare internal format and also for use from Snare Central to Snare Central forwarding. NOTE: this can only be used to other 8.4.0+ destinations
Microsoft Sentinel - Format for delivery to Microsoft Sentinel over HTTPS protocol
Securonix Syslog - Syslog RFC 3164 format, but the Reflector will attempt to remove the first tab-delimited field if it is a duplication of hostname in the event header
Protocol - Select one of the following network protocols for data delivery. Note: available options may change based on the selected Destination Format
TCP
UDP
TLS - TCP with TLS encryption. Please ensure the destination system supports the TLS protocol
TLS_AUTH - TCP with TLS encryption and authentication
TLS_AUTH is a Snare proprietary protocol that overlays the TLS connection with authentication between source and destination. The same TLS authentication key needs to be configured on this page and in the Snare Central destination.
MTLS - mutual TLS (mTLS) protocol. Select this option when the receiver also supports the mTLS protocol, for example, when sending events to Devo Syslog ELB
HTTP - HTTP delivery to REST APIs provided by the receiver (available with relevant Destination Formats, such as Elasticsearch bulk delivery and Splunk HEC)
HTTPS - HTTPS delivery to REST APIs provided by the receiver (available with relevant Destination Formats, such as Elasticsearch bulk delivery, Splunk HEC and Microsoft Sentinel)
Filters
Users can define Filters so that only matching events are forwarded to the destination.
By default, no filters are applied, and all the events received by Snare Central are forwarded to the destination.
In the Filters section select Add Filter to add a filter. Multiple filters can be added if required.
In each filter, you can use the following selectors to define which events should be sent to the destination.
Systems - Filter by the Systems that generated the events. By default, all systems will match the filter. Click the selector and use the check boxes to choose systems of interest. Use the Search system... field on top of the drop-down to quickly find a system by host name or IP address.
Log Types - Filter by Log Types. By default, all log types will match the filter. Click the selector and use the check boxes to choose from the available log types. Use the Search Log Type... field on top of the drop-down to quickly find a log type.
Search Text - Filter by content in any event field, using the Search input field.
Filter Mode - Specify whether to INCLUDE or EXCLUDE the events that match the filter.
Multiple Filters
In some cases, you may want to add additional filters to describe multiple rules with different combinations of parameters.
Click the Add Filter icon in the Filters section header to add an additional filter row.
Click the Remove Filter icon in a filter row to remove it.
Click the Move Down and Move Up icons to reorder the filters.
If an event matches both an INCLUDE and EXCLUDE rule, then the last matching rule will be applied. See Example 4 below.
The default behavior for events that do not match any filter depends on the first filter:
If the first filter is set to INCLUDE, then only events that match the filters will be sent to the destination.
If the first filter is set to EXCLUDE, then all events will be sent to the destination, except for those that are specifically excluded by the subsequent filters.
Filter Examples
Example 1
Send only "LinuxAudit" events from selected Ubuntu machines, containing string "login":
Example 2
Send all events, excluding "AgentHeartBeat" log type:
Example 3
Send only events that match the "WinSecurity" log type OR that contain the substring "1234" delimited by tabs for "All Log Types":
Example 4
Send "WinSecurity" events, except events that contain the event ID substring 5156 or 4663 delimited by tabs:
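The following is an added example, not Snare Central's own code: it models how a destination's filter chain decides whether an event is forwarded, following the rules stated above (no filters forwards everything; the last matching filter wins; the first filter's mode sets the default when nothing matches), and encodes Examples 1 to 4 as filter chains. The event record layout, the host names and the sample events are constructed for this example.

```javascript
// Added example, not Snare Central code: a model of how a destination's
// filter chain decides whether an event is forwarded, following the rules
// stated on this page. The event shape and the host names are constructed.

// Constructed event record (field names are assumptions for this example).
function makeEvent(system, logType, data) {
  return { system, logType, data };
}

// A filter matches when every selector it defines matches the event.
// An empty systems/logTypes list stands for the page's "All" default, and
// an empty searchText means no text condition.
function filterMatches(filter, ev) {
  if (filter.systems.length > 0 && !filter.systems.includes(ev.system)) return false;
  if (filter.logTypes.length > 0 && !filter.logTypes.includes(ev.logType)) return false;
  if (filter.searchText !== "" && !ev.data.includes(filter.searchText)) return false;
  return true;
}

// Page rules: with no filters everything is forwarded; when several filters
// match, the LAST matching one decides; when none match, the first filter's
// mode sets the default (INCLUDE -> drop, EXCLUDE -> forward).
function shouldForward(filters, ev) {
  if (filters.length === 0) return true;
  let decision = null;
  for (const f of filters) {
    if (filterMatches(f, ev)) decision = f.mode; // later matches override earlier ones
  }
  if (decision === null) return filters[0].mode === "EXCLUDE";
  return decision === "INCLUDE";
}

const ALL = [];
function rule(mode, { systems = ALL, logTypes = ALL, searchText = "" } = {}) {
  return { mode, systems, logTypes, searchText };
}

// The four filter examples from this page, with constructed host names.
const EXAMPLE_FILTERS = {
  // Example 1: only LinuxAudit events from selected Ubuntu hosts containing "login"
  example1: [rule("INCLUDE", { systems: ["ubuntu-01", "ubuntu-02"], logTypes: ["LinuxAudit"], searchText: "login" })],
  // Example 2: everything except the AgentHeartBeat log type
  example2: [rule("EXCLUDE", { logTypes: ["AgentHeartBeat"] })],
  // Example 3: WinSecurity OR any log type carrying the tab-delimited field "1234"
  example3: [
    rule("INCLUDE", { logTypes: ["WinSecurity"] }),
    rule("INCLUDE", { searchText: "\t1234\t" }),
  ],
  // Example 4: WinSecurity, except event IDs 5156 or 4663 (last matching rule wins)
  example4: [
    rule("INCLUDE", { logTypes: ["WinSecurity"] }),
    rule("EXCLUDE", { logTypes: ["WinSecurity"], searchText: "\t5156\t" }),
    rule("EXCLUDE", { logTypes: ["WinSecurity"], searchText: "\t4663\t" }),
  ],
};

// Constructed events to run through each example.
const SAMPLE_EVENTS = [
  makeEvent("ubuntu-01", "LinuxAudit", "login succeeded for alice\tsshd"),
  makeEvent("ubuntu-01", "LinuxAudit", "logout for alice\tsshd"),
  makeEvent("web-01", "LinuxAudit", "login failed for bob\tsshd"),
  makeEvent("dc01", "AgentHeartBeat", "heartbeat"),
  makeEvent("dc01", "WinSecurity", "Security\t5156\tconnection permitted"),
  makeEvent("dc01", "WinSecurity", "Security\t4624\tlogon"),
  makeEvent("sql01", "MSSQL", "Application\t1234\tquery"),
];

// Returns, for one example chain, which sample events would be forwarded.
function forwardingTable(exampleName) {
  return SAMPLE_EVENTS.map((ev) => ({
    system: ev.system,
    logType: ev.logType,
    forwarded: shouldForward(EXAMPLE_FILTERS[exampleName], ev),
  }));
}

for (const name of Object.keys(EXAMPLE_FILTERS)) {
  console.log(name);
  console.table(forwardingTable(name));
}
```

Running the block prints one table per example. The Example 4 table shows the "last matching rule" behaviour: the WinSecurity event with ID 5156 matches both the INCLUDE and an EXCLUDE filter and is dropped, while the MSSQL event matches nothing and is dropped because the first filter is an INCLUDE.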
Search Replace
The Snare Reflector can be configured to modify events on the fly per destination, between reception and retransmission.
Search and replace can be applied to the event data either in the incoming format (before conversion to the destination format) or in the outgoing format (after conversion to the destination format). Choose between the two by setting the toggle button to "Apply Search-Replace filters to events in INCOMING format" or "Apply Search-Replace filters to events in OUTGOING format".
Search terms should be specified as RE2 regular expression matches, with optional round brackets, to denote string sub-matches.
Replacement terms can be specified as normal strings, or as strings compatible with the replacement formats specified in ECMA-262, ECMAScript Language Specification, section 15.5.4.11 (String.prototype.replace). (FWD.1)
Multiple Search-Replace Filters
In some cases, you may want to add additional filters to describe multiple Search-Replace rules.
Click the Add Filter icon in the Search Replace section header to add a Search-Replace filter row.
Click the Remove Filter icon in a filter row to remove it.
Click the Move Down and Move Up icons to reorder the Search-Replace filters.
It is important to note that search-replacements are cumulative. If multiple search-replace rules are defined for a destination, each will operate on the result of the previous search-replace action.
Search-replace actions are case-sensitive.
Search-Replace Filter Examples
A common use for search and replace filters is to convert delimiters from one character to another.
Example 1
The following changes the event data delimiters from "\t" (tab) to "|" (pipe) in the format in which the event arrives at Snare Central; after the changes are made, the event is converted to the destination format:
Example 2
The following converts the event data to the destination format first; after the format conversion, it changes the event data delimiters from "\t" (tab) to "|" (pipe):
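The following is an added example, not Snare Central's own code, serving both the Destination Format descriptions above (Syslog RFC 3164 versus RFC 5424, including the loss of the year and the structuredData element) and the two Search-Replace examples. It models a minimal conversion of a Snare-style tab-delimited event into each syslog format and applies a cumulative, case-sensitive chain of search-replace rules in either INCOMING or OUTGOING mode. The event layout, the header field mapping, the structuredData parameter names and the SD-ID are assumptions made for illustration; JavaScript's regex engine is used in place of RE2, so the patterns stay within the subset both accept.

```javascript
// Added example, not Snare Central code. It models two things this page
// describes: converting a Snare-style tab-delimited event into a Syslog
// RFC 3164 or RFC 5424 message, and applying a cumulative, case-sensitive
// chain of search-replace rules to either the INCOMING (pre-conversion)
// or OUTGOING (post-conversion) text. The event layout, the header field
// mapping and the structuredData naming are assumptions for illustration.

// Constructed Snare-style event: header fields plus tab-delimited event data.
const SAMPLE_EVENT = {
  host: "dc01",
  logType: "MSWinEventLog",
  received: new Date("2024-03-05T14:07:09Z"),
  data: "Security\t4624\tAn account was successfully logged on\tuser=alice",
};

const pad2 = (n) => String(n).padStart(2, "0");

// RFC 3164: "<PRI>Mmm dd hh:mm:ss HOST TAG: MSG". The timestamp has no year,
// which is the information loss the page warns about for this format.
function toRfc3164(ev, pri = 13) {
  const m = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"];
  const d = ev.received;
  const ts = `${m[d.getUTCMonth()]} ${String(d.getUTCDate()).padStart(2, " ")} ` +
    `${pad2(d.getUTCHours())}:${pad2(d.getUTCMinutes())}:${pad2(d.getUTCSeconds())}`;
  return `<${pri}>${ts} ${ev.host} ${ev.logType}: ${ev.data}`;
}

// RFC 5424: "<PRI>1 TIMESTAMP HOST APP-NAME PROCID MSGID [SD-ELEMENT] MSG".
// The tab-delimited fields are carried as SD-PARAMs; "-" is the NILVALUE.
// The SD-ID uses the enterprise number reserved for documentation (RFC 5612).
const sdEscape = (v) => v.replace(/[\\"\]]/g, (c) => "\\" + c);
function toRfc5424(ev, pri = 13, sdId = "snare@32473") {
  const params = ev.data.split("\t").map((v, i) => `field${i}="${sdEscape(v)}"`).join(" ");
  return `<${pri}>1 ${ev.received.toISOString()} ${ev.host} ${ev.logType} - - [${sdId} ${params}] ${ev.data}`;
}

// One rule = RE2-style search pattern + ECMA-262 String.prototype.replace
// replacement string ($1, $&, $$ ...). JavaScript's engine is not RE2, so
// patterns here stay within the subset both accept. Rules are applied in
// order, each on the previous result, with case-sensitive matching.
function applySearchReplace(rules, text) {
  return rules.reduce((acc, r) => acc.replace(new RegExp(r.search, "g"), r.replace), text);
}

// INCOMING: rewrite the raw event data, then convert. OUTGOING: convert
// first, then rewrite the whole outgoing message (header included).
function forward(ev, rules, format, applyTo) {
  const convert = format === "rfc5424" ? toRfc5424 : toRfc3164;
  if (applyTo === "INCOMING") return convert({ ...ev, data: applySearchReplace(rules, ev.data) });
  return applySearchReplace(rules, convert(ev));
}

// The page's tab-to-pipe rule, plus a chain whose second rule only matches
// because the first has already run (cumulative behaviour).
const TAB_TO_PIPE = [{ search: "\\t", replace: "|" }];
const CUMULATIVE = [
  { search: "\\t", replace: "|" },
  { search: "\\|(\\d{4})\\|", replace: "|EVT-$1|" }, // $1 = the captured event ID
];

console.log(forward(SAMPLE_EVENT, TAB_TO_PIPE, "rfc3164", "OUTGOING")); // Example 2 style
console.log(forward(SAMPLE_EVENT, TAB_TO_PIPE, "rfc5424", "INCOMING")); // Example 1 style
console.log(applySearchReplace(CUMULATIVE, SAMPLE_EVENT.data));
```

Two points worth checking when running it: the RFC 3164 output carries no year at all, while the RFC 5424 output keeps the full timestamp; and in this model, replacing tabs with pipes in INCOMING mode before an RFC 5424 conversion leaves a single structuredData parameter, because the converter no longer has tabs to split on. The order of cumulative rules matters for the same reason: the second CUMULATIVE rule finds nothing if it is placed before the tab-to-pipe rule.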
Add Destination and Restart Reflector
After entering all the destination details, click ADD DESTINATION at the bottom of the dialog.
Snare Reflector needs to be restarted for the changes in destination configuration to take effect. Events received via UDP connection may be lost during service restart.
A confirmation screen is displayed:
Select ADD AND RESTART to save the new destination and restart the Snare Reflector service
or
Select ADD WITHOUT RESTART to save the new destination without restarting the Snare Reflector service. This may be useful if several destinations need to be added/modified prior to restarting the service.
or
Select CANCEL to cancel the saving operation and return to Add Destination dialog.
Reflector can be restarted at a later stage.
If the changes were saved without restarting, the following banner will be shown at the top of all the Reflector configuration pages:
Click RESTART SNARE REFLECTOR to apply the changes at any convenient time.
View Destination Details
Select Destinations tab on the Reflector > Configure Destination page.
In the left panel select the destination you are interested in. The destination details will be presented in the right panel.
The header of the right panel contains the following information: Destination Name | Destination Status | Filtering information
For detailed description of all the destination parameters, see Add Destination section above.
Modify Destination
Only user-defined destinations can be modified.
The first three destinations are reserved for internal use by Snare Central and cannot be modified. These internal destinations are marked with a padlock icon.
Select Destinations tab on the Reflector > Configure Destination page.
In the left panel select the destination that needs to be modified.
Edit any fields of the destination, add/remove filters and search-replace rules as required.
For detailed description of all the destination parameters, see Add Destination section above.
Select Update to save the settings.
Snare Reflector needs to be restarted for the changes in destination configuration to take effect. Events received via UDP connection may be lost during service restart.
A confirmation screen is displayed:
Select UPDATE AND RESTART to update the destination and restart the Snare Reflector service
or
Select UPDATE WITHOUT RESTART to update the destination without restarting the Snare Reflector service. This may be useful if several modifications need to be done prior to restarting the service.
or
Select CANCEL to cancel the update operation and close this confirmation screen
Enable/Disable Destination
Select Destinations tab on the Reflector > Configure Destination page.
Click on the destination to see its details in the right panel.
Use Enable toggle in the right panel to enable/disable the destination.
Select Update to save the settings.
Snare Reflector needs to be restarted for the changes in destination configuration to take effect.
Select UPDATE AND RESTART in the confirmation dialog to proceed.
Note: Events received via UDP connection may be lost during service restart.
The disabled destination will not be displayed on the dashboard.
Delete Destination
Select Destinations tab on the Reflector > Configure Destination page.
Click on the destination to see its details in the right panel.
Select Delete Destination button in the header of the destination details.
A confirmation screen is displayed:
Snare Reflector needs to be restarted for the changes in destination configuration to take effect. Events received via UDP connection may be lost during service restart.
Select DELETE AND RESTART to delete the destination and restart the Snare Reflector service
or
Select DELETE WITHOUT RESTART to delete the destination without restarting the Snare Reflector service. This may be useful if several modifications need to be done prior to restarting the service.
or
Select CANCEL to cancel the deletion operation