[Config]
This subkey stores the general configuration values.

| Value | Description |
| --- | --- |
| AgentLog | This value is of type REG_DWORD and sets the level of tracing produced by the agent. The named levels are Fatal (0), Error (1), Warning (2), Info (3), Debug (8) and Trace (9). |
| CachePath | The disk cache path where the agent temporarily saves all unsent events if it needs to restart. The agent reads and sends the cached events on its next start. |
| Checksum | This value is of type REG_DWORD and determines whether Snare appends an MD5 checksum of the contents of each audit record to the record in question. Set this value to 0 for No or 1 for Yes; it defaults to FALSE (0) if not set. The checking application must strip the final delimiter and the MD5 checksum from the record before evaluating the remainder against the checksum. Because the checksum is unkeyed, it detects truncation or corruption in transit but not deliberate alteration by anyone able to rewrite the record and recompute the hash. |
| ClearTabs | If set to 1, all tab characters ('\t') in the event string are removed. |
| Clientname | This is the hostname of the client and is of type REG_SZ. If no value has been set, the output of the hostname command is used. Must be no more than 100 characters; longer values are truncated. |
| CritAudit | This value is of type REG_DWORD and determines whether, when more than one objective matches an event, Snare sends the event only for the highest-criticality match. |
| Delimiter | This is of type REG_SZ and stores the field-delimiting character, used ONLY when the SYSLOG destination format has been selected. If more than one character is given, only the first is used. If none is set, TAB is used. This is a HIDDEN setting, intended for users who need a different delimiter with the SYSLOG header; it is not exposed in the Snare front end or the web pages. |
| EnableUSB | This value is of type REG_DWORD and determines whether Snare actively captures USB auditing events (XP/2003/2008/2012 only). Set this value to 0 for No or 1 for Yes; it defaults to FALSE (0) if not set. |
| EpilogImport | This value is of type REG_DWORD and determines whether Snare imports the Logs and Filters settings from the Snare Epilog Agent (if installed on the same machine). Set this value to 0 for No or 1 for Yes; it defaults to TRUE (1) if not set. |
| EpilogImportComplete | This value is of type REG_DWORD and records whether Snare has imported the Logs and Filters settings from the Snare Epilog agent (if installed on the same machine). It is set programmatically and should not be edited manually. |
| EventSourceId | This is of type REG_SZ and stores the Windows registry path from which the Event Source Id text/value is read. The value found at that path is included in each event. |
| FileAudit | This value is of type REG_DWORD and determines whether Snare automatically sets the file system audit configuration. Set this value to 0 for No or 1 for Yes; it defaults to TRUE (1) if not set. |
| FileSize | The maximum size of an output file receiving events. The file is rotated when it reaches this size. |
| HeartBeat | The frequency, in minutes, at which a heartbeat is sent. |
| HeartBeatFileExport | Determines whether heartbeats are logged to a file. Set this value to 0 for No or 1 for Yes. |
| HeartBeatOutputPath | The path to which heartbeat messages are exported, if selected. |
| HostGUID | This value is of type REG_SZ. Set it to the GUID of the specific network card. |
| HostIP | This value is of type REG_SZ. Set it to the IP address of the specific network card. |
| LeaveRetention | This value is of type REG_DWORD and determines whether Snare leaves the existing Log Retention settings as they are on each event log. Set this value to 0 for No or 1 for Yes; it defaults to FALSE (0) if not set. |
| UpgradePath | This value is of type REG_SZ. It is the automatically generated path in which temporary upgrade files are stored. |
| UseHostIP | If set, the agent resolves the machine's IP address from the first wired adapter; wireless adapters are not resolved at present. Set this value to 0 for No or 1 for Yes. |
| UseUTC | This value is of type REG_DWORD and determines whether Snare uses UTC timestamps instead of the local system time when sending events. Set this value to 0 for No or 1 for Yes; it defaults to FALSE (0) if not set. |

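The Checksum entry above describes the collector-side step in words only: strip the final delimiter and the MD5, then hash what is left. The following Python is an added example (not Snare's own code) of that check, together with the limitation it carries. The page does not state how the digest is encoded, so the code assumes a 32-character hex digest computed over the UTF-8 bytes of the record text that precedes the final delimiter; the sample record body, function names and delimiter default are constructed here and should be adjusted against real records from your agent.

```python
"""Verify the MD5 checksum that Snare appends to an audit record when Checksum=1.

Added example, not Snare's own code. ASSUMPTION: the checksum is a 32-character
hex MD5 over the UTF-8 bytes of the record text before the final delimiter.
"""
import hashlib
import hmac

HEX = set("0123456789abcdef")


def split_checksum(record, delimiter="\t"):
    """Return (body, checksum) for a record of the form <body><delimiter><md5>.

    Trailing CR/LF is removed first, as a line-oriented collector would see it.
    """
    body, sep, checksum = record.rstrip("\r\n").rpartition(delimiter)
    if not sep:
        raise ValueError("record contains no delimiter, so there is no checksum field")
    return body, checksum


def verify_record(record, delimiter="\t"):
    """True if the trailing checksum matches an MD5 over the stripped record body."""
    body, given = split_checksum(record, delimiter)
    given = given.lower()
    if len(given) != 32 or not set(given) <= HEX:
        return False  # malformed checksum field: treat as a failed check
    expected = hashlib.md5(body.encode("utf-8")).hexdigest()
    # constant-time compare, so the check does not leak how many characters matched
    return hmac.compare_digest(expected, given)


def append_checksum(body, delimiter="\t"):
    """Build a checksummed record. Anyone who can edit a record can call this too,
    which is why an unkeyed MD5 is an integrity check against corruption, not a
    tamper seal."""
    return body + delimiter + hashlib.md5(body.encode("utf-8")).hexdigest()


# Constructed Snare-style record body (sample data, not a real event).
SAMPLE_BODY = "\t".join([
    "MSWinEventLog", "1", "Security", "4624", "Mon Jan 01 00:00:00 2024",
    "An account was successfully logged on.",
])


def demo():
    """Genuine record verifies; a corrupted one fails; a re-sealed forgery verifies."""
    genuine = append_checksum(SAMPLE_BODY)
    corrupted = genuine.replace("4624", "4625", 1)           # body changed, hash stale
    forged = append_checksum(SAMPLE_BODY.replace("4624", "4625", 1))  # hash recomputed
    return verify_record(genuine), verify_record(corrupted), verify_record(forged)


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The third result in `demo()` is the practical caveat: if you need evidence that records were not altered after leaving the host, rely on the TLS destination transport (Destination1SocketType) or on integrity controls at the collector rather than on this checksum.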
[Objective]
This subkey stores all the filtering objectives.

| Value | Description |
| --- | --- |
| Objective# (where # is a serial number) | Each objective is of type REG_SZ, no greater than 1060 characters, and is composed of the string described below. |

Objective string format (the figures in brackets are the maximum lengths of the strings that can be entered):

Criticality(DWORD);Event Type(DWORD);Event Log Type(DWORD);EventID Match[256];General Match[512];UserMatchType(DWORD);User Match[256];EventIDMatchType(DWORD);GeneralMatchType(DWORD);SourceName Match[256];SourceNameMatchType(DWORD);TruncateList[2048];

Criticality: integer between 0 and 4 indicating the severity of the event. Critical = 4, Priority = 3, Warning = 2, Information = 1, Clear = 0.
User Match Type: 0 = include users that match the user search term; 1 = exclude them.
EventID Match Type: 0 = include events that match the entire objective; 1 = exclude them.
Event Type: Success = 16, Failure = 8, Error = 4, Information = 2, Warning = 1. These values are checkboxes, so the sum of the selected values is recorded.
Event Log Type: Custom = 64, Security = 32, System = 16, Application = 8, Directory Service = 4, DNS Server = 2, File Replication = 1. These values are checkboxes, so the sum of the selected values is recorded.
The match terms (EventID Match, General Match and User Match) are the filter expressions. Each may be any value (except TAB) and may include DOS wildcard characters. These are NOT regular expressions, with the exception of the General Match term, which can be interpreted as a Perl Compatible Regular Expression by selecting the checkbox next to it; if that checkbox is not selected, the default simple search is used.
NOTE: The semicolons shown in the format are actually TAB characters in the stored value.

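Because the stored value is TAB-separated with a trailing separator, and two of the DWORD fields are bitmask sums rather than plain enumerations, hand-reading an Objective# value is error-prone. The following Python is an added example (not Snare's own code) that parses, validates and rebuilds objective strings using the field order, size limits and flag values given above. The function names, the constructed SAMPLE_OBJECTIVE and the `simple_match` helper are assumptions made here; the helper models only the default simple search (DOS `*` and `?` wildcards), not the optional PCRE mode of the General Match term, and, being built on `fnmatch`, it also honours `[]` classes that DOS wildcards do not have.

```python
"""Parse, validate and build Snare Objective# strings.

Added example, not Snare's own code. Field order, limits, flag values and the
TAB separator follow the Objective format on this page; the sample objective
and helper names are constructed here.
"""
import fnmatch

SEP = "\t"          # the ";" separators shown in the format are TAB characters
MAX_LEN = 1060      # maximum length of the whole REG_SZ value

# (field name, type, maximum string length or None for DWORD fields), in stored order
FIELDS = [
    ("criticality", int, None),
    ("event_type", int, None),
    ("event_log_type", int, None),
    ("event_id_match", str, 256),
    ("general_match", str, 512),
    ("user_match_type", int, None),
    ("user_match", str, 256),
    ("event_id_match_type", int, None),
    ("general_match_type", int, None),
    ("source_name_match", str, 256),
    ("source_name_match_type", int, None),
    ("truncate_list", str, 2048),
]

CRITICALITY = {0: "Clear", 1: "Information", 2: "Warning", 3: "Priority", 4: "Critical"}
EVENT_TYPE = {16: "Success", 8: "Failure", 4: "Error", 2: "Information", 1: "Warning"}
EVENT_LOG_TYPE = {64: "Custom", 32: "Security", 16: "System", 8: "Application",
                  4: "Directory Service", 2: "DNS Server", 1: "File Replication"}
MATCH_TYPE = {0: "Include", 1: "Exclude"}


def decode_flags(value, table):
    """Expand a checkbox bitmask (the sum of the ticked values) into its names."""
    unknown = value & ~sum(table)
    if value < 0 or unknown:
        raise ValueError(f"bits {unknown} are not defined in this flag set")
    return [name for bit, name in sorted(table.items(), reverse=True) if value & bit]


def parse_objective(raw):
    """Split a stored Objective# value into a dict, enforcing the documented limits."""
    if len(raw) > MAX_LEN:
        raise ValueError(f"objective longer than {MAX_LEN} characters")
    parts = raw.split(SEP)
    if parts and parts[-1] == "":   # the format ends with a trailing separator
        parts.pop()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, found {len(parts)}")
    obj = {}
    for (name, kind, limit), text in zip(FIELDS, parts):
        if limit is not None and len(text) > limit:
            raise ValueError(f"{name} exceeds {limit} characters")
        obj[name] = kind(text)
    # range checks for the DWORD fields
    if obj["criticality"] not in CRITICALITY:
        raise ValueError("criticality must be 0-4")
    decode_flags(obj["event_type"], EVENT_TYPE)
    decode_flags(obj["event_log_type"], EVENT_LOG_TYPE)
    for name in ("user_match_type", "event_id_match_type",
                 "general_match_type", "source_name_match_type"):
        if obj[name] not in MATCH_TYPE:
            raise ValueError(f"{name} must be 0 or 1")
    return obj


def build_objective(obj):
    """Inverse of parse_objective: emit the TAB-separated REG_SZ value."""
    parts = []
    for name, kind, limit in FIELDS:
        text = str(obj.get(name, "" if kind is str else 0))
        if SEP in text:
            raise ValueError(f"{name}: TAB is not allowed inside a match term")
        if limit is not None and len(text) > limit:
            raise ValueError(f"{name} exceeds {limit} characters")
        parts.append(text)
    raw = SEP.join(parts) + SEP
    if len(raw) > MAX_LEN:
        raise ValueError(f"objective longer than {MAX_LEN} characters")
    return raw


def describe(obj):
    """Human-readable summary of a parsed objective."""
    return {
        "criticality": CRITICALITY[obj["criticality"]],
        "event_types": decode_flags(obj["event_type"], EVENT_TYPE),
        "event_logs": decode_flags(obj["event_log_type"], EVENT_LOG_TYPE),
        "event_id": f'{MATCH_TYPE[obj["event_id_match_type"]]} {obj["event_id_match"]!r}',
        "user": f'{MATCH_TYPE[obj["user_match_type"]]} {obj["user_match"]!r}',
    }


def simple_match(term, value):
    """Default simple search: DOS wildcards * and ?, case-insensitive, not a regex."""
    return fnmatch.fnmatch(value.lower(), term.lower())


# Constructed sample: Critical (4), Success+Failure (16+8=24), Security log (32),
# event IDs matching 462?, any user, any source, no truncation list.
SAMPLE_OBJECTIVE = SEP.join(
    ["4", "24", "32", "462?", "*", "0", "*", "0", "0", "*", "0", ""]) + SEP

if __name__ == "__main__":
    print(describe(parse_objective(SAMPLE_OBJECTIVE)))
```

Round-tripping a value through `parse_objective` and `build_objective` before writing it back is a cheap guard against the two mistakes the format invites: pasting literal semicolons where TABs belong, and recording a single checkbox value instead of the sum.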
[Network]
This subkey stores the general network configurations.

| Value | Description |
| --- | --- |
| CacheSize | This value is of type REG_DWORD and determines the desired count of events in the memory cache. If this is set, CacheSizeM cannot be altered. |
| CacheSizeEventLog | This value is of type REG_DWORD and stores the maximum log size as displayed in Windows Event Viewer. |
| CacheSizeM | This value is of type REG_DWORD and determines the size of the in-memory cache. The value must be between 1 and 1024. If this is set, CacheSize cannot be altered. |
| CacheSizeSet | This value is of type REG_DWORD and determines whether the agent should set the Windows Event Log size (0 for No, 1 for Yes). |
| CheckTime | The number of seconds between the agent's internal reloads of its settings, at which point it drops and re-establishes its network connection. The minimum is 300 seconds (5 minutes). |
| Destination1Delimiter | This value is of type REG_SZ and is a comma-separated list of destinations, each a maximum of 100 characters. It lists the IP addresses or hostnames to which the event records are sent (NB: multiple hosts are only available in supported agents). See Appendix - Delimiters. |
| Destination1Format | This value is of type REG_DWORD and is the format in which events are sent to the server: Snare (0), SYSLOG RFC3164 (1), SYSLOG Alt (2), CEF (3), LEEF (4) or SYSLOG RFC5424 (5). |
| Destination1Host | This value is of type REG_SZ and is the IP address or hostname of the destination server/SIEM. |
| Destination1Port | This value is of type REG_DWORD and determines the destination port number. It must be in the range 1-65535 and defaults to 514 if a SYSLOG header has been specified. |
| Destination1SocketType | This value is of type REG_DWORD and determines the protocol used (0 for UDP, 1 for TCP, 2 for TLS/SSL). This feature only appears in supported agents. Only TLS/SSL protects events from being read or altered in transit; UDP additionally gives no confirmation of delivery. |
| FileOutput1Delimiter | This value ranges from 1 to 255 and relates to the path of the files in which events are stored per format (e.g. Snare, SYSLOG). |
| FileOutput1FileName | The path and location of the file to which events are written. Multiple files may be set. |
| FileOutput1Format | The format in which to write the log: Snare, SYSLOG, SYSLOG Alt, CEF or LEEF. |
| NotifyMsgLimit | This value is of type REG_DWORD, with value 0 or 1, and determines whether an EPS notification is sent to the server whenever the agent reaches the EPS RateLimit (1 = send, 0 = do not send). This feature only appears in supported agents. |
| NotifyMsgLimitFrequency | This value is of type REG_DWORD and determines the frequency of the events-per-second notification. The value is treated as minutes, and only one EPS notification message is sent to the server regardless of how many times the agent reaches the EPS limit during that period. This feature only appears in supported agents. |
| RateLimit | This value is of type REG_DWORD and determines the upper limit on events per second (EPS) that the agent will send to the server. This feature only appears in supported agents. |
| SyslogDynamicCritic | This value is of type REG_DWORD and represents the DYNAMIC entry for the SYSLOG priority when the SYSLOG format is used. |
| SyslogFacility | This value represents the SYSLOG facility for the SYSLOG format. |
| SyslogPriority | This value represents the SYSLOG priority for the SYSLOG format. |
| TruncateList | A CRLF-separated list of strings; an event whose text matches one of them is truncated. |

[Log]
This subkey stores the log monitors.

| Value | Description |
| --- | --- |
| Log# (where # is a serial number) | Each log monitor is of type REG_SZ, no greater than 512 characters, and is composed of the string described below. |

Log monitor string format:

LogType | LogPath

LogType is optional and is used to inform the Snare server how to process the data stream.
LogPath is the fully qualified path to the log file to be monitored, or the fully qualified path to a directory containing date-stamped log files of the form "YYMMDD" (in this case a trailing backslash ('\') is required). Spaces are valid, except at the start of the term.

[Filter]
This subkey stores the log filters.

| Value | Description |
| --- | --- |
| Filter# (where # is a serial number) | Each filter is of type REG_SZ, no greater than 1060 characters, and is composed of the string described below. |

Filter string format (the figure in brackets is the maximum length of the string that can be entered):

General Match[512];GeneralMatchType(DWORD)

General Match Type: 0 = include entries that match the general search term; 1 = exclude them.
The General Match term is the filter expression. It may be any value and may include DOS wildcard characters (note that these are NOT regular expressions).
NOTE: The semicolon shown in the format is actually a TAB character in the stored value.

[Remote]
This subkey stores all the remote control parameters.

| Value | Description |
| --- | --- |
| AccessKey | This value is of type REG_DWORD and determines whether a password is required to access the remote control functions. It is set to either 0 or 1, with 0 signifying that no password is required. |
| AccessKeySet | This is of type REG_SZ and stores the password to be used, in encrypted format. |
| AccessKeySetSnare1 | This is of type REG_SZ and stores the DIGEST password to be used for the user name "snare", in encrypted format. HTTP Digest authentication hashes the user name together with the password, so each case variant of the user name needs its own stored value (see the next two entries). |
| AccessKeySetSnare2 | This is of type REG_SZ and stores the DIGEST password to be used for the user name "Snare", in encrypted format. |
| AccessKeySetSnare3 | This is of type REG_SZ and stores the DIGEST password to be used for the user name "SNARE", in encrypted format. |
| Allow | This value is of type REG_DWORD and is set to either 0 or 1 to allow remote control. If not set or out of bounds, it defaults to 0/No (i.e. the agent cannot be remote controlled). |
| AllowBasicAuth | Only available via the registry. Set to 0 by default. Enable (1) if the agent should accept HTTP Basic authentication in the web UI. Basic authentication sends the password base64-encoded rather than hashed, so enable it only together with WebHttps set to 1. |
| Restrict | This value is of type REG_DWORD and is set to either 0 or 1 to signal whether remote users should be restricted by IP address. 0 = no restrictions. |
| RestrictIP | This is of type REG_SZ and is the IP address from which remote access is permitted when Restrict is set to 1. |
| WebHttps | Set to 0 or 1 to allow HTTPS (secure session). Setting this to TRUE (1) requires the relevant certificate setup. |
| WebPort | This value is of type REG_DWORD and is the web server port, if it has been set to something other than 6161. If not set or out of bounds, it defaults to port 6161. |

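The [Remote] values combine in ways that are easy to get wrong: remote control enabled with no password, no IP restriction, or Basic authentication over plain HTTP. The following Python is an added example (not Snare's own code) of an audit that reads the documented values and flags those combinations, plus two transport settings from [Network] and [Config] that affect evidence quality. The finding codes, the audit rules and the WEAK/HARDENED sample dictionaries are constructed here; the registry root path used when running on Windows is an assumption and should be confirmed on your build before relying on it.

```python
"""Audit Snare agent registry settings for weak remote-control and transport choices.

Added example, not Snare's own code. Value names and meanings are those in the
[Config], [Network] and [Remote] tables; finding codes, rules and sample data are
constructed here. ASSUMPTION: the HKLM registry root passed to load_subkey().
"""


def _int(values, name, default):
    """Registry DWORDs arrive as int; tolerate missing or string-typed values."""
    try:
        return int(values.get(name, default))
    except (TypeError, ValueError):
        return default


def audit(config, network, remote):
    """Return a list of (code, message) findings; an empty list means nothing flagged."""
    findings = []
    https = _int(remote, "WebHttps", 0)
    if _int(remote, "Allow", 0) == 1:
        if _int(remote, "AccessKey", 0) == 0:
            findings.append(("NO_PASSWORD",
                             "Allow=1 with AccessKey=0: remote control needs no password"))
        if _int(remote, "Restrict", 0) == 0 or not str(remote.get("RestrictIP", "")).strip():
            findings.append(("NO_IP_RESTRICTION",
                             "Restrict=0 or RestrictIP empty: the web UI accepts any source address"))
        if https == 0:
            findings.append(("PLAIN_HTTP",
                             "WebHttps=0: remote-control sessions are not encrypted"))
        if _int(remote, "AllowBasicAuth", 0) == 1 and https == 0:
            findings.append(("BASIC_AUTH_CLEARTEXT",
                             "AllowBasicAuth=1 over plain HTTP: passwords cross the network base64-encoded only"))
        port = _int(remote, "WebPort", 6161)
        if not 1 <= port <= 65535:
            findings.append(("BAD_WEB_PORT",
                             f"WebPort={port} is out of range; the agent falls back to 6161"))
    if _int(network, "Destination1SocketType", 0) != 2:
        findings.append(("NO_TLS_TRANSPORT",
                         "Destination1SocketType is not 2 (TLS/SSL): events are readable and alterable in transit"))
    if _int(config, "UseUTC", 0) == 0:
        findings.append(("LOCAL_TIMESTAMPS",
                         "UseUTC=0: event timestamps are local time; cross-host correlation needs zone handling"))
    return findings


def load_subkey(root, name):
    """Read every value of HKLM\\<root>\\<name> into a dict (Windows only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root + "\\" + name) as key:
        index = 0
        while True:
            try:
                vname, data, _ = winreg.EnumValue(key, index)
            except OSError:        # raised once the index runs past the last value
                break
            values[vname] = data
            index += 1
    return values


# Constructed sample settings (not read from a real machine).
WEAK = {
    "config": {"UseUTC": 0},
    "network": {"Destination1SocketType": 0, "Destination1Port": 514},
    "remote": {"Allow": 1, "AccessKey": 0, "Restrict": 0, "RestrictIP": "",
               "AllowBasicAuth": 1, "WebHttps": 0, "WebPort": 6161},
}
HARDENED = {
    "config": {"UseUTC": 1},
    "network": {"Destination1SocketType": 2, "Destination1Port": 6514},
    "remote": {"Allow": 1, "AccessKey": 1, "Restrict": 1, "RestrictIP": "10.0.0.5",
               "AllowBasicAuth": 0, "WebHttps": 1, "WebPort": 6161},
}


def audit_codes(settings):
    """Just the finding codes for a {config, network, remote} settings bundle."""
    return [code for code, _ in audit(settings["config"], settings["network"], settings["remote"])]


if __name__ == "__main__":
    import sys
    if sys.platform == "win32":
        root = r"SOFTWARE\InterSect Alliance\AuditService"   # ASSUMPTION: confirm on your build
        live = {n.lower(): load_subkey(root, n) for n in ("Config", "Network", "Remote")}
        results = audit(live["config"], live["network"], live["remote"])
    else:
        results = audit(WEAK["config"], WEAK["network"], WEAK["remote"])
    for code, message in results:
        print(code, "-", message)
```

The rules deliberately treat a missing value as its documented default (Allow, AccessKey, Restrict and WebHttps all default to 0), so an agent that has never had [Remote] configured is reported the same way as one explicitly set to the weak values.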